Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themefic Hydra Booking hydra-booking allows SQL Injection.This issue affects Hydra Booking: from n/a through <= 1.1.32.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup CountDown With Image or Video Background countdown_with_background allows Blind SQL Injection.This issue affects CountDown With Image or Video Background: from n/a through <= 1.5.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup xPromoter top_bar_promoter allows Blind SQL Injection.This issue affects xPromoter: from n/a through <= 1.3.4.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi All In One SEO Pack all-in-one-seo-pack allows Blind SQL Injection.This issue affects All In One SEO Pack: from n/a through <= 4.9.1.
SQL injection in LBG Zoominoutslider WordPress plugin versions through 5.4.4 allows authenticated attackers with low-level privileges to extract sensitive database information and potentially cause denial of service. The vulnerability enables cross-scope impact, meaning attackers can access resources beyond their authorized privilege level. EPSS probability is low (0.04%, 14th percentile), indicating limited observed exploitation activity, though Patchstack's disclosure suggests active security community awareness.
Network traffic sniffing in RTI Connext Professional 7.2.0-7.3.0 and 7.4.0-7.6.x exposes private personal information to unauthorized remote actors with low attack complexity. The vulnerability allows confidentiality breach (high impact) with limited integrity and availability impacts, affecting distributed data-sharing middleware used in critical infrastructure and industrial systems. EPSS exploitation probability is minimal (0.05%, 15th percentile) with no confirmed active exploitation or public exploit code identified at time of analysis.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AIOSEO Plugin Team Broken Link Checker broken-link-checker-seo allows SQL Injection.This issue affects Broken Link Checker: from n/a through <= 1.2.6.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stefano Lissa Newsletter newsletter allows Blind SQL Injection.This issue affects Newsletter: from n/a through <= 9.0.9.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Stockholm Core stockholm-core allows PHP Local File Inclusion.This issue affects Stockholm Core: from n/a through <= 2.4.6.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LiquidThemes Hub Core hub-core allows PHP Local File Inclusion.This issue affects Hub Core: from n/a through <= 5.0.8.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove EduMall edumall allows PHP Local File Inclusion.This issue affects EduMall: from n/a through <= 4.4.7.
Information disclosure in Menulux Mobile App versions prior to 9.5.8 allows remote unauthenticated attackers to access other users' data by manipulating trusted identifiers (IDOR-style flaw). The vulnerability falls under CWE-639 (Authorization Bypass Through User-Controlled Key) and was reported by Turkey's national CERT (USOM). There is no public exploit identified at time of analysis, and EPSS scoring places exploitation probability at just 0.04% (13th percentile).
Local file inclusion in PenciDesign Soledad WordPress theme versions through 8.7.0 allows authenticated attackers with low privileges to include and execute arbitrary PHP files via improper filename control in include/require statements. Attack complexity is high (AC:H), requiring specific server configuration or authenticated access to exploit. No active exploitation confirmed at time of analysis, but vulnerability class (CWE-98) is commonly targeted once POC becomes available. EPSS data not provided; exploitation status unknown beyond vendor disclosure.