A vulnerability was determined in Tenda WH450 1.0.0.18. This impacts an unknown function of the file /goform/CheckTools of the component HTTP Request Handler. Executing a manipulation of the argument ipaddress can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.
A security flaw has been discovered in itsourcecode Student Management System 1.0. This affects an unknown part of the file /record.php. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited.
A vulnerability was identified in code-projects Online Farm System 1.0. Affected is an unknown function of the file /addProduct.php. The manipulation of the argument Username leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used.
Unauthenticated attackers can access private, draft, and pending template content in Premium Addons for Elementor WordPress plugin (versions up to 4.11.53) due to a missing capability check in the 'get_template_content' function. This authentication bypass allows unauthorized disclosure of sensitive template data without requiring user interaction or special privileges. A vendor patch is available, and the vulnerability carries a moderate CVSS score of 5.3 with low technical impact but confirmed accessibility to restricted resources.
VPSUForm WordPress plugin versions 3.2.24 and earlier expose sensitive embedded system information to unauthorized users via improper access controls, allowing attackers to retrieve data that should be restricted to administrators or authenticated users. The vulnerability affects a widely-deployed WordPress form plugin and has an EPSS score of 0.05% (low exploitation probability), with no confirmed active exploitation or public exploit code at the time of analysis.
Cross-site scripting (XSS) vulnerability in CodexThemes TheGem Theme Elements (for Elementor) plugin through version 5.10.5.1 allows improper neutralization of input during web page generation. Attackers can inject malicious scripts that execute in the context of other users' browsers, potentially compromising WordPress site visitors and administrators. No active exploitation has been confirmed at time of analysis, though the low EPSS score (0.04%) suggests limited real-world exploitation likelihood despite the vulnerability's presence in a widely-used Elementor theme plugin.
Stored cross-site scripting (XSS) in WebCodingPlace Responsive Posts Carousel Pro WordPress plugin versions 15.2 and earlier allows authenticated users to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability resides in improper input sanitization during web page generation, enabling attackers to compromise site integrity and steal sensitive user data. EPSS exploitation probability is notably low (0.04%, 14th percentile), suggesting limited real-world attack incentive despite the stored nature of the flaw.
Type confusion in the Linux kernel's team network driver (team_port_add) allows a local user with CAP_NET_ADMIN to corrupt a team device's header_ops state, leading to a kernel hang or BUG(). When an already-UP GRE device is added as a team port, the operation fails but not before team_dev_type_check_change irreversibly replaces eth_header with ipgre_header on the team device; subsequent packet transmission causes ipgre_header() to dereference struct team private data as struct ip_tunnel, triggering a local denial-of-service. No active exploitation has been confirmed (not in CISA KEV), though a syzbot reproducer demonstrates the issue reliably.
Missing authorization controls in VillaTheme HAPPY helpdesk plugin versions up to 1.0.9 allow unauthenticated attackers to bypass access restrictions and interact with support ticket functionality without proper permission verification. This authentication bypass vulnerability affects WordPress installations using the vulnerable plugin and could permit unauthorized access to sensitive support tickets and helpdesk operations. The issue has been reported by Patchstack security researchers with a low EPSS exploitation probability (0.04%) despite the authorization flaw.
Chakra test WordPress plugin version 1.0.1 and earlier fails to properly enforce access control restrictions, allowing unauthenticated or lower-privileged users to bypass authentication mechanisms and access restricted functionality. The vulnerability stems from incorrectly configured security levels that do not validate user permissions before executing sensitive operations, and is tracked with an exceptionally low EPSS score (0.04%) despite the missing authorization flaw, suggesting limited real-world exploitation despite the theoretical risk.
Cross-Site Request Forgery in Premium Addons for Elementor plugin versions up to 4.11.53 allows unauthenticated remote attackers to create arbitrary Elementor templates by exploiting missing nonce validation in the 'insert_inner_template' function. An attacker must trick a site administrator or user with edit_posts capability into clicking a malicious link, but no public exploit code has been identified. The EPSS score of 0.02% indicates this vulnerability has very low exploitation probability in practice despite the CVSS 4.3 rating.