The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. [CVSS 5.3 MEDIUM]
The LearnPress - WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. [CVSS 5.3 MEDIUM]
Mysql Server contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 5.3).
IBM ApplinX 11.1 could disclose sensitive information about server architecture that could aid in further attacks against the system. [CVSS 5.3 MEDIUM]
Unauthenticated attackers can read sensitive data from Oracle Life Sciences Central Designer 7.0.1.0 through an easily exploitable information disclosure vulnerability accessible via HTTP. The flaw requires no user interaction or privileges, allowing remote attackers with network access to gain unauthorized access to a subset of application data. No patch is currently available for this vulnerability.
Configurator contains a vulnerability that allows attackers to unauthorized read access to a subset of Oracle Configurator accessible data (CVSS 5.3).
Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel). The supported version that is affected is 11. [CVSS 5.3 MEDIUM]
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. [CVSS 5.3 MEDIUM]
Vulnerability in the Oracle Solaris product of Oracle Systems (component: Filesystems). Supported versions that are affected are 10 and 11. [CVSS 5.0 MEDIUM]
Mysql contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 4.9).
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 9.0.0-9.5.0. [CVSS 4.9 MEDIUM]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. [CVSS 4.9 MEDIUM]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. [CVSS 4.9 MEDIUM]
Mysql Server contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 4.9).
Mysql Cluster contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 4.9).
BROWAN COMMUNICATIONS PrismX MX100 AP controller stores SMTP credentials in plaintext accessible via the web interface, enabling authenticated administrators to retrieve sensitive password data. The vulnerability requires high-level privileges to exploit but poses a significant risk to email service credentials used by the device. No patch is currently available to remediate this exposure.
Unauthorized data disclosure in Oracle Workflow Loader (versions 12.2.3-12.2.15) allows high-privileged attackers with network access to extract sensitive information from the Oracle E-Business Suite environment. The vulnerability requires administrator-level credentials and HTTP connectivity but can result in complete exposure of workflow-accessible data. A patch is available to remediate this confidentiality issue.
Aspera Console versions up to 3.4.7 is affected by insertion of sensitive information into log file (CVSS 4.9).
Graalvm versions up to 21.3.16 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of Oracle Java SE, Oracle G (CVSS 4.8).
Business Automation Workflow versions up to 24.0.0 is affected by execution with unnecessary privileges (CVSS 4.7).
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. [CVSS 4.6 MEDIUM]
Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.29 and 21.3-21.20. [CVSS 4.5 MEDIUM]
Stored XSS in WP Hello Bar plugin up to version 1.02 allows authenticated administrators to inject malicious scripts through the 'digit_one' and 'digit_two' parameters due to inadequate input validation. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. No patch is currently available.
Stored XSS in the Viet contact WordPress plugin versions up to 1.3.2 allows authenticated administrators to inject malicious scripts into admin settings due to inadequate input sanitization and output escaping. The injected scripts execute when other users access affected pages, impacting multi-site WordPress installations and sites with unfiltered_html disabled. Exploitation requires administrator-level access and no patch is currently available.
NotificationX plugin for WordPress versions up to 3.1.11 lacks proper authorization checks on REST API endpoints, allowing authenticated users with Contributor-level permissions to reset analytics data for any campaign regardless of ownership. This capability bypass enables low-privileged attackers to tamper with campaign analytics across the WordPress installation. The vulnerability affects WordPress deployments using the affected plugin versions, with no patch currently available.
The Newsletter WordPress plugin through version 9.1.0 contains a cross-site request forgery vulnerability in the hook_newsletter_action() function due to insufficient nonce validation, allowing unauthenticated attackers to unsubscribe legitimate users if they can trick a logged-in administrator into clicking a malicious link. This attack requires user interaction but poses a direct integrity risk to newsletter subscriber lists. No patch is currently available.
Unauthorized data access in Oracle Planning and Budgeting Cloud Service (version 25.04.07) can be achieved by high-privileged attackers with local infrastructure access through the EPM Agent component. The vulnerability requires user interaction from a non-attacker and allows complete compromise of accessible Planning and Budgeting data. No patch is currently available.
Planning And Budgeting Cloud Service contains a vulnerability that allows attackers to unauthorized creation, deletion or modification access to critical data or all O (CVSS 4.2).