cardpaysolutions Payment Gateway Authorize.Net CIM for WooCommerce authnet-cim-for-woo is affected by missing authorization (CVSS 6.5).
Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tickera: from n/a through <= 3.5.6.2. [CVSS 6.5 MEDIUM]
favethemes Houzez Theme - Functionality houzez-theme-functionality is affected by cross-site scripting (xss) (CVSS 5.4).
The Menu In Post plugin for Linux through version 1.4.1 contains a DOM-based cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker with user-level access can exploit this to steal session tokens, deface content, or perform actions on behalf of victims. No patch is currently available for this vulnerability.
ThemeGoods Grand Restaurant Theme Elements for Elementor grandrestaurant-elementor is affected by cross-site scripting (xss) (CVSS 5.4).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows DOM-Based XSS.This issue affects tagDiv Composer: from n/a through <= 5.4.2. [CVSS 6.1 MEDIUM]
Missing Authorization vulnerability in solacewp Solace solace allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Solace: from n/a through <= 2.1.16. [CVSS 6.5 MEDIUM]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kriesi Enfold enfold allows DOM-Based XSS.This issue affects Enfold: from n/a through <= 7.1.3. [CVSS 6.5 MEDIUM]
Gitea's notification API fails to re-validate repository access permissions when retrieving notification details, allowing users with revoked access to private repositories to continue viewing issue and pull request titles through cached notifications. An authenticated attacker can exploit this to maintain visibility into sensitive repository content after their access has been removed. A patch is available.
Gitea's OpenID URI visibility controls lack proper ownership validation, allowing authenticated users to modify the visibility settings of other users' OpenID identities. This integrity bypass affects any Gitea instance where multiple users manage OpenID configurations, enabling account enumeration or information disclosure through unauthorized visibility changes. A patch is available to remediate this medium-severity vulnerability.
Gitea's stopwatch API fails to re-validate repository access permissions, allowing revoked users to access sensitive information through active stopwatch sessions. An authenticated attacker with prior access to a private repository can enumerate issue titles and repository names even after their permissions have been removed. A patch is available to enforce proper access control validation.
Gitlab versions up to 18.6.4 is affected by loop with unreachable exit condition (infinite loop) (CVSS 6.5).
The Infotainment ECU manufactured by Bosch which is installed in Nissan Leaf ZE1 - 2020 uses a Redbend service for over-the-air provisioning and updates. HTTPS is used for communication with the back-end server. [CVSS 6.5 MEDIUM]
Server-Side Request Forgery (SSRF) vulnerability in Marco van Wieren WPO365 wpo365-login allows Server Side Request Forgery.This issue affects WPO365: from n/a through <= 40.0. [CVSS 6.4 MEDIUM]
An attacker could decrypt sensitive data, impersonate legitimate users or devices, and potentially gain access to network resources for lateral attacks. [CVSS 6.1 MEDIUM]
Quick.Cart is vulnerable to reflected XSS via the sSort parameter. An attacker can craft a malicious URL which, when opened, results in arbitrary JavaScript execution in the victim’s browser. [CVSS 6.1 MEDIUM]
An attacker with access to the project file could use the exposed credentials to impersonate users, escalate privileges, or gain unauthorized access to systems and services. [CVSS 6.1 MEDIUM]
WP Chill Modula Image Gallery modula-best-grid-gallery is affected by cross-site scripting (xss) (CVSS 7.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pondol Pondol BBS pondol-bbs allows Stored XSS.This issue affects Pondol BBS: from n/a through <= 1.1.8.4. [CVSS 5.4 MEDIUM]
Benjamin Intal Stackable stackable-ultimate-gutenberg-blocks is affected by cross-site scripting (xss) (CVSS 5.4).
go-tuf is a Go implementation of The Update Framework (TUF). [CVSS 5.9 MEDIUM]
Stored XSS in Owl Carousel WP through version 2.2.2 allows authenticated users with high privileges to inject malicious scripts that persist in web pages and execute in visitors' browsers. An attacker with administrative access could exploit improper input sanitization to compromise site visitor sessions or steal sensitive data. A patch is not currently available.
SEOSEON EUROPE S.L Affiliate Link Tracker affiliate-link-tracker is affected by cross-site scripting (xss) (CVSS 5.9).
Signature threshold validation bypass in go-tuf versions 2.0.0 through 2.3.0 allows a compromised or misconfigured TUF repository to disable signature verification by setting thresholds to zero, enabling attackers to tamper with metadata files without detection. This affects systems relying on go-tuf for secure software update verification, potentially allowing unauthorized modifications to trusted metadata both at rest and in transit. A patch is available in version 2.3.1.
cjjparadoxmax Synergy Project Manager synergy-project-manager is affected by cross-site scripting (xss) (CVSS 5.8).
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows Reflected XSS.This issue affects Hotel Guest Hotspot: through 22012026. [CVSS 5.5 MEDIUM]
merkulove Motionger for Elementor motionger-elementor is affected by missing authorization (CVSS 8.8).
Missing Authorization vulnerability in merkulove Searcher for Elementor searcher-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Searcher for Elementor: from n/a through <= 1.0.3. [CVSS 8.8 HIGH]
Missing Authorization vulnerability in merkulove Carter for Elementor carter-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Carter for Elementor: from n/a through <= 1.0.2. [CVSS 8.8 HIGH]
Missing Authorization vulnerability in merkulove Imager for Elementor imager-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Imager for Elementor: from n/a through <= 2.0.4. [CVSS 8.8 HIGH]
Missing Authorization vulnerability in Mario Peshev WP-CRM System wp-crm-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP-CRM System: from n/a through <= 3.4.5. [CVSS 8.8 HIGH]
Missing Authorization vulnerability in cozythemes HomeLancer homelancer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HomeLancer: from n/a through <= 1.0.1. [CVSS 8.8 HIGH]
Missing Authorization vulnerability in merkulove Crumber crumber-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Crumber: from n/a through <= 1.0.10. [CVSS 5.4 MEDIUM]
merkulove Comparimager for Elementor comparimager-elementor is affected by missing authorization (CVSS 5.4).
Missing Authorization vulnerability in merkulove Scroller scroller allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Scroller: from n/a through <= 2.0.2. [CVSS 5.4 MEDIUM]
Missing Authorization vulnerability in merkulove Audier For Elementor audier-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Audier For Elementor: from n/a through <= 1.0.9. [CVSS 5.4 MEDIUM]
Pool Services WordPress plugin has a Server-Side Request Forgery vulnerability allowing attackers to make the server perform arbitrary HTTP requests to internal and external targets.
SmartDataSoft Electrician - Electrical Service WordPress electrician is affected by server-side request forgery (ssrf) (CVSS 5.4).
Mikado-Themes Verdure verdure is affected by authorization bypass through user-controlled key (CVSS 5.4).
Elated-Themes Sweet Jane sweetjane is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Holmes holmes is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Fleur fleur is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Fiorello fiorello is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Curly curly is affected by authorization bypass through user-controlled key (CVSS 5.4).
Mikado-Themes Cocco cocco is affected by authorization bypass through user-controlled key (CVSS 5.4).
Leap13 Premium Addons for Elementor premium-addons-for-elementor is affected by missing authorization (CVSS 5.4).
Missing Authorization vulnerability in merkulove Uper for Elementor uper-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Uper for Elementor: from n/a through <= 1.0.5. [CVSS 5.4 MEDIUM]
ThemeGoods PhotoMe versions below 5.7.2 contain a server-side request forgery vulnerability that allows unauthenticated attackers to perform arbitrary HTTP requests on behalf of the affected server. The vulnerability requires user interaction to exploit and can lead to information disclosure or unintended modifications on the target system. No patch is currently available.
Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by cross-site request forgery (csrf) (CVSS 5.4).
The Merge + Minify + Refresh WordPress plugin through version 2.14 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. An attacker can craft malicious requests to trick site administrators into executing unintended operations, potentially compromising website functionality or configuration. No patch is currently available for this vulnerability.