Azure Data Explorer exposes sensitive information to unauthenticated remote attackers through a network-accessible vulnerability requiring only user interaction. An attacker can retrieve confidential data without authorization, potentially compromising customer information stored in affected Azure deployments. No patch is currently available for this high-severity vulnerability.
Information disclosure in Microsoft 365 Word Copilot enables unauthenticated attackers to extract sensitive data through improper handling of escape and control sequences in network communications. The vulnerability requires user interaction to trigger and affects the Copilot AI/ML service with a CVSS score of 7.4. No patch is currently available.
GitLab CE/EE versions 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 are vulnerable to two-factor authentication bypass when an attacker has knowledge of a victim's credential ID and can forge device responses. This allows an unauthenticated attacker to circumvent 2FA protections and gain unauthorized access to accounts. No patch is currently available.
Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. [CVSS 7.2 HIGH]
Missing Authorization vulnerability in e-plugins WP Membership wp-membership allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Membership: from n/a through <= 1.6.4. [CVSS 7.3 HIGH]
Missing Authorization vulnerability in e-plugins Real Estate Pro real-estate-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Real Estate Pro: from n/a through <= 2.1.5. [CVSS 7.3 HIGH]
Missing Authorization vulnerability in e-plugins ListingHub listinghub allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ListingHub: from n/a through <= 1.2.7. [CVSS 7.3 HIGH]
Missing Authorization vulnerability in e-plugins Listihub listihub allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Listihub: from n/a through <= 1.0.6. [CVSS 7.3 HIGH]
Missing Authorization vulnerability in e-plugins fitness-trainer fitness-trainer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects fitness-trainer: from n/a through <= 1.7.1. [CVSS 7.3 HIGH]
Missing Authorization vulnerability in e-plugins Final User final-user allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Final User: from n/a through <= 1.2.5. [CVSS 7.3 HIGH]
e-plugins Hospital Doctor Directory hospital-doctor-directory is affected by missing authorization (CVSS 7.3).
Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hotel Listing: from n/a through <= 1.4.2. [CVSS 7.3 HIGH]
e-plugins Institutions Directory institutions-directory is affected by missing authorization (CVSS 7.3).
Missing Authorization vulnerability in e-plugins Lawyer Directory lawyer-directory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Lawyer Directory: from n/a through <= 1.3.4. [CVSS 7.3 HIGH]
Incorrect Privilege Assignment vulnerability in Themefic Hydra Booking hydra-booking allows Privilege Escalation.This issue affects Hydra Booking: from n/a through <= 1.1.32. [CVSS 7.3 HIGH]
This vulnerability occurs when the system permits multiple simultaneous connections to the backend using the same charging station ID. This can result in unauthorized access, data inconsistency, or potential manipulation of charging sessions. [CVSS 7.3 HIGH]
Unauthenticated attackers can execute arbitrary OS commands on AP180 series devices running firmware versions before AP_RGOS 11.9(4)B1P8 through a command injection vulnerability. This allows complete system compromise including data theft, modification, and availability disruption. No patch is currently available.
WP Messiah Frontis Blocks frontis-blocks is affected by server-side request forgery (ssrf) (CVSS 7.2).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Magazine grandmagazine allows Reflected XSS.This issue affects Grand Magazine: from n/a through <= 3.5.7. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hossni Mubarak JobWP jobwp allows Stored XSS.This issue affects JobWP: from n/a through <= 2.4.5. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Boopathi Rajan WP Test Email wp-test-email allows Reflected XSS.This issue affects WP Test Email: from n/a through <= 1.1.7. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Hotel Listing hotel-listing allows Reflected XSS.This issue affects Hotel Listing: from n/a through <= 1.4.0. [CVSS 7.1 HIGH]
highwarden Super Logos Showcase superlogoshowcase-wp is affected by cross-site scripting (xss) (CVSS 7.1).
LambertGroup Universal Video Player universal-video-player is affected by cross-site scripting (xss) (CVSS 7.1).
CridioStudio ListingPro Reviews listingpro-reviews is affected by cross-site scripting (xss) (CVSS 7.1).
LambertGroup Universal Video Player universal-video-player is affected by cross-site scripting (xss) (CVSS 7.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes KenthaRadio qt-kentharadio allows Reflected XSS.This issue affects KenthaRadio: from n/a through <= 2.2.0. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews - Video jnews-video allows Reflected XSS.This issue affects JNews - Video: from n/a through <= 11.0.2. [CVSS 7.1 HIGH]
jegtheme JNews - Frontend Submit jnews-frontend-submit is affected by cross-site scripting (xss) (CVSS 7.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shoutoutglobal ShoutOut shoutout allows Reflected XSS.This issue affects ShoutOut: from n/a through <= 4.0.2. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arevico WP Simple Redirect wp-simple-redirect allows Reflected XSS.This issue affects WP Simple Redirect: from n/a through <= 1.1. [CVSS 7.1 HIGH]
extremeidea bidorbuy Store Integrator bidorbuystoreintegrator is affected by cross-site scripting (xss) (CVSS 7.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in noCreativity Dooodl dooodl allows Reflected XSS.This issue affects Dooodl: from n/a through <= 2.3.0. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in woofer696 Dinatur dinatur allows Stored XSS.This issue affects Dinatur: from n/a through <= 1.18. [CVSS 7.1 HIGH]
Stored cross-site scripting in Infility Global WordPress plugin through version 2.14.50 allows remote attackers to inject malicious scripts that execute in victim browsers. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) indicates unauthenticated attackers can exploit this remotely with low complexity, requiring only victim interaction. EPSS score of 0.04% (12th percentile) suggests low probability of mass exploitation. Patchstack vulnerability database confirms this as a stored XSS vulnerability, meaning injected scripts persist and affect multiple users who view the compromised content.
agmorpheus Syntax Highlighter Compress syntax-highlighter-compress is affected by cross-site scripting (xss) (CVSS 7.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Casey Bisson wpCAS wpcas allows Reflected XSS.This issue affects wpCAS: from n/a through <= 1.07. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Frank Corso Quote Master quote-master allows Reflected XSS.This issue affects Quote Master: from n/a through <= 7.1.1. [CVSS 7.1 HIGH]
Remi Corson Easy Theme Options easy-theme-options is affected by cross-site scripting (xss) (CVSS 7.1).
expresstechsoftware MemberPress Discord Addon expresstechsoftwares-memberpress-discord-add-on is affected by cross-site scripting (xss) (CVSS 7.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in matiskiba Ravpage ravpage allows Reflected XSS.This issue affects Ravpage: from n/a through <= 2.33. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Craft craftcoffee allows DOM-Based XSS.This issue affects Craft: from n/a through <= 2.3.6. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods DotLife dotlife allows Reflected XSS.This issue affects DotLife: from n/a through < 4.9.5. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Hoteller hoteller allows Reflected XSS.This issue affects Hoteller: from n/a through < 6.8.9. [CVSS 7.1 HIGH]
codisto Omnichannel for WooCommerce codistoconnect is affected by cross-site scripting (xss) (CVSS 7.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dmytro Shteflyuk CodeColorer codecolorer allows Stored XSS.This issue affects CodeColorer: from n/a through <= 0.10.1. [CVSS 7.1 HIGH]
GLS GLS Shipping for WooCommerce gls-shipping-for-woocommerce is affected by cross-site scripting (xss) (CVSS 7.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in netgsm Netgsm netgsm allows Reflected XSS.This issue affects Netgsm: from n/a through <= 2.9.63. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mndpsingh287 WP Mail wp-mail allows Reflected XSS.This issue affects WP Mail: from n/a through <= 1.3. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kapil Chugh My Post Order my-posts-order allows Reflected XSS.This issue affects My Post Order: from n/a through <= 1.2.1.1. [CVSS 7.1 HIGH]