Arbitrary file upload in midi-Synth WordPress plugin via 'export' AJAX action.
Privilege escalation in Truelysell Core WordPress plugin <= 1.8.7. Insufficient role validation allows elevation.
In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix use-after-free in iscsit_dec_session_usage_count() In iscsit_dec_session_usage_count(), the function calls complete() while holding the sess->session_usage_lock.
The Linux kernel's t7xx WWAN driver fails to validate the number of page fragments added to network socket buffers during packet reception, allowing excessive fragmentation to overflow the skb_shinfo(skb)->frags[] array and corrupt kernel memory. A local attacker with low privileges could trigger this vulnerability through malicious modem firmware or crafted network packets, potentially causing kernel crashes or undefined behavior. No patch is currently available for this medium-severity issue.
Privilege escalation in the Magic Login Mail or QR Code WordPress plugin (versions up to 2.05) allows unauthenticated attackers to hijack any user account, including administrator accounts, by exploiting a race condition in QR code file handling. The plugin creates QR code login images with predictable filenames in the public uploads directory and fails to delete them immediately after email transmission, enabling attackers to intercept the encoded login URLs. An attacker can trigger login requests for arbitrary users and extract valid authentication tokens during the window before file cleanup occurs.
Local privilege escalation in the Linux kernel macvlan driver allows a local attacker with user privileges to cause memory corruption and kernel crashes through improper error handling in macvlan_common_newlink(). The vulnerability stems from a use-after-free condition when macvlan link creation fails during device registration, enabling denial of service and potential privilege escalation on affected systems.
A buffer overflow in the Linux kernel's ALSA USB audio driver allows local attackers with user privileges to write beyond allocated URB buffers by crafting malicious audio parameters with mismatched packet sizes and frame counts. An attacker can trigger out-of-bounds memory corruption, potentially achieving privilege escalation or denial of service. No patch is currently available for this vulnerability.
In the Linux kernel, the following vulnerability has been resolved: KVM: Don't clobber irqfd routing type when deassigning irqfd When deassigning a KVM_IRQFD, don't clobber the irqfd's copy of the IRQ's routing entry as doing so breaks kvm_arch_irq_bypass_del_producer() on x86 and arm64, which explicitly look for KVM_IRQ_ROUTING_MSI.
In the Linux kernel, the following vulnerability has been resolved: linkwatch: use __dev_put() in callers to prevent UAF After linkwatch_do_dev() calls __dev_put() to release the linkwatch reference, the device refcount may drop to 1.
The Linux kernel iwlwifi driver fails to properly cancel the mlo_scan_start_wk work queue item during disconnection, allowing it to execute after associated data structures are freed or modified. A local attacker with standard user privileges can trigger use-after-free or initialization-after-free memory corruption by manipulating interface state transitions, potentially leading to denial of service or privilege escalation. No patch is currently available.
A use-after-free vulnerability in the Linux kernel's binder subsystem allows local attackers with low privileges to cause memory corruption by accessing transaction objects after they have been freed during frozen target thawing. The flaw exists in binder_netlink_report() which dereferences a transaction pointer following a BR_TRANSACTION_PENDING_FROZEN error, potentially enabling denial of service or local privilege escalation. No patch is currently available.
In the Linux kernel, the following vulnerability has been resolved: HID: i2c-hid: fix potential buffer overflow in i2c_hid_get_report() `i2c_hid_xfer` is used to read `recv_len + sizeof(__le16)` bytes of data into `ihid->rawbuf`.
The Linux kernel bonding driver contains a use-after-free vulnerability in the slave device initialization path that allows local attackers with user privileges to cause memory corruption or denial of service. The flaw occurs when slave array updates happen before XDP setup completion, enabling the new slave to be used for transmission before being freed by error cleanup handlers. This affects Debian, Ubuntu, and other Linux distributions running vulnerable kernel versions.
A double-free vulnerability in the Linux kernel's xe/nvm driver allows local users with low privileges to cause a denial of service or potential code execution through improper memory management during auxiliary device initialization failures. The flaw occurs when auxiliary_device_add() fails and triggers both the release callback and an additional kfree() operation on the same memory region. This affects Linux systems with the xe driver, and no patch is currently available.
The Linux kernel's efivarfs implementation fails to propagate errors from __efivar_entry_get(), causing the efivar_entry_get() function to mask failures and return success regardless of the underlying operation's result. This error handling flaw enables uninitialized heap memory to be copied to userspace through the efivarfs_file_read() path, potentially exposing sensitive kernel data to local users with read access to efivarfs. No patch is currently available for this high-severity vulnerability affecting the Linux kernel.
The Linux kernel's ALSA loopback driver contains a use-after-free vulnerability in the PCM trigger callback due to inadequate locking when accessing shared cable state during concurrent stream operations. A local attacker with minimal privileges can trigger this flaw by rapidly opening, closing, and triggering PCM streams, potentially causing kernel crashes or memory corruption. No patch is currently available for this vulnerability.
A use-after-free vulnerability in the Linux kernel's gpio-virtuser configfs release path allows local users with standard privileges to trigger memory corruption and potentially achieve code execution by causing mutex operations on freed memory. The flaw exists because the device structure is freed while a mutex guard scope is still active, leading to undefined behavior when the guard attempts to unlock the already-destroyed mutex. This vulnerability affects Linux systems with the affected kernel versions and requires local access to exploit.
A race condition in the Linux kernel's MPTCP address management function allows local attackers with user-level privileges to cause a denial of service through kernel crashes via improper list manipulation without RCU synchronization. The vulnerability exists in mptcp_pm_nl_flush_addrs_doit() where list_splice_init() is called while holding a spinlock, creating unsafe concurrent access conditions. Currently, no patch is available for this medium-severity vulnerability.
Arbitrary PHP code execution in the Flexi Product Slider and Grid for WooCommerce WordPress plugin through version 1.0.5 allows authenticated contributors to exploit unsanitized file path parameters in the flexipsg_carousel shortcode to include and execute arbitrary files on the server. The vulnerability requires an attacker with Contributor-level access or above to create posts containing malicious shortcodes, but carries high risk due to lack of input validation on the theme parameter enabling local file inclusion attacks. No patch is currently available for this vulnerability.
Unauthenticated attackers can exploit SQL injection in the PhotoStack Gallery plugin for WordPress (versions up to 0.4.1) through the unescaped 'postid' parameter to extract sensitive database information. The vulnerability stems from insufficient input validation and unprepared SQL queries, allowing attackers to inject arbitrary SQL commands without authentication. With no patch currently available, all WordPress installations using this plugin are at risk of data exposure.
Unauthenticated attackers can forge IPN payment notifications in the BlueSnap Payment Gateway for WooCommerce plugin by spoofing whitelisted IP addresses through header manipulation, allowing them to arbitrarily modify order statuses without authorization. The vulnerability stems from improper IP validation in all versions up to 3.3.0, affecting WordPress installations with this payment plugin active. No patch is currently available.
The Linux kernel netfilter connection tracking module fails to properly manage garbage collection timing, allowing an attacker with local access to bypass cleanup operations and cause unbounded memory consumption on affected systems. By maintaining a sufficiently high packet rate, an attacker can prevent the garbage collector from executing, causing the connection tracking list to grow indefinitely and potentially lead to denial of service. No patch is currently available for this vulnerability.
The Linux kernel's libceph library fails to reset sparse-read state machine tracking during OSD connection failures, causing the client to misinterpret new replies as continuations of previous ones. This can lead to the sparse-read machinery entering an unrecoverable failure state, resulting in denial of service through infinite error loops. Local attackers or systems experiencing network faults could exploit this to crash or hang OSD client operations.
A race condition in the Linux kernel's NVMe target bio completion handler can cause a NULL pointer dereference when a bio is re-submitted while simultaneously being deinitialized, leading to denial of service on systems running affected kernel versions. Local attackers with access to NVMe target functionality can trigger this race to crash the kernel. A patch is not currently available.
A race condition in Linux kernel shmem swap entry handling allows local attackers with user privileges to cause denial of service through memory corruption when swap entries are truncated concurrently with other operations. The vulnerability stems from an unprotected order lookup that can become stale before the actual swap entry removal, potentially causing truncation to erase data beyond intended boundaries. No patch is currently available.
Reflected XSS in the Super Simple Contact Form WordPress plugin through version 1.6.2 allows unauthenticated attackers to inject malicious scripts via the 'sscf_name' parameter due to inadequate input sanitization. An attacker can exploit this by tricking users into clicking a crafted link, causing arbitrary JavaScript to execute in their browsers and potentially leading to session hijacking or credential theft. No patch is currently available.
Stored cross-site scripting in Super Page Cache for WordPress (versions up to 5.2.2) allows unauthenticated attackers to inject malicious scripts through the Activity Log due to inadequate input sanitization. The injected scripts execute in the browsers of any user viewing affected pages, enabling session hijacking, credential theft, or malware distribution. No patch is currently available.
In the Linux kernel, the following vulnerability has been resolved: netfs: Fix early read unlock of page with EOF in middle The read result collection for buffered reads seems to run ahead of the completion of subrequests under some circumstances, as can be seen in the following log snippet: 9p_client_res: client 18446612686390831168 response P9_TREAD tag 0 err 0 ...
The Linux kernel's u32 traffic classifier fails to properly validate negative offset values in skb_header_pointer(), allowing local attackers with low privileges to trigger out-of-bounds memory reads and cause denial of service. This vulnerability affects the network scheduling subsystem and requires local access to exploit, with no currently available patch.
In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: add bounds check for if_id in IRQ handler The IRQ handler extracts if_id from the upper 16 bits of the hardware status register and uses it to index into ethsw->ports[] without validation.
In the Linux kernel, the following vulnerability has been resolved: cgroup/dmem: avoid pool UAF An UAF issue was observed: BUG: KASAN: slab-use-after-free in page_counter_uncharge+0x65/0x150 Write of size 8 at addr ffff888106715440 by task insmod/527 CPU: 4 UID: 0 PID: 527 Comm: insmod 6.19.0-rc7-next-20260129+ #11 Tainted: [O]=OOT_MODULE Call Trace: <TASK> dump_stack_lvl+0x82/0xd0 kasan_report+0xca/0x100 kasan_check_range+0x39/0x1c0 page_counter_uncharge+0x65/0x150 dmem_cgroup_uncharge+0x1f/0x260 Allocated by task 527: Freed by task 0: The buggy address belongs to the object at ffff888106715400 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 64 bytes inside of freed 512-byte region [ffff888106715400, ffff888106715600) The buggy address belongs to the physical page: Memory state around the buggy address: ffff888106715300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888106715380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888106715400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888106715480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888106715500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb The issue occurs because a pool can still be held by a caller after its associated memory region is unregistered.
In the Linux kernel, the following vulnerability has been resolved: net: cpsw: Execute ndo_set_rx_mode callback in a work queue Commit 1767bb2d47b7 ("ipv6: mcast: Don't hold RTNL for IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP.") removed the RTNL lock for IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP operations.
In the Linux kernel, the following vulnerability has been resolved: dmaengine: mmp_pdma: Fix race condition in mmp_pdma_residue() Add proper locking in mmp_pdma_residue() to prevent use-after-free when accessing descriptor list and descriptor contents.
In the Linux kernel, the following vulnerability has been resolved: riscv: Sanitize syscall table indexing under speculation The syscall number is a user-controlled value used to index into the syscall table.
Stored XSS in WordPress Press3D plugin (versions up to 1.0.2) allows authenticated authors to inject malicious JavaScript through unsanitized URL schemes in 3D model blocks, executing arbitrary scripts when users interact with affected content. The vulnerability requires author-level access or higher and impacts all installations of the vulnerable plugin versions without available patches.
Chatbot for WordPress by Collect.chat (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Stored XSS in the Ravelry Designs Widget WordPress plugin through version 1.0.0 allows authenticated contributors to inject malicious scripts into page shortcodes due to inadequate input sanitization. When site visitors access affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. An active patch is not currently available.
Stored cross-site scripting in the ZoomifyWP Free WordPress plugin through version 1.1 allows authenticated contributors and higher to inject malicious scripts via the filename parameter in the zoomify shortcode due to inadequate input sanitization. When other users visit pages containing the injected code, the scripts execute in their browsers, potentially compromising their sessions or data. No patch is currently available for this vulnerability.
Stored XSS in the Best-wp-google-map WordPress plugin through versions 2.1 allows authenticated contributors and above to inject malicious scripts via insufficiently sanitized latitude and longitude shortcode parameters. When other users view pages containing the injected shortcode, the attacker's scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available.
The myCred WordPress plugin through version 2.9.7.3 contains a stored cross-site scripting vulnerability in the 'mycred_load_coupon' shortcode that allows authenticated contributors and above to inject malicious scripts into pages through inadequately sanitized shortcode attributes. When site visitors access pages containing the injected payload, the attacker's script executes in their browsers, potentially compromising user sessions and sensitive data. No patch is currently available for this vulnerability.
Stored XSS in the Percent to Infograph WordPress plugin (versions up to 1.0) allows authenticated users with contributor-level or higher privileges to inject malicious scripts through the percent_to_graph shortcode due to inadequate input sanitization. When pages containing the injected payload are accessed by other users, the malicious scripts execute in their browsers, potentially compromising site security and user data.
Stored cross-site scripting in the Simple Plyr WordPress plugin through version 0.0.1 allows authenticated users with Contributor access or higher to inject malicious scripts via the 'poster' parameter in the plyr shortcode due to inadequate input validation. When victims visit pages containing the injected payload, the attacker's scripts execute in their browsers, enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.
Stored cross-site scripting in the UpMenu WordPress plugin through version 3.1 allows authenticated contributors and above to inject malicious scripts via the 'lang' shortcode attribute due to inadequate input sanitization and output escaping. When victims visit affected pages, the injected scripts execute in their browsers, potentially compromising site security and user data. No patch is currently available.
Stored cross-site scripting in WordPress Sphere Manager plugin through version 1.0.2 allows authenticated users with Contributor privileges or higher to inject malicious scripts via the 'width' parameter in shortcodes due to improper input sanitization. Injected scripts execute in the browsers of any user viewing the affected page, potentially compromising site visitors. No patch is currently available.
Authenticated attackers with Contributor access or higher can inject malicious scripts into WordPress pages via the QuestionPro Surveys plugin's 'questionpro' shortcode, exploiting inadequate input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, enabling session hijacking, credential theft, or malware distribution. No patch is currently available for versions up to 1.0.
Stored XSS in the Payment Page | Payment Form for Stripe WordPress plugin (versions up to 1.4.6) allows authenticated users with Author-level permissions or higher to inject malicious scripts through the 'pricing_plan_select_text_font_family' parameter due to insufficient input sanitization. The injected scripts execute in the browsers of any user viewing the affected pages, potentially enabling session hijacking, credential theft, or malware distribution. No patch is currently available for this vulnerability.
Stored cross-site scripting in MasterStudy LMS WordPress Plugin versions up to 3.7.11 allows authenticated contributors and above to inject malicious scripts through the 'stm_lms_courses_grid_display' shortcode due to insufficient input sanitization and output escaping. When users access pages containing the injected payload, the arbitrary scripts execute in their browsers, potentially compromising sessions or stealing sensitive data. No patch is currently available.
Stored XSS in WordPress WP Data Access plugin versions up to 5.5.63 allows authenticated contributors and higher to inject malicious scripts into pages via the 'wpda_app' shortcode due to inadequate input sanitization. The injected scripts execute in the browsers of users viewing the affected pages, enabling session hijacking, credential theft, or malware distribution. No patch is currently available.
Stored XSS in the Citations tools WordPress plugin (versions up to 0.3.2) allows authenticated contributors and above to inject malicious scripts through insufficiently sanitized shortcode parameters, which execute in the browsers of users viewing affected pages. The vulnerability requires authentication but affects all site visitors who access pages containing the injected code. No patch is currently available.
Simple Wp colorfull Accordion (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).