Stored XSS in YayMail plugin for WordPress (versions up to 4.3.2) allows authenticated Shop Manager-level users to inject malicious scripts through inadequately sanitized settings, affecting multi-site installations or those with disabled unfiltered_html. Attackers can execute arbitrary JavaScript in pages viewed by other users, though exploitation requires elevated privileges and specific WordPress configurations. No patch is currently available.
Jenkins versions 2.550 and earlier fail to properly validate Run Parameter access controls, allowing authenticated users with Item/Build and Item/Configure permissions to enumerate sensitive information about jobs, builds, and their display names they should not have access to. This information disclosure vulnerability affects Jenkins LTS 2.541.1 and earlier, with no patch currently available. Attackers can exploit this to gather intelligence about build infrastructure by referencing builds outside their authorized scope.
Client-side denial-of-service in Splunk Enterprise and Splunk Cloud Platform allows low-privileged users to inject malicious payloads through user profile parameters in the authentication REST API endpoint, causing significant page load delays or temporary unresponsiveness of the Splunk Web interface. Affected versions include Splunk Enterprise below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12, and Splunk Cloud Platform below 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, and 9.3.2411.121. No patch is currently available for this vulnerability.
Improper access control in Splunk Enterprise versions below 9.3.9, 9.4.8, and 10.0.2 allows low-privileged users without admin roles to access the Monitoring Console App endpoints, enabling unauthorized disclosure of sensitive information. The vulnerability affects only on-premises Splunk Enterprise deployments and does not impact Splunk Cloud Platform instances. No patch is currently available.
The Order Splitter for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wos_troubleshooting' AJAX endpoint in all versions up to, and including, 5.3.5. [CVSS 4.3 MEDIUM]
The Gutenberg Blocks with AI by Kadence WP plugin for WordPress fails to properly validate the upload_files capability in its AJAX image import function, allowing authenticated contributors to upload arbitrary images to the Media Library despite lacking file upload permissions. This authorization bypass affects all versions up to 3.6.1 and requires only basic user authentication with no user interaction. An attacker with contributor-level access can exploit this to upload malicious image files that could be leveraged for further attacks.
Insufficient input validation in the Gutenberg Blocks with AI by Kadence WP plugin allows authenticated contributors and above to perform server-side request forgery against GetResponse API endpoints, potentially exposing sensitive data like contacts and campaigns stored on the site. The vulnerability stems from overly permissive access controls that grant the dangerous `endpoint` parameter manipulation to users with only Contributor-level privileges instead of requiring administrator access. Attackers can also extract the site's stored GetResponse API credentials from request headers during exploitation.
Authenticated attackers with Subscriber-level or higher access to WordPress sites running PDF Invoices & Packing Slips for WooCommerce through version 5.6.0 can modify Peppol/EDI endpoint identifiers for arbitrary orders due to missing authorization checks in the plugin's AJAX handler. This allows attackers to redirect invoices to different endpoints, potentially disrupting payment processing and exposing sensitive customer data. No patch is currently available.
The EmailKit - Email Customizer for WooCommerce & WP plugin through version 1.6.2 fails to properly validate user permissions on the template update function, allowing any authenticated user with Subscriber-level access or higher to modify post titles across the WordPress site. This capability check bypass affects all post types including standard posts, pages, and custom post types, enabling unauthorized content manipulation by low-privileged attackers. No patch is currently available.
The Plus Addons for Elementor plugin for WordPress fails to validate post-type-specific permissions in its AJAX handler, allowing authenticated authors and above to create draft posts for restricted post types like pages and custom post types. An attacker with author-level access can bypass capability checks by directly specifying arbitrary post types, potentially enabling unauthorized content creation or manipulation of restricted content areas.
Frontend User Notes (WordPress plugin) versions up to 2.1.0 is affected by authorization bypass through user-controlled key (CVSS 4.3).
The Taskbuilder WordPress plugin through version 5.0.2 fails to properly authorize AJAX comment submission functions, allowing authenticated subscribers to post comments on any project or task regardless of access permissions. Attackers can exploit this to comment on private projects they cannot view and inject malicious HTML/CSS through unsanitized input parameters.
The Tickera - Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_change_ticket_status' AJAX endpoint in all versions up to, and including, 3.5.6.4. [CVSS 4.3 MEDIUM]
The Booking Calendar plugin for WordPress through version 10.14.14 contains an insecure direct object reference in the handle_ajax_save function that fails to validate user-controlled input, allowing authenticated subscribers and above with booking permissions to modify other users' plugin settings and disrupt their booking calendar functionality. This vulnerability requires valid WordPress credentials but poses a direct threat to multi-user WordPress installations where booking functionality is delegated across accounts.
The WP Plugin Info Card plugin for WordPress versions up to 6.2.0 contains a cross-site request forgery vulnerability in its AJAX handler due to disabled nonce validation, allowing unauthenticated attackers to create or modify custom plugin entries if a site administrator can be tricked into clicking a malicious link. An attacker could leverage this to inject arbitrary plugin configurations that could be used for further compromise of the WordPress installation. No patch is currently available.
Keybase.io Verification (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
Authenticated users can modify WordPress posts in the EventPrime plugin (versions up to 4.2.8.4) due to missing authorization validation in the event submission function, allowing customer-level attackers to alter administrator-created events by manipulating post identifiers if they possess a valid nonce. The vulnerability requires user authentication and does not enable unauthorized access but permits unauthorized modification of existing content.
Unauthenticated attackers can delete all pending comments in WordPress sites running the Dam Spam plugin up to version 1.0.8 by exploiting missing CSRF protections, requiring only that an administrator be tricked into clicking a malicious link. An attacker with this capability can disrupt comment moderation workflows and potentially suppress legitimate user feedback. No patch is currently available for this vulnerability.
The Kali Forms WordPress plugin through version 2.4.8 allows authenticated contributors and higher-privileged users to read sensitive form data of other users via insecure direct object reference on the REST API, exposing form configurations, reCAPTCHA keys, email templates, and server paths. The vulnerability stems from insufficient permission validation that only checks for the generic `edit_posts` capability rather than verifying ownership of specific form resources. Attackers can exploit this through form ID enumeration without requiring any interaction or elevated privileges beyond basic authenticated access.
Cross-site scripting in REST Management Interface in Payara Server <4.1.2.191.54, <5.83.0, <6.34.0, <7.2026.1 allows an attacker to mislead the administrator to change the admin password via URL Payload.
The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling vulnerability in the security token comparison which uses loose comparison (==) instead of strict comparison (===). This makes it possible for unauthenticated attackers to bypass authentication using "magic hash" values when the expected MD5 hash prefix happens to be numeric-looking (matching pa...
In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.5, 9.3.7, and 9.2.9, and Splunk Cloud Platform versions below 10.1.2507.0, 10.0.2503.9, 9.3.2411.112, and 9.3.2408.122, a low-privileged user who does not hold the "admin" or "power" Splunk roles could bypass the SPL safeguards for risky commands when they create a Data Model that contains an injected SPL query within an object. [CVSS 3.5 LOW]
Ffmpeg contains a vulnerability that allows attackers to a double-free condition, potentially causing FFmpeg or any application using it (CVSS 3.3).
A flaw was found in QEMU in the uefi-vars virtual device. When the guest writes to register UEFI_VARS_REG_BUFFER_SIZE, the .write callback `uefi_vars_write` is invoked. [CVSS 3.3 LOW]
The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'download_path' configuration parameter. [CVSS 2.7 LOW]
YayMail - WooCommerce Email Customizer (WordPress plugin) is affected by missing authorization (CVSS 2.7).
Unrestricted file upload in huanzi-qch base-admin's JSP file upload function allows authenticated remote attackers to upload arbitrary files by manipulating the File parameter, potentially leading to code execution. The vulnerability affects the SysFileController component and has public exploit code available. No patch is currently available from the developers.
SQL injection in Alixhan xh-admin-backend versions up to 1.7.0 allows authenticated attackers to manipulate the prop parameter in the /frontend-api/system-service/api/system/role/query endpoint and execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or responded to disclosure efforts. Affected organizations running vulnerable versions should immediately restrict access to this endpoint or upgrade if available.
Cross-site request forgery (CSRF) in newbee-mall affects multiple endpoints, allowing unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users. Public exploit code exists for this vulnerability. No patch is currently available, and the project maintainers have not responded to the early disclosure notification.
Improper authorization in GoogTech sms-ssm's LoginInterceptor API interface allows remote authenticated attackers to bypass access controls and manipulate protected functions. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available, requiring organizations to implement compensating controls or restrict access to the affected API endpoints.
A security vulnerability has been detected in ggreer the_silver_searcher versions up to 2.2.0. is affected by improper resource shutdown or release (CVSS 3.3).
Deserialization of Untrusted Data vulnerability in OpenText™ Directory Services allows Object Injection. The vulnerability could lead to remote code execution, denial of service, or privilege escalation.
Path traversal vulnerability in the AMR Printer Management 1.01 Beta web service, which allows remote attackers to read arbitrary files from the underlying Windows system by using specially crafted path traversal sequences in requests directed to the web management service.
Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access.
When hours are entered in time@work, version 7.0.5, it performs a query to display the projects assigned to the user. If the query URL is copied and opened in a new browser window, the ‘IDClient’ parameter is vulnerable to a blind authenticated SQL injection.
Improper Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in Delinea Inc. Cloud Suite and Privileged Access Service.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Delinea Inc. Cloud Suite and Privileged Access Service.
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.