Improper iframe sanitization in SPIP before 4.4.8 enables stored cross-site scripting attacks within the private administrative area, allowing attackers to execute arbitrary JavaScript in the context of backend users. An unauthenticated attacker can inject malicious iframe tags that bypass the application's security filters and execute in victims' browsers when they access the affected area. No patch is currently available and the built-in SPIP security screen does not mitigate this vulnerability.
SPIP before 4.3.6, 4.2.17, and 4.1.20 allows Cross-Site Scripting (XSS) in the private area. The content of the error message displayed by the 'transmettre' API is not properly sanitized, allowing an attacker to inject malicious scripts. [CVSS 6.1 MEDIUM]
Spip versions up to 4.4.5 is affected by url redirection to untrusted site (open redirect) (CVSS 6.1).
Trivy Action versions 0.31.0 through 0.33.1 allow remote code execution on GitHub Actions runners due to insufficient input sanitization when constructing shell environment variable exports. An attacker with repository access can inject shell metacharacters through action inputs to achieve arbitrary command execution in the runner context. The vulnerability requires high privileges to exploit and is addressed in version 0.34.0.
Stored XSS in 10Web Photo Gallery through version 1.8.37 enables authenticated users with high privileges to inject malicious scripts that execute in victims' browsers when they view affected pages. The vulnerability requires user interaction to trigger but can compromise confidentiality, integrity, and availability across different security contexts. No patch is currently available.
Stored XSS in FooGallery through version 3.1.11 allows authenticated users with high privileges to inject malicious scripts that execute in other users' browsers when viewing gallery content. An attacker with administrative or elevated access could leverage this vulnerability to steal session tokens, modify gallery data, or redirect users to malicious sites. A patch is not currently available for affected installations.
DOM-based cross-site scripting in VeronaLabs WP SMS plugin version 7.1 and earlier for WordPress allows authenticated attackers with high privileges to execute arbitrary JavaScript in users' browsers through improper input handling. An attacker could exploit this vulnerability to steal session cookies, perform unauthorized actions on behalf of users, or deface web pages. No patch is currently available for this vulnerability.
Stored XSS in HurryTimer through version 2.14.2 enables authenticated attackers with high privileges to inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. The vulnerability requires user interaction to trigger but can affect multiple users due to its persistent nature. No patch is currently available.
CreativeMindsSolutions CM Business Directory cm-business-directory is affected by cross-site scripting (xss) (CVSS 4.8).
KaizenCoders URL Shortify versions up to 1.12.3 contain a server-side request forgery vulnerability that allows high-privileged attackers to make arbitrary HTTP requests from the affected server without user interaction. An authenticated attacker could exploit this flaw to access internal resources, interact with backend services, or perform reconnaissance on the internal network. No patch is currently available for this vulnerability.
Pi-hole Admin Interface versions 6.4 and below allow authenticated administrators to inject stored HTML code through improperly sanitized DNS record inputs, enabling persistent attacks visible to any user viewing the DNS records table. The vulnerability exists in the populateDataTable() function which fails to escape special characters in user-supplied data before inserting it into HTML attributes. An attacker with admin privileges can inject malicious code that executes each time the DNS records page is accessed.
Cross-site scripting in Indico prior to version 3.3.10 allows authenticated users to inject malicious scripts through material file uploads, potentially compromising other users' sessions or stealing sensitive data. The vulnerability affects Indico deployments using Flask-Multipass authentication and requires both user interaction and authenticated access to exploit. A patch is available, and administrators should upgrade to version 3.3.10 and update webserver configurations to enforce strict Content Security Policy for file downloads.
Improper access control in designinvento DirectoryPress up to version 3.6.26 allows authenticated users to modify data and cause service disruptions through misconfigured security levels. An attacker with valid credentials can exploit this vulnerability to manipulate application integrity and availability without requiring user interaction. No patch is currently available for this medium-severity vulnerability.
AA-Team WZone through version 14.0.31 contains a missing authorization vulnerability that allows authenticated users to bypass access control restrictions. An attacker with valid credentials could exploit this misconfiguration to modify data or cause service unavailability. No patch is currently available for this issue.
WP Wand AI Content Generation plugin for WordPress versions up to 1.3.07 contains an authorization bypass that allows authenticated users to modify or disable plugin functionality through improper access control enforcement. An attacker with user-level credentials can exploit this vulnerability to cause service disruption or data integrity issues. No patch is currently available.
Inadequate access control in scripteo Ads Pro plugin version 5.0 and earlier enables authenticated attackers to modify data and cause service disruptions through misconfigured security levels. An attacker with valid credentials can exploit this vulnerability to bypass authorization checks and alter plugin functionality without administrative privileges. No patch is currently available.
Improper access control in 10up Autoshare for Twitter through version 2.3.1 enables authenticated users to modify or disable sharing functionality without proper authorization checks. An attacker with limited privileges could exploit this vulnerability to disrupt social media publishing workflows or cause service unavailability for legitimate users. No patch is currently available for this medium-severity vulnerability.
BBR Plugins Better Business Reviews better-business-reviews is affected by missing authorization (CVSS 5.4).
Complete data destruction in WordPress via the News Element Elementor Blog Magazine plugin (versions up to 1.0.8) due to insufficient authorization checks on an AJAX function, allowing authenticated users with Subscriber-level privileges to truncate core database tables and delete the uploads directory. The vulnerability requires user authentication but no additional interaction, making it exploitable by any low-privileged WordPress user with no patch currently available.
GFI MailEssentials AI versions before 22.4 contain a stored XSS vulnerability in the Local Domains settings page that allows authenticated users to inject malicious scripts into the txtDescription parameter, which are then executed when administrators view the management interface. An attacker with valid credentials can exploit this to perform actions as a logged-in administrator or steal sensitive information from the management console. No patch is currently available for this vulnerability.
Stored cross-site scripting in GFI MailEssentials AI before version 22.4 allows authenticated users to inject malicious JavaScript through the Spam Keyword Checking interface, which executes when administrators access the management console. An attacker with valid credentials can exploit this to steal session tokens, modify security policies, or perform actions on behalf of logged-in administrators. No patch is currently available for this vulnerability.
GFI MailEssentials AI prior to version 22.4 is vulnerable to stored cross-site scripting in the Spam Keyword Checking interface, where authenticated users can inject malicious scripts that execute when administrators access the management console. An attacker with valid credentials can leverage this to perform actions on behalf of logged-in users or steal session information, affecting organizations using vulnerable versions of the product.
Stored cross-site scripting in GFI MailEssentials AI before version 22.4 allows authenticated users to inject malicious scripts into the Anti-Spoofing configuration page, which execute when administrators view the management interface. An attacker with valid credentials can exploit the TxtSmtpDesc parameter to compromise other authenticated users through arbitrary JavaScript execution. No patch is currently available for this medium-severity vulnerability.
Stored XSS in GFI MailEssentials AI versions before 22.4 allows authenticated users to inject malicious scripts into the Sender Policy Framework Email Exceptions interface that execute when administrators view the management console. An attacker with valid credentials can inject HTML/JavaScript through the email description parameter, compromising other logged-in users' sessions.
GFI MailEssentials AI before version 22.4 contains a stored cross-site scripting vulnerability in the Sender Policy Framework configuration interface that allows authenticated users to inject malicious scripts into IP description fields. An attacker with valid credentials can execute arbitrary JavaScript in the context of administrators accessing the management interface, potentially compromising administrative sessions. No patch is currently available for this vulnerability.
GFI MailEssentials AI prior to version 22.4 allows authenticated users to inject malicious scripts into the URI DNS Blocklist configuration page, which are stored and executed when administrators access the management interface. An attacker with valid credentials can exploit the unsanitized ctl00$ContentPlaceHolder1$pv1$TXB_URIs parameter to perform actions in the context of logged-in users, such as stealing session tokens or modifying security settings. No patch is currently available for this stored cross-site scripting vulnerability.
Stored cross-site scripting in GFI MailEssentials AI versions before 22.4 allows authenticated users to inject malicious scripts into the IP DNS Blocklist configuration page that execute when administrators access the management interface. An attacker with valid credentials can inject HTML/JavaScript through the IP configuration parameter to compromise other authenticated users' sessions. No patch is currently available for this vulnerability.
GFI MailEssentials AI versions before 22.4 contain a stored cross-site scripting vulnerability in the IP Blocklist management page that allows authenticated users to inject malicious scripts into the IP description field, which are executed when administrators view the management interface. An attacker with valid credentials can exploit this to hijack administrator sessions or perform unauthorized actions with their privileges. Currently, no patch is available and the vulnerability requires user interaction to trigger.
GFI MailEssentials AI versions before 22.4 contain a stored cross-site scripting vulnerability in the POP2Exchange configuration endpoint that allows authenticated users to inject malicious scripts through the POP3 server login field. An attacker with valid credentials can execute arbitrary JavaScript in the context of administrators viewing the management interface, potentially compromising administrative sessions. No patch is currently available for this vulnerability.
GFI MailEssentials AI versions before 22.4 contain a stored cross-site scripting vulnerability in the Perimeter SMTP Servers configuration page that allows authenticated users to inject malicious scripts into the management interface. An attacker with valid credentials can execute arbitrary JavaScript in the context of other logged-in administrators by manipulating the description parameter. No patch is currently available for this vulnerability.
GFI MailEssentials AI prior to version 22.4 contains a stored cross-site scripting vulnerability in the Mail Monitoring rule creation endpoint that allows authenticated users to inject malicious JavaScript through the rule name field. When an administrator views the affected rules in the management interface, the stored script executes in their browser session, potentially enabling session hijacking or unauthorized administrative actions. No patch is currently available for this vulnerability.
GFI MailEssentials AI prior to version 22.4 contains a stored XSS vulnerability in the Anti-Spam Whitelist management interface that allows authenticated users to inject malicious scripts through the description field. An attacker with valid credentials can craft payloads that execute in the browser context of other administrators accessing the management console, potentially compromising administrative sessions. No patch is currently available for this vulnerability.
GFI MailEssentials AI prior to version 22.4 contains a stored cross-site scripting vulnerability in the Advanced Content Filtering rule creation feature that allows authenticated users to inject malicious scripts into rule names, which are later executed in the browsers of administrators viewing the management interface. An attacker with valid credentials can exploit this to perform actions as a logged-in administrator, including potential unauthorized configuration changes or credential theft. No patch is currently available for this vulnerability.
GFI MailEssentials AI versions before 22.4 contain a stored cross-site scripting vulnerability in the Attachment Filtering rule creation feature that allows authenticated users to inject malicious scripts into rule names, which execute when administrators access the management interface. An attacker with valid credentials can exploit this to perform actions on behalf of logged-in administrators or steal sensitive information from the management dashboard. No patch is currently available for this medium-severity vulnerability.
Stored cross-site scripting in GFI MailEssentials AI versions before 22.4 allows authenticated users to inject malicious JavaScript into the Keyword Filtering rule creation interface, which executes when administrators view the management console. An attacker with valid credentials can compromise other users' sessions and perform unauthorized actions within the MailEssentials application. No patch is currently available for this vulnerability.
Stored XSS in SPIP before 4.4.8 allows authenticated users with content-editing privileges to inject malicious scripts through inadequate sanitization in the echapper_html_suspect() function, which then execute in the browsers of other users including administrators. Attackers can exploit this vulnerability to perform unauthorized actions and modify application state within the security context of victim users. No patch is currently available.
SPIP before 4.2.15 allows Cross-Site Scripting (XSS) via crafted content in HTML code tags. The application does not properly verify JavaScript within code tags, allowing an attacker to inject malicious scripts that execute in a victim's browser. [CVSS 5.4 MEDIUM]
Stored XSS in OpenCms v18.0 allows authenticated attackers to inject malicious scripts through the 'text' parameter in blog article creation requests, which execute in other users' browsers when they view the affected content. The vulnerability requires user interaction and results in limited impact to confidentiality and integrity, but currently has no available patch.
ThimPress RealPress versions up to 1.1.0 are vulnerable to cross-site request forgery attacks that could allow attackers to perform unauthorized actions on behalf of authenticated users. An attacker can exploit this vulnerability by tricking users into visiting a malicious webpage, resulting in integrity and availability impacts. No patch is currently available for this vulnerability.
Themes4WP Popularis Extra popularis-extra is affected by cross-site request forgery (csrf) (CVSS 5.4).
Coachify versions 1.1.5 and earlier contain a cross-site request forgery vulnerability that allows unauthenticated attackers to perform unintended actions on behalf of authenticated users through crafted requests. An attacker can leverage this to modify user data or trigger unwanted functionality with user interaction. No patch is currently available for this vulnerability.
PublishPress PublishPress Revisions revisionary is affected by cross-site request forgery (csrf) (CVSS 5.4).
The blst cryptographic library is vulnerable to an out-of-bounds stack write in the blst_sha256_bcopy routine when processing zero-length salt parameters in key generation functions, allowing remote attackers to trigger memory corruption and process crashes. Applications that expose blst_keygen_v5() or similar functions to untrusted input are susceptible to denial-of-service attacks. No patch is currently available for this vulnerability.
The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials() permission callback always returning true, providing no actual authentication. This makes it possible for unauthenticated attackers to modify the billing and shipping contact information (email and phone) of any WooCommerce order by knowing or...
The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with `permission_callback => '__return_true'` and authentication being disabled by default when the API is enabled. This makes it possible for unauthenticated attackers to clear all site caches (page cache, Varnish, and Cloudflare) via a simple POST request,...
The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to unauthenticated limited file upload in all versions up to, and including, 7.8.1. This is due to the plugin not properly verifying that a user is authorized to perform file upload actions via the "ajax_checkout_attachment_upload" function. This makes it possible for unauthenticated attackers to upload files to the server, though file types are limited to WordPress's default allowed MIME types (i...
mobile friendly marketing popups. versions up to 4.4.2. contains a security vulnerability (CVSS 5.3).
The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. [CVSS 5.3 MEDIUM]
XStore versions 9.6.4 and earlier fail to properly sanitize HTML script tags, enabling attackers to inject malicious code that executes in users' browsers. This stored or reflected cross-site scripting vulnerability requires no authentication or user interaction, allowing attackers to steal session tokens, deface content, or redirect users to malicious sites. No patch is currently available, leaving affected installations vulnerable.
Everest Forms through version 3.4.1 fails to properly sanitize HTML script tags, enabling unauthenticated attackers to inject malicious code and compromise site integrity. The vulnerability allows attackers to perform code injection attacks without authentication or user interaction, potentially leading to data theft or malware distribution. No patch is currently available for this vulnerability.