Missing Authorization vulnerability in GhostPool Gauge gauge allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gauge: from n/a through <= 6.56.4. [CVSS 7.5 HIGH]
XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite is affected by missing authorization (CVSS 7.5).
Missing Authorization vulnerability in YayCommerce YayCurrency yaycurrency allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects YayCurrency: from n/a through <= 3.3. [CVSS 7.5 HIGH]
Shiprocket Shiprocket shiprocket is affected by authorization bypass through user-controlled key (CVSS 7.4).
Authorization Bypass Through User-Controlled Key vulnerability in cnvrse Cnvrse cnvrse allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cnvrse: from n/a through <= 026.02.10.20. [CVSS 7.5 HIGH]
Missing Authorization vulnerability in Jthemes Exzo exzo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Exzo: from n/a through <= 1.2.4. [CVSS 7.5 HIGH]
Missing Authorization vulnerability in GhostPool Aardvark Plugin aardvark-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Aardvark Plugin: from n/a through <= 2.19. [CVSS 7.5 HIGH]
Missing Authorization vulnerability in WP Legal Pages WPLegalPages wplegalpages allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPLegalPages: from n/a through <= 3.5.4. [CVSS 7.5 HIGH]
Wi-Fi routers lacking management frame protection are susceptible to forged deauthentication and disassociation attacks, enabling unauthenticated remote attackers to disconnect legitimate users and disrupt network availability. This vulnerability allows attackers to broadcast spoofed wireless management frames without credentials, creating denial-of-service conditions affecting all connected devices. No patch is currently available for this high-severity issue.
Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends is affected by authorization bypass through user-controlled key (CVSS 5.4).
HTTP Basic Authentication over unencrypted connections in the device's embedded web interface allows attackers on the same network to passively intercept and capture user credentials. This cleartext transmission of authentication data exposes administrative access to network-based eavesdropping attacks. The lack of HTTPS/TLS support creates a significant credential compromise risk for affected devices with no available patch.
Missing Authorization vulnerability in Saiful Islam Sync Master Sheet – Product Sync with Google Sheet for WooCommerce product-sync-master-sheet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sync Master Sheet – Product Sync with Google Sheet for WooCommerce: from n/a through <= 1.1.3.
Out-of-bounds write in GIMP 3.0.6's XWD (X Window Dump) image file parser allows remote attackers to execute arbitrary code in the context of the user running GIMP, provided the victim is lured into opening a malicious XWD file or visiting a page that delivers one. The CVSS 3.1 vector (AV:L/UI:R) shows this is not a remote-network attack but a user-interaction-driven file-parsing flaw, scored 7.3 (High). There is no public exploit identified at time of analysis, and EPSS is very low (0.08%, 23rd percentile), consistent with an attack that depends on social engineering rather than mass automation.
soporteblue Plugin BlueX for WooCommerce bluex-for-woocommerce is affected by missing authorization (CVSS 6.3).
PDF-XChange Editor's TrackerUpdate process loads libraries from an unsecured location, enabling local attackers with low-privileged code execution to escalate privileges and run arbitrary code with elevated permissions. This high-severity vulnerability (CVSS 7.3) affects systems where an attacker has already gained initial code execution access. No patch is currently available.
XforWooCommerce Product Filter for WooCommerce prdctfltr contains a security vulnerability (CVSS 7.3).
Server-Side Request Forgery (SSRF) vulnerability in Laborator Oxygen oxygen allows Server Side Request Forgery.This issue affects Oxygen: from n/a through <= 6.0.8. [CVSS 7.2 HIGH]
vanquish WooCommerce Bulk Product Editor woocommerce-quick-product-editor is affected by missing authorization (CVSS 7.1).
PixelYourSite plugin versions up to 11.2.0.1 contain a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into web pages without authentication. An attacker can exploit this to execute arbitrary JavaScript in the browsers of site visitors, potentially stealing session data or performing unauthorized actions on behalf of users. No patch is currently available for this vulnerability.
Reflected cross-site scripting in fox-themes Whizz Plugins version 1.9 and earlier allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by victims, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction to trigger and can affect all visitors to a compromised site due to its cross-site impact. No patch is currently available.
DOM-based cross-site scripting in ThemeGoods PhotoMe through version 5.7.1 enables attackers to inject malicious scripts that execute in users' browsers without authentication. An attacker can exploit this vulnerability to steal sensitive data, hijack user sessions, or perform unauthorized actions on behalf of affected users. No patch is currently available, and exploitation requires user interaction to trigger the payload.
Reflected XSS in fox-themes Reflector plugin versions up to 1.2.2 enables attackers to inject malicious scripts into web pages viewed by victims, potentially allowing theft of session cookies, credentials, or sensitive data through user interaction. The vulnerability requires no authentication and can spread across security boundaries, affecting all users who click malicious links. No patch is currently available.
Reflected cross-site scripting in ThemeGoods Grand Conference up to version 5.3.4 enables attackers to inject malicious scripts into web pages viewed by users, potentially stealing session data or performing actions on their behalf. The vulnerability requires user interaction to trigger but can be exploited remotely without authentication. No patch is currently available.
Reflected cross-site scripting in Link Whisper Free through version 0.9.0 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. Exploitation requires user interaction (clicking a malicious link) but can lead to session hijacking, credential theft, and unauthorized actions performed on behalf of victims. No patch is currently available.
PersianScript Persian Woocommerce SMS persian-woocommerce-sms is affected by cross-site scripting (xss) (CVSS 7.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in itex iMoney imoney allows Reflected XSS.This issue affects iMoney: from n/a through <= 0.36. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes Diamond diamond allows Reflected XSS.This issue affects Diamond: from n/a through <= 2.4.8. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themebon Business Template Blocks for WPBakery (Visual Composer) Page Builder templates-and-addons-for-wpbakery-page-builder allows Reflected XSS.This issue affects Business Template Blocks for WPBakery (Visual Composer) Page Builder: from n/a through <= 1.3.2. [CVSS 7.1 HIGH]
Hugh Mungus Visitor Maps Extended Referer Field visitor-maps-extended-referer-field is affected by cross-site scripting (xss) (CVSS 7.1).
realvirtualmx RVCFDI para Woocommerce rvcfdi-para-woocommerce is affected by cross-site scripting (xss) (CVSS 7.1).
wpdiscover Timeline Event History timeline-event-history is affected by cross-site scripting (xss) (CVSS 7.1).
GT3themes SOHO - Photography WordPress Theme soho is affected by cross-site scripting (xss) (CVSS 7.1).
GT3themes Oyster - Photography WordPress Theme oyster is affected by cross-site scripting (xss) (CVSS 7.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes Prestige prestige allows Reflected XSS.This issue affects Prestige: from n/a through < 1.4.1. [CVSS 7.1 HIGH]
Basix NEX-Forms nex-forms-express-wp-form-builder is affected by cross-site scripting (xss) (CVSS 7.1).
Basix NEX-Forms nex-forms-express-wp-form-builder is affected by cross-site scripting (xss) (CVSS 7.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs Slimstat Analytics wp-slimstat allows Reflected XSS.This issue affects Slimstat Analytics: from n/a through <= 5.3.2. [CVSS 7.1 HIGH]
designthemes DesignThemes Core Features designthemes-core-features is affected by cross-site scripting (xss) (CVSS 7.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GhostPool Aardvark aardvark allows Reflected XSS.This issue affects Aardvark: from n/a through <= 4.6.3. [CVSS 7.1 HIGH]
peterwsterling Simple Archive Generator simple-archive-generator is affected by cross-site scripting (xss) (CVSS 7.1).
Zack Katz iContact for Gravity Forms gravity-forms-icontact is affected by cross-site scripting (xss) (CVSS 7.1).
keeswolters Mopinion Feedback Form mopinion-feedback-form is affected by cross-site scripting (xss) (CVSS 7.1).
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in harman79 ID Arrays id-arrays allows DOM-Based XSS.This issue affects ID Arrays: from n/a through <= 2.1.2. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webmuehle Court Reservation court-reservation allows Reflected XSS.This issue affects Court Reservation: from n/a through <= 1.10.9. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anmari amr cron manager amr-cron-manager allows Reflected XSS.This issue affects amr cron manager: from n/a through <= 2.3. [CVSS 7.1 HIGH]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in itex iSape isape allows Reflected XSS.This issue affects iSape: from n/a through <= 0.72. [CVSS 7.1 HIGH]
Paris Holley Asynchronous Javascript asynchronous-javascript is affected by cross-site scripting (xss) (CVSS 7.1).
aThemeArt Translations eDS Responsive Menu eds-responsive-menu is affected by cross-site scripting (xss) (CVSS 7.1).
DaleAB Membee Login membees-member-login-widget is affected by cross-site scripting (xss) (CVSS 7.1).
Bas Schuiling FeedWordPress Advanced Filters faf is affected by cross-site scripting (xss) (CVSS 7.1).