Skip to main content
CVE-2025-68842 HIGH This Week

totalbounty Widget Logic Visual widget-logic-visual is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68501 HIGH This Week

Mollie Mollie Payments for WooCommerce mollie-payments-for-woocommerce is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68495 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS.This issue affects JetEngine: from n/a through <= 3.8.0. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68037 HIGH This Week

Atlas Gondal Export Media URLs export-media-urls is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68031 HIGH This Week

faraz sms افزونه پیامک حرفه ای فراز اس ام اس farazsms is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67991 HIGH This Week

vanquish User Extra Fields wp-user-extra-fields is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67990 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 GMap Targeting gmap-targeting allows Reflected XSS.This issue affects GMap Targeting: from n/a through <= 1.1.7. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67984 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in calliko NPS computy nps-computy allows DOM-Based XSS.This issue affects NPS computy: from n/a through <= 2.8.2. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67978 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FixBD Educare educare allows Reflected XSS.This issue affects Educare: from n/a through <= 1.6.1. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67971 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPManageNinja FluentCart fluent-cart allows Reflected XSS.This issue affects FluentCart: from n/a through < 1.3.0. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-53237 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Wizard Cloak wp-wizard-cloak allows Reflected XSS.This issue affects WP Wizard Cloak: from n/a through <= 1.0.1. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-53233 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RylanH Storyform storyform allows Reflected XSS.This issue affects Storyform: from n/a through <= 0.6.14. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-53231 HIGH This Week

wpdevstudio Easy Taxonomy Images easy-taxonomy-images is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-53228 HIGH This Week

jezza101 bbpress Simple Advert Units bbpress-simple-advert-units is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68069 HIGH This Week

Missing Authorization vulnerability in wpWax Directorist directorist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directorist: from n/a through <= 8.5.10. [CVSS 7.1 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27115 HIGH This Week

ADB Explorer through version 0.9.26020 fails to validate user-supplied directory paths, enabling local attackers to trigger recursive deletion of arbitrary filesystem directories including critical system and user folders. An attacker can exploit this by crafting a malicious shortcut or script that launches the application with a sensitive path argument, causing permanent data loss when the application processes the ClearDrag() function at startup or exit. Any user tricked into launching ADB Explorer via a weaponized shortcut or batch file faces complete loss of targeted directories such as Documents or user profile folders.

Path Traversal Microsoft Windows
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-2035 MEDIUM This Month

Remote code execution in Deciso OPNsense's backup functionality allows authenticated network-adjacent attackers to execute arbitrary commands with root privileges through insufficient input validation in the diag_backup.php file. An attacker with valid credentials can inject malicious commands into backup filename parameters to achieve code execution on the affected system. No patch is currently available for this vulnerability.

PHP RCE Command Injection
NVD GitHub
CVSS 3.0
6.8
EPSS
0.2%
CVE-2026-27125 MEDIUM PATCH This Month

Svelte versions prior to 5.51.5 improperly enumerate prototype chain properties during server-side rendering attribute spreading, allowing polluted Object.prototype properties to inject unexpected attributes into SSR output or cause rendering errors. This vulnerability affects applications using SSR where the prototype chain has been previously manipulated, though client-side rendering is unaffected. The issue requires prototype pollution as a precondition but can lead to information disclosure or denial of service in vulnerable SSR environments.

Code Injection Svelte Red Hat
NVD GitHub
CVSS 3.1
6.8
EPSS
0.1%
CVE-2026-22341 MEDIUM This Month

Booked scheduling software versions 3.0.0 and earlier contain an authentication bypass flaw that allows authenticated users to abuse alternate authentication paths or channels to gain unauthorized access. An attacker with valid credentials could exploit this vulnerability to escalate privileges or access restricted functionality without proper authorization. No patch is currently available for affected installations.

Authentication Bypass
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-26972 MEDIUM PATCH This Month

OpenClaw versions 2026.1.12 through 2026.2.13 contain a path traversal vulnerability in the browser download helper that allows authenticated users with CLI access or valid gateway RPC tokens to write files outside the intended temporary downloads directory. An attacker with these credentials can exploit unsanitized output paths to place arbitrary files on the system. Version 2026.2.13 and later contain the fix.

Path Traversal AI / ML Openclaw
NVD GitHub
CVSS 3.1
6.7
EPSS
0.0%
CVE-2026-27008 MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.15 allow authenticated administrators to write files outside the skill installation directory due to insufficient validation of the targetDir parameter during skill installation. An admin user could exploit this path traversal vulnerability to place malicious files in arbitrary locations on the system. A patch is available in version 2026.2.15 and later.

Information Disclosure AI / ML Openclaw
NVD GitHub
CVSS 3.1
6.7
EPSS
0.0%
CVE-2024-56208 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in desertthemes NewsMash newsmash allows Stored XSS.This issue affects NewsMash: from n/a through <= 1.0.71. [CVSS 6.5 MEDIUM]

XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2024-51915 MEDIUM This Month

LiteSpeed Technologies LiteSpeed Cache litespeed-cache is affected by cross-site scripting (xss) (CVSS 6.5).

XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68895 MEDIUM This Month

ahachat AhaChat Messenger Marketing ahachat-messenger-marketing contains a security vulnerability (CVSS 6.5).

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-24946 MEDIUM This Month

Missing authorization controls in the tychesoftwares Print Invoice & Delivery Notes plugin for WooCommerce (versions up to 5.8.0) allow unauthenticated attackers to manipulate access control settings and modify invoice or delivery note data. The vulnerability affects WordPress sites running this plugin and could result in unauthorized data modification. A patch is not currently available.

WordPress
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68564 MEDIUM This Month

Missing Authorization vulnerability in sendy Sendy sendy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sendy: from n/a through <= 3.4.2. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68542 MEDIUM This Month

vgdevsolutions Checkout Gateway for IRIS checkout-gateway-iris is affected by missing authorization (CVSS 6.5).

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68050 MEDIUM This Month

Missing Authorization vulnerability in Leadpages Leadpages leadpages allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Leadpages: from n/a through <= 1.1.3. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68032 MEDIUM This Month

Passionate Brains Advanced WC Analytics advance-wc-analytics is affected by missing authorization (CVSS 6.5).

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68028 MEDIUM This Month

Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GA4WP: Google Analytics for WordPress: from n/a through <= 2.10.0. [CVSS 6.5 MEDIUM]

WordPress Authentication Bypass Google
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68026 MEDIUM This Month

Missing Authorization vulnerability in Niaj Morshed LC Wizard ghl-wizard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LC Wizard: from n/a through <= 2.1.1. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68025 MEDIUM This Month

Addonify Addonify Floating Cart For WooCommerce addonify-floating-cart is affected by missing authorization (CVSS 6.5).

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68024 MEDIUM This Month

Missing Authorization vulnerability in Addonify Addonify - WooCommerce Wishlist addonify-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify - WooCommerce Wishlist: from n/a through <= 2.0.15. [CVSS 6.5 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68023 MEDIUM This Month

Missing Authorization vulnerability in Addonify Addonify &#8211; Compare Products For WooCommerce addonify-compare-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify &#8211; Compare Products For WooCommerce: from n/a through <= 1.1.17. [CVSS 6.5 MEDIUM]

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68021 MEDIUM This Month

Missing Authorization vulnerability in ConveyThis ConveyThis conveythis-translate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ConveyThis: from n/a through <= 269.5. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-67993 MEDIUM This Month

Missing Authorization vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Atarim: from n/a through <= 4.2.1. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-67973 MEDIUM This Month

sunshinephotocart Sunshine Photo Cart sunshine-photo-cart is affected by missing authorization (CVSS 6.5).

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-67969 MEDIUM This Month

knitpay UPI QR Code Payment Gateway for WooCommerce upi-qr-code-payment-for-woocommerce is affected by missing authorization (CVSS 6.5).

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-67624 MEDIUM This Month

Missing Authorization vulnerability in Arya Dhiratara Optimize More! &#8211; Images optimize-more-images allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Optimize More! [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-67547 MEDIUM This Month

Missing Authorization vulnerability in uixthemes Konte konte allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Konte: from n/a through <= 2.4.6. [CVSS 6.5 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-24953 MEDIUM This Month

Authenticated attackers can traverse directory restrictions in Mitchell Bennis Simple File List versions up to 6.1.15 to read files outside intended directories, requiring valid credentials but no user interaction. This path traversal vulnerability impacts confidentiality but not system integrity or availability, with no patch currently available.

Path Traversal
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68002 MEDIUM This Month

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in 100plugins Open User Map open-user-map allows Path Traversal.This issue affects Open User Map: from n/a through <= 1.4.16. [CVSS 6.5 MEDIUM]

Path Traversal
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-26329 MEDIUM PATCH This Month

OpenClaw versions prior to 2026.2.14 allow authenticated users to read arbitrary files from the Gateway host through path traversal in the browser tool's upload functionality. An attacker with valid Gateway credentials and browser tool permissions can supply absolute or traversal paths to bypass file access restrictions and access sensitive files. This vulnerability requires authentication and browser tool enablement but presents a high confidentiality risk to affected deployments.

Path Traversal AI / ML Openclaw
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24944 MEDIUM This Month

Inadequate access control in weDevs Subscribe2 plugin version 10.44 and earlier permits unauthenticated attackers to bypass authorization checks and gain unauthorized access to restricted functionality. An attacker can exploit misconfigured security levels to perform actions they should not be permitted to execute, potentially exposing sensitive subscriber data or modifying plugin settings. No patch is currently available.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2350 MEDIUM This Month

Tanium Interact logs sensitive information that authenticated users can access, potentially exposing confidential data through log file inspection. The vulnerability requires valid credentials and does not allow modification or service disruption, limiting its impact to information disclosure.

Information Disclosure Interact
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1292 MEDIUM This Month

Tanium addressed an insertion of sensitive information into log file vulnerability in Trends. [CVSS 6.5 MEDIUM]

Information Disclosure Trends
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27022 MEDIUM PATCH This Month

Query injection in @langchain/langgraph-checkpoint-redis allows authenticated users to manipulate RediSearch filter logic by injecting special syntax characters into user-provided keys and values, potentially bypassing access controls. An attacker with valid credentials could craft malicious filter parameters to alter query behavior and access unintended data. The vulnerability affects LangGraph checkpoint implementations using Redis storage and is fixed in version 1.0.2.

Redis AI / ML Langchain
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-69011 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPKube Cool Tag Cloud cool-tag-cloud allows Stored XSS.This issue affects Cool Tag Cloud: from n/a through <= 2.29. [CVSS 6.5 MEDIUM]

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-69388 MEDIUM This Month

Missing Authorization vulnerability in cliengo Cliengo - Chatbot cliengo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cliengo - Chatbot: from n/a through <= 3.0.4. [CVSS 6.5 MEDIUM]

Golang AI / ML
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-69385 MEDIUM This Month

AgniHD Cartify - WooCommerce Gutenberg WordPress Theme cartify is affected by missing authorization (CVSS 6.5).

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
Prev Page 6 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy