Reflected cross-site scripting in the LambertGroup AllInOne Banner with Playlist WordPress plugin (versions ≤3.8) allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. With EPSS exploitation probability at 0.04% (10th percentile), this represents a low likelihood of automated or widespread exploitation despite the network attack vector. No active exploitation or public POC has been identified at time of analysis. Impact requires user interaction (clicking malicious link), limiting autonomous exploitation scenarios.
Reflected cross-site scripting (XSS) in LambertGroup AllInOne Content Slider WordPress plugin through version 3.8 enables remote attackers to execute arbitrary JavaScript in victim browsers by tricking users into clicking malicious links. The vulnerability allows content injection with low-level impacts across confidentiality, integrity, and availability due to scope change (S:C in CVSS vector). Reported by Patchstack security researchers, EPSS exploitation probability is very low (0.04%, 10th percentile), indicating minimal observed real-world targeting despite no authentication requirement.
Reflected cross-site scripting (XSS) in LambertGroup AllInOne Banner with Thumbnails WordPress plugin through version 3.8 allows unauthenticated remote attackers to inject malicious scripts via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but needs no authentication. Exploitation probability is low (EPSS 0.04%, 10th percentile), with no confirmed active exploitation or public POC at time of analysis. Changed scope (S:C) in CVSS vector indicates potential to impact resources beyond the vulnerable component.
Reflected cross-site scripting in LBG Zoominoutslider WordPress plugin versions through 5.4.5 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs requiring user interaction. EPSS exploitation probability is very low (0.04%, 10th percentile), and no active exploitation is confirmed. A Patchstack database entry documents the vulnerability, but no vendor-released patch version is identified at time of analysis.
Reflected cross-site scripting in UberSlider Classic WordPress plugin through version 2.5 allows remote attackers to execute malicious JavaScript in victim browsers via crafted URLs. Exploitation requires user interaction (clicking malicious link). EPSS score of 0.04% (10th percentile) indicates minimal observed exploitation activity. No CISA KEV listing confirms this is not being actively exploited in widespread campaigns, though the low attack complexity and network vector make exploitation straightforward once a victim is socially engineered.
Reflected cross-site scripting in UberSlider MouseInteraction WordPress plugin versions ≤2.3 allows remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs requiring user interaction. Reported by Patchstack audit team. EPSS score of 0.04% (10th percentile) indicates low probability of widespread exploitation. No CISA KEV listing or public proof-of-concept identified at time of analysis.
Reflected cross-site scripting in UberSlider PerpetuumMobile WordPress plugin versions ≤2.3 allows remote attackers to inject malicious scripts that execute in victim browsers when users click crafted links. The vulnerability requires user interaction but no authentication, with CVSS 7.1 (High) severity due to scope change enabling attacks across security boundaries. EPSS score of 0.04% (10th percentile) indicates low current exploitation probability, with no CISA KEV listing or public exploit code identified at time of analysis. Patchstack vulnerability database confirms the flaw affects default plugin configurations.
Reflected cross-site scripting in UberSlider Ultra WordPress plugin (versions ≤2.3) enables remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but needs no authentication. EPSS exploitation probability is low (0.04%, 10th percentile), and no active exploitation or public proof-of-concept has been identified at time of analysis. The changed scope (S:C) in the CVSS vector indicates potential impact beyond the vulnerable component itself.
Reflected cross-site scripting (XSS) in Porto WordPress theme versions through 7.6.2 allows remote attackers to inject malicious JavaScript into web pages viewed by victims. Exploitation requires user interaction (clicking a malicious link). EPSS probability is low (0.04%, 10th percentile), indicating minimal observed exploitation activity. No active exploitation confirmed by CISA KEV. Patchstack has documented this vulnerability, suggesting detection capabilities exist.
Reflected cross-site scripting (XSS) in pixfort Core WordPress plugin versions up to 3.2.22 enables remote attackers to inject malicious scripts into web pages viewed by victims. The attack requires user interaction (clicking a malicious link) but no authentication, allowing attackers to steal session tokens, perform actions as the victim, or redirect users to phishing sites. EPSS score of 0.04% (10th percentile) indicates low probability of mass exploitation, and no active exploitation or public proof-of-concept has been identified at time of analysis.
Reflected cross-site scripting (XSS) in Listify WordPress theme versions through 3.2.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs. The vulnerability exists due to improper input sanitization during web page generation, requiring user interaction to trigger. EPSS exploitation probability is very low (0.04%, 10th percentile), and no active exploitation or public exploit code has been identified. Moderate CVSS score reflects changed scope (S:C) allowing potential session token theft across origins.
Reflected cross-site scripting in EventON WordPress plugin versions up to 4.9.12 enables remote attackers to execute arbitrary JavaScript in victim browsers via malicious links. The vulnerability requires victim interaction (CVSS UI:R) and changes execution scope (S:C), allowing session hijacking, credential theft, or malicious actions within the WordPress admin interface. With EPSS exploitation probability at 0.04% (10th percentile) and no CISA KEV listing, this represents a lower-priority XSS requiring social engineering rather than mass exploitation.
designthemes DesignThemes Portfolio designthemes-portfolio is affected by cross-site scripting (xss) (CVSS 7.1).
DOM-based cross-site scripting in RadiusTheme Metro versions 2.13 and earlier allows unauthenticated attackers to inject malicious scripts that execute in users' browsers with no interaction required beyond viewing a crafted page. Successful exploitation enables attackers to steal session tokens, perform unauthorized actions, or deface content for affected users. No patch is currently available.
The Claue WordPress theme through version 2.2.7 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker can exploit this by crafting a malicious URL to steal sensitive information, perform unauthorized actions, or compromise user sessions without requiring any special privileges or interaction with the application itself.
JanStudio Gecko version 1.9.8 and earlier contain a reflected cross-site scripting (XSS) vulnerability that allows unauthenticated remote attackers to inject malicious scripts through improper input validation during web page generation. Successful exploitation requires user interaction and can lead to unauthorized access to sensitive information, data modification, or service disruption. No patch is currently available.
Reflected cross-site scripting in ThemeGoods Musico through version 3.2.4 enables attackers to inject malicious scripts into web pages viewed by users, potentially compromising session data and user credentials. The vulnerability requires user interaction to trigger and affects all installations of the affected Musico versions, with no patch currently available.
kamleshyadav WP Bakery Autoresponder Addon vc-autoresponder-addon is affected by cross-site scripting (xss) (CVSS 7.1).
Reflected XSS in Awa Plugins through version 1.4.4 enables unauthenticated attackers to inject malicious scripts into web pages viewed by users, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction via a crafted link and has cross-site impact, affecting all installations of the affected plugin versions. No patch is currently available.
Reflected cross-site scripting in ThemeGoods Architecturer versions up to 3.8.8 enables attackers to inject malicious scripts that execute in victims' browsers when they click a crafted link, potentially allowing session hijacking or credential theft. The vulnerability requires user interaction and affects all users of the vulnerable plugin versions. No patch is currently available.
Reflected cross-site scripting in ThemeGoods Grand News version 3.4.3 and earlier enables attackers to inject malicious scripts into web pages viewed by users, potentially allowing credential theft or session hijacking. The vulnerability requires user interaction to trigger but can be exploited remotely without authentication. No patch is currently available.
ThemeGoods Starto versions 2.1.9 and earlier are vulnerable to reflected cross-site scripting (XSS) that can be exploited remotely without authentication, allowing attackers to inject malicious scripts into web pages viewed by users. An attacker can trick users into clicking a malicious link to steal session cookies, redirect to phishing sites, or perform actions on behalf of the victim. No patch is currently available for this vulnerability.
DOM-based cross-site scripting in ThemeGoods Photography plugin version 7.6.1 and earlier enables attackers to inject malicious scripts that execute in users' browsers without authentication, potentially compromising sensitive data or session tokens. The vulnerability requires user interaction to trigger and has network-wide impact, affecting any website running the affected Photography plugin version.
Skygroup Agrofood versions 1.3.0 and earlier are vulnerable to reflected cross-site scripting (XSS) attacks that allow unauthenticated remote attackers to inject malicious scripts into web pages viewed by users. An attacker can exploit this vulnerability to steal session cookies, redirect users to malicious sites, or perform actions on behalf of victims. No patch is currently available.
DeepDigital versions 1.0.2 and earlier are vulnerable to reflected cross-site scripting (XSS) attacks due to insufficient input validation during web page generation, allowing unauthenticated remote attackers to inject malicious scripts that execute in users' browsers. Exploitation requires user interaction (clicking a malicious link) but can affect the entire application context, enabling attackers to steal sensitive data or perform actions on behalf of victims. No patch is currently available.
SeventhQueen BuddyApp through version 1.9.2 is vulnerable to reflected cross-site scripting (XSS) due to improper input validation during web page generation, allowing attackers to inject malicious scripts that execute in users' browsers when they click malicious links. An unauthenticated attacker can exploit this to steal session cookies, perform actions on behalf of users, or redirect them to phishing sites. No patch is currently available.
Reflected XSS in Thebe up to version 1.3.0 enables attackers to inject malicious scripts into web pages viewed by users, potentially compromising session data and user interactions across different sites. The vulnerability requires user interaction through a crafted link but has no authentication requirement, making it accessible to unauthenticated attackers. No patch is currently available.
Reflected cross-site scripting in Thecs through version 1.4.7 enables attackers to inject malicious scripts that execute in users' browsers when they click specially crafted links, potentially compromising session data and user credentials. The vulnerability requires user interaction and affects all versions up to 1.4.7, with no patch currently available. An attacker can exploit this to steal sensitive information or perform actions on behalf of affected users.
Reflected cross-site scripting in TheBi through version 1.0.5 enables attackers to inject malicious scripts that execute in users' browsers when they click on specially crafted links. This vulnerability requires user interaction but can lead to session hijacking, credential theft, or malware distribution across trusted domains. No patch is currently available for affected installations.
OpenClaw versions before 2026.2.12 suffer from a path traversal vulnerability in transcript file handling that allows authenticated local users to read and modify arbitrary files on the system by injecting directory traversal sequences into sessionId or sessionFile parameters. An attacker with local access can exploit this to access sensitive files outside the intended agent sessions directory without additional privileges. No patch is currently available for this vulnerability.
OpenClaw versions before 2026.2.14 fail to properly validate OAuth state parameters in the Chutes login flow, allowing attackers to bypass CSRF protections and hijack user sessions. An attacker can trick a user into pasting malicious OAuth callback data to gain unauthorized access and maintain persistent tokens under a compromised account. No patch is currently available for this high-severity vulnerability.
Vulnerability of improper verification in the email application. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 7.1 HIGH]
Hexpm's OAuth implementation fails to enforce read-only API key restrictions during token exchange, allowing an attacker with a victim's read-only API key and valid 2FA code to obtain a full-access API key with unrestricted permissions. This privilege escalation vulnerability affects users of the Hexpm package repository and enables unauthorized modification of packages and account settings. No patch is currently available.
RustDesk Server Pro through version 1.7.5 transmits sensitive address book credentials in cleartext over the network heartbeat synchronization API, enabling attackers to intercept and obtain authentication credentials without authentication. The vulnerability affects Windows, macOS, and Linux deployments where the address book sync functionality is enabled. No patch is currently available.
OpenClaw versions before 2026.2.12 with the Nostr plugin enabled contain unauthenticated API endpoints that allow remote attackers to read and modify Nostr profiles without authentication when the gateway HTTP port is network-accessible. Attackers can exploit this to steal sensitive profile data, alter gateway configuration, and sign malicious Nostr events using the bot's private key. A patch is available for affected installations.
LangGraph SQLite Checkpoint versions 1.0.9 and prior are vulnerable to unsafe deserialization of msgpack-encoded objects, allowing attackers with write access to the checkpoint database to execute arbitrary code when checkpoints are loaded. This vulnerability affects Python-based AI/ML applications using LangGraph's persistence layer and requires adversary control of the backing storage to exploit. No public patch is currently available for this issue.
Vulnerability of uninitialized pointer access in the scanning module. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.8 MEDIUM]
'.../...//' in Azure Compute Gallery allows an authorized attacker to elevate privileges locally. [CVSS 6.7 MEDIUM]
Privilege escalation in Azure Compute Gallery's regex validation enables high-privileged local users to gain unauthorized system access on affected Microsoft and ACI Confidential Containers systems. An authenticated attacker with elevated permissions can exploit the permissive pattern matching to bypass security controls and achieve full system compromise. No patch is currently available, making this a medium-severity risk for environments running vulnerable versions.
Ups Multi-Ups Management Console versions up to 01.06.0001_\(a03\) contains a security vulnerability (CVSS 6.7).
Race condition vulnerability in the permission management service. Impact: Successful exploitation of this vulnerability may affect availability. [CVSS 6.6 MEDIUM]
Unauthorized information disclosure in Azure Compute Gallery occurs due to insecure default initialization settings that authenticated users can exploit to access sensitive data remotely. An authorized attacker can leverage this vulnerability to read confidential information without requiring user interaction. No patch is currently available for Microsoft products and ACI Confidential Containers.
Openclaw versions up to 2026.2.15 is affected by allocation of resources without limits or throttling (CVSS 6.5).
Unauthenticated attackers can delete arbitrary WordPress media attachments in Fluent Forms Pro Add On Pack versions up to 6.1.17 due to missing authorization checks in the deleteFile() AJAX action. The vulnerable endpoint is accessible to unauthenticated users and accepts an attachment_id parameter without nonce verification or capability validation. No patch is currently available for this medium-severity vulnerability affecting WordPress sites.
EC-CUBE administrative authentication can be bypassed by attackers possessing valid admin credentials, allowing them to circumvent multi-factor authentication protections and access the admin panel. This vulnerability (CVSS 6.5) affects administrators or high-privileged users whose credentials have been compromised, potentially enabling unauthorized administrative access.
Site Suggest plugin version 1.3.9 and earlier lacks proper access control checks, enabling unauthenticated remote attackers to access restricted functionality and modify data. The vulnerability affects installations without authentication requirements and could allow attackers to manipulate site suggestions or related content without authorization. No patch is currently available.
Improper access control in the Blend Media WordPress CTA easy-sticky-sidebar plugin through version 1.7.4 allows unauthenticated attackers to exploit misconfigured security levels and gain unauthorized access to sensitive functionality. The vulnerability affects WordPress installations running the vulnerable plugin versions and could enable attackers to read restricted information or disrupt service availability. No security patch is currently available.
Openclaw versions up to 2026.2.14 is affected by missing authentication for critical function (CVSS 6.5).
Cloudfoundry UAA versions 77.30.0 through 78.7.0 and Cloudfoundry Deployment versions 48.7.0 through 54.10.0 contain a logic error in the token revocation endpoint that allows authenticated users to inadvertently revoke tokens belonging to other users. An attacker with valid credentials could exploit this flaw to disrupt service availability by invalidating legitimate user sessions without authorization.
OpenClaw prior to version 2026.2.14 fails to properly validate Telegram allowlist entries by accepting mutable usernames instead of immutable user IDs, enabling attackers to register recycled usernames and bypass access controls. An unauthenticated attacker can exploit this flaw to impersonate legitimate users and send unauthorized commands to OpenClaw bots. No patch is currently available.