Arbitrary file overwrite in Directus TUS resumable upload endpoint allows authenticated users to replace any existing file by UUID, bypassing row-level access controls. The vulnerability affects the npm package directus, where the /files/tus controller validates only collection-level permissions but skips item-level authorization checks. Attackers with basic file upload permissions can permanently overwrite victim files with malicious content, potentially escalating privileges by replacing admin-owned assets. EPSS data not available, but the moderate complexity (CVSS AC:L, PR:L) and specific bypass mechanism suggest focused targeting risk. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.
Authenticated attackers with subscriber-level access can obtain paid lifetime membership plans in the ProfilePress WordPress plugin (≤4.16.11) without payment by exploiting a missing ownership verification flaw. The vulnerability allows hijacking of another user's active subscription during checkout to manipulate proration calculations. With a 7.1 CVSS score, low attack complexity, and requiring only low-privilege authentication, this presents a significant revenue loss risk for sites using ProfilePress for paid memberships. No public exploit identified at time of analysis, though EPSS data not available. Vendor patch released in version 4.16.12.
Arbitrary shortcode execution in ProfilePress plugin for WordPress (all versions up to 4.16.11) allows unauthenticated attackers to execute arbitrary shortcodes by injecting malicious code into billing field values during checkout, potentially leading to information disclosure or content manipulation. The vulnerability stems from insufficient sanitization of user-supplied input before shortcode processing. Wordfence has documented this issue with a CVSS score of 6.5 and no confirmed active exploitation at time of analysis.
Directus GraphQL endpoints fail to deduplicate resolver invocations within single requests, allowing authenticated users to exploit GraphQL aliasing for denial-of-service attacks. An attacker with minimal read-only permissions can repeat expensive relational queries using multiple aliases in a single request, forcing concurrent execution of numerous complex database queries that exhaust connection pools and server resources, potentially degrading or crashing the service. No public exploit code has been identified, and this vulnerability requires prior authentication to the Directus instance.
Unauthenticated attackers can modify registration form status in Pie Register plugin for WordPress versions up to 3.8.4.8 due to a missing capability check in the pie_main() function. The vulnerability allows unauthorized changes to critical registration settings without authentication, impacting the integrity of user registration workflows. CVSS 6.5 reflects moderate severity with both confidentiality and availability impact; no public exploit code or active exploitation has been confirmed at this time.
Stored cross-site scripting (XSS) in WPFunnels - Easy Funnel Builder plugin for WordPress versions up to 3.7.9 allows authenticated contributors and higher-privileged users to inject arbitrary JavaScript via the 'button_icon' parameter in the 'wpf_optin_form' shortcode due to insufficient input sanitization and output escaping. The injected scripts execute in the context of any user viewing the affected page, potentially compromising website visitors and enabling session hijacking, credential theft, or malware distribution. This vulnerability requires authenticated attacker access but affects all site visitors who view injected pages.
Stored Cross-Site Scripting in WP Travel Engine plugin versions up to 6.7.5 allows authenticated contributors and above to inject malicious scripts via the 'wte_trip_tax' shortcode due to insufficient input sanitization and output escaping. When site visitors access pages containing the injected payload, the arbitrary JavaScript executes in their browsers, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been identified at time of analysis.
Stored Cross-Site Scripting (XSS) in Xpro Addons - 140+ Widgets for Elementor plugin for WordPress up to version 1.4.24 allows authenticated contributors and above to inject malicious scripts via the Icon Box widget that execute for all users viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping, making it a direct code injection risk in a widely-used page builder extension. CVSS 6.4 reflects moderate severity with limited direct impact (confidentiality and integrity) but cross-site scope; no public exploit code or active exploitation has been identified at time of analysis.
Stored Cross-Site Scripting in Gutenverse - Ultimate WordPress FSE Blocks Addons & Ecosystem plugin versions up to 3.4.6 allows authenticated attackers with contributor-level access or higher to inject arbitrary JavaScript via the 'imageLoad' parameter, resulting in persistent script execution in pages viewed by other users. CVSS 6.4 reflects medium severity with cross-site scope; no public exploit code or active exploitation has been identified at the time of analysis, but the vulnerability requires only low privileges and no user interaction beyond initial page access.
Stored Cross-Site Scripting in Xpro Addons - 140+ Widgets for Elementor plugin up to version 1.4.20 allows authenticated contributors and above to inject malicious scripts via the Pricing Widget's 'onClick Event' setting, which execute in the browsers of any user viewing the affected pages. The vulnerability stems from insufficient input sanitization and output escaping, enabling persistent XSS attacks that compromise site integrity and user sessions. No active exploitation has been confirmed, but the low attack complexity and contributor-level access requirement present a moderate real-world risk for WordPress sites with contributor user bases.
Stored Cross-Site Scripting (XSS) in Simple Shopping Cart WordPress plugin versions up to 5.2.4 allows authenticated contributors and above to inject arbitrary JavaScript via the 'wpsc_display_product' shortcode attributes due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users viewing affected pages. No public exploit code or active exploitation has been reported at time of analysis.
Stored Cross-Site Scripting (XSS) in WP Shortcodes Plugin - Shortcodes Ultimate up to version 7.4.7 allows authenticated contributors and above to inject arbitrary JavaScript via the 'src' attribute of the su_lightbox shortcode, which executes in the browsers of all users viewing the affected page. The vulnerability stems from insufficient input sanitization and output escaping, requiring only contributor-level access to exploit. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored Cross-Site Scripting in WP Shortcodes Plugin - Shortcodes Ultimate up to version 7.4.8 allows authenticated attackers with author-level permissions to inject arbitrary JavaScript into pages via the su_carousel shortcode's 'su_slide_link' attachment meta field. The vulnerability stems from insufficient input sanitization and output escaping, enabling malicious scripts to execute when any user visits an affected page. No public exploit code or active exploitation has been identified at the time of analysis.
Stored Cross-Site Scripting in ElementsKit Elementor Addons and Templates plugin (versions up to 3.7.9) allows authenticated contributors and above to inject malicious scripts via the 'ekit_tab_title' parameter in the Simple Tab widget due to insufficient input sanitization and output escaping. Injected scripts execute when users access affected pages. No public exploit code or active exploitation has been identified at time of analysis.
Stored Cross-Site Scripting (XSS) in Royal Addons for Elementor plugin allows authenticated contributors and above to inject arbitrary JavaScript via the 'button_text' parameter, affecting all versions through 1.7.1049. The vulnerability stems from insufficient input sanitization and output escaping, enabling attackers to execute malicious scripts in the context of any user visiting an affected page. No public exploit code or active exploitation has been identified at time of analysis.
Stored cross-site scripting in Ultimate Member plugin versions up to 2.11.1 allows authenticated subscribers and above to inject arbitrary JavaScript via the user description field when HTML support is enabled, executing malicious scripts in pages viewed by other users. The vulnerability requires prior authentication and user interaction but affects site visitors broadly once injected. Wordfence reported the issue; a fix is available in patched versions.
Open redirect vulnerability in Directus login redirection logic allows unauthenticated attackers to bypass URL allow-list validation through malformed URLs containing backslashes, silently redirecting authenticated users to arbitrary external domains. The vulnerability exploits a parser differential between server-side validation and browser URL normalization, creating a phishing vector particularly dangerous in SSO/OAuth2 flows where attackers can capture authentication tokens without visible user indication. CVSS 6.1 reflects moderate real-world risk due to user interaction requirement and limited direct confidentiality impact, but the attack chain (authentication + silent redirect + credential theft) presents meaningful business risk.
Improper access controls in Tenda 4G03 Pro firmware (versions up to 04.03.01.53) enable unauthenticated remote attackers to bypass authentication mechanisms via the /bin/httpd binary, potentially achieving unauthorized administrative access to the router. This vulnerability has publicly available exploit code and affects consumer-grade 4G routers commonly used for home and small office networks. EPSS data not available, but the combination of network-accessible attack vector, low complexity, and public exploit elevates real-world risk.
Tenda 4G03 Pro wireless router contains a hard-coded ECDSA P-256 private cryptographic key in the /etc/www/pem/server.key file, enabling remote attackers to decrypt HTTPS communications and potentially impersonate the device without authentication. The vulnerability affects firmware versions 1.0, 1.0re, 01.bin, and 04.03.01.53, and carries a CVSS score of 5.3 with proof-of-concept exploitation likely (E:P rating). No public exploit code has been independently confirmed at the time of this analysis.
Unauthenticated arbitrary media upload in Listeo Core plugin for WordPress (versions up to 2.0.27) allows remote attackers to upload arbitrary files to the site's media library via the unprotected listeo_core_handle_dropped_media AJAX endpoint. The vulnerability stems from missing authorization checks and does not directly enable code execution, but significantly degrades site integrity by enabling malicious file storage and potential downstream attacks.
Directus allows information disclosure of GraphQL schema structure via the `/graphql/system` endpoint when `GRAPHQL_INTROSPECTION=false` is configured, exposing collection names, field names, types, and relationships to unauthenticated users and authenticated users at their permission level. The vulnerability bypasses the introspection control mechanism by returning an equivalent SDL (Schema Definition Language) representation through the `server_specs_graphql` resolver, giving administrators a false sense of security while schema information remains publicly accessible.
Unauthenticated information disclosure in AVideo CloneSite plugin allows remote attackers to retrieve sensitive operational logs containing internal filesystem paths, remote server URLs, and SSH connection metadata via the client.log.php endpoint, which lacks authentication controls present in all sibling endpoints within the same plugin directory.
Unauthenticated access to FFmpeg server configuration endpoint in AVideo allows remote attackers to probe infrastructure details and determine encoding architecture without authentication, while sibling management endpoints properly enforce admin-only access. This information disclosure aids reconnaissance for targeted attacks against video encoding infrastructure. CVSS 5.3, no public exploit code identified, no active exploitation confirmed.
AVideo install/test.php diagnostic script exposes sensitive viewer statistics including IP addresses, session IDs, and user agents to unauthenticated remote attackers due to a disabled CLI-only access guard. The vulnerability allows any visitor to retrieve video viewer data via HTTP GET requests without authentication, combined with enabled error reporting that leaks internal filesystem paths. CVSS 5.3 reflects low confidentiality impact; no public exploit code identified at time of analysis.
Open redirect vulnerability in Directus allows unauthenticated attackers to redirect administrators to attacker-controlled URLs after 2FA setup completion via crafted `/admin/tfa-setup` redirect parameter. The attack leverages user interaction on the trusted Directus domain before redirecting to a malicious site, enabling phishing campaigns targeting administrators. CVSS 4.3 (low severity), no public exploit code or active exploitation confirmed.
Kadence Blocks Page Builder Toolkit for Gutenberg Editor plugin for WordPress allows authenticated contributors to bypass authorization checks and upload arbitrary images to the Media Library via the process_pattern REST API endpoint. An attacker with contributor-level access or higher can supply remote image URLs that the server downloads and converts into media attachments, exploiting missing capability verification for the upload_files action. No public exploit code or active exploitation has been reported at time of analysis.
Unauthenticated access to payment order data in the BlockonomicsYPT plugin for AVideo allows remote attackers to retrieve sensitive payment information including user IDs, transaction amounts, and Bitcoin transaction details for any address without authentication. The vulnerable check.php endpoint returns complete order records queryable by Bitcoin address alone, enabling attackers to link on-chain transactions to specific platform user accounts and violate user privacy. No exploit complexity is required beyond discovering Bitcoin addresses on the public blockchain.
Parse Server file upload handler fails to validate Content-Type headers against filename extensions, allowing attackers to upload files with benign extensions (e.g., .txt) but malicious MIME types (e.g., text/html) that are served with the user-supplied Content-Type by cloud storage adapters like S3 and GCS. This enables content-type confusion attacks such as reflected XSS when files are served through CDNs or web servers that trust the stored Content-Type header. The default GridFS adapter is unaffected due to its filename-based Content-Type derivation at serving time.