Stored Cross-Site Scripting in WowPress plugin for WordPress (all versions up to 1.0.0) allows authenticated attackers with contributor-level access and above to inject arbitrary JavaScript through insufficiently sanitized shortcode attributes, enabling malicious script execution in pages viewed by other users. CVSS 6.4 reflects moderate severity with network-accessible attack vector but requires authenticated access; no public exploit code or active exploitation confirmed at time of analysis.
Stored Cross-Site Scripting in Sports Club Management WordPress plugin versions up to 1.12.9 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into shortcode attributes, which executes when other users view affected pages. The vulnerability stems from insufficient input sanitization and output escaping in the `scm_member_data` shortcode's 'before' and 'after' parameters, requiring only basic WordPress login privileges but affecting all site visitors who access injected content. No public exploit code or active exploitation has been identified at this time.
Stored Cross-Site Scripting in The Plus Addons for Elementor plugin for WordPress (all versions up to 6.4.9) allows authenticated attackers with contributor-level access and above to inject arbitrary JavaScript into pages via the Progress Bar shortcode due to insufficient input sanitization and output escaping. When other users access affected pages, the injected scripts execute in their browsers, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed at time of analysis.
Stored cross-site scripting in Strong Testimonials WordPress plugin up to version 3.2.21 allows authenticated contributors and above to inject arbitrary JavaScript via the testimonial_view shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the context of any user viewing the affected page, enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been identified at time of analysis.
Siklu EtherHaul 8010 wireless backhaul devices contain a static root password that enables physical attackers or those with local console access to gain complete administrative control without authentication. The vulnerability affects firmware version 10.6.2-18707 and potentially other versions of the EtherHaul 8010 product line, allowing credential-based authentication bypass with high confidentiality and integrity impact. No public exploit code or active exploitation has been confirmed at this time, though the CVSS:3.1 physical attack vector (AV:P) reflects that an attacker must have direct physical access to the device's console interfaces.
Server-Side Request Forgery (SSRF) in Getty Images WordPress plugin through version 4.1.0 allows authenticated attackers to make arbitrary HTTP requests from the server, potentially accessing internal services or metadata endpoints. The vulnerability requires valid WordPress user credentials and affects the plugin across all versions up to 4.1.0. This has a moderate real-world risk profile with low EPSS exploitation probability (0.02%) despite moderate CVSS impact, suggesting limited practical weaponization despite theoretical exploitability.
Stored Cross-Site Scripting in Page Builder: Pagelayer WordPress plugin versions up to 2.0.8 allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript into page content via the Button widget's Custom Attributes field. The vulnerability bypasses an incomplete XSS filter that blocks common event handlers but fails to block all variants, enabling persistent script execution whenever affected pages are viewed. No public exploit code or active exploitation has been confirmed; however, the low attack complexity and broad applicability to WordPress sites using this popular page builder plugin present meaningful risk.
Stored cross-site scripting in Blubrry PowerPress plugin versions up to 11.15.15 allows authenticated contributors and above to inject arbitrary scripts via the 'powerpress' and 'podcast' shortcodes, executing malicious code whenever users access affected pages. The vulnerability stems from insufficient input sanitization and output escaping in shortcode processing. EPSS score of 6.4 reflects moderate risk; exploitation requires contributor-level WordPress access but no public exploit code has been identified at the time of analysis.
LightPress Lightbox plugin for WordPress allows authenticated attackers with Contributor-level access and above to inject arbitrary JavaScript via the unescaped `group` attribute in the `[gallery]` shortcode, resulting in stored cross-site scripting that executes for all users viewing affected pages. The vulnerability affects all versions up to 2.3.4 and has been addressed in version 2.3.5.
Stored Cross-Site Scripting in Elementor Website Builder plugin for WordPress allows authenticated attackers with Contributor-level access or above to inject arbitrary JavaScript into page content via insufficiently sanitized widget parameters. The injected scripts execute in the browsers of all users accessing affected pages, potentially enabling account hijacking, malware distribution, or defacement. CVSS 6.4 reflects the requirement for authenticated access but the broad scope of impact across all site visitors.
Time-of-check-time-of-use (TOCTOU) race condition in Go's internal/syscall/unix Root.Chmod allows local privileged attackers to modify file permissions on targets outside the intended root filesystem boundary. By replacing the target with a symlink between the permission check and the actual chmod operation, attackers can exploit the Linux fchmodat syscall's behavior of silently ignoring AT_SYMLINK_NOFOLLOW to modify arbitrary files outside the restricted root. Exploitation requires high privileges and precise timing; EPSS score of 0.01% indicates minimal real-world exploitation probability despite moderate CVSS severity.
Container privilege escalation in Red Hat Multicluster Engine for Kubernetes allows authenticated local attackers to escalate from non-root container execution to full root privileges by exploiting group-writable permissions on the /etc/passwd file created during container image build time, enabling arbitrary UID assignment including UID 0.
Red Hat Process Automation Manager container images allow local privilege escalation when the /etc/passwd file is created with group-writable permissions during the build process. An attacker with non-root command execution capability who is a member of the root group can modify /etc/passwd to create a new user with UID 0, gaining full root privileges within the container. This requires high privileges (membership in root group) and challenging conditions (AC:H), but affects all versions of Red Hat Process Automation 7 distributed as container images. No public exploit code has been identified at the time of analysis.
Container privilege escalation in Red Hat Web Terminal allows local attackers with group membership to modify the /etc/passwd file and create arbitrary user accounts including root. The vulnerability stems from overly permissive group-writable permissions on /etc/passwd during image build, enabling privilege escalation from non-root container users to full root access within the container. Red Hat Web Terminal across multiple versions is affected; no public exploit code or active exploitation has been reported at the time of analysis.
Privilege escalation in OpenShift Update Service (OSUS) container images allows local attackers with high privileges to gain root access by modifying the group-writable /etc/passwd file created during build time. An attacker executing commands within an affected container can leverage root group membership to inject a new user with UID 0, achieving full container root privileges. No public exploit code or active exploitation has been identified at the time of analysis.
Container privilege escalation in Red Hat Ansible Automation Platform 2 allows non-root users within affected container images to gain root privileges by modifying the group-writable /etc/passwd file. During the container build process, /etc/passwd is created with overly permissive group-write permissions, enabling any user in the root group to add arbitrary entries including a UID 0 account. This vulnerability requires local container execution access and elevated group membership, but results in complete container compromise when exploited.
Remote code execution in Tophat mobile testing harness prior to 2.5.1 allows authenticated network attackers to execute arbitrary commands on a developer's macOS workstation via unsanitized URL query parameters passed directly to bash. The vulnerability affects any developer with Tophat installed, with commands executing under the user's permissions and no confirmation dialog for previously trusted build hosts. This was fixed in version 2.5.1.
Path traversal in liquidjs 10.25.0 allows local file disclosure when renderFile() or parseFile() receives absolute paths or traversal sequences, despite the root parameter being documented as a sandbox boundary. An attacker controlling template filenames passed to these APIs can read arbitrary files accessible to the Node.js process, such as /etc/hosts or sensitive configuration files. The vulnerability affects liquidjs versions prior to 10.25.5; a vendor-released patch is available. No public exploit code or active exploitation has been identified at the time of analysis.
CORS misconfiguration in CoolerControl coolercontrold versions 2.0.0 through 3.x allows unauthenticated remote attackers to read sensitive data and send control commands to the service by exploiting browser-based cross-origin requests from malicious websites. The vulnerability requires user interaction (UI:R) but grants attackers capability to leak information and manipulate daemon operations with a CVSS score of 6.3 (medium).
Server-Side Request Forgery in Kibana One Workflow allows authenticated users with workflow privileges to bypass host allowlist restrictions in the Workflows Execution Engine, enabling unauthorized access to sensitive internal endpoints and data disclosure. Affects Kibana versions 9.3.0 through 9.3.2. No public exploit code or active exploitation has been confirmed at time of analysis.
IPv4 access control bypass in Hono middleware allows IPv4-mapped IPv6 addresses (e.g., ::ffff:127.0.0.1) to bypass IPv4-based ipRestriction() rules due to failure to canonicalize addresses before matching. Denied IPv4 clients can circumvent access restrictions in Node.js dual-stack environments by presenting as IPv6-formatted addresses, and legitimate IPv4 clients may be incorrectly rejected when allowlists are used. No public exploit code identified at time of analysis, but the vulnerability enables straightforward authentication bypass with minimal complexity.
LORIS (Longitudinal Online Research and Imaging System) versions 16.1.0 through 27.0.2 and 28.0.0 allow authenticated users to bypass backend access controls in the media module and access files they should not have permission to view, provided they know the filename. The vulnerability stems from missing server-side authorization checks that should prevent unauthorized file access, enabling confidentiality and integrity compromise of sensitive neuroimaging research data. The issue is fixed in versions 27.0.3 and 28.0.1.
LORIS versions 21.0.0 through 27.0.2 and 28.0.0 suffer from broken access control in the document_repository backend endpoint, allowing authenticated users to bypass frontend restrictions and download files they should not have access to by knowing or brute-forcing filenames. CVSS 6.3 (medium severity) with confirmed patch availability in versions 27.0.3 and 28.0.1. No public exploit code or active exploitation confirmed.
Authorization bypass in rfc3161-client's TimeStamp Authority (TSA) verification allows remote attackers to impersonate any trusted TSA by exploiting a naive leaf certificate selection algorithm in the PKCS#7 certificate chain. The vulnerability enables an attacker to inject a forged certificate with a target TSA's common name and timeStamping EKU into an authentic timestamp response, causing the library to validate authorization checks against the fake certificate while the cryptographic signatu
Insufficient policy enforcement in History Navigation in Google Chrome prior to version 147.0.7727.55 enables cross-site scripting (UXSS) attacks when users perform specific UI gestures on attacker-controlled pages, allowing injection of arbitrary scripts or HTML with potential impact on user data confidentiality and integrity. The vulnerability affects all Chrome versions before 147.0.7727.55 across all platforms, requires user interaction with specific UI gestures but no authentication, and carries a low Chromium severity rating despite a moderate CVSS score. No public exploit code has been identified at the time of analysis, though the vulnerability was tracked via Chromium issue tracking.
Server-side request forgery (SSRF) in bigsk1 openai-realtime-ui allows authenticated remote attackers to manipulate API proxy endpoint query parameters in server.js, enabling the server to make arbitrary requests to internal or external resources. The vulnerability affects all versions up to commit 188ccde27fdf3d8fab8da81f3893468f53b2797c, has publicly available exploit code, and carries a CVSS 5.3 score reflecting moderate impact with authentication required. A fix is available via commit 54f8f50f43af97c334a881af7b021e84b5b8310f.
Unauthenticated remote attackers can manipulate the txtqty POST parameter in SourceCodester Pharmacy Product Management System 1.0's add-sales.php to trigger business logic errors and cause data integrity violations. The vulnerability affects an unknown component of the POST parameter handler and allows modification of sales quantity values, resulting in integrity and availability impacts. Publicly available exploit code exists, and the flaw requires user authentication but is trivially exploitable with low attack complexity.
SourceCodester Online Food Ordering System 1.0 allows authenticated remote attackers to manipulate product pricing through the save_product function in Actions.php, leading to business logic errors including potential negative or arbitrary price values. The vulnerability affects the POST parameter handler and carries a CVSS score of 5.3 with publicly available exploit code; while not in CISA's KEV catalog, the public exploit availability and disclosure via vuldb indicate real-world exposure.
Google Chrome prior to version 147.0.7727.55 contains a sandbox bypass vulnerability in the Audio subsystem that allows remote attackers to circumvent download policy restrictions by convincing users to perform specific UI gestures on a crafted HTML page. The vulnerability has low practical exploitability (EPSS 0.02%) and requires active user interaction, limiting real-world risk despite cross-origin scope impact.
Cross-site scripting (XSS) vulnerability in Go's html/template package allows incorrect escaping of template actions within JavaScript template literals, enabling attackers to inject malicious scripts when template branches and brace-depth tracking are mishandled. Affects html/template versions prior to 1.26.2 and 1.25.9. The vulnerability requires user interaction (UI:R) and is not actively exploited based on available intelligence, though the low EPSS score (0.01%) indicates minimal real-world exploitation likelihood despite the network-accessible attack vector.
Stored cross-site scripting (XSS) in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to inject malicious scripts via the ID parameter in /delete.php, which are executed in the context of other users' browsers when they interact with the affected page. The vulnerability requires user interaction (clicking a malicious link) but has a published proof-of-concept and CVSS 5.1 score reflecting moderate impact on data integrity; exploitation is confirmed possible but not currently in CISA KEV.
Stored cross-site scripting (XSS) in code-projects Easy Blog Site 1.0 allows authenticated remote attackers to inject malicious scripts via the postTitle parameter in /posts/update.php, potentially compromising user sessions and data integrity. The vulnerability requires user interaction (UI:P) and authentication (PR:L), but carries published exploit code and a moderate CVSS score of 5.1, indicating practical exploitation risk in multi-user blog environments.
Server-Side Request Forgery (SSRF) in Brecht Visual Link Preview WordPress plugin versions through 2.3.0 allows authenticated attackers with low privileges to make arbitrary network requests from the affected server, potentially accessing internal resources, metadata services, or performing actions on behalf of the server. No public exploit code identified at time of analysis, though the vulnerability carries low real-world exploitation probability (EPSS 0.02%) despite moderate CVSS scoring.
Path traversal via backslash bypass in NiceGUI file upload sanitization allows arbitrary file write on Windows systems. The vulnerability exploits a cross-platform path handling inconsistency where PurePosixPath fails to strip backslash-based path traversal sequences, enabling attackers to write files outside the intended upload directory when applications construct paths using the sanitized filename. Windows deployments are exclusively affected; potential remote code execution is possible if executables or application files can be overwritten. No public exploit code identified at time of analysis, though the vulnerability is confirmed in NiceGUI versions prior to 3.10.0.
Saleor e-commerce platform (versions 2.10.0 through 3.23.0a2) contains an authentication bypass vulnerability in the account email change workflow that allows authenticated attackers to change another user's email address by replaying a valid email-change confirmation token issued for a different account. The flaw stems from the confirmation flow's failure to verify that the token was issued for the requesting user, enabling token reuse across accounts with low attack complexity. The vulnerability affects millions of potential e-commerce deployments and is fixed in versions 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118; no public exploit code or active exploitation in the wild has been identified at the time of analysis.
DOM-based cross-site scripting in fesomia FSM Custom Featured Image Caption WordPress plugin versions up to 1.25.1 allows authenticated administrators with high privileges to inject malicious scripts via improper input neutralization during featured image caption generation. The vulnerability requires user interaction (UI:R) and high administrator privileges (PR:H), limiting real-world risk despite the network-accessible attack vector. EPSS exploitation probability is very low at 0.03% percentile rank, and no public exploit code or active exploitation has been identified.
DOM-based cross-site scripting (XSS) in Chief Gnome Garden Gnome Package through version 2.4.1 allows authenticated high-privilege users to inject malicious scripts via improper input neutralization during web page generation. An attacker with administrative credentials can craft requests that execute arbitrary JavaScript in the browsers of other users when they view affected pages. The vulnerability requires user interaction (UI:R) and high-privilege authentication (PR:H), significantly limiting real-world exploitation scope. EPSS exploitation probability is minimal at 0.03% (8th percentile), and no public exploit code has been identified.
DOM-based cross-site scripting (XSS) in Jongmyoung Kim's Korea SNS WordPress plugin versions up to 1.7.0 allows authenticated high-privilege users to inject malicious scripts into web pages viewed by others. The vulnerability requires user interaction (UI:R) and high-privilege authentication (PR:H), limiting real-world exploitability to scenarios where administrative or editor-level WordPress accounts are compromised or misused. EPSS exploitation probability is minimal at 0.03% (8th percentile), indicating low technical likelihood despite the network-accessible attack vector.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ashish Ajani WP Simple HTML Sitemap wp-simple-html-sitemap allows DOM-Based XSS.This issue affects WP Simple HTML Sitemap: from n/a through <= 3.8.
Stored cross-site scripting (XSS) in Themeum Qubely WordPress plugin version 1.8.14 and earlier allows authenticated high-privilege users to inject malicious scripts that execute in the browsers of other site visitors, compromising session integrity and enabling credential theft or malware distribution. The vulnerability requires administrator authentication and user interaction (UI:R), limiting immediate risk, but stored persistence means injected payloads remain active until remediated. EPSS exploitation probability is extremely low at 0.03%, suggesting minimal real-world targeting despite public disclosure.
Stored XSS in Shahjada Download Manager WordPress plugin versions up to 3.3.53 allows authenticated administrators with high privileges to inject malicious scripts that execute in users' browsers. The vulnerability requires user interaction (UI:R) and high administrative privileges (PR:H), limiting real-world attack surface; EPSS exploitation probability is exceptionally low at 0.03% (8th percentile), indicating minimal practical risk despite the stored nature of the vulnerability.
MyBookTable Bookstore WordPress plugin versions 3.6.0 and earlier allow authenticated high-privilege users to inject malicious scripts that are stored and executed in the browsers of other users, enabling stored cross-site scripting (XSS) attacks. The vulnerability requires admin-level authentication and user interaction from victims to trigger, limiting real-world exploitation scope despite network accessibility. EPSS probability is exceptionally low at 0.03%, reflecting the authentication and interaction barriers.
Stored cross-site scripting (XSS) in Themefic Hydra Booking WordPress plugin through version 1.1.38 allows authenticated attackers with high privileges to inject malicious scripts that execute in users' browsers with user interaction. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to compromise user sessions or steal sensitive data from booking-related functionality. EPSS probability of exploitation is very low at 0.03% (8th percentile), and no public exploit code or active exploitation has been confirmed.
Cross-site request forgery in Zammad OAuth callback endpoints for Microsoft, Google, and Facebook authentication allows authenticated attackers to hijack user sessions by crafting malicious requests that bypass CSRF state validation, potentially granting unauthorized access to user accounts and helpdesk data. The vulnerability affects Zammad versions prior to 7.0.1 and 6.5.4, and while no public exploit code has been identified, the attack requires user interaction and moderate attacker effort to execute successfully.
Path traversal in Hono's toSSG() function allows attackers to write files outside the configured output directory during static site generation by injecting traversal sequences into ssgParams dynamic route values. The vulnerability is limited to build-time operations and does not affect runtime request handling. A vendor-released patch is available in Hono v4.12.12.
Denial of service in Axios HTTP/2 client before version 1.13.2 allows unauthenticated remote attackers to crash Node.js applications through malicious HTTP/2 server responses that trigger state corruption during concurrent session closures. The vulnerability exploits a control flow error in session cleanup logic with high attack complexity, making real-world exploitation require specific server-side conditions but posing significant risk to applications relying on HTTP/2.
CoolerControl's coolercontrold daemon versions before 4.0.0 lack proper authentication controls, allowing unauthenticated local attackers to view and modify sensitive system data through unprotected HTTP API endpoints. The vulnerability affects coolercontrold 0.14.0 through 3.x, with CVSS 5.9 reflecting local attack vector and low-complexity exploitation; no public exploit code or active KEV status identified at time of analysis.
Use of a default cryptographic key in Intel Pentium Processor Silver Series, Celeron Processor J Series, and Celeron Processor N Series hardware allows privilege escalation when a hardware reverse engineer with privileged user access performs a high-complexity physical attack with special internal knowledge. The vulnerability has a CVSS score of 5.8 with physical attack vector (AV:P) and high attack complexity (AC:H), requiring privileged access (PR:H) and special attack time requirements (AT:P). No public exploit code or active CISA KEV designation has been identified.
Monetr allows authenticated tenant users to soft-delete protected synced transactions through the PUT update endpoint by directly setting the deletedAt field, bypassing the explicit DELETE protection that prevents such operations. This authorization bypass compromises transaction history integrity and audit trail reliability for imported transactions that should be immutable. The vulnerability requires authentication and user interaction but enables attackers to hide critical financial records from normal views while the soft-deleted data remains accessible via direct retrieval, affecting any Monetr deployment relying on synced transaction immutability.
Authenticated users can leak IP addresses of other users viewing Code Quality reports in GitLab EE through specially crafted malicious content injection. The vulnerability affects GitLab EE versions 18.0.0 through 18.10.2, requires user interaction (report viewing), and has been patched in versions 18.8.9, 18.9.5, and 18.10.3. No public exploit code or active exploitation has been confirmed; the vulnerability was discovered and reported through the GitLab responsible disclosure program.