Local File Inclusion in the WP User Manager WordPress plugin (versions through 2.9.17) allows unauthenticated remote attackers to include and execute arbitrary .php files on the server via the profile tab query parameter. The flaw stems from missing validation of the tab value before it is passed to the profile template loader, enabling path traversal to any PHP file the web server can read. No public exploit is identified at time of analysis, and the issue is not listed in CISA KEV, but POC behavior is effectively documented in the upstream fix's traversal test cases.
Stack-based buffer overflow in JingDong JD Cloud Box AX6600 firmware 4.5.3.r4546 allows authenticated remote attackers to corrupt memory via the set_macfilter function in /sbin/jdcweb_rpc, potentially achieving arbitrary code execution on the router. Publicly available exploit code exists (archive hosted on cdn2.v50to.cc), increasing the likelihood of opportunistic abuse against exposed devices. The vendor did not respond to coordinated disclosure, so no fix is currently confirmed.
Local privilege escalation in clash-verge-service-ipc before 2.3.0 allows unprivileged local users on macOS and Linux to interact with a world-reachable IPC socket exposed by the privileged Clash Verge service, enabling them to invoke service operations that run with elevated rights. The upstream fix (PR #23) restricts IPC permissions to 0750 on the directory and 0660 on the socket, and the patched dependency was incorporated into the Clash Verge Rev desktop client. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.
Denial of service in the Perl Protocol::HTTP2 module versions up to and including 1.12 lets remote unauthenticated attackers exhaust server memory by sending a small HTTP/2 request that expands massively during HPACK decoding (an 'HTTP/2 bomb'). The module advertises MAX_HEADER_LIST_SIZE in SETTINGS but never enforces it on decode, and version 1.12 made things worse by unbounded CONTINUATION-frame buffering. No public exploit identified at time of analysis, and EPSS is very low (0.02%), but CPANSec has coordinated a vendor patch.
Remote code execution in the MDJM Event Management WordPress plugin (versions through 1.7.8.3) allows authenticated administrators to upload arbitrary files, including executable PHP, via the mdjm_send_comm_email function which performs no file type, extension, or MIME validation. The flaw is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) and carries a CVSS 3.1 score of 7.2, with publicly available exploit code existing on GitHub and a detailed write-up published by the researcher. No public exploit identified in CISA KEV, and exploitation requires administrator-level privileges, limiting realistic impact to post-compromise or insider scenarios.
Stored cross-site scripting in the Integration for Freshsales WordPress plugin (versions up to and including 1.0.15) allows unauthenticated attackers to inject arbitrary JavaScript via form submission data that executes when an administrator views the failed-CRM-call error log modal in wp-admin. The flaw, reported by Wordfence and tracked as CWE-79, carries CVSS 7.2 due to scope change (S:C) since the payload escapes from the form-submission context into the privileged admin panel, though no public exploit identified at time of analysis.
Stored cross-site scripting in the All-In-One Security (AIOS) WordPress plugin through version 5.4.7 allows unauthenticated attackers to inject JavaScript that executes when administrators view the debug logs page. The flaw was reported by Wordfence and requires two specific plugin settings to be enabled simultaneously, and no public exploit identified at time of analysis. Successful exploitation enables nonce theft and privileged actions on behalf of the administrator, potentially leading to full site takeover.
Privilege escalation in the Booking Package plugin for WordPress (versions up to and including 1.7.16) allows authenticated attackers with Editor-level access or above to take over any account, including Administrator accounts, by abusing the 'updateUser' branch of the package_app_action AJAX endpoint. The handler validates only a nonce and passes a hard-coded administrator flag to Schedule::updateUser(), letting attackers supply arbitrary target user IDs to wp_update_user() and reset the email and password of any account. No public exploit identified at time of analysis, but the issue was disclosed by Wordfence and results in full site compromise once an Editor account is obtained.