Unauthenticated reflected/stored cross-site scripting in the JetEngine WordPress plugin (versions <= 3.8.9.1) allows remote attackers to inject malicious script into pages rendered by the plugin, which then executes in the browser of any visitor who interacts with the crafted content. Successful exploitation enables session hijacking, credential theft, or administrative actions performed against logged-in WordPress users including site administrators. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthenticated reflected/stored cross-site scripting in the Cozmoslabs Profile Builder Pro WordPress plugin (versions 3.15.0 and earlier) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The flaw carries a CVSS 3.1 score of 7.1 with scope change, meaning the injected script can affect resources beyond the vulnerable component (typically the WordPress admin session). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Reflected/stored cross-site scripting in the Kapee WordPress theme versions prior to 1.7.1 allows remote unauthenticated attackers to inject arbitrary script that executes in a victim's browser after user interaction, with a scope change that can impact other components beyond the vulnerable theme. No public exploit identified at time of analysis, but the vulnerability was disclosed via Patchstack with a CVSS of 7.1, reflecting the unauthenticated nature combined with required user interaction.
Unauthenticated reflected/stored cross-site scripting in the Collectchat WordPress plugin versions 2.4.9 and earlier allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. No public exploit identified at time of analysis, but the unauthenticated nature combined with scope change (S:C) makes this attractive for opportunistic attacks against WordPress sites running the plugin.
Reflected cross-site scripting in the WPZOOM Addons for Elementor WordPress plugin (versions 1.3.4 and earlier) allows unauthenticated remote attackers to inject arbitrary script into a victim's browser session by tricking them into following a crafted link. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 7.1 with scope change, reflecting potential impact on the broader WordPress site context; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Reflected cross-site scripting in the WPJobster WordPress theme through version 6.3.5 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The flaw carries a CVSS 3.1 score of 7.1 with a scope change (S:C), reflecting impact on browser-side resources beyond the vulnerable application. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but Patchstack has catalogued it as a confirmed reflected XSS.
Reflected cross-site scripting in the Skillate WordPress theme versions 1.2.10 and below allows remote unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link. The flaw carries a CVSS 3.1 score of 7.1 with scope change (S:C), reflecting that the injected script runs in the WordPress site context and can pivot against authenticated users including administrators. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Reflected cross-site scripting in the VamTam Auto Repair WordPress theme versions 22.6 and earlier allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser after tricking them into clicking a crafted link. The flaw was disclosed via Patchstack and carries a CVSS 7.1 due to scope change impact on the WordPress admin context; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Reflected or stored cross-site scripting in the Sonaar WordPress theme versions 4.27.4 and earlier allows remote unauthenticated attackers to inject malicious script into pages rendered to victims who follow a crafted link or interact with attacker-controlled content. The CVSS scope-change vector (S:C) indicates the injected script can impact resources beyond the vulnerable component, such as the WordPress admin session of a logged-in user. No public exploit identified at time of analysis, and the issue is not on CISA's KEV list.
Denial of service in libtiff v4.7.1 and prior allows processing of a crafted TIFF file containing an abnormally large SamplesPerPixel tag value to crash or hang the affected process. Any application or service that passes attacker-controlled TIFF files through libtiff is potentially vulnerable, including web-based image processors, document converters, and media ingestion pipelines. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at the time of this analysis.