Unauthenticated SQL injection in the Quotes llama WordPress plugin (versions 3.1.5 and earlier) lets remote attackers without credentials inject malicious SQL through plugin input handling, exposing the WordPress database. The CVSS 3.1 base score of 9.3 reflects network reachability with no authentication and a scope change, meaning impact can reach beyond the plugin into the underlying database. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.
Unauthenticated SQL injection in the WordPress payment plugin 워드프레스 결제 심플페이 (SimplePay / pgall-for-woocommerce) version 5.5.6 and earlier lets remote attackers inject arbitrary SQL against the WooCommerce database without any authentication or user interaction. Per the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N), exploitation is trivial and network-reachable, with high confidentiality impact and a changed scope. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
SQL injection in the GeoDirectory WordPress plugin (versions up to and including 2.8.162) allows remote unauthenticated attackers to inject malicious SQL into backend queries, per Patchstack. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) with PR:N indicates exploitation requires no authentication, and the scope-changed, high-confidentiality rating (S:C/C:H) points to database disclosure beyond the plugin's own data. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
SQL injection in the Real Estate 7 WordPress theme (versions up to and including 3.5.9) lets unauthenticated remote attackers inject malicious SQL through an unsanitized parameter, exposing backend database contents. The CVSS 3.1 base score is 9.3 (S:C/C:H) driven by the scope change and high confidentiality impact, with no authentication or user interaction required. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was reported through Patchstack's vulnerability research program.
Unauthenticated SQL injection in the wpDataTables WordPress plugin (versions up to and including 7.4) lets remote attackers inject crafted SQL into database queries without any authentication or user interaction, exposing the WordPress backend database. With a CVSS 9.3 (critical) score and a CWE-89 root cause, the flaw enables extraction of sensitive data such as user credentials and configuration secrets. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated SQL injection in the JetBooking WordPress plugin (versions 4.0.4.1 and earlier) lets remote attackers inject crafted SQL into a vulnerable query without any login, exposing the WordPress database. Reported by Patchstack with a CVSS 9.3 (scope-changed, high confidentiality impact), the flaw allows extraction of sensitive data such as user credentials and booking records. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Authentication bypass in the Setracker2 Android companion app (com.tgelec.setracker) versions 3.1.5 and prior lets an attacker who possesses a user's stored password hash authenticate directly to the backend and gain full account access. Because the backend treats the password hash itself as the secret credential, the hash is password-equivalent and does not need to be cracked back to plaintext. No public exploit identified at time of analysis; the issue was disclosed through CISA/ICS-CERT (advisory VA-26-176-01) and carries a high CVSS 4.0 score of 9.2.
Arbitrary file upload in the TemplateSpare WordPress plugin (versions 4.2.0 and earlier) allows an authenticated administrator-level user to upload files of dangerous types, enabling deployment of a PHP web shell and full server compromise. The flaw was reported by Patchstack and carries a CVSS of 9.1, but exploitation requires existing high-privilege (Administrator) access. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
OS command injection in Dokku (the Docker-powered self-hosted PaaS) prior to version 0.38.2 allows an authenticated user with git push access to execute arbitrary shell commands as the privileged dokku user. The flaw stems from a permissive app-name validation regex that accepts shell metacharacters, which are then interpolated unquoted into a generated bash pre-receive hook; a semicolon in the app name terminates the intended command and runs attacker-supplied commands on git push. There is no public exploit identified at time of analysis, but the fix is confirmed in 0.38.2 and the underlying mechanics are fully documented in the GitHub advisory and PR #8590.
Remote code execution in the Cudy LT300 3.0 4G LTE router (firmware before 2.5.12) lets authenticated users run arbitrary OS commands by embedding shell metacharacters in the cbid.system.ntp.current POST parameter of the system time (NTP) configuration page. Because the CVSS 4.0 vector specifies PR:L, an attacker needs valid (low-privileged) web credentials but no user interaction, and successful injection yields full host compromise (VC/VI/VA all High). No public exploit identified at time of analysis; the flaw was reported by VulnCheck and a vendor patch is available.
Remote code execution in Revive Adserver is reachable by authenticated low-privilege users who bypass the prior fix for CVE-2026-34916, either by supplying a disallowed-but-valid plugin identifier in the `type` parameter or by abusing the `ox.setChannelTargeting` XML-RPC API method. The flaw lets an attacker inject and execute arbitrary code (CWE-94) on the server, fully compromising confidentiality, integrity, and availability. Reported via HackerOne by multiple researchers (including phucrio and offsetmd); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Privilege escalation in the Fusion Builder WordPress plugin (versions 3.15.4 and earlier) lets a low-privileged authenticated user, such as a Contributor, gain capabilities far beyond their role and effectively act as an administrator. The flaw was reported by Patchstack and carries a CVSS 8.8; no public exploit identified at time of analysis and it is not listed in CISA KEV. Because Fusion Builder is the page builder bundled with the widely sold Avada theme, the exposure spans a large number of WordPress sites that allow self-registration or untrusted contributor accounts.
Local privilege escalation or denial of service in the Linux kernel's Intel VT-d IOMMU driver (iommu/vt-d) arises from incomplete handling of a missing dev_pasid entry during PASID teardown; an authenticated low-privileged actor able to drive IOMMU/PASID detach operations can trigger a NULL pointer dereference or unbalanced refcount that may decay into a use-after-free. This completes an earlier partial fix (commit 60f030f7418d) and is tagged as Denial of Service. There is no public exploit identified at time of analysis, and EPSS exploitation probability is low at 0.17% (6th percentile).
Resource access-after-free in the Linux kernel's vfio/pci subsystem allows a local user with device access to read or corrupt PCI device resources during a race window on device shutdown, because vfio_pci_core_close_device() disabled the function before tearing down DMABUF exports. During the window the function's Memory Space Enable bit is cleared and its BARs (and their backing resources) are freed and reassignable to another driver, while stale DMABUF mappings still reference them. EPSS is low (0.14%, 4th percentile) and there is no public exploit identified at time of analysis; the upstream fix reorders cleanup to revoke DMABUF access first.
Cross-operator authorization bypass in juev/nebula-mesh (<= 0.3.4) lets any authenticated non-admin operator read and mutate resources owned by other operators through the web UI (/ui/*), which-unlike the JSON API fixed in GHSA-598g-never applies per-operator CA scoping. An attacker with a low-privileged operator account can enumerate every operator's hosts and networks (names, Nebula/public IPs, certificate fingerprints, CIDRs) and can block (revoke certificates) or delete any host in the deployment, causing cross-operator denial of service. No public exploit identified at time of analysis and the issue is not in CISA KEV, but exploitation is trivial for any non-admin user once one exists.
Privilege escalation in OpenProject before 17.3.3 and 17.4.1 lets an attacker forge a cross-site request to /users/:id carrying the POST parameter user[admin], coercing a logged-in privileged user's browser into granting administrator rights to an arbitrary account. The flaw (CWE-352) rates CVSS 8.8 because a successful forgery yields full administrative control over the instance; no public exploit is identified at time of analysis and it is not listed in CISA KEV. Both the 17.3.x and 17.4.x maintenance lines are affected, with fixes shipped in 17.3.3 and 17.4.1.
Arbitrary file write in Dokku before 0.38.2 lets an attacker with deploy-level access escalate to full shell access on the host. The git:from-archive and certs:add commands extract attacker-supplied tar/zip archives without sanitizing member paths, and because GNU tar creates and then follows symlinks during extraction, a crafted archive can plant files anywhere the dokku user can write - most damagingly ~/.ssh/authorized_keys. There is no public exploit identified at time of analysis and CISA SSVC records exploitation as none, but the technical impact is rated total.
OS command execution on the Dokku host is possible through the openresty-vhosts plugin in versions prior to 0.38.2, where custom OpenResty include filenames from an app's git repository are interpolated unescaped into a single-quoted shell string that is later run through eval. An attacker who can deploy a Dokku app with the openresty proxy enabled can plant a file whose name contains a single quote to break the quoting and inject a command substitution, executing arbitrary commands as the dokku user on the next deploy. There is no public exploit identified at time of analysis and it is not in CISA KEV, though the upstream advisory and a security regression test document the mechanism precisely.
Cross-Site Request Forgery in the WordPress plugin 'Paid Memberships Pro - Add Member From Admin' (versions 0.7.2 and earlier) lets a remote attacker forge privileged member-management actions by tricking a logged-in administrator into loading a malicious page. Because the plugin's member-add functionality lacks valid CSRF nonce protection (CWE-352), an attacker can abuse the admin's authenticated session to create or modify membership records, yielding high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not supplied.
Authenticated PHP object injection in the RealHomes WordPress theme (versions 4.5.3 and earlier) lets a low-privileged Subscriber-level account inject crafted serialized objects into an unsafe deserialization sink (CWE-502). Because WordPress applications and plugins commonly contain POP gadget chains, this can escalate to arbitrary file operations, SQL injection, or remote code execution, which is reflected in the high CVSS 8.8 (C:H/I:H/A:H). Reported by Patchstack; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Privilege escalation in the Frisbii Pay (reepay-checkout-gateway) WordPress plugin through version 1.8.2 allows a low-privileged authenticated user holding a Contributor role to elevate to higher privileges due to a missing authorization check. Reported through Patchstack's audit program and tagged as both Authentication Bypass and Privilege Escalation, the flaw carries a CVSS 8.8 and full confidentiality, integrity, and availability impact, meaning a successful actor can effectively take administrative control of the affected WordPress site. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Privilege escalation in the Abandoned Cart Pro for WooCommerce plugin (versions <= 10.4.0) allows an authenticated low-privileged user (Subscriber) to elevate their own permissions and gain higher-privileged capabilities within the WordPress site. The flaw, reported by Patchstack and classified as CWE-266 (Incorrect Privilege Assignment), carries a CVSS 8.8 and is network-exploitable with low complexity once an attacker holds any minimal account. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Cross-Site Request Forgery in the Eagle Booking WordPress plugin (versions 1.3.4.3 and earlier) lets an unauthenticated attacker forge state-changing requests that execute with a logged-in victim's privileges when that victim is lured into triggering a malicious page. Reported through Patchstack and tracked as CVE-2025-68052 (CWE-352) with a CVSS 8.8 score, it has no public exploit identified at time of analysis and is not listed in CISA KEV. Because exploitation hinges on tricking an authenticated user (UI:R), real-world impact depends on which privileged user is targeted.
Arbitrary code execution in the OWASP ZAP ViewState add-on (versions before 4) lets a malicious or attacker-controlled proxied web server compromise the security tester's own ZAP instance. By embedding a crafted serialized Java object in the javax.faces.ViewState response parameter, an attacker triggers unsafe Java deserialization inside the ZAP JVM the moment the operator views the ViewState panel in the Desktop UI. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the vendor has published an advisory and shipped a fix (viewstate-v4) that disables JSF support entirely.
Broken access control in Teable's v2 REST API lets any authenticated user bypass authorization and act across bases and tables they should not reach. Because the ORPC controller endpoints (e.g. GET /api/v2/tables/get, POST /api/v2/tables/updateRecords) ship without the required @Permissions metadata, an attacker holding even a low-privileged account can enumerate schemas, create tables, and modify or delete arbitrary records. No public exploit is identified at time of analysis, and the issue is not on CISA KEV, but a vendor fix (PR #3285) and patched release are available.
Cleartext recovery of Setracker2 GPS-watch traffic is possible because the com.tgelec.setracker Android companion app (versions 3.1.5 and prior) protects watch-to-backend requests with static, hardcoded AES keys and initialization vectors. Any attacker who can observe the encrypted traffic - or who extracts the keys from the freely distributed APK - can decrypt communications between the wearable tracker and its cloud backend, exposing location and account data of the (frequently child) wearers. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Session hijacking in the Setracker2 Android companion app (com.tgelec.setracker) version 3.1.5 and earlier stems from the use of MD5 to generate the request signature that authenticates traffic between the mobile client and the backend REST API. Because MD5 is cryptographically broken, an attacker who can observe a signed request may reverse the signature to recover the embedded session ID and then impersonate the legitimate user, issuing authenticated API calls against the kids'/GPS-tracker backend. Reported by CISA ICS-CERT (DHS) and tracked in a CSAF advisory; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Offline administrator password recovery in Kestra OSS (versions prior to 1.3.24) stems from its BasicAuth component storing the admin credential as a fast SHA-512 hash. An attacker who already holds read access to the backing PostgreSQL database can extract that hash and crack it offline at high speed, then log in as administrator; in Kubernetes deployments this further exposes the cluster ServiceAccount token and all K8s Secrets, enabling vertical privilege escalation. No public exploit identified at time of analysis and not on CISA KEV; EPSS data was not provided.
Arbitrary file read/write in the Node.js extract-zip library (max-mapper/extract-zip) arises because symlink entries inside zip archives are extracted without validating their targets. An attacker who supplies a crafted archive containing a symlink with a traversal target such as '../../../../etc/passwd' can cause files to be placed or resolved outside the intended extraction directory, leading to disclosure or modification of sensitive files depending on how the host application uses the extracted output. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, though the CVSS 4.0 base score of 8.6 reflects high confidentiality and integrity impact.
Cross-tenant object injection in RustFS 1.0.0-beta.4 lets a tenant holding only PutObject rights on their own bucket write arbitrary objects into other tenants' buckets, fully breaking multi-tenant isolation. The flaw lives in the Snowball auto-extract feature and chains three weaknesses (unsanitized tar entry keys, IAM wildcard matching on raw paths, and filesystem path cleaning that resolves ../ across bucket boundaries). No public exploit is identified at time of analysis, and it is not listed in CISA KEV.
Unauthenticated format string flaw in the vlsvr service of GeoVision GV-LPC2011 and GV-LPC2211 license plate recognition cameras (firmware V1.12 and earlier) lets remote attackers send crafted login data that the device passes unsanitized into a log-formatting routine. Successful exploitation can leak memory contents, corrupt memory, or crash the service, with the high availability impact (CVSS 8.6) reflecting denial of service as the most reliable outcome. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Information disclosure and related weaknesses in the BitFire Security WordPress firewall plugin (versions 5.0.3 and earlier) let remote unauthenticated attackers extract sensitive data and tamper with limited integrity, per a Patchstack-reported advisory. The CVSS 3.1 base score of 8.6 reflects network-reachable, no-privilege exploitation (AV:N/AC:L/PR:N/UI:N) with high confidentiality impact, ironic for a product whose purpose is to harden WordPress sites. No public exploit code has been identified at time of analysis, and the issue is not on the CISA KEV list; EPSS data was not provided.
SQL injection in the Groundhogg WordPress CRM/marketing-automation plugin (versions <= 4.5) allows an authenticated low-privileged user holding the Sales Representative role to inject arbitrary SQL into a database query, exposing sensitive data across the WordPress installation. The CVSS 3.1 base score is 8.5 (High) with a scope change, reflecting that compromise of the plugin's data layer reaches beyond its own privilege boundary. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS value supplied in the source data.
SQL injection in the WordPress 'Gallery' plugin (gallery-plugin) through version 4.7.8 lets authenticated low-privilege users (Contributor role and above) inject crafted SQL via plugin-handled parameters, exposing the WordPress database. Tracked as CVE-2026-57642 (CWE-89) and reported by Patchstack, the flaw carries a CVSS 3.1 base score of 8.5; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. A Contributor account is required, which limits exploitation to sites that allow self-registration or otherwise provision contributor-level access.
Cross-tenant VM compromise in KubeVirt (and Red Hat OpenShift Virtualization 4) occurs when spec.configuration.migrations.disableTLS is set to true, causing virt-handler to expose an unauthenticated plaintext TCP proxy into a virt-launcher's virtqemud control socket on all interfaces. An authenticated tenant who can run any pod on the cluster network can reach this listener and issue arbitrary libvirt RPC commands against another tenant's virtual machine - reading guest memory, altering VM state via QMP, or destroying the VM. No public exploit identified at time of analysis; not listed in CISA KEV, and no EPSS score was provided.
Local privilege escalation in NEC's ExpressUpdate Agent for Windows allows a low-privileged user who can already access the host to execute arbitrary code with SYSTEM privileges, owing to insufficient access controls on the agent. Reported by NEC under advisory NV26-004, the flaw carries a CVSS 4.0 base score of 8.5 (High) and maps to CWE-782 (exposed IOCTL with insufficient access control). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Server-side request forgery in the AutoGPT Platform (versions prior to 0.6.52) lets an authenticated user abuse the SendWebRequestBlock to reach internal network services that the private-IP filter is supposed to protect. The flaw stems from _is_ip_blocked() in backend/backend/util/request.py failing to normalize IPv4-mapped IPv6 addresses and omitting RFC 6598 CGNAT space (100.64.0.0/10), so a hostname resolving to a mapped address passes validation and the request hits the embedded internal IPv4 endpoint. No public exploit identified at time of analysis; this affects all AutoGPT Platform deployments and is fixed in 0.6.52.
SQL injection in the Zip Recipes (Recipe Maker For Your Food Blog) WordPress plugin lets an authenticated Contributor-level user inject arbitrary SQL through the plugin in versions 8.2.7 and earlier, exposing the full WordPress database. Reported by Patchstack, the flaw carries a CVSS 3.1 score of 8.5 with a scope change (S:C) reflecting access beyond the plugin's own data. No public exploit identified at time of analysis, and the issue is not in CISA KEV.
SQL injection in the Contest Gallery WordPress plugin (versions <= 30.0.0) allows an authenticated user with Contributor-level access to inject arbitrary SQL through unsanitized input, exposing the contents of the WordPress database. The flaw was disclosed via Patchstack and carries a CVSS 8.5; no public exploit code has been identified at time of analysis and it is not listed in CISA KEV. The CVSS vector indicates a scope change (S:C), meaning the impact reaches beyond the vulnerable component into the underlying database.
SQL injection in the WP Job Portal WordPress plugin (versions 2.5.2 and earlier) lets a low-privileged Contributor-level user inject arbitrary SQL into a backend query, exposing the WordPress database. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H) reflects high confidentiality impact with a scope change, and the issue was reported by Patchstack. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
SQL injection in the Restaurant Menu by MotoPress WordPress plugin (versions 2.4.10 and earlier) lets users holding Contributor-level accounts inject crafted SQL into backend database queries. Reported by Patchstack and classified as CWE-89, the flaw carries CVSS 8.5 and primarily threatens confidentiality, allowing a low-privileged authenticated user to read arbitrary data from the WordPress database. No public exploit identified at time of analysis, and EPSS/KEV data were not provided in the source intelligence.
SQL injection in the WP Post Author WordPress plugin (versions 3.9.1 and earlier) allows authenticated users with Contributor-level access to inject arbitrary SQL into the site database. Because exploitation requires only a low-privilege account (PR:L) over the network with no user interaction, any site that permits self-registration or has untrusted contributors is at material risk of database content disclosure. There is no public exploit identified at time of analysis and the issue is not in CISA KEV, but Patchstack-reported WordPress plugin SQLi flaws are commonly weaponized after disclosure.
SQL injection in the wpForo Forum plugin for WordPress (versions 3.0.9 and earlier) allows users holding low-privileged Contributor accounts to inject arbitrary SQL into backend database queries. Reported by Patchstack, the flaw (CWE-89) carries a CVSS 8.5 and a scope-changing vector, meaning an authenticated forum contributor can read sensitive database contents beyond the plugin's own data. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Remote code execution in Blocksy Companion Pro (the premium add-on plugin for the Blocksy WordPress theme) versions 2.1.45 and earlier allows authenticated users holding only the low-privilege Contributor role to inject and execute arbitrary PHP code on the host. The flaw, reported by Patchstack and tracked under CWE-94, carries a CVSS 3.1 base score of 8.5 with a changed scope, meaning successful exploitation can impact components beyond the WordPress application itself. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; no EPSS score was provided in the source data.
SQL injection in the Tourfic WordPress plugin (versions 2.22.5 and earlier) lets authenticated subscriber-level users inject arbitrary SQL through a vulnerable parameter, exposing the WordPress database. Because only a low-privilege account is required and registration is often open on WordPress sites, an attacker can read sensitive data such as user records and credential hashes. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthorized device enrollment in the Setracker2 Android companion app (com.tgelec.setracker) versions 3.1.5 and prior lets remote attackers hijack other users' GPS smartwatches by guessing their registration ID. The registration ID is predictably derived from the device IMEI, and the enrollment workflow performs no secondary authentication before binding a watch to an account, so an attacker who learns or calculates the ID can take over the target's tracker. No public exploit has been identified at time of analysis, and the issue carries a CVSS 4.0 base score of 8.3 with high confidentiality impact, reflecting exposure of a child's or wearer's location data.
Broken access control in the WordPress "MailChimp Block" plugin (versions 1.1.15 and earlier) lets unauthenticated remote attackers invoke protected plugin functionality without any authorization check, per the CVSS:3.1 vector (AV:N/PR:N/UI:N) and Patchstack's CWE-862 classification. The scope-changed vector (S:C) with low confidentiality, integrity, and availability impact indicates the missing authorization can affect resources beyond the vulnerable component itself. No public exploit is identified at time of analysis, and it is not listed in CISA KEV; EPSS data was not provided.
Cleartext credential disclosure in OpenProject's Storages module (versions prior to 17.3.3 and 17.4.1) writes the userless OneDrive/SharePoint OAuth access_token in plaintext to Rails.cache under the deterministic key storage.<id>.httpx_access_token, refreshed by an hourly cron and every userless-OAuth call. Because none of the supported cache backends (file_store, memcache, redis) encrypts at rest, an attacker who can read the cache backend retrieves the Azure-AD application-tier bearer token via an anonymous memcached/Redis get. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.
Information disclosure in RustFS, a Rust-based distributed object storage system, lets any authenticated user with no effective bucket or admin permissions read remote replication target configuration via the bucket replication admin API. Because the returned BucketTarget objects embed remote credentials, an attacker can harvest replication access keys and secret keys for downstream systems. The flaw affects 1.0.0-alpha.1 through versions prior to 1.0.0-beta.9 and is fixed in 1.0.0-beta.9; no public exploit identified at time of analysis.
Cross-Site Request Forgery in the Child Theme Wizard WordPress plugin (versions 1.4 and earlier) lets a remote, unauthenticated attacker trick a logged-in administrator into submitting forged state-changing requests, allowing unauthorized actions on the WordPress site without the victim's consent. The CVSS 3.1 score is 8.2 with a scope-change (S:C) and high integrity impact, reflecting that the forged action can affect resources beyond the vulnerable component. There is no public exploit identified at time of analysis, the flaw is not listed in CISA KEV, and no EPSS score was supplied.