Account takeover in the Invoice Generator (Pravel) plugin for WordPress through version 1.0.0 lets unauthenticated attackers hijack any account, including administrators. The pravel_invoice_edit_account() AJAX handler is registered for unauthenticated users and calls wp_update_user() with attacker-supplied user_id and user_email without any capability check, nonce, or ownership verification, so an attacker can overwrite an admin's email and then drive the password-reset flow to seize the account. Rated CVSS 9.8 and reported by Wordfence; no public exploit identified at time of analysis and it is not in CISA KEV.
Broken access control (Insecure Direct Object Reference) in the Paid Member Subscriptions WordPress plugin before 4.16.17 lets any authenticated low-privileged user (Subscriber or above) cancel arbitrary other users' active subscriptions by manipulating the subscription identifier in a subscription-action request. The plugin fails to verify that the requesting account owns the targeted subscription. No public exploit identified at time of analysis, EPSS is low at 0.14% (3rd percentile), and the issue is not in CISA KEV, but the attack is trivial to perform once any account exists on the site.
Local privilege escalation in the FreeBSD kernel sound subsystem lets an unprivileged user map kernel memory outside the audio buffer via an integer-overflow flaw in dsp_mmap_single(). Because /dev/dsp device nodes are world-accessible by default, any local user on a system with an audio device can read and write arbitrary kernel memory, enabling full system compromise or a kernel panic (DoS). No public exploit identified at time of analysis; EPSS is low (0.19%, 9th percentile), and FreeBSD has released errata patches.
Local privilege escalation in the FreeBSD kernel's vt(4) console driver stems from an integer overflow in the CONS_HISTORY ioctl handler, where an unvalidated history-size value undersizes a heap allocation and a subsequent buffer initialization writes past its end. Any unprivileged local user with access to a vt(4) terminal device can corrupt kernel heap memory and potentially escalate to root. Exploitation is local (PR:L) with no public exploit identified at time of analysis and a low EPSS of 0.18% (8th percentile).
Local ASLR bypass in the FreeBSD ELF image activator (kernel) lets an unprivileged user neutralize address-space layout randomization for setuid PIE binaries. By calling procctl(2) to request ASLR disablement before execve(2), the per-process disable flag remains active when the PIE base address is computed, because the activator clears the flag too late. This is a mitigation-weakening flaw that materially eases exploitation of any separate memory-corruption bug in those privileged binaries; there is no public exploit identified at time of analysis and EPSS is low (0.18%, 8th percentile).
Local privilege escalation in the FreeBSD kernel arises from a use-after-free in the IPv6 multicast source-filter handler (IPV6_MSFILTER), affecting FreeBSD 14.3, 14.4, and 15.0 releases before their respective patch levels. An unprivileged local user can win a race against the handler's dropped-then-reacquired serializing lock to free the multicast filter structure out from under the kernel, corrupting memory to gain root-level control. There is no public exploit identified at time of analysis, and EPSS is very low (0.13%), consistent with CISA SSVC marking exploitation as 'none' and not automatable.
Out-of-bounds heap write in the Zephyr RTOS IP socket stack (recvmsg/insert_pktinfo) lets an unprivileged local userspace thread corrupt kernel-heap memory on builds using CONFIG_USERSPACE. Affecting Zephyr v3.6.0 through v4.4.0, the flaw is triggered when an application calls recvmsg() with an undersized ancillary (msg_control) buffer on a UDP/IP socket that has IP_PKTINFO/IPV6_RECVPKTINFO (or hoplimit/timestamping) enabled and a datagram arrives. There is no public exploit identified at time of analysis and EPSS is low (0.12%), but the memory-corruption primitive gives full C/I/A impact locally.
HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.
The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and set-group-ID executables. An unprivileged local user can inject a shared library via LD_PRELOAD into a set-user-ID or set-group-ID Linux binary, gaining the privileges of that binary.
Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible through the stale mapping. The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS).
SQL Injection in the Groundhogg WordPress CRM plugin (all versions through 4.5.5) allows authenticated attackers holding Sales Representative-level access or above to extract arbitrary data from the underlying WordPress database via the `query[select]` REST API parameter. The vulnerability is exploitable through a deliberate sanitization bypass: submitting an invalid filter type in `query[filters]` triggers a FilterException that silently redirects execution from the protected `Contact_Query` path to the unprotected `Legacy_Contact_Query` path. No CISA KEV listing or confirmed public exploit code exists at time of analysis, though Wordfence's advisory directly references vulnerable source lines at plugin version 4.5.5, materially lowering the barrier to independent PoC development.
SQL injection in the Groundhogg CRM, Newsletters, and Marketing Automation WordPress plugin exposes the underlying WordPress database to authenticated attackers holding marketer-level access or higher. The 'search' parameter is insufficiently escaped across at least five distinct code paths - spanning db/db.php, db/steps.php, and api/v4/base-object-api.php - allowing appended SQL payloads to exfiltrate sensitive data including contact records, campaign data, and potentially WordPress user credentials. No public exploit code or CISA KEV listing has been identified at the time of analysis, but the vulnerability is straightforward to exploit with valid credentials given the low complexity rating.
Unauthorized data modification in the Frisbii Pay WordPress plugin (versions up to and including 1.8.9) allows authenticated attackers at Subscriber level or above to overwrite WooCommerce payment tokens, postmeta, and order meta records via unprotected AJAX endpoints. The root cause is CWE-862 (Missing Authorization) - the plugin's `upload_csv` and `process_batch` functions in the `MigrationMobilepayToVipps` class perform no WordPress capability checks before processing caller-supplied CSV data. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low privilege barrier (Subscriber) makes it meaningful in multi-tenant or open-registration WordPress environments.
Capsicum sandbox escape in FreeBSD allows a compromised capability-mode process to send arbitrary signals - including SIGKILL and SIGSTOP - to processes outside its sandbox, undermining Capsicum's core isolation guarantee. Affected are FreeBSD 14.3-RELEASE through 15.0-RELEASE in versions prior to their respective patch levels; the root cause is a 2011-era omission in kern_sigqueue that never enforced a PID self-restriction when a process operates in capability mode. EPSS is 0.14% (4th percentile), SSVC marks exploitation as none and non-automatable, and no public exploit has been identified at time of analysis.
Stored Cross-Site Scripting in the Page Builder by SiteOrigin WordPress plugin (all versions through 2.34.3) allows authenticated contributors to persist arbitrary JavaScript into post meta and execute it in any visitor's browser. The vulnerability bypasses WordPress's native content-filtering mechanisms because panels_data is stored as raw post meta rather than post content, placing it outside the scope of the unfiltered_html capability carve-out and the wp_kses fallback that would otherwise sanitize WP_Widget_Custom_HTML widget content. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (Contributor level) makes this a realistic threat on any multi-author or open-registration WordPress installation.
Stored Cross-Site Scripting in the Dokan WooCommerce Multivendor Marketplace plugin for WordPress (all versions through 5.0.4) allows any authenticated vendor-level user to permanently inject arbitrary JavaScript into product SKU fields, which then executes in the browsers of all site visitors - including unauthenticated users - via the store search widget's AJAX response path. The scope change (S:C in CVSS) is critical: the attacker plants the payload once as a vendor, but impact is borne by an unbounded population of end users who trigger the search widget. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; however, the attack surface is wide on marketplaces with open vendor registration.
Stored Cross-Site Scripting in the CodePeople Post Map for Google Maps WordPress plugin (versions through 1.2.6) permits authenticated Contributor-level users to persist malicious JavaScript payloads via the 'cpm_point' post meta field. The CVSS S:C (Scope Changed) flag confirms the injected scripts execute in victim browser sessions beyond the plugin's own context, enabling session hijacking, credential theft, or unauthorized admin actions against any user who visits an injected page. No confirmed active exploitation appears in CISA KEV, and no public exploit code has been identified at time of analysis.
Stored Cross-Site Scripting in the Surbma | Infusionsoft Shortcode WordPress plugin (versions ≤ 2.0.1) allows authenticated contributors to inject persistent malicious scripts that execute in any visitor's browser. The flaw originates in the surbma_infusionsoft_shortcode_shortcode() function, where the 'account' and 'id' shortcode attributes are concatenated without sanitization directly into a <script> tag's src attribute - a particularly dangerous injection point because it bypasses many output-escaping checks that target HTML attribute or element contexts. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present.
Reflected Cross-Site Scripting in the MaxButtons - Create buttons WordPress plugin (versions up to and including 9.8.5) allows unauthenticated attackers to inject arbitrary JavaScript via the unsanitized 'view' parameter, executing in the victim's browser context when a crafted URL is clicked. The flaw is traced to insufficient input sanitization in listController.php and maxbuttons-list.php, as confirmed by Wordfence and source-level references in the WordPress plugin repository. No public exploit code or CISA KEV listing has been identified at time of analysis, though the low attack complexity and zero-privilege requirement make social-engineering-based exploitation straightforward.
Sensitive application data exposure in HCL Traveler for Microsoft Outlook (HTMO) allows a local low-privileged attacker to read sensitive information - likely credentials, tokens, or session data written to application log files (CWE-532) - potentially enabling follow-on attacks against connected systems. The CVSS vector confirms local access with low privileges is sufficient to achieve high confidentiality impact, with no integrity or availability consequences. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Payment record manipulation in the WP Full Stripe Free WordPress plugin (versions ≤ 8.4.3) allows unauthenticated remote attackers to overwrite payment status in the site database. The vulnerability stems from the wpfs_update_failed_payment_status AJAX handler being registered under both wp_ajax_ and wp_ajax_nopriv_ hooks with zero authorization controls - no capability check, no nonce, no session validation - enabling any caller to invoke it. An attacker who has legitimately initiated a checkout on the target site (and thereby obtained a Stripe Payment Intent ID from the browser-visible Stripe.js flow) can send a crafted POST request to mark a previously successful payment as failed, potentially blocking order fulfillment, triggering disputes, or corrupting financial records. No public exploit code has been identified at the time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Unauthenticated form submission data exfiltration in NEX-Forms - Ultimate Forms Plugin for WordPress (all versions through 9.2.2) exposes sensitive PII and payment details to any remote attacker. Missing authorization checks on report download endpoints allow sequential enumeration of report IDs without any credentials, enabling mass harvesting of names, email addresses, phone numbers, postal addresses, payment details, and file paths from every saved form report on the site. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the low attack complexity and zero authentication requirement make opportunistic exploitation straightforward.
Authentication bypass in the RegistrationMagic WordPress plugin (all versions through 6.0.8.6) permits an unauthenticated attacker with a prior legitimate payment transaction on the target site to obtain real WordPress session cookies for any user account, including administrators. The flaw exploits a fatally inverted processing order in the PayPal IPN callback handler: attacker-controlled POST data including the target user_id is written to the payment log database before PayPal IPN validation is performed, and the database poisoning persists even after validation subsequently rejects the forged notification. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the account-takeover impact makes this a critical priority for any site running the plugin with active PayPal payment integration.
The Shariff for WordPress Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Stored cross-site scripting in Ivory Search - WordPress Search Plugin (all versions through 5.5.15) allows authenticated WordPress administrators to implant persistent JavaScript payloads via the `menu_title` and `menu_magnifier_color` settings fields, which execute in the browsers of any site visitor loading a page that renders the affected search widget. The root cause is insufficient input sanitization and output escaping in both the admin settings handler (class-is-settings-fields.php:249) and public-facing output routines (class-is-public.php:222, 263, 1199), confirmed via plugin source references on WordPress Trac. No public exploit code has been identified at time of analysis, CISA KEV does not list this CVE, and the CVSS score of 4.4 reflects the high privilege prerequisite rather than the cross-site impact scope.
Stored Cross-Site Scripting in the Gutenverse WordPress Blocks, Page Builder & Site Editor plugin (all versions through 3.8.0) enables authenticated editor-level users to persist arbitrary JavaScript into pages served to any site visitor. The vulnerability is constrained to WordPress multi-site installations or single-site deployments where unfiltered_html has been explicitly disabled. No public exploit has been identified at time of analysis, and a upstream fix commit (changeset 3578328) has been published to the WordPress plugin repository.
Authorization bypass in the Quiz and Survey Master (QSM) WordPress plugin (all versions through 11.1.4) allows authenticated contributors to create, modify, and delete quiz output templates in the mlw_quiz_output_templates database table without proper capability checks. Because template content is stored without sanitization, this grants contributor-level users the practical ability to inject arbitrary script tags into templates viewable by higher-privileged users such as administrators. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, but the low privilege requirement makes this accessible to any registered contributor on affected WordPress installations.
Insecure Direct Object Reference in Dokan WooCommerce Multivendor Marketplace plugin (all versions through 5.0.4) enables horizontal privilege escalation across vendor accounts via the REST API 'id' parameter. Authenticated attackers holding any vendor-level or subscriber-level account can retrieve full product records belonging to competing vendors, including unpublished draft and pending-review listings that expose product names, prices, SKUs, and descriptions. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
Unauthorized taxonomy manipulation in the Product Specifications for WooCommerce WordPress plugin (versions up to and including 0.8.9) exposes AJAX endpoints that any authenticated subscriber can invoke without authorization checks or CSRF protection, enabling arbitrary creation, modification, and deletion of product specification groups and attributes. The affected AJAX actions 'dwps_modify_groups' and 'dwps_modify_attributes' - bound to the __invoke() methods of AttributeGroupController and AttributeController - operate on 'spec-group' and attribute taxonomy terms, meaning successful exploitation directly corrupts WooCommerce store business data and breaks frontend product display. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.
Unauthorized plugin activation in the Spexo WordPress theme (all versions through 2.0.11) is possible due to a missing capability check on the theme's activate_plugin function, exposing sites to integrity compromise by low-privileged authenticated users. Attackers holding Subscriber-level accounts or higher can trigger plugin activation outside of WordPress's native authorization controls, bypassing the intended administrator-only restriction. No public exploit code or active exploitation has been identified at time of analysis, and no EPSS data was provided.
Cross-Site Request Forgery in the HD Quiz WordPress plugin versions 2.2.0 and 2.2.1 enables unauthenticated attackers to manipulate quiz content and plugin settings by tricking a logged-in administrator into clicking a crafted link. The flaw originates in the `hdq_validate_nonce` function (`includes/functions.php:39`), which fails to properly validate WordPress nonces across at least six distinct AJAX action handlers in `includes/actions-ajax.php`. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though Wordfence has published a detailed advisory with source code references for both affected versions.
Authorization bypass in the Masteriyo LMS WordPress plugin (all versions through 2.2.1) allows authenticated users with student-level access to overwrite the post content of course announcements created by instructors or administrators. The flaw is rooted in missing authorization checks (CWE-862) inside the CourseAnnouncementController addon, meaning any enrolled student can tamper with official communications - exam instructions, policy notices, deadlines - without being detected by the LMS. No public exploit code or active exploitation has been identified at time of analysis; CVSS rates this 4.3 (Medium) reflecting limited integrity-only impact with no confidentiality or availability consequence.