Local File Inclusion in the GoodLayers Tourmaster WordPress plugin (versions <= 5.4.5) allows low-privileged authenticated users at the Subscriber level to include and read arbitrary local files from the server, exposing sensitive data such as configuration files and credentials. Reported through Patchstack and mapped to CWE-98, the flaw carries a CVSS 7.5 (High) score with high attack complexity; no public exploit code has been identified at time of analysis, and it is not listed in CISA KEV.
Uncontrolled memory consumption in open62541's OPC UA Discovery Service allows a remote, unauthenticated attacker to crash or degrade servers by abusing the GetEndpoints request handling. Because the endpointUrl field length is never validated, an attacker can advertise a string up to ~4.09 GB and stream it across incomplete message chunks that the server buffers in RAM indefinitely until the SecureChannel times out, exhausting available memory. The flaw is pre-session and works against any encryption configuration; no public exploit is identified at time of analysis, and it is not listed in CISA KEV.
Local privilege escalation in WatchGuard Mobile VPN with SSL client for Windows (versions up to and including 2026.2) lets an authenticated local attacker elevate from a low-privileged account to NT AUTHORITY\SYSTEM on any machine where the client is installed. The flaw is rooted in insecure permission assignment (CWE-732), and there is no public exploit identified at time of analysis, though the vendor-reported nature and full high-impact CVSS (7.3, CVSS 4.0) make it a meaningful endpoint-hardening concern.
Heap out-of-bounds writes in jxl-oxide's jxl-grid crate allow attacker-controlled memory corruption on 32-bit platforms when decoding a crafted JPEG XL image, potentially leading to arbitrary code execution. An integer overflow in AlignedGrid's width×height length calculation produces an undersized backing buffer for huge logical dimensions, after which rendering writes through mutable subgrids beyond the allocation. Publicly available exploit code exists in the advisory (miri/ASan PoC tests); no active exploitation is reported (not in CISA KEV) and no EPSS score was provided.
Server-Side Request Forgery in the Paid Member Subscriptions WordPress plugin (versions 3.0.4 and earlier by Cozmoslabs) lets remote unauthenticated attackers coerce the WordPress server into issuing arbitrary outbound HTTP requests. Per the CVSS vector (PR:N, S:C) the flaw is reachable without authentication and crosses a security boundary, enabling attackers to reach internal-only services, cloud metadata endpoints, or other back-end systems the WordPress host can talk to. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; EPSS was not provided.
Missing HTTP security headers in the Gardyn admin panel expose Gardyn Home Firmware, Gardyn Studio Firmware, and Gardyn Cloud API to clickjacking and cross-site scripting attacks against authenticated administrators. The absence of directives such as X-Frame-Options, Content-Security-Policy frame-ancestors, and script-source restrictions allows an attacker to embed the admin panel in a malicious iframe or inject client-side scripts into the admin session context. Reported by ICS-CERT under advisory ICSA-26-183-03, no public exploit or active exploitation has been confirmed at time of analysis.
Authentication/authorization bypass in SimpleSAMLphp's SAML Service Provider ACS handler allows a lower-trust but trusted IdP to satisfy login state that was created for a different, expected IdP. Because the ACS only logs (rather than rejects) a mismatch between the saved ExpectedIssuer and the actual response issuer, and because the code accepts an unsigned samlp:Response/@InResponseTo when the signed assertion lacks its own InResponseTo, an attacker holding a signed IdP-initiated assertion from IdP B can bind it to SP state intended for IdP A. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; impact is conditional on multi-IdP deployments where authorization depends on the selected IdP.
Arbitrary file write in electerm via path traversal in its Zmodem and Trzsz file-download handlers lets a malicious SSH server or remote shell overwrite files anywhere the client process can write. When a user accepts an incoming Zmodem (sz/rz) or Trzsz (trz/tsz) transfer, the attacker-supplied filename is passed unsanitized into path.join() with the chosen download directory, so a name like ../../.bashrc escapes that directory. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation requires the victim to initiate a connection to a hostile server and accept the transfer.
Cross-tenant entry takeover in Craft CMS 5.7.0 through 5.9.20 lets a low-privileged author overwrite another user's existing entry by smuggling a numeric id through the newAttributes parameter of the bulk-duplicate element action. Because the duplication routine re-applies attacker-controlled attributes after nulling the primary key, a UPDATE is executed against the victim's row instead of an INSERT, letting the attacker rewrite the victim's title, slug, authorId, postDate, and UID. No public exploit identified at time of analysis and it is not in CISA KEV; the flaw is fixed in version 5.9.21.
Reflected cross-site scripting in ThemePunch Slider Revolution (versions 7.0.0 through 7.0.16), a widely deployed premium WordPress slider/visual-builder plugin, lets a remote attacker inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is marked Changed with low impact across confidentiality, integrity, and availability, successful exploitation can lead to session hijacking, defacement, or actions performed in the victim's authenticated context. There is no public exploit identified at time of analysis and the flaw is not on CISA KEV, but the reflected nature and no-authentication requirement make it a practical phishing-driven threat.
Stored cross-site scripting via cross-site request forgery affects the SEOWP WordPress theme by BlueAstralThemes in all versions up to and including 3.12.2, allowing a remote unauthenticated attacker who tricks a logged-in administrator into loading a malicious page to forge a state-changing request that injects persistent script into the site. The CVSS 3.1 score of 7.1 reflects a scope change (attacker-controlled JavaScript executes in the victim's browser session) with limited confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; exploitation hinges on successful social engineering of an authenticated victim (UI:R).
Stored cross-site scripting via cross-site request forgery affects the Permalink Manager for WooCommerce WordPress plugin in all versions up to and including 1.0.8.2. Because the plugin fails to validate request authenticity (CWE-352), an unauthenticated attacker who lures a logged-in administrator into loading a malicious page can forge a state-changing request that persists attacker-controlled script into the site, which later executes in the admin context. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV; the CVSS 3.1 base score is 7.1 with a scope change reflecting the CSRF-to-stored-XSS impact.
Cross-Site Request Forgery in the pCloud WP Backup WordPress plugin (versions 2.0.2 and earlier) allows a remote unauthenticated attacker to trick a logged-in administrator into submitting forged requests, leading to high-confidentiality impact and limited integrity impact on the WordPress site. The CVSS 3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R), reflecting network exploitation with no attacker privileges but required victim interaction. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Broken access control in the Booked WordPress appointment-scheduling plugin (versions <= 3.0.0, by ThemeRex) lets low-privileged authenticated users (Subscriber role) reach functionality or data they should not, resulting in high confidentiality exposure and limited integrity impact per the CVSS vector. The flaw stems from missing authorization checks (CWE-862) on plugin actions, so any registered site user can abuse it. No public exploit is identified at time of analysis and it is not listed in CISA KEV; the issue was reported through Patchstack.
Reflected cross-site scripting in the WowAddons (Product Addons) WordPress plugin through version 1.6.14 lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser session. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) indicates no authentication is needed but the victim must be lured into interacting with a crafted request/link, and the scope-change flag reflects script execution crossing into the browser security context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; EPSS was not provided.
Cross-site scripting in the Simple Link Directory WordPress plugin (versions 15.0.5 and earlier, by QuantumCloud) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser after they interact with a crafted link or page. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) indicates no authentication is required but a user must be lured into triggering the payload, and the changed scope reflects script execution crossing into the browser security context. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Reflected/unauthenticated Cross-Site Scripting in the WP Photo Album Plus WordPress plugin (versions <= 9.2.02.004) lets a remote attacker inject arbitrary JavaScript that executes in a victim's browser session when they interact with a crafted link or request. The CVSS 3.1 vector (PR:N, UI:R, S:C) indicates no authentication is required but the victim must be lured into triggering the payload, and the scope change reflects script execution crossing into the WordPress user's authenticated context. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Cross-Site Scripting in the Timetics WordPress appointment-booking plugin (by Arraytics) affects all versions up to and including 1.0.58, allowing unauthenticated remote attackers to inject script that executes in a victim's browser after the victim interacts with a crafted link or page. Because the CVSS scope is changed (S:C), a successful injection can affect resources beyond the vulnerable component, such as the browser session of a logged-in administrator. There is no public exploit identified at time of analysis, the CVE is not listed in CISA KEV, and no EPSS score was provided.
Stored/reflected Cross-Site Scripting in the Optimole WordPress image-optimization plugin (versions 4.2.7 and earlier) lets remote unauthenticated attackers inject arbitrary JavaScript that executes in the browser of any user who views the affected content. Reported by Patchstack and classified CWE-79 with a CVSS 3.1 score of 7.1, the flaw carries a scope-changing impact (S:C) but requires victim interaction (UI:R). At the time of analysis there is no public exploit identified and the issue is not listed in CISA KEV; no EPSS value was supplied.
Reflected/stored cross-site scripting in the wpDataTables WordPress plugin (versions 6.5.1.1 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they view a crafted page or follow a malicious link. The scope-change (S:C) rating in the CVSS vector indicates the injected script can affect resources beyond the vulnerable component - for example the wider WordPress site context - enabling session/cookie theft or admin-panel actions. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was disclosed through Patchstack's vulnerability database.
Cross-site scripting in the Perfmatters WordPress performance plugin (versions 2.6.4 and earlier) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser when they interact with a crafted request or link. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) confirms network-reachable, no-authentication exploitation gated by user interaction, with a scope change into the victim's browser context. There is no public exploit identified at time of analysis and the issue is not in CISA KEV.
Stored/reflected Cross-Site Scripting in the Google Maps CP WordPress plugin (versions 1.2.5 and earlier, vendor CodePeople) lets an unauthenticated attacker inject malicious script that executes in a victim's browser after they interact with a crafted link or page. The flaw carries a CVSS 3.1 base score of 7.1 with a scope change, reflecting impact beyond the vulnerable component into the wider WordPress session. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Cross-site scripting in the Modula PRO WordPress gallery plugin (versions through 2.10.8) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they view or interact with attacker-influenced content. Reported by Patchstack and rated CVSS 7.1 with a scope change, the flaw requires user interaction but no authentication; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Reflected/unauthenticated Cross-Site Scripting in the WPAdverts WordPress classifieds plugin (versions 2.3.1 and earlier) lets a remote, unauthenticated attacker inject arbitrary JavaScript that executes in a victim's browser when they open a crafted link or view attacker-controlled input. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a low-complexity network attack needing only user interaction, with a scope change into the browser security context. No public exploit was identified at time of analysis and the flaw is not listed in CISA KEV; EPSS data was not provided.
Reflected cross-site scripting in the QuantumCloud ChatBot WordPress plugin (versions 8.3.2 and earlier) lets unauthenticated remote attackers inject malicious script that executes in a victim's browser when they follow a crafted link. The CVSS 3.1 score is 7.1 with a scope change (S:C), reflecting that injected script runs in the security context of the WordPress site rather than the vulnerable component alone. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Stored/reflected cross-site scripting in the Survey Maker WordPress plugin (versions 5.2.2.5 and earlier by AYS Pro) lets unauthenticated remote attackers inject JavaScript that executes in a victim's browser after they interact with a crafted page or survey. The CVSS scope-change flag (S:C) indicates the injected script escapes the plugin's context to affect the wider WordPress site, potentially reaching authenticated admin sessions. This is a Patchstack-reported issue with no public exploit identified at time of analysis and no CISA KEV listing.
Cross-site scripting in the implecode eCommerce Product Catalog WordPress plugin (all versions through 3.5.4) lets unauthenticated remote attackers inject malicious script that executes in a victim's browser session, with no login required (PR:N) but a user interaction step to trigger the payload (UI:R). Reported by Patchstack and rated CVSS 7.1, the scope-changing flaw can hijack administrator or shopper sessions on affected online stores. There is no public exploit identified at time of analysis and no CISA KEV listing, so this is a plausible-impact issue rather than a confirmed active-exploitation event.
Reflected/stored Cross-Site Scripting in the ReviewX WordPress plugin (versions 2.3.10 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted request or page. The scope-changed CVSS 3.1 score of 7.1 (PR:N/UI:R) reflects that no authentication is required but a victim must be lured into triggering the payload. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, so this is a disclosed-but-not-yet-actively-exploited plugin flaw reported by Patchstack.
Reflected Cross-Site Scripting in the Customize My Account for WooCommerce WordPress plugin (versions 4.3.9 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. The flaw carries a CVSS 7.1 rating driven by a scope change (S:C), meaning script execution crosses the plugin's security boundary into the wider WordPress session context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Reflected cross-site scripting in the Search Atlas SEO WordPress plugin (versions 2.6.6 and earlier, distributed under the 'metasync' slug) lets an unauthenticated attacker inject script that executes in a victim's browser session when they follow a crafted link. Rated CVSS 7.1 with an elevated score due to a scope change, the flaw affects any WordPress site running the vulnerable plugin and can lead to session hijacking, admin action forgery, or redirection. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Reflected/stored cross-site scripting in the MC WooCommerce Wishlist WordPress plugin (also distributed as 'Smart Wishlist for MoreConvert') affects all versions up to and including 1.9.19, letting remote unauthenticated attackers inject malicious script that executes in a victim's browser after the victim interacts with a crafted link or request. The scope-changed CVSS 3.1 score of 7.1 reflects that injected script runs in the WordPress site's origin, enabling session/cookie theft or actions against other users. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Stored/reflected cross-site scripting in the HandL UTM Grabber WordPress plugin (versions 2.9.2 and earlier) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser after user interaction, per PR:N/UI:R in the CVSS vector. The scope-change flag (S:C) indicates injected script can affect resources beyond the vulnerable component, such as authenticated admin sessions. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Reflected cross-site scripting in the WP Debugging WordPress plugin (versions 2.12.2 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser after they interact with a crafted link or request. Reported by Patchstack and classified CWE-79 with a CVSS 7.1, the flaw carries a scope-change impact meaning injected script can affect the wider WordPress session context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stored/reflected Cross-Site Scripting in the WPeMatico RSS Feed Fetcher WordPress plugin (versions 2.8.17 and earlier) allows unauthenticated remote attackers to inject malicious script that executes in the browser of a victim who interacts with crafted content. The CVSS:3.1 vector (AV:N/PR:N/UI:R/S:C) indicates network-reachable, no-authentication exploitation with a scope change, meaning injected script can affect the wider WordPress context beyond the vulnerable component. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; EPSS data was not provided.
Cross-Site Scripting in the Internal Links Manager WordPress plugin (versions 3.0.3 and earlier, by webraketen) lets an unauthenticated remote attacker inject arbitrary JavaScript that executes in a victim's browser when the victim interacts with a crafted link or page. Because the CVSS scope is changed (S:C), the injected script escapes the vulnerable component's boundary and can act against other WordPress users, including administrators. There is no public exploit identified and it is not on CISA KEV, though Patchstack has publicly documented the flaw.
Cross-site scripting in the Classified Listing WordPress plugin (by RadiusTheme) versions 5.4.2 and earlier lets a remote, unauthenticated attacker inject malicious script that executes in a victim's browser when they interact with a crafted link or page. Reported by Patchstack and rated CVSS 7.1, the flaw carries a scope change (S:C) meaning the injected script can act beyond the vulnerable component into the wider browsing context. There is no public exploit identified at time of analysis and no active exploitation reported.
Reflected/stored Cross-Site Scripting in the Real Estate 7 WordPress theme (contempoinc) versions 3.5.9 and earlier lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. The scope-changing flaw (CVSS 3.1 7.1) can hijack sessions or perform actions in the victim's authenticated context, including administrators. Reported by Patchstack; no public exploit code has been identified and it is not on the CISA KEV list.
Reflected cross-site scripting in the TheFox WordPress theme (versions 3.9.76 and earlier) lets an unauthenticated remote attacker inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Reported through Patchstack and scoped to the ThemeForest 'tranmautritam:thefox' theme, the flaw carries a CVSS 3.1 base score of 7.1 driven largely by a changed scope. There is no public exploit identified at time of analysis and no CISA KEV listing, so risk hinges on tricking a user into clicking a malicious URL.
Reflected cross-site scripting in the Automotive Car Dealership Business WordPress theme (versions 13.3.3 and earlier by ThemeSuite) lets unauthenticated attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) confirms network-based, unauthenticated exploitation that requires user interaction and crosses a security scope boundary. There is no public exploit identified at time of analysis and the flaw is not on CISA KEV.
Reflected Cross-Site Scripting in the Automotive Listings WordPress plugin (versions 18.6 and earlier) lets remote unauthenticated attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Reported by Patchstack and classified CWE-79 with a CVSS 3.1 score of 7.1 (scope-changed, low impact across confidentiality, integrity, and availability), the flaw requires user interaction but no authentication. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.
Reflected cross-site scripting in the NativeChurch WordPress theme (versions 4.8.8.2 and earlier, by imithemes) allows unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. The CVSS 3.1 vector (7.1) reflects a scope change with limited confidentiality, integrity, and availability impact, and requires victim interaction. No public exploit identified at time of analysis and it is not listed in CISA KEV; the issue was disclosed through Patchstack's WordPress vulnerability database.
Reflected Cross-Site Scripting in the designthemes LMS WordPress theme (versions 9.7 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they open a crafted link. Reported by Patchstack, the flaw carries CVSS 7.1 with a scope change, reflecting cross-context impact; no public exploit is identified at time of analysis and it is not listed in CISA KEV.
Reflected/stored cross-site scripting in the DesignThemes 'Kids Life | Children School' WordPress theme (versions 5.2 and earlier) allows unauthenticated remote attackers to inject arbitrary web script that executes in a victim's browser when they interact with a crafted link or input. The CVSS vector (PR:N, UI:R, Scope Changed) indicates no authentication is needed but the victim must be lured into interaction, and the injected script can cross into other security contexts. No public exploit code has been identified at time of analysis, and it is not listed in CISA KEV.
Reflected cross-site scripting in the Kids Zone - Children WordPress Theme (versions 5.4 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser session when the victim opens a crafted link or page. The CVSS 3.1 base score is 7.1, elevated by a scope change (S:C) reflecting that injected script escapes the vulnerable theme context into the visitor's authenticated browser session. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; no EPSS value was supplied with the input.
Reflected/unauthenticated Cross-Site Scripting in the Fitness Zone WordPress theme (versions 5.7 and earlier) by designthemes allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or request. The scope-change (S:C) rating indicates the injected script can affect resources beyond the vulnerable component, such as hijacking authenticated admin sessions. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the flaw was reported by Patchstack.
Reflected/unauthenticated Cross-Site Scripting in the designthemes SpaLab | Beauty Salon WordPress theme (all versions up to and including 6.7) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted request or link. The CVSS 3.1 score of 7.1 reflects a scope-changing (S:C) client-side impact requiring no authentication (PR:N) but user interaction (UI:R). No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not supplied in the input.
Reflected cross-site scripting in the Trendy Travel WordPress theme (versions 6.7 and earlier) by designthemes lets remote unauthenticated attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Rated CVSS 7.1 with a scope change (S:C), reflecting that injected script can act across the WordPress security boundary. No public exploit identified at time of analysis, and no EPSS score was supplied.
Reflected/stored Cross-Site Scripting in the Artale Wedding Photography WordPress theme (versions 2.2.2 and earlier) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser after they follow a crafted link or load a poisoned page. Reported by Patchstack and rated CVSS 7.1 with a scope change, it primarily threatens site visitors and administrators through session/context theft rather than direct server compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Information disclosure and denial of service in JuiceFS through 1.3.1 lets remote attackers reach Go pprof debug and Prometheus metrics endpoints that are inadvertently exposed because handlers are registered on the shared http.DefaultServeMux. By fetching /debug/pprof/cmdline an attacker recovers the process command line, which embeds the metadata engine connection string and its database credentials, effectively yielding full read/write control over filesystem metadata; other pprof and profiling handlers leak internal state and can be abused to exhaust resources. Reported by VulnCheck with an upstream fix in commit a46979c; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stored cross-site scripting in the TP-Link Archer C5 v6.8 router web management interface lets an authenticated administrator inject persistent HTML/JavaScript into a user-controlled field that later executes in another administrator's browser session. The flaw affects ISP-managed firmware variants and can be leveraged for session hijacking and unauthorized modification of router configuration. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; exploitation requires existing admin access, sharply limiting real-world impact.