PHP
Monthly
Privilege escalation via registration in Buyent Classified WordPress plugin.
The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusting the $_REQUEST['post_id'] parameter without verification in the includes/blocks/build/breadcrumb-trail/render.php file. This makes it possible for unauthenticated attackers to enumerate and view breadcrumb trails for draft or private posts by manipulating the post_id parameter, revealing post titl...
The Easy Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ez-toc` shortcode in all versions up to, and including, 2.0.78 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The s2Member - Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 's2Eot' shortcode in all versions up to, and including, 251005 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
Apollo13 Framework Extensions (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Album and Image Gallery plus Lightbox (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
WP AUDIO GALLERY (WordPress plugin) versions up to 2.0. is affected by missing authorization (CVSS 8.8).
The Two Factor (2FA) Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. [CVSS 6.5 MEDIUM]
Privilege escalation in Lizza LMS Pro WordPress plugin <= 1.0.3.
The Page Title, Description & Open Graph Updater plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.02. This is due to missing nonce validation on multiple AJAX actions including dieno_update_page_title. [CVSS 4.3 MEDIUM]
Country Blocker for AdSense (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
The Web Accessibility by accessiBe plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11. This is due to the `accessibe_render_js_in_footer()` function logging the complete plugin options array to the browser console on public pages, without restricting output to privileged users or checking for debug mode. This makes it possible for unauthenticated attackers to view sensitive configuration data, including email addresses, accessiBe us...
The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the shopire_admin_install_plugin() function in all versions up to, and including, 1.0.57. [CVSS 4.3 MEDIUM]
mobile friendly marketing popups. versions up to 4.4.2. contains a security vulnerability (CVSS 5.3).
The StatCounter - Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user's Nickname in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The CTX Feed - WooCommerce Product Feed Manager plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the woo_feed_plugin_installing() function in all versions up to, and including, 6.6.11. [CVSS 7.2 HIGH]
The Advanced Ads - Ad Manager & AdSense plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `placement_update_item()` function. [CVSS 4.3 MEDIUM]
Privilege escalation in Clasifico Listing WordPress plugin <= 2.0.
The Tablesome Table - Contact Form DB - WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to unauthorized access of data that leads to privilege escalation due to a missing capability check on the get_table_data() function in versions 0.5.4 to 1.2.1. [CVSS 8.8 HIGH]
The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 0.2.5.6 to 0.2.6.1. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. [CVSS 8.8 HIGH]
The Library Management System plugin for WordPress is vulnerable to SQL Injection via the 'bid' parameter in all versions up to, and including, 3.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]
The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to unauthenticated limited file upload in all versions up to, and including, 7.8.1. This is due to the plugin not properly verifying that a user is authorized to perform file upload actions via the "ajax_checkout_attachment_upload" function. This makes it possible for unauthenticated attackers to upload files to the server, though file types are limited to WordPress's default allowed MIME types (i...
The Smartsupp - live chat, AI shopping assistant and chatbots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Printful Integration for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.11 via the advanced size chart REST API endpoint. This is due to insufficient validation of user-supplied URLs before passing them to the download_url() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application which can b...
Mailchimp List Subscribe Form (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Drift theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "acf_photo_gallery_edit_save" function in all versions up to, and including, 3.0. [CVSS 4.3 MEDIUM]
The Mesmerize Companion plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the "openPageInCustomizer" and "openPageInDefaultEditor" functions in all versions up to, and including, 1.6.158. [CVSS 4.3 MEDIUM]
The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. [CVSS 7.5 HIGH]
Aruba HiSpeed Cache (WordPress plugin) versions up to 3.0.2. is affected by missing authorization (CVSS 6.5).
The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the dbstatus parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
Remote Code Execution in InvoicePlane self-hosted invoicing application through code injection. PoC and patch available.
MajorDoMo home automation platform is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() method without authentication due to improper use of gr() (which reads from $_REQUEST), allowing attackers to redirect update URLs and push malicious code packages.
Unauthenticated SQL injection in MajorDoMo's commands module allows remote attackers to extract database contents including unsalted MD5 password hashes without authentication, enabling credential compromise and admin panel access. The vulnerability stems from unsanitized $_GET parameters in SQL queries accessible via the /objects/?module=commands endpoint, and public exploit code is available. Affected versions lack a patch and impact both MajorDoMo and PHP installations running this software.
MajorDomo's shoutbox feature is vulnerable to stored XSS due to unsanitized user input in the /objects/?method= endpoint, allowing unauthenticated attackers to inject malicious scripts that persist in the database. When administrators access the auto-refreshing dashboard, the stored payload executes automatically, enabling session hijacking and cookie theft. Public exploit code exists for this vulnerability, and no patch is currently available.
MajorDoMo's unauthenticated /objects/?op=set endpoint fails to sanitize property values, allowing remote attackers to inject stored XSS payloads that execute when administrators access the property editor, with public exploit code available. The vulnerability is compounded by session cookies lacking HttpOnly protection, enabling attackers to enumerate properties via the /api.php/data/ endpoint and hijack admin sessions through JavaScript exfiltration.
Reflected XSS in MajorDoMo's command.php allows remote attackers to inject arbitrary JavaScript through an unsanitized qry parameter, affecting users who click malicious links. Public exploit code exists for this vulnerability, and no patch is currently available.
Unauthenticated OS command injection in MajorDoMo via rc/index.php. EPSS 41.7% — the $param variable is passed unsanitized to shell commands. PoC available.
MajorDoMo home automation platform allows unauthenticated remote code execution through the admin panel's PHP console. An include order bug in panel.class.php causes execution to continue past a redirect() call that lacks an exit statement, allowing unauthenticated requests to reach the PHP code execution functionality in inc_panel_ajax.php.
Hospital Management System versions up to 4.0 is affected by cross-site request forgery (csrf) (CVSS 6.5).
SQL injection in code-projects Community Project Scholars Tracking System 1.0 admin user management. Allows database compromise via admin panel. PoC available.
Scholars Tracking System versions up to 1.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Missing authentication in CodeAstro Membership Management System 1.0 delete_members.php allows unauthenticated deletion of member records. PoC available.
Missing authentication and authorization in print_membership_card.php in CodeAstro Membership Management System 1.0 allows unauthenticated attackers to access membership card data of arbitrary users via direct requests with a manipulated id parameter, resulting in insecure direct object reference (IDOR). [CVSS 7.5 HIGH]
SQL injection in CodeAstro Membership Management System 1.0 via ID parameter in print_membership_card.php enables unauthenticated database access. PoC available.
Online Time Table Generator versions up to 1.0 is affected by missing authentication for critical function (CVSS 7.5).
Incorrect access control in SourceCodester Customer Support System 1.0 allows unauthenticated access to AJAX dispatcher, enabling full system compromise. PoC available.
Command injection in ZoneMinder v1.36.34 video surveillance system via web/views/image.php. Unsanitized user input enables unauthenticated remote code execution. PoC available.
PHP Object Injection in the Advanced AJAX Product Filters plugin for WordPress (versions up to 3.1.9.6) allows authenticated authors and above to deserialize malicious objects through the Live Composer compatibility layer. While the plugin itself lacks a gadget chain for exploitation, the vulnerability can enable arbitrary file deletion, data theft, or remote code execution if a POP chain exists in installed themes or plugins. No patch is currently available, and exploitation requires valid WordPress user credentials.
The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling vulnerability in the security token comparison which uses loose comparison (==) instead of strict comparison (===). This makes it possible for unauthenticated attackers to bypass authentication using "magic hash" values when the expected MD5 hash prefix happens to be numeric-looking (matching pa...
SQL injection in the WP Import - Ultimate CSV Importer plugin for WordPress (versions up to 7.37) allows authenticated subscribers and higher-privileged users to inject malicious SQL commands through specially crafted filenames during file uploads. When the Single Import/Export feature is enabled on PHP versions below 8.0, attackers can extract sensitive database information by exploiting insufficient input validation. The vulnerability requires valid WordPress credentials but poses a medium risk due to its direct access to database contents.
The Bookster - WordPress Appointment Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘raw’ parameter in all versions up to, and including, 2.1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 4.9 MEDIUM]
The Brevo - Email, SMS, Web Push, Chat, and more. plugin for WordPress is vulnerable to authorization bypass due to type juggling in all versions up to, and including, 3.3.0. This is due to the use of loose comparison (==) instead of strict comparison (===) when validating the installation ID in the `/wp-json/mailin/v1/mailin_disconnect` REST API endpoint. This makes it possible for unauthenticated attackers to disconnect the Brevo integration, delete the API key, remove all subscription form...
Arbitrary file deletion in WP-DownloadManager plugin versions up to 1.69 allows high-privileged WordPress administrators to bypass path validation and remove critical system files through directory traversal in the file deletion parameter. Deletion of essential files like wp-config.php can result in remote code execution or complete site compromise. No patch is currently available.
The RegistrationMagic - Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to payment bypass due to insufficient verification of data authenticity on the 'process_paypal_sdk_payment' function in all versions up to, and including, 6.0.6.9. [CVSS 5.3 MEDIUM]
The Video Share VOD - Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 2.7.11 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]
The Complianz - GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cmplz-accept-link shortcode in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
Arbitrary PHP code execution in Product Addons for WooCommerce plugin (versions up to 3.1.0) through unsafe use of eval() on unsanitized conditional logic operators allows Shop Manager-level and higher-privileged WordPress users to execute malicious code on affected servers. The vulnerability stems from insufficient input validation in the evalConditions() function where user-supplied operator parameters are passed directly to PHP's eval() without sanitization. No patch is currently available.
Cart All In One For WooCommerce (WordPress plugin) versions up to 1.1.21. contains a security vulnerability (CVSS 7.2).
The Tickera - Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_change_ticket_status' AJAX endpoint in all versions up to, and including, 3.5.6.4. [CVSS 4.3 MEDIUM]
The Popup Box - Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
VK All in One Expansion Unit (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Display During Conditional Shortcode (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
The Filestack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'filepicker' shortcode in all versions up to, and including, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Order Splitter for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wos_troubleshooting' AJAX endpoint in all versions up to, and including, 5.3.5. [CVSS 4.3 MEDIUM]
The Context Blog theme for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.5 via the 'context_blog_modal_popup' due to insufficient restrictions on which posts can be included. [CVSS 5.3 MEDIUM]
Frontend User Notes (WordPress plugin) versions up to 2.1.0 is affected by authorization bypass through user-controlled key (CVSS 4.3).
WP 404 Auto Redirect to Similar Post (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).
phpgurukul Student Management System 1.0 is vulnerable to SQL Injection in studentms/admin/search.php via the searchdata parameter. [CVSS 8.8 HIGH]
Gym Management System versions up to 1.0 is affected by cross-site request forgery (csrf) (CVSS 3.5).
The WP Maps - Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fc_load_template function. [CVSS 8.8 HIGH]
OS command injection in Kodbox up to version 1.64.05 allows remote authenticated attackers to execute arbitrary commands through the localFile parameter in the Media File Preview Plugin's VideoResize class. Public exploit code exists for this vulnerability, and the vendor has not provided patches or responded to disclosure efforts. The attack requires valid credentials but does not need user interaction and can fully compromise affected systems through command execution.
SQL injection in the Hotel-Management-System /home.php POST handler allows authenticated remote attackers to manipulate Name/Email parameters and execute arbitrary database queries. Public exploit code exists for this vulnerability, which affects PHP-based deployments with no available patch. An attacker with login credentials can leverage this flaw to read or modify sensitive database records.
Path traversal in ZenTao's editor component (versions up to 21.7.8) allows authenticated attackers to manipulate the filePath parameter and access files outside intended directories. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected systems vulnerable to unauthorized file access and potential information disclosure.
ZenTao versions up to 21.7.8 contain a path traversal vulnerability in the backup handler that allows authenticated attackers to manipulate file parameters and access or delete arbitrary files on the affected system. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be executed remotely without user interaction.
A vulnerability was identified in vichan-devel vichan versions up to 5.1.5. contains a security vulnerability (CVSS 2.7).
Tosei Self-service Washing Machine 4.02 contains an unauthenticated command injection vulnerability in the adr_txt_1 parameter of /cgi-bin/tosei_datasend.php, allowing remote attackers to execute arbitrary commands with limited confidentiality, integrity, and availability impact. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
OPNsense 19.1 contains a reflected cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject malicious scripts via the value parameter. [CVSS 5.4 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting the passthrough_networks parameter in vpn_ipsec_settings.php. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the category parameter. [CVSS 6.4 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input through multiple parameters. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a stored cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject persistent malicious scripts via the tunable parameter. [CVSS 6.4 MEDIUM]
OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag_backup.php endpoint that allow attackers to inject malicious scripts through multiple parameters including GDrive_GDriveEmail, GDrive_GDriveFolderID, GDrive_GDriveBackupCount, Nextcloud_url, Nextcloud_user, Nextcloud_password, Nextcloud_password_encryption, and Nextcloud_backupdir. [CVSS 5.4 MEDIUM]
Privilege escalation in Truelysell Core WordPress plugin <= 1.8.7. Insufficient role validation allows elevation.
Arbitrary PHP code execution in the Flexi Product Slider and Grid for WooCommerce WordPress plugin through version 1.0.5 allows authenticated contributors to exploit unsanitized file path parameters in the flexipsg_carousel shortcode to include and execute arbitrary files on the server. The vulnerability requires an attacker with Contributor-level access or above to create posts containing malicious shortcodes, but carries high risk due to lack of input validation on the theme parameter enabling local file inclusion attacks. No patch is currently available for this vulnerability.
One to one user Chat by WPGuppy (WordPress plugin) is affected by missing authentication for critical function (CVSS 5.3).
The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hop_name’ parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]
Privilege escalation via registration in Buyent Classified WordPress plugin.
The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusting the $_REQUEST['post_id'] parameter without verification in the includes/blocks/build/breadcrumb-trail/render.php file. This makes it possible for unauthenticated attackers to enumerate and view breadcrumb trails for draft or private posts by manipulating the post_id parameter, revealing post titl...
The Easy Table of Contents plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ez-toc` shortcode in all versions up to, and including, 2.0.78 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The s2Member - Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 's2Eot' shortcode in all versions up to, and including, 251005 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
Apollo13 Framework Extensions (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Album and Image Gallery plus Lightbox (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
WP AUDIO GALLERY (WordPress plugin) versions up to 2.0. is affected by missing authorization (CVSS 8.8).
The Two Factor (2FA) Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. [CVSS 6.5 MEDIUM]
Privilege escalation in Lizza LMS Pro WordPress plugin <= 1.0.3.
The Page Title, Description & Open Graph Updater plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.02. This is due to missing nonce validation on multiple AJAX actions including dieno_update_page_title. [CVSS 4.3 MEDIUM]
Country Blocker for AdSense (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
The Web Accessibility by accessiBe plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11. This is due to the `accessibe_render_js_in_footer()` function logging the complete plugin options array to the browser console on public pages, without restricting output to privileged users or checking for debug mode. This makes it possible for unauthenticated attackers to view sensitive configuration data, including email addresses, accessiBe us...
The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the shopire_admin_install_plugin() function in all versions up to, and including, 1.0.57. [CVSS 4.3 MEDIUM]
mobile friendly marketing popups. versions up to 4.4.2. contains a security vulnerability (CVSS 5.3).
The StatCounter - Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user's Nickname in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The CTX Feed - WooCommerce Product Feed Manager plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the woo_feed_plugin_installing() function in all versions up to, and including, 6.6.11. [CVSS 7.2 HIGH]
The Advanced Ads - Ad Manager & AdSense plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `placement_update_item()` function. [CVSS 4.3 MEDIUM]
Privilege escalation in Clasifico Listing WordPress plugin <= 2.0.
The Tablesome Table - Contact Form DB - WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to unauthorized access of data that leads to privilege escalation due to a missing capability check on the get_table_data() function in versions 0.5.4 to 1.2.1. [CVSS 8.8 HIGH]
The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 0.2.5.6 to 0.2.6.1. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. [CVSS 8.8 HIGH]
The Library Management System plugin for WordPress is vulnerable to SQL Injection via the 'bid' parameter in all versions up to, and including, 3.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]
The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to unauthenticated limited file upload in all versions up to, and including, 7.8.1. This is due to the plugin not properly verifying that a user is authorized to perform file upload actions via the "ajax_checkout_attachment_upload" function. This makes it possible for unauthenticated attackers to upload files to the server, though file types are limited to WordPress's default allowed MIME types (i...
The Smartsupp - live chat, AI shopping assistant and chatbots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Printful Integration for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.11 via the advanced size chart REST API endpoint. This is due to insufficient validation of user-supplied URLs before passing them to the download_url() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application which can b...
Mailchimp List Subscribe Form (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The Drift theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "acf_photo_gallery_edit_save" function in all versions up to, and including, 3.0. [CVSS 4.3 MEDIUM]
The Mesmerize Companion plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the "openPageInCustomizer" and "openPageInDefaultEditor" functions in all versions up to, and including, 1.6.158. [CVSS 4.3 MEDIUM]
The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. [CVSS 7.5 HIGH]
Aruba HiSpeed Cache (WordPress plugin) versions up to 3.0.2. is affected by missing authorization (CVSS 6.5).
The Aruba HiSpeed Cache plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the dbstatus parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]
Remote Code Execution in InvoicePlane self-hosted invoicing application through code injection. PoC and patch available.
MajorDoMo home automation platform is vulnerable to unauthenticated remote code execution through supply chain compromise via update URL poisoning. The saverestore module exposes its admin() method without authentication due to improper use of gr() (which reads from $_REQUEST), allowing attackers to redirect update URLs and push malicious code packages.
Unauthenticated SQL injection in MajorDoMo's commands module allows remote attackers to extract database contents including unsalted MD5 password hashes without authentication, enabling credential compromise and admin panel access. The vulnerability stems from unsanitized $_GET parameters in SQL queries accessible via the /objects/?module=commands endpoint, and public exploit code is available. Affected versions lack a patch and impact both MajorDoMo and PHP installations running this software.
MajorDomo's shoutbox feature is vulnerable to stored XSS due to unsanitized user input in the /objects/?method= endpoint, allowing unauthenticated attackers to inject malicious scripts that persist in the database. When administrators access the auto-refreshing dashboard, the stored payload executes automatically, enabling session hijacking and cookie theft. Public exploit code exists for this vulnerability, and no patch is currently available.
MajorDoMo's unauthenticated /objects/?op=set endpoint fails to sanitize property values, allowing remote attackers to inject stored XSS payloads that execute when administrators access the property editor, with public exploit code available. The vulnerability is compounded by session cookies lacking HttpOnly protection, enabling attackers to enumerate properties via the /api.php/data/ endpoint and hijack admin sessions through JavaScript exfiltration.
Reflected XSS in MajorDoMo's command.php allows remote attackers to inject arbitrary JavaScript through an unsanitized qry parameter, affecting users who click malicious links. Public exploit code exists for this vulnerability, and no patch is currently available.
Unauthenticated OS command injection in MajorDoMo via rc/index.php. EPSS 41.7% — the $param variable is passed unsanitized to shell commands. PoC available.
MajorDoMo home automation platform allows unauthenticated remote code execution through the admin panel's PHP console. An include order bug in panel.class.php causes execution to continue past a redirect() call that lacks an exit statement, allowing unauthenticated requests to reach the PHP code execution functionality in inc_panel_ajax.php.
Hospital Management System versions up to 4.0 is affected by cross-site request forgery (csrf) (CVSS 6.5).
SQL injection in code-projects Community Project Scholars Tracking System 1.0 admin user management. Allows database compromise via admin panel. PoC available.
Scholars Tracking System versions up to 1.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Missing authentication in CodeAstro Membership Management System 1.0 delete_members.php allows unauthenticated deletion of member records. PoC available.
Missing authentication and authorization in print_membership_card.php in CodeAstro Membership Management System 1.0 allows unauthenticated attackers to access membership card data of arbitrary users via direct requests with a manipulated id parameter, resulting in insecure direct object reference (IDOR). [CVSS 7.5 HIGH]
SQL injection in CodeAstro Membership Management System 1.0 via ID parameter in print_membership_card.php enables unauthenticated database access. PoC available.
Online Time Table Generator versions up to 1.0 is affected by missing authentication for critical function (CVSS 7.5).
Incorrect access control in SourceCodester Customer Support System 1.0 allows unauthenticated access to AJAX dispatcher, enabling full system compromise. PoC available.
Command injection in ZoneMinder v1.36.34 video surveillance system via web/views/image.php. Unsanitized user input enables unauthenticated remote code execution. PoC available.
PHP Object Injection in the Advanced AJAX Product Filters plugin for WordPress (versions up to 3.1.9.6) allows authenticated authors and above to deserialize malicious objects through the Live Composer compatibility layer. While the plugin itself lacks a gadget chain for exploitation, the vulnerability can enable arbitrary file deletion, data theft, or remote code execution if a POP chain exists in installed themes or plugins. No patch is currently available, and exploitation requires valid WordPress user credentials.
The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling vulnerability in the security token comparison which uses loose comparison (==) instead of strict comparison (===). This makes it possible for unauthenticated attackers to bypass authentication using "magic hash" values when the expected MD5 hash prefix happens to be numeric-looking (matching pa...
SQL injection in the WP Import - Ultimate CSV Importer plugin for WordPress (versions up to 7.37) allows authenticated subscribers and higher-privileged users to inject malicious SQL commands through specially crafted filenames during file uploads. When the Single Import/Export feature is enabled on PHP versions below 8.0, attackers can extract sensitive database information by exploiting insufficient input validation. The vulnerability requires valid WordPress credentials but poses a medium risk due to its direct access to database contents.
The Bookster - WordPress Appointment Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘raw’ parameter in all versions up to, and including, 2.1.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 4.9 MEDIUM]
The Brevo - Email, SMS, Web Push, Chat, and more. plugin for WordPress is vulnerable to authorization bypass due to type juggling in all versions up to, and including, 3.3.0. This is due to the use of loose comparison (==) instead of strict comparison (===) when validating the installation ID in the `/wp-json/mailin/v1/mailin_disconnect` REST API endpoint. This makes it possible for unauthenticated attackers to disconnect the Brevo integration, delete the API key, remove all subscription form...
Arbitrary file deletion in WP-DownloadManager plugin versions up to 1.69 allows high-privileged WordPress administrators to bypass path validation and remove critical system files through directory traversal in the file deletion parameter. Deletion of essential files like wp-config.php can result in remote code execution or complete site compromise. No patch is currently available.
The RegistrationMagic - Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to payment bypass due to insufficient verification of data authenticity on the 'process_paypal_sdk_payment' function in all versions up to, and including, 6.0.6.9. [CVSS 5.3 MEDIUM]
The Video Share VOD - Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 2.7.11 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]
The Complianz - GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cmplz-accept-link shortcode in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
Arbitrary PHP code execution in Product Addons for WooCommerce plugin (versions up to 3.1.0) through unsafe use of eval() on unsanitized conditional logic operators allows Shop Manager-level and higher-privileged WordPress users to execute malicious code on affected servers. The vulnerability stems from insufficient input validation in the evalConditions() function where user-supplied operator parameters are passed directly to PHP's eval() without sanitization. No patch is currently available.
Cart All In One For WooCommerce (WordPress plugin) versions up to 1.1.21. contains a security vulnerability (CVSS 7.2).
The Tickera - Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_change_ticket_status' AJAX endpoint in all versions up to, and including, 3.5.6.4. [CVSS 4.3 MEDIUM]
The Popup Box - Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
VK All in One Expansion Unit (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Display During Conditional Shortcode (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
The Filestack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'filepicker' shortcode in all versions up to, and including, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]
The Order Splitter for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wos_troubleshooting' AJAX endpoint in all versions up to, and including, 5.3.5. [CVSS 4.3 MEDIUM]
The Context Blog theme for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.5 via the 'context_blog_modal_popup' due to insufficient restrictions on which posts can be included. [CVSS 5.3 MEDIUM]
Frontend User Notes (WordPress plugin) versions up to 2.1.0 is affected by authorization bypass through user-controlled key (CVSS 4.3).
WP 404 Auto Redirect to Similar Post (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).
phpgurukul Student Management System 1.0 is vulnerable to SQL Injection in studentms/admin/search.php via the searchdata parameter. [CVSS 8.8 HIGH]
Gym Management System versions up to 1.0 is affected by cross-site request forgery (csrf) (CVSS 3.5).
The WP Maps - Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fc_load_template function. [CVSS 8.8 HIGH]
OS command injection in Kodbox up to version 1.64.05 allows remote authenticated attackers to execute arbitrary commands through the localFile parameter in the Media File Preview Plugin's VideoResize class. Public exploit code exists for this vulnerability, and the vendor has not provided patches or responded to disclosure efforts. The attack requires valid credentials but does not need user interaction and can fully compromise affected systems through command execution.
SQL injection in the Hotel-Management-System /home.php POST handler allows authenticated remote attackers to manipulate Name/Email parameters and execute arbitrary database queries. Public exploit code exists for this vulnerability, which affects PHP-based deployments with no available patch. An attacker with login credentials can leverage this flaw to read or modify sensitive database records.
Path traversal in ZenTao's editor component (versions up to 21.7.8) allows authenticated attackers to manipulate the filePath parameter and access files outside intended directories. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected systems vulnerable to unauthorized file access and potential information disclosure.
ZenTao versions up to 21.7.8 contain a path traversal vulnerability in the backup handler that allows authenticated attackers to manipulate file parameters and access or delete arbitrary files on the affected system. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be executed remotely without user interaction.
A vulnerability was identified in vichan-devel vichan versions up to 5.1.5. contains a security vulnerability (CVSS 2.7).
Tosei Self-service Washing Machine 4.02 contains an unauthenticated command injection vulnerability in the adr_txt_1 parameter of /cgi-bin/tosei_datasend.php, allowing remote attackers to execute arbitrary commands with limited confidentiality, integrity, and availability impact. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
OPNsense 19.1 contains a reflected cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject malicious scripts via the value parameter. [CVSS 5.4 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by exploiting the passthrough_networks parameter in vpn_ipsec_settings.php. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the category parameter. [CVSS 6.4 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by exploiting insufficient input validation in the host parameter. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted input through multiple parameters. [CVSS 6.1 MEDIUM]
OPNsense 19.1 contains a stored cross-site scripting vulnerability in the system_advanced_sysctl.php endpoint that allows attackers to inject persistent malicious scripts via the tunable parameter. [CVSS 6.4 MEDIUM]
OPNsense 19.1 contains multiple cross-site scripting vulnerabilities in the diag_backup.php endpoint that allow attackers to inject malicious scripts through multiple parameters including GDrive_GDriveEmail, GDrive_GDriveFolderID, GDrive_GDriveBackupCount, Nextcloud_url, Nextcloud_user, Nextcloud_password, Nextcloud_password_encryption, and Nextcloud_backupdir. [CVSS 5.4 MEDIUM]
Privilege escalation in Truelysell Core WordPress plugin <= 1.8.7. Insufficient role validation allows elevation.
Arbitrary PHP code execution in the Flexi Product Slider and Grid for WooCommerce WordPress plugin through version 1.0.5 allows authenticated contributors to exploit unsanitized file path parameters in the flexipsg_carousel shortcode to include and execute arbitrary files on the server. The vulnerability requires an attacker with Contributor-level access or above to create posts containing malicious shortcodes, but carries high risk due to lack of input validation on the theme parameter enabling local file inclusion attacks. No patch is currently available for this vulnerability.
One to one user Chat by WPGuppy (WordPress plugin) is affected by missing authentication for critical function (CVSS 5.3).
The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hop_name’ parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]