PHP
Monthly
PHP Local File Inclusion (LFI) vulnerability in thembay Fana versions through 1.1.28 that allows unauthenticated remote attackers to include and execute arbitrary files through improper control of filename parameters in PHP include/require statements. The high CVSS score of 8.1 reflects the potential for confidentiality, integrity, and availability impact, though the 'H' attack complexity suggests exploitation requires specific conditions or knowledge of the application architecture. No publicly confirmed KEV or widespread active exploitation is documented, but the 2025 CVE date indicates this is a recently disclosed vulnerability requiring immediate attention from Fana users.
Reflected Cross-Site Scripting (XSS) vulnerability in WPQuark's eForm WordPress Form Builder plugin that allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects the eForm plugin across unspecified version ranges and can be exploited with user interaction to compromise confidentiality, integrity, and availability. No active KEV designation or confirmed POC availability is documented, but the network-accessible nature and low attack complexity present moderate real-world exploitation risk.
A cross-site scripting vulnerability in Michal Jaworski Track (CVSS 7.1). High severity vulnerability requiring prompt remediation.
SQL injection vulnerability in WpExperts Hub's Woocommerce Partial Shipment plugin (versions up to 3.2) that allows authenticated attackers with low privileges to execute arbitrary SQL queries. The vulnerability has a CVSS score of 8.5 (High) with network accessibility and low attack complexity, enabling attackers to read sensitive database information and potentially disrupt service availability. The attack requires valid user credentials but no special interaction, making it a significant risk for multi-user WordPress/WooCommerce installations.
Cross-Site Request Forgery (CSRF) vulnerability in YITHEMES YITH PayPal Express Checkout for WooCommerce allows Cross Site Request Forgery. This issue affects YITH PayPal Express Checkout for WooCommerce: from n/a through 1.49.0.
A security vulnerability in mojoomla School Management allows PHP Local File Inclusion (CVSS 7.5). High severity vulnerability requiring prompt remediation.
A security vulnerability in mojoomla WPGYM allows PHP Local File Inclusion (CVSS 7.5). High severity vulnerability requiring prompt remediation.
Critical deserialization of untrusted data vulnerability in the yuliaz Rapyd Payment Extension for WooCommerce (versions through 1.2.0) that allows unauthenticated remote attackers to perform object injection attacks. The vulnerability has a CVSS score of 9.8 with network-accessible attack vector and no authentication required, meaning any internet-connected attacker can exploit this without user interaction. If actively exploited or proof-of-concept code is available, this represents an immediate risk to all unpatched WooCommerce installations using this payment plugin.
A blind SQL injection vulnerability exists in wpdistillery Navigation Tree Elementor plugin (versions up to 1.0.1) that allows authenticated users to extract sensitive database information through specially crafted input. The vulnerability requires user authentication but operates over the network with low attack complexity, enabling attackers with WordPress user accounts to enumerate and exfiltrate data without direct visibility of query results. No publicly disclosed proof-of-concept or active exploitation in KEV has been confirmed at this time, though the 8.5 CVSS score and SQL injection nature warrant immediate patching.
PHP Local File Inclusion (LFI) vulnerability in snstheme Simen versions through 4.6 that allows unauthenticated remote attackers to include and execute arbitrary local files via improper control of filename parameters in PHP include/require statements. With a CVSS score of 8.1 and network-based attack vector, this vulnerability enables confidentiality, integrity, and availability compromise; however, the high attack complexity suggests exploitation requires specific conditions or knowledge of the target environment.
PHP Local File Inclusion (LFI) vulnerability in the snstheme Evon WordPress theme (versions up to 3.4) that allows unauthenticated remote attackers to include and execute arbitrary local files on the server. An attacker can exploit this via a network attack with high complexity to achieve arbitrary code execution, data exfiltration, and system compromise. The vulnerability stems from improper input validation on filename parameters passed to PHP include/require statements.
Blind SQL Injection vulnerability in Suhas Surse WP Employee Attendance System affecting versions through 3.5, allowing authenticated attackers with high privileges to extract sensitive database information. While the CVSS score of 7.6 indicates moderate-to-high severity, the attack requires administrator-level credentials and the confidentiality impact is high; however, integrity and availability impacts are limited. No current KEV designation or widespread public POC availability has been reported, though the vulnerability's nature as SQL injection makes exploitation theoretically straightforward for skilled attackers.
Critical SQL injection vulnerability in the WPCRM plugin (versions up to 3.2.0) for WordPress, affecting deployments integrating Contact Form 7 and WooCommerce. An unauthenticated remote attacker can execute arbitrary SQL commands with high confidence (CVSS 9.3, EPSS score likely elevated) to extract sensitive customer relationship and transaction data, though direct data modification and system availability impacts are limited. Immediate patching is strongly recommended for all affected installations.
PHP Local File Inclusion (LFI) vulnerability in the snstheme DSK WordPress theme (versions up to 2.2) that allows unauthenticated remote attackers to include and execute arbitrary local files on the server. The vulnerability stems from improper input validation on filename parameters in PHP include/require statements, potentially enabling attackers to read sensitive files, execute code, or compromise the entire WordPress installation. This is a high-severity issue (CVSS 8.1) affecting a popular theme, though real-world exploitation requires moderate attack complexity (AC:H).
The Simple Logo Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.9.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Master Slider - Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's masterslider_pb and ms_slide shortcodes in all versions up to, and including, 3.10.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on several functions in all versions up to, and including, 19.9.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to change the email address for the account connection, and disconnect the plugin. Previously created content will still be displayed and functional if the account is disconnected.
The Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin (versions ≤1.3.8.9) contains an unrestricted file upload vulnerability allowing unauthenticated attackers to bypass file type blacklists and upload dangerous file extensions (.phar, etc.). On servers configured to execute .phar files as PHP (common in default Apache+mod_php setups), this enables remote code execution with high impact to confidentiality, integrity, and availability (CVSS 8.1). While KEV and EPSS data are not provided, the vulnerability is actively exploitable given its public disclosure and network-accessible attack vector.
A vulnerability classified as critical was found in Webkul QloApps 1.6.1. Affected by this vulnerability is an unknown functionality of the file /admin/ajax_products_list.php. The manipulation of the argument packItself leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor confirms the existence of this flaw but considers it a low-level issue due to admin privilege pre-requisites. Still, a fix is planned for a future release.
The Ivory Search WordPress plugin before 5.5.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
A remote code execution vulnerability (CVSS 7.3). Risk factors: public PoC available.
A critical SQL injection vulnerability exists in SourceCodester Client Database Management System version 1.0 affecting the /user_customer_create_order.php file, where the user_id parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Public disclosure and proof-of-concept availability elevate exploitation risk, though the CVSS 7.3 rating indicates moderate real-world impact rather than critical severity.
Critical SQL injection vulnerability in code-projects Hostel Management System version 1.0, specifically in the /allocate_room.php file's 'search_box' parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, and system disruption. The vulnerability has been publicly disclosed with proof-of-concept code available, making it actively exploitable in the wild.
Critical SQL injection vulnerability in PHPGurukul Nipah Virus Testing Management System version 1.0, located in the /registered-user-testing.php file where the 'testtype' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially compromising data confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with proof-of-concept code available, presenting immediate exploitation risk in production environments.
A vulnerability was found in PHPGurukul Nipah Virus Testing Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /bwdates-report-ds.php. The manipulation of the argument testtype leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Critical SQL injection vulnerability in PHPGurukul Hostel Management System 1.0 affecting the login functionality (/includes/login-hm.inc.php). An unauthenticated attacker can manipulate the Username parameter to execute arbitrary SQL queries remotely, potentially compromising data confidentiality, integrity, and availability. Public exploit disclosure and active exploitation potential significantly elevate real-world risk despite a moderate CVSS score of 7.3.
A SQL injection vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.
A SQL injection vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to SQL Injection via the ‘prgSortPostType’ parameter in all versions up to, and including, 8.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
The WordPress Infinite Scroll - Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-button-label HTML attribute in all versions up to, and including, 7.4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Wise Chat WordPress plugin versions up to 3.3.4 contains a Stored Cross-Site Scripting (XSS) vulnerability in the X-Forwarded-For header processing that allows unauthenticated attackers to inject malicious scripts without authentication or user interaction. When vulnerable pages are accessed by site visitors, the injected scripts execute in their browsers, potentially enabling credential theft, session hijacking, or malware distribution. This vulnerability has a CVSS score of 7.2 (High) and affects all publicly-facing WordPress installations running the affected plugin versions.
A vulnerability was found in Projectworlds Life Insurance Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /insertPayment.php. The manipulation of the argument recipt_no leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
A vulnerability was found in Projectworlds Life Insurance Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /insertNominee.php. The manipulation of the argument client_id/nominee_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
A vulnerability was found in Projectworlds Life Insurance Management System 1.0. It has been classified as critical. This affects an unknown part of the file /insertClient.php. The manipulation of the argument client_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
A vulnerability was found in Projectworlds Life Insurance Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /insertagent.php. The manipulation of the argument agent_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Critical SQL injection vulnerability in Chanjet CRM 1.0 affecting the /sysconfig/departmentsetting.php endpoint via the gblOrgID parameter. An unauthenticated remote attacker can manipulate this parameter to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has public exploit disclosure and demonstrates active exploitation potential, making it a high-priority remediation target despite the moderate CVSS score.
A vulnerability was found in PHPGurukul Nipah Virus Testing Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /search-report.php. The manipulation of the argument serachdata leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
A vulnerability was found in PHPGurukul Rail Pass Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /contact.php. The manipulation of the argument Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
A vulnerability was found in PHPGurukul Rail Pass Management System 1.0. It has been classified as problematic. Affected is an unknown function of the file /admin/aboutus.php. The manipulation of the argument pagedes leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Critical SQL injection vulnerability in code-projects Restaurant Order System version 1.0, affecting the /tablelow.php file's ID parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion of the restaurant database. The vulnerability has been publicly disclosed with proof-of-concept availability, increasing real-world exploitation risk.
A SQL injection vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.
A vulnerability, which was classified as critical, was found in code-projects Restaurant Order System 1.0. This affects an unknown part of the file /table.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Reflected Cross-Site Scripting (XSS) in /customer_support/index.php in Customer Support System v1.0, which allows remote attackers to execute arbitrary code via the page parameter.
A SQL injection vulnerability in Customer Support System (CVSS 8.8) that allows an authenticated attacker. High severity vulnerability requiring prompt remediation.
Critical OS command injection vulnerability in Wifi-soft UniBox Controller affecting versions up to 20250506. An authenticated attacker can remotely execute arbitrary operating system commands via the 'ipaddress' parameter in /billing/pms_check.php, achieving complete system compromise. Public exploit code exists, the vendor has not responded to early disclosure, and this vulnerability meets criteria for immediate exploitation in real-world environments.
A critical OS command injection vulnerability exists in Wifi-soft UniBox Controller versions up to 20250506 within the /billing/test_accesscodelogin.php file's Password parameter, allowing authenticated remote attackers to execute arbitrary system commands with high impact on confidentiality, integrity, and availability. Public exploit code has been disclosed and the vendor has not responded to early disclosure notifications, indicating active exploitation risk and lack of official patches.
Critical OS command injection vulnerability in Wifi-soft UniBox Controller affecting versions up to 20250506, exploitable through the mac_address parameter in /authentication/logout.php. An authenticated attacker can remotely execute arbitrary OS commands with high impact on confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with exploit code available, and the vendor has not responded to early disclosure attempts, significantly elevating real-world risk.
A vulnerability has been found in codesiddhant Jasmin Ransomware up to 1.0.1 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /dashboard.php. The manipulation of the argument Search leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A SQL injection vulnerability (CVSS 7.3). Risk factors: EPSS 28% exploitation probability, public PoC available.
A vulnerability, which was classified as critical, has been found in qianfox FoxCMS up to 1.2.5. This issue affects the function batchCope of the file app/admin/controller/Download.php. The manipulation of the argument ids leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
The Slider, Gallery, and Carousel by MetaSlider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘aria-label’ parameter in all versions up to, and including, 3.98.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ssa_admin_upcoming_appointments, ssa_admin_upcoming_appointments, and ssa_past_appointments shortcodes in all versions up to, and including, 1.6.8.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Restrict File Access plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.2 via the output() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
The Image Resizer On The Fly WordPress plugin (versions ≤1.1) contains a critical arbitrary file deletion vulnerability in its 'delete' task that allows unauthenticated attackers to remove arbitrary files from the server without authentication. This vulnerability can facilitate remote code execution by deleting critical files such as wp-config.php, leading to complete WordPress installation compromise. With a CVSS score of 9.1 and network-accessible attack vector requiring no user interaction or privileges, this represents a critical risk to all unpatched installations.
The WP URL Shortener plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the 'url_shortener_settings' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The XiSearch bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6. This is due to missing or incorrect nonce validation on the 'xisearch-key-config' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Yougler Blogger Profile Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, v1.01. This is due to missing or incorrect nonce validation on the 'yougler-plugin.php' page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The kk Youtube Video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'kkytv' shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Zen Sticky Social plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing or incorrect nonce validation on the 'zen-social-sticky/zen-sticky-social.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Easy Flashcards plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1. This is due to missing or incorrect nonce validation on the 'ef_settings_submenu' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘status-classic-offline-text’ parameter in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Click to Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-no_number’ parameter in all versions up to, and including, 4.22 to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The AI Image Lab - Free AI Image Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing or incorrect nonce validation on the 'wpz-ai-images' page. This makes it possible for unauthenticated attackers to update the plugin's API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The DIOT SCADA with MQTT plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'diot' shortcode in all versions up to, and including, 1.0.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
A remote code execution vulnerability in all (CVSS 8.1). High severity vulnerability requiring prompt remediation.
The UserPro - Community and User Profile WordPress Plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 5.1.10 via the userpro_fbconnect() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
AutomatorWP plugin for WordPress versions up to 5.2.3 contains a time-based SQL injection vulnerability in the field_conditions parameter that allows authenticated administrators and higher-privileged users to extract sensitive database information through insufficient input escaping and lack of prepared statements. While the CVSS score of 7.2 is moderately high, exploitation requires administrator-level access, significantly limiting real-world attack surface; no active exploitation in the wild has been confirmed at this time.
A remote code execution vulnerability in File Manager Pro - Filester (CVSS 7.2). High severity vulnerability requiring prompt remediation.
The Seraphinite Accelerator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.27.21. This is due to missing or incorrect nonce validation on the 'OnAdminApi_CacheOpBegin' function. This makes it possible for unauthenticated attackers to perform several administrative actions, including deleting the cache, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Stored/Reflected Cross-Site Scripting (XSS) vulnerability in the Drupal etracker module that allows unauthenticated remote attackers to inject malicious scripts into web pages without requiring user interaction. The vulnerability affects etracker versions prior to 3.1.0, enabling attackers to steal session tokens, perform unauthorized actions, or redirect users to malicious sites. The CVSS 7.3 score and network-accessible attack vector indicate this is a significant vulnerability affecting any Drupal installation with the vulnerable etracker module enabled.
Stored/Reflected Cross-Site Scripting (XSS) vulnerability in Drupal Simple Klaro module versions before 1.10.0 that fails to properly neutralize user input during web page generation. An unauthenticated remote attacker can inject malicious scripts that execute in victims' browsers with high impact on confidentiality and integrity, though the attack requires user interaction (clicking a malicious link). The vulnerability has a high CVSS score of 8.8 due to its network-based attack vector and broad scope, but real-world exploitation likelihood depends on KEV/EPSS data not provided in available intelligence.
Cross-Site Scripting (XSS) vulnerability in Drupal's COOKiES Consent Management module that allows unauthenticated remote attackers to inject and execute malicious scripts during web page generation. All versions from 0.0.0 before 1.2.15 are affected. The vulnerability has a high CVSS score of 8.6 with no authentication or user interaction required, enabling attackers to compromise confidentiality, modify page content, and degrade availability. The network-based attack vector and low complexity indicate this is likely actively exploitable in real-world deployments.
Stored/Reflected Cross-Site Scripting (XSS) vulnerability in Drupal's COOKiES Consent Management module (versions before 1.2.15) that allows unauthenticated attackers to inject malicious scripts into web pages due to improper input neutralization. The vulnerability has a CVSS score of 8.6 (High severity) with network-based attack vector requiring no privileges or user interaction, enabling attackers to compromise confidentiality, integrity, and availability of affected sites. No active KEV or widespread public PoC data is available in standard vulnerability databases, suggesting limited real-world exploitation at time of analysis, though the high CVSS and ease of exploitation (AV:N/AC:L/PR:N/UI:N) warrant immediate patching.
A SQL injection vulnerability (CWE-89) exists in the No Boss Calendar Joomla component versions prior to 5.0.7, allowing authenticated users with high privileges to execute arbitrary SQL commands through the id_module parameter. The vulnerability has a CVSS 4.0 score of 8.6 with high impact on confidentiality, integrity, and availability of the database. While the attack requires high-privilege authenticated access, successful exploitation could lead to complete database compromise, data exfiltration, or system takeover.
The Auto Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
The Game Review Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 4.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
A security vulnerability in all (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
The WP Travel Engine plugin for WordPress contains a missing capability check in the delete_package() function, allowing unauthenticated attackers to delete arbitrary posts without authentication. This vulnerability affects all versions up to and including 6.5.1 and results in unauthorized data loss with a CVSS score of 7.5. The vulnerability is network-accessible with no user interaction required, making it a significant integrity risk for WordPress installations running vulnerable plugin versions.
The Telegram for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
The Digital Marketing and Agency Templates Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the import_templates() function. This makes it possible for unauthenticated attackers to trigger an import via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The WP Sliding Login/Dashboard Panel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the wp_sliding_panel_user_options() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Link Shield plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5.4. This is due to missing or incorrect nonce validation on the link_shield_menu_options() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The ACF Onyx Poll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class’ parameter in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The REST API | Custom API Generator For Cross Platform And Import Export plugin for WordPress (versions 1.0.0-2.0.3) contains a critical privilege escalation vulnerability where the process_handler() function lacks capability checks, allowing unauthenticated attackers to create administrator accounts via malicious JSON imports. With a CVSS score of 9.8 and network-based attack vector requiring no user interaction, this is a severe, likely actively exploited vulnerability affecting any WordPress installation using vulnerable plugin versions.
The Color Palette plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hex’ parameter in all versions up to, and including, 4.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Contact Us Page - Contact People plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ parameter in all versions up to, and including, 3.7.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Multiple SQL injection vulnerabilities in the EuroInformation MoneticoPaiement module before 1.1.1 for PrestaShop allow remote attackers to execute arbitrary SQL commands via the TPE, societe, MAC, reference, or aliascb parameter to transaction.php, validation.php, or callback.php.
Critical unauthenticated SQL injection vulnerability in the JEvents component for Joomla that allows remote attackers to execute arbitrary SQL queries through publicly accessible date range filtering actions. The vulnerability affects JEvents versions before 3.6.88 and 3.6.82.1, enabling attackers to extract sensitive database information, modify data, or potentially achieve remote code execution. With a CVSS score of 9.3 and network-based attack vector requiring no privileges or user interaction, this represents a severe risk to all unpatched Joomla installations using vulnerable JEvents versions.
The WordPress Single Sign-On (SSO) plugin for WordPress is vulnerable to unauthorized access due to a misconfigured capability check on a function in all versions up to, and including, the *.5.3 versions of the plugin. This makes it possible for unauthenticated attackers to extract sensitive data including site content that has been restricted to certain users and/or roles.
PHP Local File Inclusion (LFI) vulnerability in thembay Fana versions through 1.1.28 that allows unauthenticated remote attackers to include and execute arbitrary files through improper control of filename parameters in PHP include/require statements. The high CVSS score of 8.1 reflects the potential for confidentiality, integrity, and availability impact, though the 'H' attack complexity suggests exploitation requires specific conditions or knowledge of the application architecture. No publicly confirmed KEV or widespread active exploitation is documented, but the 2025 CVE date indicates this is a recently disclosed vulnerability requiring immediate attention from Fana users.
Reflected Cross-Site Scripting (XSS) vulnerability in WPQuark's eForm WordPress Form Builder plugin that allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects the eForm plugin across unspecified version ranges and can be exploited with user interaction to compromise confidentiality, integrity, and availability. No active KEV designation or confirmed POC availability is documented, but the network-accessible nature and low attack complexity present moderate real-world exploitation risk.
A cross-site scripting vulnerability in Michal Jaworski Track (CVSS 7.1). High severity vulnerability requiring prompt remediation.
SQL injection vulnerability in WpExperts Hub's Woocommerce Partial Shipment plugin (versions up to 3.2) that allows authenticated attackers with low privileges to execute arbitrary SQL queries. The vulnerability has a CVSS score of 8.5 (High) with network accessibility and low attack complexity, enabling attackers to read sensitive database information and potentially disrupt service availability. The attack requires valid user credentials but no special interaction, making it a significant risk for multi-user WordPress/WooCommerce installations.
Cross-Site Request Forgery (CSRF) vulnerability in YITHEMES YITH PayPal Express Checkout for WooCommerce allows Cross Site Request Forgery. This issue affects YITH PayPal Express Checkout for WooCommerce: from n/a through 1.49.0.
A security vulnerability in mojoomla School Management allows PHP Local File Inclusion (CVSS 7.5). High severity vulnerability requiring prompt remediation.
A security vulnerability in mojoomla WPGYM allows PHP Local File Inclusion (CVSS 7.5). High severity vulnerability requiring prompt remediation.
Critical deserialization of untrusted data vulnerability in the yuliaz Rapyd Payment Extension for WooCommerce (versions through 1.2.0) that allows unauthenticated remote attackers to perform object injection attacks. The vulnerability has a CVSS score of 9.8 with network-accessible attack vector and no authentication required, meaning any internet-connected attacker can exploit this without user interaction. If actively exploited or proof-of-concept code is available, this represents an immediate risk to all unpatched WooCommerce installations using this payment plugin.
A blind SQL injection vulnerability exists in wpdistillery Navigation Tree Elementor plugin (versions up to 1.0.1) that allows authenticated users to extract sensitive database information through specially crafted input. The vulnerability requires user authentication but operates over the network with low attack complexity, enabling attackers with WordPress user accounts to enumerate and exfiltrate data without direct visibility of query results. No publicly disclosed proof-of-concept or active exploitation in KEV has been confirmed at this time, though the 8.5 CVSS score and SQL injection nature warrant immediate patching.
PHP Local File Inclusion (LFI) vulnerability in snstheme Simen versions through 4.6 that allows unauthenticated remote attackers to include and execute arbitrary local files via improper control of filename parameters in PHP include/require statements. With a CVSS score of 8.1 and network-based attack vector, this vulnerability enables confidentiality, integrity, and availability compromise; however, the high attack complexity suggests exploitation requires specific conditions or knowledge of the target environment.
PHP Local File Inclusion (LFI) vulnerability in the snstheme Evon WordPress theme (versions up to 3.4) that allows unauthenticated remote attackers to include and execute arbitrary local files on the server. An attacker can exploit this via a network attack with high complexity to achieve arbitrary code execution, data exfiltration, and system compromise. The vulnerability stems from improper input validation on filename parameters passed to PHP include/require statements.
Blind SQL Injection vulnerability in Suhas Surse WP Employee Attendance System affecting versions through 3.5, allowing authenticated attackers with high privileges to extract sensitive database information. While the CVSS score of 7.6 indicates moderate-to-high severity, the attack requires administrator-level credentials and the confidentiality impact is high; however, integrity and availability impacts are limited. No current KEV designation or widespread public POC availability has been reported, though the vulnerability's nature as SQL injection makes exploitation theoretically straightforward for skilled attackers.
Critical SQL injection vulnerability in the WPCRM plugin (versions up to 3.2.0) for WordPress, affecting deployments integrating Contact Form 7 and WooCommerce. An unauthenticated remote attacker can execute arbitrary SQL commands with high confidence (CVSS 9.3, EPSS score likely elevated) to extract sensitive customer relationship and transaction data, though direct data modification and system availability impacts are limited. Immediate patching is strongly recommended for all affected installations.
PHP Local File Inclusion (LFI) vulnerability in the snstheme DSK WordPress theme (versions up to 2.2) that allows unauthenticated remote attackers to include and execute arbitrary local files on the server. The vulnerability stems from improper input validation on filename parameters in PHP include/require statements, potentially enabling attackers to read sensitive files, execute code, or compromise the entire WordPress installation. This is a high-severity issue (CVSS 8.1) affecting a popular theme, though real-world exploitation requires moderate attack complexity (AC:H).
The Simple Logo Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.9.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Master Slider - Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's masterslider_pb and ms_slide shortcodes in all versions up to, and including, 3.10.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Poll, Survey & Quiz Maker Plugin by Opinion Stage plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on several functions in all versions up to, and including, 19.9.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to change the email address for the account connection, and disconnect the plugin. Previously created content will still be displayed and functional if the account is disconnected.
The Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin (versions ≤1.3.8.9) contains an unrestricted file upload vulnerability allowing unauthenticated attackers to bypass file type blacklists and upload dangerous file extensions (.phar, etc.). On servers configured to execute .phar files as PHP (common in default Apache+mod_php setups), this enables remote code execution with high impact to confidentiality, integrity, and availability (CVSS 8.1). While KEV and EPSS data are not provided, the vulnerability is actively exploitable given its public disclosure and network-accessible attack vector.
A vulnerability classified as critical was found in Webkul QloApps 1.6.1. Affected by this vulnerability is an unknown functionality of the file /admin/ajax_products_list.php. The manipulation of the argument packItself leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor confirms the existence of this flaw but considers it a low-level issue due to admin privilege pre-requisites. Still, a fix is planned for a future release.
The Ivory Search WordPress plugin before 5.5.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
A remote code execution vulnerability (CVSS 7.3). Risk factors: public PoC available.
A critical SQL injection vulnerability exists in SourceCodester Client Database Management System version 1.0 affecting the /user_customer_create_order.php file, where the user_id parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. Public disclosure and proof-of-concept availability elevate exploitation risk, though the CVSS 7.3 rating indicates moderate real-world impact rather than critical severity.
Critical SQL injection vulnerability in code-projects Hostel Management System version 1.0, specifically in the /allocate_room.php file's 'search_box' parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, and system disruption. The vulnerability has been publicly disclosed with proof-of-concept code available, making it actively exploitable in the wild.
Critical SQL injection vulnerability in PHPGurukul Nipah Virus Testing Management System version 1.0, located in the /registered-user-testing.php file where the 'testtype' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially compromising data confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with proof-of-concept code available, presenting immediate exploitation risk in production environments.
A vulnerability was found in PHPGurukul Nipah Virus Testing Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /bwdates-report-ds.php. The manipulation of the argument testtype leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Critical SQL injection vulnerability in PHPGurukul Hostel Management System 1.0 affecting the login functionality (/includes/login-hm.inc.php). An unauthenticated attacker can manipulate the Username parameter to execute arbitrary SQL queries remotely, potentially compromising data confidentiality, integrity, and availability. Public exploit disclosure and active exploitation potential significantly elevate real-world risk despite a moderate CVSS score of 7.3.
A SQL injection vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.
A SQL injection vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to SQL Injection via the ‘prgSortPostType’ parameter in all versions up to, and including, 8.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
The WordPress Infinite Scroll - Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-button-label HTML attribute in all versions up to, and including, 7.4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Wise Chat WordPress plugin versions up to 3.3.4 contains a Stored Cross-Site Scripting (XSS) vulnerability in the X-Forwarded-For header processing that allows unauthenticated attackers to inject malicious scripts without authentication or user interaction. When vulnerable pages are accessed by site visitors, the injected scripts execute in their browsers, potentially enabling credential theft, session hijacking, or malware distribution. This vulnerability has a CVSS score of 7.2 (High) and affects all publicly-facing WordPress installations running the affected plugin versions.
A vulnerability was found in Projectworlds Life Insurance Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /insertPayment.php. The manipulation of the argument recipt_no leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
A vulnerability was found in Projectworlds Life Insurance Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /insertNominee.php. The manipulation of the argument client_id/nominee_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
A vulnerability was found in Projectworlds Life Insurance Management System 1.0. It has been classified as critical. This affects an unknown part of the file /insertClient.php. The manipulation of the argument client_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
A vulnerability was found in Projectworlds Life Insurance Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /insertagent.php. The manipulation of the argument agent_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Critical SQL injection vulnerability in Chanjet CRM 1.0 affecting the /sysconfig/departmentsetting.php endpoint via the gblOrgID parameter. An unauthenticated remote attacker can manipulate this parameter to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has public exploit disclosure and demonstrates active exploitation potential, making it a high-priority remediation target despite the moderate CVSS score.
A vulnerability was found in PHPGurukul Nipah Virus Testing Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /search-report.php. The manipulation of the argument serachdata leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
A vulnerability was found in PHPGurukul Rail Pass Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /contact.php. The manipulation of the argument Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
A vulnerability was found in PHPGurukul Rail Pass Management System 1.0. It has been classified as problematic. Affected is an unknown function of the file /admin/aboutus.php. The manipulation of the argument pagedes leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Critical SQL injection vulnerability in code-projects Restaurant Order System version 1.0, affecting the /tablelow.php file's ID parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion of the restaurant database. The vulnerability has been publicly disclosed with proof-of-concept availability, increasing real-world exploitation risk.
A SQL injection vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.
A vulnerability, which was classified as critical, was found in code-projects Restaurant Order System 1.0. This affects an unknown part of the file /table.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Reflected Cross-Site Scripting (XSS) in /customer_support/index.php in Customer Support System v1.0, which allows remote attackers to execute arbitrary code via the page parameter.
A SQL injection vulnerability in Customer Support System (CVSS 8.8) that allows an authenticated attacker. High severity vulnerability requiring prompt remediation.
Critical OS command injection vulnerability in Wifi-soft UniBox Controller affecting versions up to 20250506. An authenticated attacker can remotely execute arbitrary operating system commands via the 'ipaddress' parameter in /billing/pms_check.php, achieving complete system compromise. Public exploit code exists, the vendor has not responded to early disclosure, and this vulnerability meets criteria for immediate exploitation in real-world environments.
A critical OS command injection vulnerability exists in Wifi-soft UniBox Controller versions up to 20250506 within the /billing/test_accesscodelogin.php file's Password parameter, allowing authenticated remote attackers to execute arbitrary system commands with high impact on confidentiality, integrity, and availability. Public exploit code has been disclosed and the vendor has not responded to early disclosure notifications, indicating active exploitation risk and lack of official patches.
Critical OS command injection vulnerability in Wifi-soft UniBox Controller affecting versions up to 20250506, exploitable through the mac_address parameter in /authentication/logout.php. An authenticated attacker can remotely execute arbitrary OS commands with high impact on confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with exploit code available, and the vendor has not responded to early disclosure attempts, significantly elevating real-world risk.
A vulnerability has been found in codesiddhant Jasmin Ransomware up to 1.0.1 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /dashboard.php. The manipulation of the argument Search leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A SQL injection vulnerability (CVSS 7.3). Risk factors: EPSS 28% exploitation probability, public PoC available.
A vulnerability, which was classified as critical, has been found in qianfox FoxCMS up to 1.2.5. This issue affects the function batchCope of the file app/admin/controller/Download.php. The manipulation of the argument ids leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
The Slider, Gallery, and Carousel by MetaSlider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘aria-label’ parameter in all versions up to, and including, 3.98.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Appointment Booking Calendar - Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ssa_admin_upcoming_appointments, ssa_admin_upcoming_appointments, and ssa_past_appointments shortcodes in all versions up to, and including, 1.6.8.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Restrict File Access plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.2 via the output() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
The Image Resizer On The Fly WordPress plugin (versions ≤1.1) contains a critical arbitrary file deletion vulnerability in its 'delete' task that allows unauthenticated attackers to remove arbitrary files from the server without authentication. This vulnerability can facilitate remote code execution by deleting critical files such as wp-config.php, leading to complete WordPress installation compromise. With a CVSS score of 9.1 and network-accessible attack vector requiring no user interaction or privileges, this represents a critical risk to all unpatched installations.
The WP URL Shortener plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the 'url_shortener_settings' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The XiSearch bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6. This is due to missing or incorrect nonce validation on the 'xisearch-key-config' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Yougler Blogger Profile Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, v1.01. This is due to missing or incorrect nonce validation on the 'yougler-plugin.php' page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The kk Youtube Video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'kkytv' shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Zen Sticky Social plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing or incorrect nonce validation on the 'zen-social-sticky/zen-sticky-social.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Easy Flashcards plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1. This is due to missing or incorrect nonce validation on the 'ef_settings_submenu' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘status-classic-offline-text’ parameter in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Click to Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-no_number’ parameter in all versions up to, and including, 4.22 to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The AI Image Lab - Free AI Image Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing or incorrect nonce validation on the 'wpz-ai-images' page. This makes it possible for unauthenticated attackers to update the plugin's API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The DIOT SCADA with MQTT plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'diot' shortcode in all versions up to, and including, 1.0.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
A remote code execution vulnerability in all (CVSS 8.1). High severity vulnerability requiring prompt remediation.
The UserPro - Community and User Profile WordPress Plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 5.1.10 via the userpro_fbconnect() function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
AutomatorWP plugin for WordPress versions up to 5.2.3 contains a time-based SQL injection vulnerability in the field_conditions parameter that allows authenticated administrators and higher-privileged users to extract sensitive database information through insufficient input escaping and lack of prepared statements. While the CVSS score of 7.2 is moderately high, exploitation requires administrator-level access, significantly limiting real-world attack surface; no active exploitation in the wild has been confirmed at this time.
A remote code execution vulnerability in File Manager Pro - Filester (CVSS 7.2). High severity vulnerability requiring prompt remediation.
The Seraphinite Accelerator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.27.21. This is due to missing or incorrect nonce validation on the 'OnAdminApi_CacheOpBegin' function. This makes it possible for unauthenticated attackers to perform several administrative actions, including deleting the cache, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Stored/Reflected Cross-Site Scripting (XSS) vulnerability in the Drupal etracker module that allows unauthenticated remote attackers to inject malicious scripts into web pages without requiring user interaction. The vulnerability affects etracker versions prior to 3.1.0, enabling attackers to steal session tokens, perform unauthorized actions, or redirect users to malicious sites. The CVSS 7.3 score and network-accessible attack vector indicate this is a significant vulnerability affecting any Drupal installation with the vulnerable etracker module enabled.
Stored/Reflected Cross-Site Scripting (XSS) vulnerability in Drupal Simple Klaro module versions before 1.10.0 that fails to properly neutralize user input during web page generation. An unauthenticated remote attacker can inject malicious scripts that execute in victims' browsers with high impact on confidentiality and integrity, though the attack requires user interaction (clicking a malicious link). The vulnerability has a high CVSS score of 8.8 due to its network-based attack vector and broad scope, but real-world exploitation likelihood depends on KEV/EPSS data not provided in available intelligence.
Cross-Site Scripting (XSS) vulnerability in Drupal's COOKiES Consent Management module that allows unauthenticated remote attackers to inject and execute malicious scripts during web page generation. All versions from 0.0.0 before 1.2.15 are affected. The vulnerability has a high CVSS score of 8.6 with no authentication or user interaction required, enabling attackers to compromise confidentiality, modify page content, and degrade availability. The network-based attack vector and low complexity indicate this is likely actively exploitable in real-world deployments.
Stored/Reflected Cross-Site Scripting (XSS) vulnerability in Drupal's COOKiES Consent Management module (versions before 1.2.15) that allows unauthenticated attackers to inject malicious scripts into web pages due to improper input neutralization. The vulnerability has a CVSS score of 8.6 (High severity) with network-based attack vector requiring no privileges or user interaction, enabling attackers to compromise confidentiality, integrity, and availability of affected sites. No active KEV or widespread public PoC data is available in standard vulnerability databases, suggesting limited real-world exploitation at time of analysis, though the high CVSS and ease of exploitation (AV:N/AC:L/PR:N/UI:N) warrant immediate patching.
A SQL injection vulnerability (CWE-89) exists in the No Boss Calendar Joomla component versions prior to 5.0.7, allowing authenticated users with high privileges to execute arbitrary SQL commands through the id_module parameter. The vulnerability has a CVSS 4.0 score of 8.6 with high impact on confidentiality, integrity, and availability of the database. While the attack requires high-privilege authenticated access, successful exploitation could lead to complete database compromise, data exfiltration, or system takeover.
The Auto Attachments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
The Game Review Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 4.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
A security vulnerability in all (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
The WP Travel Engine plugin for WordPress contains a missing capability check in the delete_package() function, allowing unauthenticated attackers to delete arbitrary posts without authentication. This vulnerability affects all versions up to and including 6.5.1 and results in unauthorized data loss with a CVSS score of 7.5. The vulnerability is network-accessible with no user interaction required, making it a significant integrity risk for WordPress installations running vulnerable plugin versions.
The Telegram for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
The Digital Marketing and Agency Templates Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on the import_templates() function. This makes it possible for unauthenticated attackers to trigger an import via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The WP Sliding Login/Dashboard Panel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the wp_sliding_panel_user_options() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The Link Shield plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5.4. This is due to missing or incorrect nonce validation on the link_shield_menu_options() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
The ACF Onyx Poll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class’ parameter in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The REST API | Custom API Generator For Cross Platform And Import Export plugin for WordPress (versions 1.0.0-2.0.3) contains a critical privilege escalation vulnerability where the process_handler() function lacks capability checks, allowing unauthenticated attackers to create administrator accounts via malicious JSON imports. With a CVSS score of 9.8 and network-based attack vector requiring no user interaction, this is a severe, likely actively exploited vulnerability affecting any WordPress installation using vulnerable plugin versions.
The Color Palette plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hex’ parameter in all versions up to, and including, 4.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Contact Us Page - Contact People plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ parameter in all versions up to, and including, 3.7.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Multiple SQL injection vulnerabilities in the EuroInformation MoneticoPaiement module before 1.1.1 for PrestaShop allow remote attackers to execute arbitrary SQL commands via the TPE, societe, MAC, reference, or aliascb parameter to transaction.php, validation.php, or callback.php.
Critical unauthenticated SQL injection vulnerability in the JEvents component for Joomla that allows remote attackers to execute arbitrary SQL queries through publicly accessible date range filtering actions. The vulnerability affects JEvents versions before 3.6.88 and 3.6.82.1, enabling attackers to extract sensitive database information, modify data, or potentially achieve remote code execution. With a CVSS score of 9.3 and network-based attack vector requiring no privileges or user interaction, this represents a severe risk to all unpatched Joomla installations using vulnerable JEvents versions.
The WordPress Single Sign-On (SSO) plugin for WordPress is vulnerable to unauthorized access due to a misconfigured capability check on a function in all versions up to, and including, the *.5.3 versions of the plugin. This makes it possible for unauthenticated attackers to extract sensitive data including site content that has been restricted to certain users and/or roles.