Total: 293204 CVEs

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-7556 | | | 2025-05-17 | N/A | 4.8 MEDIUM | The Simple Share WordPress plugin through 0.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2024-6809 | | | 2025-05-17 | N/A | 9.8 CRITICAL | The Simple Video Directory WordPress plugin before 1.4.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
CVE-2024-6798 | | | 2025-05-17 | N/A | 4.8 MEDIUM | The DL Verification WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2024-6667 | | | 2025-05-17 | N/A | 6.1 MEDIUM | The KBucket: Your Curated Content in WordPress plugin before 4.1.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against admin.
CVE-2024-6665 | | | 2025-05-17 | N/A | 4.8 MEDIUM | The KBucket: Your Curated Content in WordPress plugin before 4.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVE-2024-6584 | | | 2025-05-17 | N/A | 9.1 CRITICAL | The 'wp_ajax_boost_proxy_ig' action allows administrators to make GET requests to arbitrary URLs.
CVE-2023-6786 | | | 2025-05-17 | N/A | 6.1 MEDIUM | The Payment Gateway for Telcell WordPress plugin through 2.0.1 does not validate the api_url parameter before redirecting the user to its value, leading to an Open Redirect issue.
CVE-2025-4815 | | | 2025-05-17 | 7.5 HIGH | 7.3 HIGH | A vulnerability was found in Campcodes Sales and Inventory System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /pages/supplier_update.php. The manipulation of the argument Name leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-4814 | | | 2025-05-17 | 7.5 HIGH | 7.3 HIGH | A vulnerability has been found in Campcodes Sales and Inventory System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /pages/supplier_add.php. The manipulation of the argument Name leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-40906 | | | 2025-05-17 | N/A | 9.8 CRITICAL | BSON::XS versions 0.8.4 and earlier for Perl include a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported.
CVE-2025-32407 | | | 2025-05-17 | N/A | 5.9 MEDIUM | Samsung Internet for Galaxy Watch version 5.0.9, available up until Samsung Galaxy Watch 3, does not properly validate TLS certificates, allowing an attacker to impersonate any and all websites visited by the user. This is a critical misconfiguration in the way the browser validates the identity of the server. It negates the use of HTTPS as a secure channel, allowing for Man-in-the-Middle attacks, stealing sensitive information or modifying incoming and outgoing traffic. NOTE: This vulnerability is in an end-of-life product that is no longer maintained by the vendor.
CVE-2023-7088 | | | 2025-05-17 | N/A | 5.4 MEDIUM | The Add SVG Support for Media Uploader \| inventivo WordPress plugin through 1.0.5 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.
CVE-2023-7086 | | | 2025-05-17 | N/A | 5.4 MEDIUM | The SVG Uploads Support WordPress plugin through 2.1.1 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.
CVE-2022-4363 | | | 2025-05-17 | N/A | 6.5 MEDIUM | The Wholesale Market WordPress plugin before 2.2.2 and the Wholesale Market for WooCommerce WordPress plugin before 2.0.1 have a flawed CSRF check when updating their settings, which could allow attackers to make a logged-in admin update them via a CSRF attack.
CVE-2024-9305 | 1 Apppresser | 1 Apppresser | 2025-05-17 | N/A | 8.1 HIGH | The AppPresser – Mobile App Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.4.4. This is due to the appp_reset_password() and validate_reset_password() functions not having enough controls to prevent a successful brute force attack of the OTP to change a password, or verify that a password reset request came from an authorized user. This makes it possible for unauthenticated attackers to generate and brute force an OTP that makes it possible to change any user's password, including an administrator's.
CVE-2024-57776 | 1 Jfinaloa Project | 1 Jfinaloa | 2025-05-17 | N/A | 4.6 MEDIUM | A cross-site scripting (XSS) vulnerability in the /apply/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2024-57774 | 1 Jfinaloa Project | 1 Jfinaloa | 2025-05-17 | N/A | 4.8 MEDIUM | A cross-site scripting (XSS) vulnerability in the getBusinessUploadListPage?busid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2024-57773 | 1 Jfinaloa Project | 1 Jfinaloa | 2025-05-17 | N/A | 4.8 MEDIUM | A cross-site scripting (XSS) vulnerability in the openSelectManyUserPage?orgid interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2024-57771 | 1 Jfinaloa Project | 1 Jfinaloa | 2025-05-17 | N/A | 4.8 MEDIUM | A cross-site scripting (XSS) vulnerability in the common/getEditPage?view interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVE-2024-57772 | 1 Jfinaloa Project | 1 Jfinaloa | 2025-05-17 | N/A | 4.8 MEDIUM | A cross-site scripting (XSS) vulnerability in the /bumph/getDraftListPage?type interface of JFinalOA before v2025.01.01 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.