Vulnerability Summary for the Week of December 30, 2024 | CISA


1000 Projects–Attendance Tracking Management System
  A vulnerability was found in 1000 Projects Attendance Tracking Management System 1.0. It has been classified as critical. Affected is the function attendance_report of the file /admin/report.php. The manipulation of the argument course_id leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
  Published: 2024-12-30 | CVSS: 6.3 | CVE-2024-13037

1000 Projects–Beauty Parlour Management System
  A vulnerability was found in 1000 Projects Beauty Parlour Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/add-customer-services.php of the component Customer Detail Handler. The manipulation of the argument sids[] leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
  Published: 2024-12-31 | CVSS: 6.3 | CVE-2024-13072

10Web–10Web Map Builder for Google Maps
  Missing Authorization vulnerability in 10Web 10Web Map Builder for Google Maps allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 10Web Map Builder for Google Maps: from n/a through 1.0.73.
  Published: 2025-01-02 | CVSS: 5.4 | CVE-2023-45272

10Web–10WebAnalytics
  Missing Authorization vulnerability in 10Web 10WebAnalytics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects 10WebAnalytics: from n/a through 1.2.12.
  Published: 2025-01-02 | CVSS: 4.3 | CVE-2023-47807

1Panel-dev–MaxKB
  MaxKB, which stands for Max Knowledge Base, is an open source knowledge base question-answering system based on a large language model and retrieval-augmented generation (RAG). Prior to version 1.9.0, a remote command execution vulnerability exists in the function library module. The vulnerability allows privileged users to execute OS commands in custom scripts. The vulnerability has been fixed in v1.9.0.
  Published: 2025-01-02 | CVSS: 6.8 | CVE-2024-56137

akashmalik–Scratch & Win Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more
  The Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.1. This is due to missing nonce validation on the reset_installation() function. This makes it possible for unauthenticated attackers to reset the plugin’s installation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
  Published: 2025-01-04 | CVSS: 5.4 | CVE-2024-12545

Analytify–Analytify
  Missing Authorization vulnerability in Analytify. This issue affects Analytify: from n/a through 4.2.3.
  Published: 2025-01-02 | CVSS: 6.5 | CVE-2022-45830

Andy Fragen–Embed PDF Viewer
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Andy Fragen Embed PDF Viewer allows Stored XSS. This issue affects Embed PDF Viewer: from n/a through 2.3.1.
  Published: 2024-12-31 | CVSS: 5.9 | CVE-2024-56256

Antabot–White-Jotter
  A vulnerability, which was classified as problematic, was found in Antabot White-Jotter up to 0.2.2. Affected is an unknown function of the file /admin/content/book of the component Edit Book Handler. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
  Published: 2024-12-30 | CVSS: 4.3 | CVE-2024-13029

Apollo13Themes–Rife Free
  Cross-Site Request Forgery (CSRF) vulnerability in Apollo13Themes Rife Free allows Cross Site Request Forgery. This issue affects Rife Free: from n/a through 2.4.18.
  Published: 2025-01-02 | CVSS: 4.3 | CVE-2024-37491

AtomChat–AtomChat
  Missing Authorization vulnerability in AtomChat AtomChat allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AtomChat: from n/a through 1.1.4.
  Published: 2025-01-02 | CVSS: 5.3 | CVE-2023-46606

AuRise Creative, SevenSpark–Contact Form 7 Dynamic Text Extension
  Cross-Site Request Forgery (CSRF) vulnerability in AuRise Creative, SevenSpark Contact Form 7 Dynamic Text Extension allows Cross Site Request Forgery. This issue affects Contact Form 7 Dynamic Text Extension: from n/a through 5.0.1.
  Published: 2024-12-31 | CVSS: 4.3 | CVE-2024-56218

Automattic–Newspack Newsletters
  Cross-Site Request Forgery (CSRF) vulnerability in Automattic Newspack Newsletters allows Cross Site Request Forgery. This issue affects Newspack Newsletters: from n/a through 2.13.2.
  Published: 2025-01-02 | CVSS: 4.3 | CVE-2024-37242

Automattic–WP Job Manager – Resume Manager
  Cross-Site Request Forgery (CSRF) vulnerability in Automattic WP Job Manager – Resume Manager allows Cross Site Request Forgery. This issue affects WP Job Manager – Resume Manager: from n/a through 2.1.0.
  Published: 2025-01-02 | CVSS: 4.3 | CVE-2024-37241

AWSM Innovations–WP Job Openings
  Missing Authorization vulnerability in AWSM Innovations WP Job Openings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Job Openings: from n/a through 3.4.1.
  Published: 2025-01-02 | CVSS: 5.3 | CVE-2023-45061

AyeCode – WP Business Directory Plugins–GeoDirectory
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in AyeCode – WP Business Directory Plugins GeoDirectory allows Stored XSS. This issue affects GeoDirectory: from n/a through 2.3.84.
  Published: 2025-01-02 | CVSS: 6.5 | CVE-2024-56259

AyeCode–AyeCode Connect
  Missing Authorization vulnerability in AyeCode AyeCode Connect allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AyeCode Connect: from n/a through 1.3.8.
  Published: 2025-01-02 | CVSS: 4.3 | CVE-2024-56255

basecamp–trix
  Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. Versions prior to 2.1.12 are vulnerable to cross-site scripting when pasting malicious code in the link field. An attacker could trick the user into copying and pasting a malicious `javascript:` URL as a link that would execute arbitrary JavaScript code within the context of the user’s session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. Users should upgrade to Trix editor version 2.1.12 or later to receive a patch. In addition to upgrading, affected users can disallow browsers that don’t support a Content Security Policy (CSP) as a workaround for this and other cross-site scripting vulnerabilities. Set CSP policies such as script-src ‘self’ to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem.
  Published: 2025-01-03 | CVSS: 5.3 | CVE-2025-21610

Beee–ACF City Selector
  Unrestricted Upload of File with Dangerous Type vulnerability in Beee ACF City Selector allows Upload a Web Shell to a Web Server. This issue affects ACF City Selector: from n/a through 1.14.0.
  Published: 2025-01-02 | CVSS: 6.6 | CVE-2024-56264

Beijing Yunfan Internet Technology–Yunfan Learning Examination System
  A vulnerability was found in Beijing Yunfan Internet Technology Yunfan Learning Examination System 1.9.2. It has been rated as critical. This issue affects some unknown processing of the file /doc.html. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-02 | CVSS: 5.3 | CVE-2024-13109

Beijing Yunfan Internet Technology–Yunfan Learning Examination System
  A vulnerability classified as critical was found in Beijing Yunfan Internet Technology Yunfan Learning Examination System 1.9.2. Affected by this vulnerability is an unknown functionality of the file src/main/java/com/yf/exam/modules/sys/user/controller/SysUserControl of the component JWT Token Handler. The manipulation leads to improper authentication. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-02 | CVSS: 5.6 | CVE-2024-13111

Beijing Yunfan Internet Technology–Yunfan Learning Examination System
  A vulnerability classified as problematic has been found in Beijing Yunfan Internet Technology Yunfan Learning Examination System 1.9.2. Affected is an unknown function of the file src/main/java/com/yf/exam/modules/paper/controller/PaperController.java of the component Exam Answer Handler. The manipulation leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-02 | CVSS: 4.3 | CVE-2024-13110

BlazeThemes–Trendy News
  Cross-Site Request Forgery (CSRF) vulnerability in BlazeThemes Trendy News allows Cross Site Request Forgery. This issue affects Trendy News: from n/a through 1.0.15.
  Published: 2025-01-02 | CVSS: 4.3 | CVE-2024-37473

Blossom Themes–Blossom Shop
  Cross-Site Request Forgery (CSRF) vulnerability in Blossom Themes Blossom Shop allows Cross Site Request Forgery. This issue affects Blossom Shop: from n/a through 1.1.7.
  Published: 2025-01-02 | CVSS: 4.3 | CVE-2024-37412

Blossom Themes–Vandana Lite
  Cross-Site Request Forgery (CSRF) vulnerability in Blossom Themes Vandana Lite allows Cross Site Request Forgery. This issue affects Vandana Lite: from n/a through 1.1.9.
  Published: 2025-01-02 | CVSS: 4.3 | CVE-2024-37243

Blossom Themes–Vilva
  Cross-Site Request Forgery (CSRF) vulnerability in Blossom Themes Vilva allows Cross Site Request Forgery. This issue affects Vilva: from n/a through 1.2.2.
  Published: 2025-01-02 | CVSS: 4.3 | CVE-2024-37102

BoldThemes–Bold Timeline Lite
  Missing Authorization vulnerability in BoldThemes Bold Timeline Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bold Timeline Lite: from n/a through 1.1.9.
  Published: 2025-01-02 | CVSS: 4.3 | CVE-2023-45110

BUDDYBOSS LLC–BuddyBoss Theme
  Cross-Site Request Forgery (CSRF) vulnerability in BUDDYBOSS LLC BuddyBoss Theme allows Cross Site Request Forgery. This issue affects BuddyBoss Theme: from n/a through 2.4.61.
  Published: 2025-01-02 | CVSS: 5.4 | CVE-2024-37925

Campcodes–Project Management System
  A vulnerability was found in Campcodes Project Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /forms/update_forms.php?action=change_pic2&id=4. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-04 | CVSS: 6.3 | CVE-2025-0213

Campcodes–School Faculty Scheduling System
  A vulnerability was found in Campcodes School Faculty Scheduling System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/index.php. The manipulation of the argument page leads to file inclusion. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-04 | CVSS: 6.3 | CVE-2025-0211

Campcodes–Student Grading System
  A vulnerability was found in Campcodes Student Grading System 1.0. It has been classified as critical. This affects an unknown part of the file /view_students.php. The manipulation of the argument id leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-04 | CVSS: 6.3 | CVE-2025-0212

Coachify–Coachify
  Cross-Site Request Forgery (CSRF) vulnerability in Coachify Coachify allows Cross Site Request Forgery. This issue affects Coachify: from n/a through 1.0.7.
  Published: 2025-01-02 | CVSS: 4.3 | CVE-2024-37417

CoCart Headless, LLC–CoCart Headless ecommerce
  Missing Authorization vulnerability in CoCart Headless, LLC CoCart – Headless ecommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CoCart – Headless ecommerce: from n/a through 3.11.2.
  Published: 2025-01-02 | CVSS: 5.3 | CVE-2023-47241

code-projects–Chat System
  A vulnerability has been found in code-projects Chat System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/update_user.php. The manipulation of the argument id leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
  Published: 2024-12-30 | CVSS: 6.3 | CVE-2024-13035

code-projects–Chat System
  A vulnerability was found in code-projects Chat System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/update_room.php. The manipulation of the argument id/name/password leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
  Published: 2024-12-30 | CVSS: 6.3 | CVE-2024-13036

code-projects–Chat System
  A vulnerability, which was classified as critical, was found in code-projects Chat System 1.0. Affected is an unknown function of the file /admin/deleteuser.php. The manipulation of the argument id leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-02 | CVSS: 6.3 | CVE-2025-0171

code-projects–Chat System
  A vulnerability has been found in code-projects Chat System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/deleteroom.php. The manipulation of the argument id leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-02 | CVSS: 6.3 | CVE-2025-0172

code-projects–Job Recruitment
  A vulnerability classified as critical was found in code-projects Job Recruitment 1.0. This vulnerability affects unknown code of the file /_parse/_call_job/search_ajax.php of the component Job Post Handler. The manipulation of the argument n leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-02 | CVSS: 6.3 | CVE-2024-13092

code-projects–Job Recruitment
  A vulnerability, which was classified as critical, has been found in code-projects Job Recruitment 1.0. This issue affects some unknown processing of the file /_parse/_call_main_search_ajax.php of the component Seeker Profile Handler. The manipulation of the argument s1 leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-02 | CVSS: 6.3 | CVE-2024-13093

code-projects–Job Recruitment
  A vulnerability classified as critical has been found in code-projects Job Recruitment 1.0. This affects an unknown part of the file /_parse/_feedback_system.php. The manipulation of the argument person leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-01 | CVSS: 6.3 | CVE-2025-0168

code-projects–Online Shoe Store
  A vulnerability was found in code-projects Online Shoe Store 1.0. It has been rated as critical. This issue affects some unknown processing of the file /details.php. The manipulation of the argument id leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-04 | CVSS: 6.3 | CVE-2025-0204

code-projects–Online Shoe Store
  A vulnerability classified as critical has been found in code-projects Online Shoe Store 1.0. Affected is an unknown function of the file /details2.php. The manipulation of the argument id leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-04 | CVSS: 6.3 | CVE-2025-0205

code-projects–Online Shoe Store
  A vulnerability, which was classified as critical, was found in code-projects Online Shoe Store 1.0. This affects an unknown part of the file /summary.php. The manipulation of the argument tid leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-04 | CVSS: 6.3 | CVE-2025-0208

code-projects–Online Shoe Store
  A vulnerability classified as critical was found in code-projects Online Shoe Store 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/index.php. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-04 | CVSS: 5.3 | CVE-2025-0206

code-projects–Point of Sales and Inventory Management System
  A vulnerability was found in code-projects Point of Sales and Inventory Management System 1.0. It has been classified as critical. This affects an unknown part of the file /user/search_result2.php of the component Parameter Handler. The manipulation of the argument search leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-03 | CVSS: 6.3 | CVE-2025-0174

code-projects–Point of Sales and Inventory Management System
  A vulnerability was found in code-projects Point of Sales and Inventory Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /user/add_cart.php. The manipulation of the argument id/qty leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-03 | CVSS: 6.3 | CVE-2025-0176

code-projects–Point of Sales and Inventory Management System
  A vulnerability was found in code-projects Point of Sales and Inventory Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /user/del_product.php. The manipulation of the argument id leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-03 | CVSS: 6.3 | CVE-2025-0195

code-projects–Point of Sales and Inventory Management System
  A vulnerability classified as critical has been found in code-projects Point of Sales and Inventory Management System 1.0. This affects an unknown part of the file /user/plist.php. The manipulation of the argument cat leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-03 | CVSS: 6.3 | CVE-2025-0196

code-projects–Point of Sales and Inventory Management System
  A vulnerability classified as critical was found in code-projects Point of Sales and Inventory Management System 1.0. This vulnerability affects unknown code of the file /user/search.php. The manipulation of the argument name leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-03 | CVSS: 6.3 | CVE-2025-0197

code-projects–Point of Sales and Inventory Management System
  A vulnerability, which was classified as critical, has been found in code-projects Point of Sales and Inventory Management System 1.0. This issue affects some unknown processing of the file /user/search_result.php. The manipulation of the argument id leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-03 | CVSS: 6.3 | CVE-2025-0198

code-projects–Point of Sales and Inventory Management System
  A vulnerability, which was classified as critical, was found in code-projects Point of Sales and Inventory Management System 1.0. Affected is an unknown function of the file /user/minus_cart.php. The manipulation of the argument id leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-03 | CVSS: 6.3 | CVE-2025-0199

code-projects–Point of Sales and Inventory Management System
  A vulnerability has been found in code-projects Point of Sales and Inventory Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /user/search_num.php. The manipulation of the argument search leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-04 | CVSS: 6.3 | CVE-2025-0200

code-projects–Point of Sales and Inventory Management System
  A vulnerability was found in code-projects Point of Sales and Inventory Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /user/update_account.php. The manipulation of the argument username leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-04 | CVSS: 6.3 | CVE-2025-0201

code-projects–Responsive Hotel Site
  A vulnerability, which was classified as critical, was found in code-projects Responsive Hotel Site 1.0. Affected is an unknown function of the file /admin/print.php. The manipulation of the argument pid leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-05 | CVSS: 6.3 | CVE-2025-0230

code-projects–Simple Chat System
  A vulnerability was found in code-projects Simple Chat System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /add_user.php. The manipulation of the argument name/email/password/number leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
  Published: 2024-12-30 | CVSS: 6.3 | CVE-2024-13039

code-projects–Student Management System
  A vulnerability was found in code-projects Student Management System 1.0. It has been declared as critical. This vulnerability affects the function showSubject1 of the file /config/DbFunction.php. The manipulation of the argument sid leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
  Published: 2025-01-04 | CVSS: 6.3 | CVE-2025-0203

code-projects–Travel Management System
  A vulnerability, which was classified as critical, has been found in code-projects Travel Management System 1.0. This issue affects some unknown processing of the file /enquiry.php. The manipulation of the argument pid/t1/t2/t3/t4/t5/t6/t7 leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-05 | CVSS: 6.3 | CVE-2025-0229

CodeAstro–Online Food Ordering System
  A vulnerability was found in CodeAstro Online Food Ordering System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/update_users.php of the component Update User Page. The manipulation of the argument user_upd leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
  Published: 2024-12-31 | CVSS: 6.3 | CVE-2024-13070

CodeAstro–Online Food Ordering System
  A vulnerability was found in CodeAstro Online Food Ordering System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/all_users.php of the component All Users Page. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
  Published: 2024-12-31 | CVSS: 5.3 | CVE-2024-13067

Codebard–CodeBard Help Desk
  Cross-Site Request Forgery (CSRF) vulnerability in Codebard CodeBard Help Desk allows Cross Site Request Forgery. This issue affects CodeBard Help Desk: from n/a through 1.1.1.
  Published: 2024-12-31 | CVSS: 5.4 | CVE-2024-56222

codedrafty–Mediabay
  Missing Authorization vulnerability in codedrafty Mediabay allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mediabay: from n/a through 1.6.
  Published: 2025-01-02 | CVSS: 4.3 | CVE-2023-46612

CodePeople–Appointment Hour Booking
  Missing Authorization vulnerability in CodePeople Appointment Hour Booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Appointment Hour Booking: from n/a through 1.4.23.
  Published: 2025-01-02 | CVSS: 5.3 | CVE-2023-45649

Codezips–Blood Bank Management System
  A vulnerability was found in Codezips Blood Bank Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /successadmin.php. The manipulation of the argument psw leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-05 | CVSS: 6.3 | CVE-2025-0232

Codezips–Gym Management System
  A vulnerability has been found in Codezips Gym Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /dashboard/admin/submit_payments.php. The manipulation of the argument m_id leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-05 | CVSS: 6.3 | CVE-2025-0231

Contest Gallery–Contest Gallery
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Contest Gallery Contest Gallery allows Stored XSS. This issue affects Contest Gallery: from n/a through 24.0.3.
  Published: 2025-01-02 | CVSS: 5.9 | CVE-2024-56237

ConvertCalculator–ConvertCalculator for WordPress
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ConvertCalculator ConvertCalculator for WordPress allows Stored XSS. This issue affects ConvertCalculator for WordPress: from n/a through 1.1.1.
  Published: 2025-01-02 | CVSS: 6.5 | CVE-2024-56302

CoolPlugins–Coins MarketCap
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in CoolPlugins Coins MarketCap allows DOM-Based XSS. This issue affects Coins MarketCap: from n/a through 5.5.8.
  Published: 2025-01-02 | CVSS: 6.5 | CVE-2024-56257

CoSchedule–Headline Analyzer
  Missing Authorization vulnerability in CoSchedule Headline Analyzer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Headline Analyzer: from n/a through 1.3.1.
  Published: 2025-01-02 | CVSS: 6.5 | CVE-2023-46195

Coupon Plugin–Coupon
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Coupon Plugin Coupon allows DOM-Based XSS. This issue affects Coupon: from n/a through 1.2.1.
  Published: 2024-12-31 | CVSS: 6.5 | CVE-2024-56235

CreativeThemes–Blocksy
  Cross-Site Request Forgery (CSRF) vulnerability in CreativeThemes Blocksy allows Cross Site Request Forgery. This issue affects Blocksy: from n/a through 2.0.22.
  Published: 2025-01-02 | CVSS: 5.4 | CVE-2024-37469

Creativthemes–Point
  Cross-Site Request Forgery (CSRF) vulnerability in Creativthemes Point allows Cross Site Request Forgery. This issue affects Point: from n/a through 1.1.
  Published: 2025-01-02 | CVSS: 4.3 | CVE-2024-37931

CusRev–Customer Reviews for WooCommerce
  Missing Authorization vulnerability in CusRev Customer Reviews for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Customer Reviews for WooCommerce: from n/a through 5.36.0.
  Published: 2025-01-02 | CVSS: 4.3 | CVE-2023-45101

Cyberlord92–Broken Link Checker | Finder
  Missing Authorization vulnerability in Cyberlord92 Broken Link Checker | Finder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Broken Link Checker | Finder: from n/a through 2.4.2.
  Published: 2025-01-02 | CVSS: 5.3 | CVE-2023-46082

D-Link–DIR-816 A2
  A vulnerability classified as critical was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. This vulnerability affects unknown code of the file /goform/DDNS of the component DDNS Service. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-02 | CVSS: 5.3 | CVE-2024-13102

D-Link–DIR-816 A2
  A vulnerability, which was classified as critical, has been found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. This issue affects some unknown processing of the file /goform/form2AddVrtsrv.cgi of the component Virtual Service Handler. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-02 | CVSS: 5.3 | CVE-2024-13103

D-Link–DIR-816 A2
  A vulnerability, which was classified as critical, was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. Affected is an unknown function of the file /goform/form2AdvanceSetup.cgi of the component WiFi Settings Handler. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-02 | CVSS: 5.3 | CVE-2024-13104

D-Link–DIR-816 A2
  A vulnerability has been found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /goform/form2Dhcpd.cgi of the component DHCPD Setting Handler. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-02 | CVSS: 5.3 | CVE-2024-13105

D-Link–DIR-816 A2
  A vulnerability was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210 and classified as critical. Affected by this issue is some unknown functionality of the file /goform/form2IPQoSTcAdd of the component IP QoS Handler. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-02 | CVSS: 5.3 | CVE-2024-13106

D-Link–DIR-816 A2
  A vulnerability was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. It has been classified as critical. This affects an unknown part of the file /goform/form2LocalAclEditcfg.cgi of the component ACL Handler. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-02 | CVSS: 5.3 | CVE-2024-13107

D-Link–DIR-816 A2
  A vulnerability was found in D-Link DIR-816 A2 1.10CNB05_R1B011D88210. It has been declared as critical. This vulnerability affects unknown code of the file /goform/form2NetSniper.cgi. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
  Published: 2025-01-02 | CVSS: 5.3 | CVE-2024-13108

Dahua–IPC-HFW1200S
  A vulnerability classified as problematic has been found in Dahua IPC-HFW1200S, IPC-HFW2300R-Z, IPC-HFW5220E-Z and IPC-HDW1200S up to 20241222. This affects an unknown part of the file /web_caps/webCapsConfig of the component Web Interface. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
  Published: 2025-01-05 | CVSS: 5.3 | CVE-2024-13131

Dahua–IPC-HFW1200S
  A vulnerability was found in Dahua IPC-HFW1200S, IPC-HFW2300R-Z, IPC-HFW5220E-Z and IPC-HDW1200S up to 20241222. It has been rated as problematic. Affected by this issue is some unknown functionality of the file ../mtd/Config/Sha1Account1 of the component Web Interface. The manipulation leads to path traversal: ‘../filedir’. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
  Published: 2025-01-05 | CVSS: 4.3 | CVE-2024-13130

Daniel Söderström / Sidney van de Stouwe–Subscribe to Category
  Missing Authorization vulnerability in Daniel Söderström / Sidney van de Stouwe Subscribe to Category allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Subscribe to Category: from n/a through 2.7.4.
  Published: 2025-01-02 | CVSS: 4.3 | CVE-2022-43476

David de Boer–Paytium
  Missing Authorization vulnerability in David de Boer Paytium. This issue affects Paytium: from n/a through 4.4.10.
  Published: 2024-12-31 | CVSS: 4.3 | CVE-2024-51667

Debuggers Studio–SaasPricing
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Debuggers Studio SaasPricing allows DOM-Based XSS. This issue affects SaasPricing: from n/a through 1.1.4.
  Published: 2024-12-31 | CVSS: 6.5 | CVE-2024-56231

DesertThemes–NewsMash
  Cross-Site Request Forgery (CSRF) vulnerability in DesertThemes NewsMash allows Cross Site Request Forgery. This issue affects NewsMash: from n/a through 1.0.34.
  Published: 2025-01-02 | CVSS: 4.3 | CVE-2024-37441

dglingren–Media Library Assistant
  The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘smc_settings_tab’, ‘unattachfixit-action’, and ‘woofixit-action’ parameters in all versions up to, and including, 3.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
  Published: 2025-01-04 | CVSS: 6.1 | CVE-2024-11974

Dragfy–Dragfy Addons for Elementor
  Missing Authorization vulnerability in Dragfy Dragfy Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Dragfy Addons for Elementor: from n/a through 1.0.2.
  Published: 2025-01-02 | CVSS: 5.4 | CVE-2023-47661

Ecreate Infotech–Auto Tag Creator
  Missing Authorization vulnerability in Ecreate Infotech Auto Tag Creator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Auto Tag Creator: from n/a through 1.0.2.
  Published: 2025-01-02 | CVSS: 4.3 | CVE-2023-47523

Elicus–WPMozo Addons Lite for Elementor
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Elicus WPMozo Addons Lite for Elementor allows Stored XSS. This issue affects WPMozo Addons Lite for Elementor: from n/a through 1.2.0.
  Published: 2024-12-31 | CVSS: 6.5 | CVE-2024-56221

Epsiloncool–WP Fast Total Search
  Cross-Site Request Forgery (CSRF) vulnerability in Epsiloncool WP Fast Total Search. This issue affects WP Fast Total Search: from n/a through 1.69.234.
  Published: 2025-01-02 | CVSS: 4.3 | CVE-2024-38778

Event Espresso–Event Espresso 4 Decaf
  Cross-Site Request Forgery (CSRF) vulnerability in Event Espresso Event Espresso 4 Decaf allows Cross Site Request Forgery. This issue affects Event Espresso 4 Decaf: from n/a through 5.0.28.decaf.
  Published: 2025-01-02 | CVSS: 4.3 | CVE-2024-56251

ExtendThemes–Highlight
  Cross-Site Request Forgery (CSRF) vulnerability in ExtendThemes Highlight allows Cross Site Request Forgery. This issue affects Highlight: from n/a through 1.0.29.
  Published: 2025-01-02 | CVSS: 4.3 | CVE-2024-37458

Faboba–Falang multilanguage
  Cross-Site Request Forgery (CSRF) vulnerability in Faboba Falang multilanguage allows Cross Site Request Forgery. This issue affects Falang multilanguage: from n/a through 1.3.51.
  Published: 2025-01-02 | CVSS: 4.3 | CVE-2024-37240

FameThemes–OnePress
  Cross-Site Request Forgery (CSRF) vulnerability in FameThemes OnePress allows Cross Site Request Forgery. This issue affects OnePress: from n/a through 2.3.6.
  Published: 2025-01-02 | CVSS: 4.3 | CVE-2024-37448

Farhan Noor–ApplyOnline Application Form Builder and Manager
  Missing Authorization vulnerability in Farhan Noor ApplyOnline – Application Form Builder and Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ApplyOnline – Application Form Builder and Manager: from n/a through 2.5.3. 2025-01-02 4.3 CVE-2023-46080 Fatcat Apps–Landing Page Cat
  Missing Authorization vulnerability in Fatcat Apps Landing Page Cat.This issue affects Landing Page Cat: from n/a through 1.7.4. 2024-12-31 5.4 CVE-2024-49686 FeedbackWP–kk Star Ratings
  Missing Authorization vulnerability in FeedbackWP kk Star Ratings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects kk Star Ratings: from n/a through 5.4.5. 2025-01-02 5.3 CVE-2023-46639 FeedFocal–FeedFocal
  Missing Authorization vulnerability in FeedFocal FeedFocal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FeedFocal: from n/a through 1.2.2. 2025-01-02 6.5 CVE-2023-46609 Flothemes–Flo Forms
  Missing Authorization vulnerability in Flothemes Flo Forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flo Forms: from n/a through 1.0.41. 2025-01-02 4.3 CVE-2023-47692 Freelancelot–Oceanic
  Cross-Site Request Forgery (CSRF) vulnerability in Freelancelot Oceanic allows Cross Site Request Forgery.This issue affects Oceanic: from n/a through 1.0.48. 2025-01-02 4.3 CVE-2024-38765 Freshlight Lab–WP Mobile Menu
  Cross-Site Request Forgery (CSRF) vulnerability in Freshlight Lab WP Mobile Menu allows Cross Site Request Forgery.This issue affects WP Mobile Menu: from n/a through 2.8.4.3. 2025-01-02 4.3 CVE-2024-37274 FS-code–FS Poster
  Cross-Site Request Forgery (CSRF) vulnerability in FS-code FS Poster allows Cross Site Request Forgery.This issue affects FS Poster: from n/a through 6.5.8. 2025-01-02 4.3 CVE-2024-37237 Galleryape–Gallery Images Ape
  Missing Authorization vulnerability in Galleryape Gallery Images Ape allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gallery Images Ape: from n/a through 2.2.8. 2025-01-02 4.3 CVE-2022-41995 Gavin Rehkemper–Inline Footnotes
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Gavin Rehkemper Inline Footnotes allows Stored XSS.This issue affects Inline Footnotes: from n/a through 2.3.0. 2025-01-02 6.5 CVE-2024-56019 Gfazioli–WP Cleanfix
  Missing Authorization vulnerability in Gfazioli WP Cleanfix allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Cleanfix: from n/a through 5.6.2. 2024-12-31 5.3 CVE-2023-48775 GiveWP–GiveWP
  Missing Authorization vulnerability in GiveWP GiveWP allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GiveWP: from n/a through 2.33.1. 2025-01-02 5.3 CVE-2023-47183 Google–Android
  In wbrc_bt_dev_write of wb_regon_coordinator.c, there is a possible out of bounds write due to a buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. 2025-01-03 6.7 CVE-2024-53836 Google–Android
  In GetCellInfoList() of protocolnetadapter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with baseband firmware compromise required. User Interaction is not needed for exploitation. 2025-01-03 5.5 CVE-2024-53839 Greg Winiarski–WPAdverts Classifieds Plugin
  Cross-Site Request Forgery (CSRF) vulnerability in Greg Winiarski WPAdverts – Classifieds Plugin allows Cross Site Request Forgery.This issue affects WPAdverts – Classifieds Plugin: from n/a through 2.1.2. 2025-01-02 4.3 CVE-2024-37238 Groundhogg Inc.–Groundhogg
  Cross-Site Request Forgery (CSRF) vulnerability in Groundhogg Inc. Groundhogg allows Cross Site Request Forgery.This issue affects Groundhogg: from n/a through 3.4.2.3. 2025-01-02 4.3 CVE-2024-37235 GS Plugins–GS Coaches
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in GS Plugins GS Coaches allows Stored XSS.This issue affects GS Coaches: from n/a through 1.1.0. 2025-01-02 6.5 CVE-2024-56262 GS Plugins–GS Shots for Dribbble
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in GS Plugins GS Shots for Dribbble allows DOM-Based XSS.This issue affects GS Shots for Dribbble: from n/a through 1.2.0. 2025-01-02 6.5 CVE-2024-56263 GS Plugins–Project Showcase
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in GS Plugins Project Showcase allows Stored XSS.This issue affects Project Showcase: from n/a through 1.1.1. 2025-01-02 6.5 CVE-2024-56261 gVectors Team–wpDiscuz
  Missing Authorization vulnerability in gVectors Team wpDiscuz allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects wpDiscuz: from n/a through 7.6.10. 2025-01-02 5.3 CVE-2023-46309 gVectors Team–wpDiscuz
  Missing Authorization vulnerability in gVectors Team wpDiscuz allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects wpDiscuz: from n/a through 7.6.3. 2025-01-02 4.3 CVE-2023-45760 Horea Radu–Mesmerize
  Cross-Site Request Forgery (CSRF) vulnerability in Horea Radu Mesmerize allows Cross Site Request Forgery.This issue affects Mesmerize: from n/a through 1.6.120. 2025-01-02 4.3 CVE-2024-37431 IBM–Engineering Lifecycle Optimization Publishing
  IBM Engineering Lifecycle Optimization – Publishing 7.0.2 and 7.0.3 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing “dot dot” sequences (/../) to view arbitrary files on the system. 2025-01-04 6.5 CVE-2024-41765 IBM–Engineering Lifecycle Optimization Publishing
  IBM Engineering Lifecycle Optimization – Publishing 7.0.2 and 7.0.3 could allow a remote attacker to cause an unhandled SSL exception which could leave the connection in an unexpected or insecure state. 2025-01-04 6.5 CVE-2024-41768 IBM–Engineering Lifecycle Optimization Publishing
  IBM Engineering Lifecycle Optimization – Publishing 7.0.2 and 7.0.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. 2025-01-04 5.9 CVE-2024-41763 IBM–i
  IBM PowerHA SystemMirror for i 7.4 and 7.5 contains improper restrictions when rendering content via iFrames.  This vulnerability could allow an attacker to gain improper access and perform unauthorized actions on the system. 2025-01-03 5.4 CVE-2024-55896 IBM–i
  IBM PowerHA SystemMirror for i 7.4 and 7.5 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. 2025-01-03 4.3 CVE-2024-55897 IBM–Jazz Foundation
  IBM Jazz Foundation 7.0.2, 7.0.3, and 7.1.0 could could allow a physical user to obtain sensitive information due to not masking passwords during entry. 2025-01-03 4.2 CVE-2024-41780 IBM–Jazz Foundation
  IBM Jazz Foundation 7.0.2, 7.0.3, and 7.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. 2025-01-03 4.3 CVE-2024-5591 ibnuyahya–Category Post Shortcode
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ibnuyahya Category Post Shortcode allows Stored XSS.This issue affects Category Post Shortcode: from n/a through 2.4. 2025-01-01 6.5 CVE-2024-56021 IDX–IMPress Listings
  Missing Authorization vulnerability in IDX IMPress Listings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects IMPress Listings: from n/a through 2.6.2. 2025-01-02 6.5 CVE-2023-45633 imw3–My Wp Brand Hide menu & Hide Plugin
  Missing Authorization vulnerability in imw3 My Wp Brand – Hide menu & Hide Plugin.This issue affects My Wp Brand – Hide menu & Hide Plugin: from n/a through 1.1.2. 2024-12-31 5.3 CVE-2024-49694 IOBit–Protected Folder
  A vulnerability has been found in IOBit Protected Folder up to 1.3.0 and classified as problematic. This vulnerability affects the function 0x22200c in the library pffilter.sys of the component IOCTL Handler. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-01-05 5.5 CVE-2025-0221 IObit–Protected Folder
  A vulnerability was found in IObit Protected Folder up to 13.6.0.5 and classified as problematic. This issue affects the function 0x8001E000/0x8001E004 in the library IUProcessFilter.sys of the component IOCTL Handler. The manipulation leads to null pointer dereference. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-01-05 5.5 CVE-2025-0222 IObit–Protected Folder
  A vulnerability was found in IObit Protected Folder up to 13.6.0.5. It has been classified as problematic. Affected is the function 0x8001E000/0x8001E00C/0x8001E004/0x8001E010 in the library IURegistryFilter.sys of the component IOCTL Handler. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. 2025-01-05 5.5 CVE-2025-0223 Jakob Bouchard–Hestia Nginx Cache
  Missing Authorization vulnerability in Jakob Bouchard Hestia Nginx Cache allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hestia Nginx Cache: from n/a through 2.4.0. 2025-01-02 4.3 CVE-2024-56236 JoomUnited–WP Table Manager
  Missing Authorization vulnerability in JoomUnited WP Table Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Table Manager: from n/a through 3.5.2. 2025-01-02 5.3 CVE-2022-47601 Jose Mortellaro–Freesoul Deactivate Plugins Plugin manager and cleanup
  Missing Authorization vulnerability in Jose Mortellaro Freesoul Deactivate Plugins – Plugin manager and cleanup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Freesoul Deactivate Plugins – Plugin manager and cleanup: from n/a through 2.1.3. 2025-01-02 4.3 CVE-2023-46188 JS Morisset–WPSSO Core
  Missing Authorization vulnerability in JS Morisset WPSSO Core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPSSO Core: from n/a through 18.18.1. 2025-01-02 4.3 CVE-2024-56243 JustCoded / Alex Prokopenko–Just Custom Fields
  Missing Authorization vulnerability in JustCoded / Alex Prokopenko Just Custom Fields allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Just Custom Fields: from n/a through 3.3.2. 2025-01-02 4.3 CVE-2023-46203 justin_k–WP Social AutoConnect
  The WP Social AutoConnect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. 2025-01-04 6.1 CVE-2024-12279 KaizenCoders–Short URL
  Missing Authorization vulnerability in KaizenCoders Short URL allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Short URL: from n/a through 1.6.8. 2025-01-02 5.4 CVE-2023-47225 Kali Forms–Contact Form builder with drag & drop – Kali Forms
  Missing Authorization vulnerability in Kali Forms Contact Form builder with drag & drop – Kali Forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form builder with drag & drop – Kali Forms: from n/a through 2.3.28. 2025-01-02 6.5 CVE-2023-45275 Kali Forms–Contact Form builder with drag & drop – Kali Forms
  Missing Authorization vulnerability in Kali Forms Contact Form builder with drag & drop – Kali Forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form builder with drag & drop – Kali Forms: from n/a through 2.3.27. 2025-01-02 5.3 CVE-2023-46083 khoj-ai–khoj
  Khoj is a self-hostable artificial intelligence app. Prior to version 1.29.10, an Insecure Direct Object Reference (IDOR) vulnerability in the update_subscription endpoint allows any authenticated user to manipulate other users’ Stripe subscriptions by simply modifying the email parameter in the request. The vulnerability exists in the subscription endpoint at `/api/subscription`. The endpoint uses an email parameter as a direct reference to user subscriptions without verifying object ownership. While authentication is required, there is no authorization check to verify if the authenticated user owns the referenced subscription. The issue was fixed in version 1.29.10. Support for arbitrarily presenting an email for update has been deprecated. 2024-12-30 4.3 CVE-2024-52294 Kishor Khambu–WP Custom Widget area
  Missing Authorization vulnerability in Kishor Khambu WP Custom Widget area allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Custom Widget area: from n/a through 1.2.5. 2025-01-02 5.4 CVE-2023-45045 Labib Ahmed–Animated Rotating Words
  Missing Authorization vulnerability in Labib Ahmed Animated Rotating Words allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Animated Rotating Words: from n/a through 5.4. 2025-01-02 5.4 CVE-2023-47187 Labib Ahmed–Animated Rotating Words
  Cross-Site Request Forgery (CSRF) vulnerability in Labib Ahmed Animated Rotating Words allows Cross Site Request Forgery.This issue affects Animated Rotating Words: from n/a through 5.6. 2025-01-02 4.3 CVE-2024-38753 Leaky Paywall–Leaky Paywall
  Cross-Site Request Forgery (CSRF) vulnerability in Leaky Paywall Leaky Paywall allows Cross Site Request Forgery.This issue affects Leaky Paywall: from n/a through 4.21.2. 2025-01-02 4.3 CVE-2024-37540 Leap13–Premium Addons for Elementor
  Missing Authorization vulnerability in Leap13 Premium Addons for Elementor allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Premium Addons for Elementor: from n/a through 4.10.56. 2024-12-31 5.4 CVE-2024-56225 Leap13–Premium Blocks Gutenberg Blocks for WordPress
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Leap13 Premium Blocks – Gutenberg Blocks for WordPress allows Stored XSS.This issue affects Premium Blocks – Gutenberg Blocks for WordPress: from n/a through 2.1.42. 2025-01-02 6.5 CVE-2024-56245 LearningTimes–BadgeOS
  Missing Authorization vulnerability in LearningTimes BadgeOS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BadgeOS: from n/a through 3.7.1.6. 2025-01-02 4.3 CVE-2023-47647 Ledenbeheer–Ledenbeheer
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Ledenbeheer allows Stored XSS.This issue affects Ledenbeheer: from n/a through 2.1.0. 2024-12-31 6.5 CVE-2024-56224 Liquid Web / StellarWP–GiveWP
  Missing Authorization vulnerability in Liquid Web / StellarWP GiveWP.This issue affects GiveWP: from n/a through 2.25.1. 2025-01-02 5.4 CVE-2023-23672 LuckyWP–LuckyWP Scripts Control
  Missing Authorization vulnerability in LuckyWP LuckyWP Scripts Control allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LuckyWP Scripts Control: from n/a through 1.2.1. 2025-01-02 4.3 CVE-2023-47778 Magazine3–Google Adsense & Banner Ads by AdsforWP
  Cross-Site Request Forgery (CSRF) vulnerability in Magazine3 Google Adsense & Banner Ads by AdsforWP allows Cross Site Request Forgery.This issue affects Google Adsense & Banner Ads by AdsforWP: from n/a through 1.9.28. 2025-01-02 4.3 CVE-2024-38751 Marco Milesi–Telegram Bot & Channel
  Cross-Site Request Forgery (CSRF) vulnerability in Marco Milesi Telegram Bot & Channel allows Cross Site Request Forgery.This issue affects Telegram Bot & Channel: from n/a through 3.8.2. 2025-01-02 5.4 CVE-2024-38789 Mario Di Pasquale–SvegliaT Buttons
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Mario Di Pasquale SvegliaT Buttons allows Stored XSS.This issue affects SvegliaT Buttons: from n/a through 1.3.0. 2025-01-01 6.5 CVE-2024-56020 MarketingFire–Widget Options
  Missing Authorization vulnerability in MarketingFire Widget Options allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Widget Options: from n/a through 4.0.6.1. 2024-12-31 4.3 CVE-2024-56219 Marsian–i-amaze
  Cross-Site Request Forgery (CSRF) vulnerability in Marsian i-amaze allows Cross Site Request Forgery.This issue affects i-amaze: from n/a through 1.3.7. 2025-01-02 4.3 CVE-2024-38731 Marsian–i-transform
  Cross-Site Request Forgery (CSRF) vulnerability in Marsian allows Cross Site Request Forgery.This issue affects i-transform: from n/a through 3.0.9. 2025-01-02 4.3 CVE-2024-38764 Martin Gibson–WP Custom Admin Interface
  Missing Authorization vulnerability in Martin Gibson WP Custom Admin Interface allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Custom Admin Interface: from n/a through 7.32. 2025-01-02 4.3 CVE-2023-44988 Mashov–Mashov
  Mashov – CWE-200: Exposure of Sensitive Information to an Unauthorized Actor 2024-12-30 5.3 CVE-2024-47923 Matomo–Matomo Analytics
  Cross-Site Request Forgery (CSRF) vulnerability in Matomo Matomo Analytics allows Cross Site Request Forgery.This issue affects Matomo Analytics: from n/a through 5.1.1. 2025-01-02 4.3 CVE-2024-38766 MBE Worldwide S.p.A.–MBE eShip
  Cross-Site Request Forgery (CSRF) vulnerability in MBE Worldwide S.p.A. MBE eShip allows Cross Site Request Forgery.This issue affects MBE eShip: from n/a through 2.1.2. 2025-01-02 5.4 CVE-2024-38729 Metorik–Metorik Reports & Email Automation for WooCommerce
  Cross-Site Request Forgery (CSRF) vulnerability in Metorik Metorik – Reports & Email Automation for WooCommerce allows Cross Site Request Forgery.This issue affects Metorik – Reports & Email Automation for WooCommerce: from n/a through 1.7.1. 2025-01-02 4.3 CVE-2024-38691 moveaddons–Move Addons for Elementor
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in moveaddons Move Addons for Elementor allows Stored XSS.This issue affects Move Addons for Elementor: from n/a through 1.3.6. 2025-01-02 6.5 CVE-2024-56254 MyThemeShop–Schema Lite
  Cross-Site Request Forgery (CSRF) vulnerability in MyThemeShop Schema Lite allows Cross Site Request Forgery.This issue affects Schema Lite: from n/a through 1.2.2. 2025-01-02 4.3 CVE-2024-37452 n/a–n/a
  FFmpeg n6.1.1 has a vulnerability in the DXA demuxer of the libavformat library allowing for an integer overflow, potentially resulting in a denial-of-service (DoS) condition or other undefined behavior. 2025-01-03 6.2 CVE-2024-36613 n/a–n/a
  The Net::EasyTCP package before 0.15 for Perl always uses Perl’s builtin rand(), which is not a strong random number generator, for cryptographic keys. 2025-01-02 5.4 CVE-2002-20002 n/a–n/a
  The Net::EasyTCP package 0.15 through 0.26 for Perl uses Perl’s builtin rand() if no strong randomization module is present. 2025-01-02 5.4 CVE-2024-56830 n/a–n/a
  Cross Site Scripting vulnerability in Audiocodes MP-202b v.4.4.3 allows a remote attacker to escalate privileges via the login page of the web interface. 2025-01-02 4.7 CVE-2024-48197 n/a–n/a
  Landray EIS 2001 through 2006 allows Message/fi_message_receiver.aspx?replyid= SQL injection. 2025-01-02 4.3 CVE-2025-22214 nik00726–Photo Gallery Slideshow & Masonry Tiled Gallery
  The Photo Gallery Slideshow & Masonry Tiled Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.15 via the rjg_get_youtube_info_justified_gallery_callback function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to retrieve limited information from internal services. 2025-01-03 4.3 CVE-2024-12237 Nitesh Singh–Ultimate Auction
  Cross-Site Request Forgery (CSRF) vulnerability in Nitesh Singh Ultimate Auction allows Cross Site Request Forgery.This issue affects Ultimate Auction : from n/a through 4.2.5. 2025-01-02 4.3 CVE-2024-37543 nofearinc–DX Delete Attached Media
  Missing Authorization vulnerability in nofearinc DX Delete Attached Media allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DX Delete Attached Media: from n/a through 2.0.5.1. 2025-01-02 5.3 CVE-2023-46073 NSquared–Draw Attention
  Missing Authorization vulnerability in NSquared Draw Attention allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Draw Attention: from n/a through 2.0.15. 2025-01-02 5.4 CVE-2023-46616 pglombardo–PasswordPusher
  Password Pusher is an open source application to communicate sensitive information over the web. A vulnerability has been reported in versions 1.50.3 and prior where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking. Although the session token is replaced and invalidated upon logout, if an attacker manages to capture the session cookie before this process, they can use the token to gain unauthorized access to the user’s session until the token expires or is manually cleared. This vulnerability hinges on the attacker’s ability to access the session cookie during an active session, either through a man-in-the-middle attack, by exploiting another vulnerability like XSS, or via direct access to the victim’s device. Although there is no direct resolution to this vulnerability, it is recommended to always use the latest version of Password Pusher to best mitigate risk. If self-hosting, ensure Password Pusher is hosted exclusively over SSL connections to encrypt traffic and prevent session cookies from being intercepted in transit. Additionally, implement best practices in local security to safeguard user systems, browsers, and data against unauthorized access. 2024-12-30 5.7 CVE-2024-56733 PHPGurukul–Land Record System
  A vulnerability has been found in PHPGurukul Land Record System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument searchdata leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. 2024-12-31 6.3 CVE-2024-13078 PHPGurukul–Land Record System
  A vulnerability was found in PHPGurukul Land Record System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/property-details.php. The manipulation of the argument editid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. 2024-12-31 6.3 CVE-2024-13079 PHPGurukul–Land Record System
  A vulnerability classified as critical was found in PHPGurukul Land Record System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/search-property.php. The manipulation of the argument searchdata leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. 2024-12-31 6.3 CVE-2024-13084 Poll Maker Team–Poll Maker
  Missing Authorization vulnerability in Poll Maker Team Poll Maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Poll Maker: from n/a through 4.7.1. 2025-01-02 5.3 CVE-2023-45766 Porthas Inc.–Contact Form, Survey & Form Builder MightyForms
  Missing Authorization vulnerability in Porthas Inc. Contact Form, Survey & Form Builder – MightyForms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form, Survey & Form Builder – MightyForms: from n/a through 1.3.9. 2024-12-31 6.4 CVE-2024-56002 Porto Theme–Porto Theme – Functionality
  Missing Authorization vulnerability in Porto Theme Porto Theme – Functionality allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Porto Theme – Functionality: from n/a before 2.12.1. 2025-01-02 5.3 CVE-2023-48739 POSIMYTH–Nexter Blocks
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in POSIMYTH Nexter Blocks allows DOM-Based XSS.This issue affects Nexter Blocks: from n/a through 4.0.4. 2025-01-02 6.5 CVE-2024-56246 PressTigers–Simple Job Board
  Missing Authorization vulnerability in PressTigers Simple Job Board allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple Job Board: from n/a through 2.10.5. 2025-01-02 5.3 CVE-2023-47188 PriceListo–Best Restaurant Menu by PriceListo
  Missing Authorization vulnerability in PriceListo Best Restaurant Menu by PriceListo.This issue affects Best Restaurant Menu by PriceListo: from n/a through 1.4.2. 2024-12-31 4.3 CVE-2024-49698 Progress Software Corporation–WhatsUp Gold
  In WhatsUp Gold versions released before 2024.0.2, an authenticated user can use a specially crafted HTTP request that can lead to information disclosure. 2024-12-31 6.5 CVE-2024-12105 Pronamic–Pronamic Google Maps
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Pronamic Pronamic Google Maps allows Stored XSS.This issue affects Pronamic Google Maps: from n/a through 2.3.2. 2025-01-02 6.5 CVE-2024-56240 Provision-ISR–SH-4050A-2
  A vulnerability was found in Provision-ISR SH-4050A-2, SH-4100A-2L(MM), SH-8100A-2L(MM), SH-16200A-2(1U), SH-16200A-5(1U) and NVR5-8200PX up to 20241220. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /server.js. The manipulation leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. 2025-01-05 5.3 CVE-2025-0224 Putler / Storeapps–Putler Connector for WooCommerce
  Missing Authorization vulnerability in Putler / Storeapps Putler Connector for WooCommerce.This issue affects Putler Connector for WooCommerce: from n/a through 2.12.0. 2025-01-02 6.5 CVE-2023-40327 quillforms.com–Quill Forms
  Missing Authorization vulnerability in quillforms.com Quill Forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quill Forms: from n/a through 3.3.0. 2025-01-02 6.5 CVE-2023-46610 QunatumCloud–Floating Action Buttons
  Missing Authorization vulnerability in QunatumCloud Floating Action Buttons allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Floating Action Buttons: from n/a through 0.9.1. 2025-01-02 5.3 CVE-2024-56238 Rara Theme–Benevolent
  Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Benevolent allows Cross Site Request Forgery.This issue affects Benevolent: from n/a through 1.3.4. 2025-01-02 4.3 CVE-2024-37450 Rara Theme–Chic Lite
Rara Theme–Chic Lite
  Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Chic Lite allows Cross Site Request Forgery. This issue affects Chic Lite: from n/a through 1.1.3. (published 2025-01-02; CVSS 4.3; CVE-2024-37104)
Rara Theme–Construction Landing Page
  Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Construction Landing Page allows Cross Site Request Forgery. This issue affects Construction Landing Page: from n/a through 1.3.5. (published 2025-01-02; CVSS 4.3; CVE-2024-37508)
Rara Theme–Education Zone
  Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Education Zone allows Cross Site Request Forgery. This issue affects Education Zone: from n/a through 1.3.4. (published 2025-01-02; CVSS 4.3; CVE-2024-37103)
Rara Theme–Elegant Pink
  Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Elegant Pink allows Cross Site Request Forgery. This issue affects Elegant Pink: from n/a through 1.3.0. (published 2025-01-02; CVSS 4.3; CVE-2024-37426)
Rara Theme–JobScout
  Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme JobScout allows Cross Site Request Forgery. This issue affects JobScout: from n/a through 1.1.4. (published 2025-01-02; CVSS 4.3; CVE-2024-37421)
Rara Theme–Lawyer Landing Page
  Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Lawyer Landing Page allows Cross Site Request Forgery. This issue affects Lawyer Landing Page: from n/a through 1.2.4. (published 2025-01-02; CVSS 4.3; CVE-2024-37503)
Rara Theme–Perfect Portfolio
  Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Perfect Portfolio allows Cross Site Request Forgery. This issue affects Perfect Portfolio: from n/a through 1.2.0. (published 2025-01-02; CVSS 4.3; CVE-2024-37435)
Rara Theme–Preschool and Kindergarten
  Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Preschool and Kindergarten allows Cross Site Request Forgery. This issue affects Preschool and Kindergarten: from n/a through 1.2.1. (published 2025-01-02; CVSS 4.3; CVE-2024-37413)
Rara Theme–Rara Business
  Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Rara Business allows Cross Site Request Forgery. This issue affects Rara Business: from n/a through 1.2.5. (published 2025-01-02; CVSS 4.3; CVE-2024-37937)
Rara Theme–Travel Agency
  Cross-Site Request Forgery (CSRF) vulnerability in Rara Theme Travel Agency allows Cross Site Request Forgery. This issue affects Travel Agency: from n/a through 1.4.9. (published 2025-01-02; CVSS 4.3; CVE-2024-37451)
Red Hat–Red Hat Fuse 7
  A flaw was found in FFmpeg’s TTY Demuxer. This vulnerability allows possible data exfiltration via improper parsing of non-TTY-compliant input files in HLS playlists. (published 2024-12-31; CVSS 5.3; CVE-2023-6602)
Red Hat–Red Hat Fuse 7
  A security issue was discovered in the LRA Coordinator component of Narayana. When Cancel is called in LRA, an execution time of approximately 2 seconds occurs. If Join is called with the same LRA ID within that timeframe, the application may crash or hang indefinitely, leading to a denial of service. (published 2025-01-02; CVSS 5.9; CVE-2024-8447)
RedLettuce Plugins–WP Word Count
  Missing Authorization vulnerability in RedLettuce Plugins WP Word Count allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Word Count: from n/a through 3.2.4. (published 2025-01-02; CVSS 4.3; CVE-2023-46628)
Repuso–Social proof testimonials and reviews by Repuso
  Missing Authorization vulnerability in Repuso Social proof testimonials and reviews by Repuso allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Social proof testimonials and reviews by Repuso: from n/a through 4.97. (published 2025-01-02; CVSS 4.3; CVE-2023-46196)
Repute InfoSystems–ARMember Premium
  Missing Authorization vulnerability in Repute InfoSystems ARMember Premium allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ARMember Premium: from n/a through 5.9.2. (published 2025-01-02; CVSS 4.3; CVE-2023-39994)
RevenueHunt–Product Recommendation Quiz for eCommerce
  Missing Authorization vulnerability in RevenueHunt Product Recommendation Quiz for eCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Recommendation Quiz for eCommerce: from n/a through 2.1.2. (published 2025-01-02; CVSS 6.5; CVE-2023-46631)
RumbleTalk Ltd–RumbleTalk Live Group Chat
  Missing Authorization vulnerability in RumbleTalk Ltd RumbleTalk Live Group Chat allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RumbleTalk Live Group Chat: from n/a through 6.2.5. (published 2025-01-02; CVSS 5.4; CVE-2023-45828)
Ruslan Suhar–Convertful Your Ultimate On-Site Conversion Tool
  Missing Authorization vulnerability in Ruslan Suhar Convertful – Your Ultimate On-Site Conversion Tool allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Convertful – Your Ultimate On-Site Conversion Tool: from n/a through 2.5. (published 2025-01-02; CVSS 5.3; CVE-2023-46605)
Samsung Mobile–Samsung Mobile Devices
  Protection Mechanism Failure in bootloader prior to SMR Oct-2024 Release 1 allows physical attackers to reset lockscreen failure count by hardware fault injection. User interaction is required for triggering this vulnerability. (published 2024-12-31; CVSS 5.2; CVE-2024-49422)
Saurav Sharma–Generate Dummy Posts
  Missing Authorization vulnerability in Saurav Sharma Generate Dummy Posts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Generate Dummy Posts: from n/a through 1.0.0. (published 2025-01-02; CVSS 5.3; CVE-2023-46637)
Schema App–Schema App Structured Data
  Missing Authorization vulnerability in Schema App Schema App Structured Data allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Schema App Structured Data: from n/a through 1.23.1. (published 2025-01-02; CVSS 5.3; CVE-2023-44258)
Searchiq–SearchIQ
  Cross-Site Request Forgery (CSRF) vulnerability in Searchiq SearchIQ. This issue affects SearchIQ: from n/a through 4.6. (published 2024-12-31; CVSS 4.3; CVE-2024-56229)
Seers–Seers
  Missing Authorization vulnerability in Seers Seers allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Seers: from n/a through 8.1.1. (published 2025-01-02; CVSS 5.3; CVE-2023-47515)
SKT Themes–Posterity
  Cross-Site Request Forgery (CSRF) vulnerability in SKT Themes Posterity allows Cross Site Request Forgery. This issue affects Posterity: from n/a through 3.3. (published 2025-01-02; CVSS 4.3; CVE-2024-37493)
smartersite–WP Compress Instant Performance & Speed Optimization
  The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘custom_server’ parameter in all versions up to, and including, 6.30.03 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. (published 2025-01-04; CVSS 6.1; CVE-2024-12047)
Smartsupp–Smartsupp live chat, chatbots, AI and lead generation
  Cross-Site Request Forgery (CSRF) vulnerability in Smartsupp Smartsupp – live chat, chatbots, AI and lead generation allows Cross Site Request Forgery. This issue affects Smartsupp – live chat, chatbots, AI and lead generation: from n/a through 3.6. (published 2025-01-02; CVSS 6.5; CVE-2024-38790)
Sonaar Music–MP3 Audio Player for Music, Radio & Podcast by Sonaar
  Missing Authorization vulnerability in Sonaar Music MP3 Audio Player for Music, Radio & Podcast by Sonaar allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through 5.8. (published 2025-01-02; CVSS 6.3; CVE-2024-56266)
SourceCodester–Online Eyewear Shop
  A vulnerability was found in SourceCodester Online Eyewear Shop 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /orders/view_order.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. (published 2025-01-02; CVSS 6.3; CVE-2025-0173)
Stephen Sherrard–Member Directory and Contact Form
  Missing Authorization vulnerability in Stephen Sherrard Member Directory and Contact Form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Member Directory and Contact Form: from n/a through 1.7.0. (published 2024-12-31; CVSS 4.3; CVE-2024-56215)
StoreApps–Smart Manager
  Missing Authorization vulnerability in StoreApps Smart Manager. This issue affects Smart Manager: from n/a through 8.45.0. (published 2024-12-31; CVSS 4.3; CVE-2024-49687)
StorePlugin–ShopElement
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in StorePlugin ShopElement allows Stored XSS. This issue affects ShopElement: from n/a through 2.0.0. (published 2025-01-02; CVSS 6.5; CVE-2024-56260)
StylemixThemes–MasterStudy LMS
  Cross-Site Request Forgery (CSRF) vulnerability in StylemixThemes MasterStudy LMS allows Cross Site Request Forgery. This issue affects MasterStudy LMS: from n/a through 3.2.1. (published 2025-01-02; CVSS 4.3; CVE-2024-37093)
supsystic.com–Data Tables Generator by Supsystic
  Missing Authorization vulnerability in supsystic.com Data Tables Generator by Supsystic allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Data Tables Generator by Supsystic: from n/a through 1.10.36. (published 2025-01-02; CVSS 5.4; CVE-2024-56253)
SWTE–Swift Performance Lite
  Cross-Site Request Forgery (CSRF) vulnerability in SWTE Swift Performance Lite allows Cross Site Request Forgery. This issue affects Swift Performance Lite: from n/a through 2.3.6.20. (published 2025-01-02; CVSS 4.3; CVE-2024-37511)
Tagbox–Taggbox
  Cross-Site Request Forgery (CSRF) vulnerability in Tagbox Taggbox allows Cross Site Request Forgery. This issue affects Taggbox: from n/a through 3.3. (published 2025-01-02; CVSS 4.3; CVE-2024-38754)
taskbuilder–Taskbuilder WordPress Project & Task Management plugin
  The Taskbuilder – WordPress Project & Task Management plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s wppm_tasks shortcode in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. (published 2025-01-04; CVSS 6.4; CVE-2024-11930)
TCBarrett–Glossary
  Missing Authorization vulnerability in TCBarrett Glossary allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Glossary: from n/a through 3.1.2. (published 2025-01-02; CVSS 5.4; CVE-2023-46633)
TCS–BaNCS
  A vulnerability was found in TCS BaNCS 10. It has been classified as problematic. This affects an unknown part of the file /REPORTS/REPORTS_SHOW_FILE.jsp. The manipulation of the argument FilePath leads to file inclusion. (published 2025-01-04; CVSS 5.5; CVE-2025-0202)
TeamPass–TeamPass
  TeamPass before 3.1.3.1 does not properly check whether a mail_me (aka action_mail) operation is on behalf of an administrator or manager. (published 2024-12-30; CVSS 5.4; CVE-2024-50702)
TeamPass–TeamPass
  TeamPass before 3.1.3.1 does not properly prevent a user from acting with the privileges of a different user_id. (published 2024-12-30; CVSS 5.4; CVE-2024-50703)
TeamPass–TeamPass
  TeamPass before 3.1.3.1, when retrieving information about access rights for a folder, does not properly check whether a folder is in a user’s allowed folders list that has been defined by an admin. (published 2024-12-30; CVSS 4.3; CVE-2024-50701)
The Events Calendar–Event Tickets
  Cross-Site Request Forgery (CSRF) vulnerability in The Events Calendar Event Tickets allows Cross Site Request Forgery. This issue affects Event Tickets: from n/a through 5.11.0.4. (published 2025-01-02; CVSS 4.3; CVE-2024-38762)
The Events Calendar–The Events Calendar
  Cross-Site Request Forgery (CSRF) vulnerability in The Events Calendar The Events Calendar allows Cross Site Request Forgery. This issue affects The Events Calendar: from n/a through 6.5.1.4. (published 2025-01-02; CVSS 4.3; CVE-2024-37518)
ThemeIsle–Hestia
  Cross-Site Request Forgery (CSRF) vulnerability in ThemeIsle Hestia allows Cross Site Request Forgery. This issue affects Hestia: from n/a through 3.1.2. (published 2025-01-02; CVSS 4.3; CVE-2024-37467)
ThemeLooks–Enter Addons
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ThemeLooks Enter Addons allows Stored XSS. This issue affects Enter Addons: from n/a through 2.1.9. (published 2025-01-02; CVSS 6.5; CVE-2024-56252)
Themes4WP–Popularis Verse
  Cross-Site Request Forgery (CSRF) vulnerability in Themes4WP Popularis Verse allows Cross Site Request Forgery. This issue affects Popularis Verse: from n/a through 1.1.1. (published 2025-01-02; CVSS 4.3; CVE-2024-38763)
Themewinter–Eventin
  Path Traversal: '.../...//' vulnerability in Themewinter Eventin allows Path Traversal. This issue affects Eventin: from n/a through 4.0.7. (published 2024-12-31; CVSS 6.5; CVE-2024-56213)
Themify–Themify Audio Dock
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Themify Themify Audio Dock allows Stored XSS. This issue affects Themify Audio Dock: from n/a through 2.0.4. (published 2025-01-02; CVSS 6.5; CVE-2024-56239)
Themify–Themify Builder
  Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Themify Themify Builder allows PHP Local File Inclusion. This issue affects Themify Builder: from n/a through 7.6.3. (published 2024-12-31; CVSS 6.5; CVE-2024-56216)
thorsten–phpMyFAQ
  phpMyFAQ is an open source FAQ web application. Starting no later than version 3.2.10 and prior to version 4.0.2, an attacker can inject malicious HTML content into the FAQ editor at `http[:]//localhost/admin/index[.]php?action=editentry`, resulting in a complete disruption of the FAQ page’s user interface. By injecting malformed HTML elements styled to cover the entire screen, an attacker can render the page unusable. This injection manipulates the page structure by introducing overlapping buttons, images, and iframes, breaking the intended layout and functionality. Exploiting this issue can lead to Denial of Service for legitimate users, damage to the user experience, and potential abuse in phishing or defacement attacks. Version 4.0.2 contains a patch for the vulnerability. (published 2025-01-02; CVSS 5.2; CVE-2024-56199)
Tiki Wiki–CMS
  Tiki Wiki CMS – CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS). (published 2024-12-30; CVSS 6.1; CVE-2024-47918)
Till Krüss–Email Address Encoder
  Cross-Site Request Forgery (CSRF) vulnerability in Till Krüss Email Address Encoder allows Cross Site Request Forgery. This issue affects Email Address Encoder: from n/a through 1.0.23. (published 2025-01-02; CVSS 4.3; CVE-2024-43927)
Tim Whitlock–Loco Translate
  Cross-Site Request Forgery (CSRF) vulnerability in Tim Whitlock Loco Translate allows Cross Site Request Forgery. This issue affects Loco Translate: from n/a through 2.6.9. (published 2025-01-02; CVSS 4.3; CVE-2024-37236)
TMD–Custom Header Menu
  A vulnerability was found in TMD Custom Header Menu 4.0.0.1 on OpenCart. It has been rated as problematic. This issue affects some unknown processing of the file /admin/index.php. The manipulation of the argument headermenu_id leads to sql injection. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. (published 2025-01-04; CVSS 4.1; CVE-2025-0214)
Toast Plugins–Animator
  Missing Authorization vulnerability in Toast Plugins Animator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Animator: from n/a through 3.0.10. (published 2025-01-02; CVSS 6.5; CVE-2023-47689)
Torod Holding LTD–Torod
  Missing Authorization vulnerability in Torod Holding LTD Torod allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Torod: from n/a through 1.7. (published 2024-12-31; CVSS 6.5; CVE-2024-55995)
Trend Micro, Inc.–Trend Micro Deep Security
  An incorrect permissions assignment vulnerability in Trend Micro Deep Security 20.0 agents between versions 20.0.1-9400 and 20.0.1-23340 could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. (published 2024-12-31; CVSS 6.7; CVE-2024-55955)
Trend Micro, Inc.–Trend Micro ID Security
  Trend Micro ID Security, version 3.0 and below, contains a vulnerability that could allow an attacker to send an unlimited number of email verification requests without any restriction, potentially leading to abuse or denial of service. (published 2024-12-31; CVSS 6.5; CVE-2024-53647)
Tsinghua Unigroup–Electronic Archives Management System
  A vulnerability was found in Tsinghua Unigroup Electronic Archives Management System 3.2.210802(62532). It has been classified as problematic. Affected is the function download of the file /Searchnew/Subject/download.html. The manipulation of the argument path leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. (published 2024-12-30; CVSS 4.3; CVE-2024-13042)
Tsinghua Unigroup–Electronic Archives System
  A vulnerability classified as problematic was found in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). Affected by this vulnerability is an unknown functionality of the file /setting/ClassFy/exampleDownload.html. The manipulation of the argument name leads to path traversal: ‘/../filedir’. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. (published 2025-01-05; CVSS 4.3; CVE-2025-0225)
Tsinghua Unigroup–Electronic Archives System
  A vulnerability, which was classified as problematic, has been found in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). Affected by this issue is the function download of the file /collect/PortV4/downLoad.html. The manipulation of the argument path leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. (published 2025-01-05; CVSS 4.3; CVE-2025-0226)
Tsinghua Unigroup–Electronic Archives System
  A vulnerability, which was classified as problematic, was found in Tsinghua Unigroup Electronic Archives System 3.2.210802(62532). This affects an unknown part of the file /Logs/Annals/downLoad.html. The manipulation of the argument path leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. (published 2025-01-05; CVSS 4.3; CVE-2025-0227)
Tyche Softwares–Arconix Shortcodes
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Tyche Softwares Arconix Shortcodes allows Stored XSS. This issue affects Arconix Shortcodes: from n/a through 2.1.14. (published 2025-01-02; CVSS 6.5; CVE-2024-56242)
Uncanny Owl–Uncanny Toolkit Pro for LearnDash
  Cross-Site Request Forgery (CSRF) vulnerability in Uncanny Owl Uncanny Toolkit Pro for LearnDash allows Cross Site Request Forgery. This issue affects Uncanny Toolkit Pro for LearnDash: from n/a before 4.1.4.1. (published 2025-01-02; CVSS 5.4; CVE-2024-37438)
Unknown–TravelTour
  The TravelTour theme does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. (published 2025-01-01; CVSS 6.1; CVE-2024-11846)
vercel–next.js
  Next.js is a React framework for building full-stack web applications. Starting in version 13.0.0 and prior to versions 13.5.8, 14.2.21, and 15.1.2, Next.js is vulnerable to a Denial of Service (DoS) attack that allows attackers to construct requests that leave requests to Server Actions hanging until the hosting provider cancels the function execution. This vulnerability can also be used as a Denial of Wallet (DoW) attack when deployed in providers billing by response times. (Note: the Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.) Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing. This is the same issue as if the incoming HTTP request has an invalid `Content-Length` header or never closes. If the host has no other mitigations to those then this vulnerability is novel. This vulnerability affects only Next.js deployments using Server Actions. The issue was resolved in Next.js 13.5.8, 14.2.21, and 15.1.2. We recommend that users upgrade to a safe version. There are no official workarounds. (published 2025-01-03; CVSS 5.3; CVE-2024-56332)
Veritas–Data Insight
  Veritas / Arctera Data Insight before 7.1.1 allows Application Administrators to conduct SQL injection attacks. (published 2024-12-30; CVSS 6.5; CVE-2024-46542)
VolThemes–Patricia Blog
  Cross-Site Request Forgery (CSRF) vulnerability in VolThemes Patricia Blog allows Cross Site Request Forgery. This issue affects Patricia Blog: from n/a through 1.2. (published 2025-01-02; CVSS 4.3; CVE-2024-38732)
VW THEMES–VW Automobile Lite
  Missing Authorization vulnerability in VW THEMES VW Automobile Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects VW Automobile Lite: from n/a through 2.1. (published 2024-12-31; CVSS 5.4; CVE-2024-56234)
W3 Eden, Inc.–Download Manager
  Missing Authorization vulnerability in W3 Eden, Inc. Download Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download Manager: from n/a through 3.3.03. (published 2024-12-31; CVSS 4.3; CVE-2024-56217)
wangl1989–mysiteforme
  A vulnerability was found in wangl1989 mysiteforme 1.0 and classified as critical. Affected by this issue is the function rememberMeManager of the file src/main/java/com/mysiteforme/admin/config/ShiroConfig.java. The manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. (published 2025-01-05; CVSS 6.3; CVE-2024-13136)
wangl1989–mysiteforme
  A vulnerability was found in wangl1989 mysiteforme 1.0. It has been rated as critical. This issue affects the function doContent of the file src/main/java/com/mysiteform/admin/controller/system/FileController. The manipulation of the argument content leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. (published 2025-01-05; CVSS 6.3; CVE-2024-13139)
wangl1989–mysiteforme
  A vulnerability was found in wangl1989 mysiteforme 1.0. It has been declared as critical. This vulnerability affects the function upload of the file src/main/java/com/mysiteform/admin/service/ipl/LocalUploadServiceImpl. The manipulation of the argument test leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. (published 2025-01-05; CVSS 4.7; CVE-2024-13138)
Webdeclic–WPMasterToolKit
  Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in Webdeclic WPMasterToolKit allows Path Traversal. This issue affects WPMasterToolKit: from n/a through 1.13.1. (published 2025-01-02; CVSS 4.9; CVE-2024-56248)
websoudan–MW WP Form
  Missing Authorization vulnerability in websoudan MW WP Form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MW WP Form: from n/a through 4.4.5. (published 2025-01-02; CVSS 5.3; CVE-2023-46206)
WebToffee–WordPress Backup & Migration
  Missing Authorization vulnerability in WebToffee WordPress Backup & Migration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress Backup & Migration: from n/a through 1.4.1. (published 2025-01-02; CVSS 5.4; CVE-2023-45636)
weDevs–WP ERP
  Missing Authorization vulnerability in weDevs WP ERP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP ERP: from n/a through 1.12.6. (published 2025-01-02; CVSS 4.3; CVE-2023-45765)
wedevs–WP Project Manager Task, team, and project management plugin featuring kanban board and gantt charts
  The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to SQL Injection via the ‘project_id’ parameter of the /wp-json/pm/v2/projects/2/task-lists REST API endpoint in all versions up to, and including, 2.6.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, who have been granted access to a project, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. (published 2025-01-04; CVSS 6.5; CVE-2024-12195)
weDevs–WP User Frontend
  Missing Authorization vulnerability in weDevs WP User Frontend allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP User Frontend: from n/a through 3.6.8. (published 2025-01-02; CVSS 4.3; CVE-2023-45002)
WeyHan Ng–Post Teaser
  Missing Authorization vulnerability in WeyHan Ng Post Teaser. This issue affects Post Teaser: from n/a through 4.1.5. (published 2025-01-02; CVSS 5.4; CVE-2022-45811)
Woo–WooCommerce Subscriptions
  Missing Authorization vulnerability in Woo WooCommerce Subscriptions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Subscriptions: from n/a before 5.8.0. (published 2024-12-31; CVSS 4.3; CVE-2023-50850)
WowStore Team–ProductX Gutenberg WooCommerce Blocks
  Missing Authorization vulnerability in WowStore Team ProductX – Gutenberg WooCommerce Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ProductX – Gutenberg WooCommerce Blocks: from n/a through 2.7.8. (published 2025-01-02; CVSS 4.3; CVE-2023-45271)
WP CTA PRO–WordPress CTA
  Missing Authorization vulnerability in WP CTA PRO WordPress CTA allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress CTA: from n/a through 1.5.8. (published 2025-01-02; CVSS 6.5; CVE-2023-46644)
WP Hait–Post Grid Elementor Addon
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WP Hait Post Grid Elementor Addon allows Stored XSS. This issue affects Post Grid Elementor Addon: from n/a through 2.0.18. (published 2025-01-02; CVSS 6.5; CVE-2024-56268)
WP iCal Availability–WP iCal Availability
  Missing Authorization vulnerability in WP iCal Availability WP iCal Availability allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP iCal Availability: from n/a through 1.0.3. (published 2025-01-02; CVSS 5.4; CVE-2023-46607)
WP Royal–Ashe Extra
  Missing Authorization vulnerability in WP Royal Ashe Extra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ashe Extra: from n/a through 1.2.9. (published 2025-01-02; CVSS 5.4; CVE-2023-46079)
WP Royal–Ashe Extra
  Missing Authorization vulnerability in WP Royal Ashe Extra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ashe Extra: from n/a through 1.2.92. (published 2025-01-02; CVSS 5.4; CVE-2024-56244)
WP Royal–Ashe
  Cross-Site Request Forgery (CSRF) vulnerability in WP Royal Ashe allows Cross Site Request Forgery. This issue affects Ashe: from n/a through 2.233. (published 2025-01-02; CVSS 4.3; CVE-2024-37478)
WP Royal–Bard
  Cross-Site Request Forgery (CSRF) vulnerability in WP Royal Bard allows Cross Site Request Forgery. This issue affects Bard: from n/a through 2.210. (published 2025-01-02; CVSS 4.3; CVE-2024-37490)
WP Royal–Royal Elementor Addons
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WP Royal Royal Elementor Addons allows Stored XSS. This issue affects Royal Elementor Addons: from n/a through 1.3.987. (published 2024-12-31; CVSS 6.5; CVE-2024-56062)
WP Royal–Royal Elementor Addons
  Missing Authorization vulnerability in WP Royal Royal Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royal Elementor Addons: from n/a through 1.7.1001. (published 2024-12-31; CVSS 4.3; CVE-2024-56227)
WP Travel Engine–Travel Monster
  Cross-Site Request Forgery (CSRF) vulnerability in WP Travel Engine Travel Monster allows Cross Site Request Forgery. This issue affects Travel Monster: from n/a through 1.1.2. (published 2025-01-02; CVSS 4.3; CVE-2024-37272)
wp-buy–Visitors Traffic Real Time Statistics
  Missing Authorization vulnerability in wp-buy Visitors Traffic Real Time Statistics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Visitors Traffic Real Time Statistics: from n/a through 7.2. (published 2025-01-02; CVSS 4.3; CVE-2023-47557)
WP-CRM–WP-CRM System
  Missing Authorization vulnerability in WP-CRM WP-CRM System allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP-CRM System: from n/a through 3.2.9.1. (published 2024-12-31; CVSS 6.5; CVE-2024-55991)
WPBlockArt–Magazine Blocks
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WPBlockArt Magazine Blocks allows Stored XSS. This issue affects Magazine Blocks: from n/a through 1.3.20. (published 2025-01-02; CVSS 6.5; CVE-2024-56258)
wpdevart–Responsive Image Gallery, Gallery Album
  Missing Authorization vulnerability in wpdevart Responsive Image Gallery, Gallery Album allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Responsive Image Gallery, Gallery Album: from n/a through 2.0.3. (published 2025-01-02; CVSS 4.3; CVE-2023-45631)
WPDeveloper–Essential Addons for Elementor
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WPDeveloper Essential Addons for Elementor allows Stored XSS. This issue affects Essential Addons for Elementor: from n/a through 6.0.7. (published 2024-12-31; CVSS 6.5; CVE-2024-56063)
WPDO–DoLogin Security
  Missing Authorization vulnerability in WPDO DoLogin Security allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DoLogin Security: from n/a through 3.7.1. (published 2025-01-02; CVSS 5.3; CVE-2023-46608)
wpexpertsio–WP Multi Store Locator
  The WP Multi Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. (published 2025-01-04; CVSS 6.4; CVE-2024-12475)
wpjobportal–WP Job Portal A Complete Recruitment System for Company or Job Board website
  The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.4 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create jobs for companies that are unaffiliated with the attacker. (published 2025-01-03; CVSS 4.3; CVE-2024-12132)
WPKoi–WPKoi Templates for Elementor
  Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WPKoi WPKoi Templates for Elementor allows Stored XSS. This issue affects WPKoi Templates for Elementor: from n/a through 3.1.3. (published 2025-01-02; CVSS 6.5; CVE-2024-56241)
wpweaver–Turnkey bbPress by WeaverTheme
  The Turnkey bbPress by WeaverTheme plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘_wpnonce’ parameter in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. (published 2025-01-04; CVSS 6.1; CVE-2024-12221)
XLPlugins–Finale Lite
  Missing Authorization vulnerability in XLPlugins Finale Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Finale Lite: from n/a through 2.16.0. (published 2025-01-02; CVSS 6.5; CVE-2023-47180)
Xtemos–WoodMart
  Missing Authorization vulnerability in Xtemos WoodMart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WoodMart: from n/a through 7.2.1. (published 2025-01-02; CVSS 5.4; CVE-2023-32240)
xylus–WP Smart Import : Import any XML File to WordPress
  The WP Smart Import : Import any XML File to WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. (published 2025-01-04; CVSS 6.1; CVE-2024-12701)
YITH–YITH WooCommerce Product Add-Ons
  Missing Authorization vulnerability in YITH YITH WooCommerce Product Add-Ons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.2.0. (published 2025-01-02; CVSS 5.3; CVE-2023-46635)
yourownprogrammer–YOP Poll
  Authentication Bypass by Primary Weakness vulnerability in yourownprogrammer YOP Poll allows Authentication Bypass. This issue affects YOP Poll: from n/a through 6.5.28. (published 2025-01-02; CVSS 5.3; CVE-2023-46611)
Yulio Aleman Jimenez–Smart Shopify Product
  Missing Authorization vulnerability in Yulio Aleman Jimenez Smart Shopify Product allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smart Shopify Product: from n/a through 1.0.2. (published 2024-12-31; CVSS 6.5; CVE-2024-56031)
ZeroWdd–studentmanager
  A vulnerability, which was classified as critical, has been found in ZeroWdd studentmanager 1.0. This issue affects the function addStudent/editStudent of the file src/main/Java/com/wdd/studentmanager/controller/StudentController.java. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. (published 2025-01-05; CVSS 6.3; CVE-2024-13133)
ZeroWdd–studentmanager
  A vulnerability, which was classified as critical, was found in ZeroWdd studentmanager 1.0. Affected is the function addTeacher/editTeacher of the file src/main/Java/com/wdd/studentmanager/controller/TeacherController.java. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. (published 2025-01-05; CVSS 6.3; CVE-2024-13134)
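The single most common pair of classes in the list above is "Missing Authorization" and "Cross-Site Request Forgery" in WordPress plugins and themes. They are distinct defects with distinct fixes: a CSRF token (WordPress calls it a nonce) proves the request came from a page the site itself served to this user, while a capability check proves the user is allowed to do the action. A handler that has only one of the two is still vulnerable to the other class. The following model, added here as an illustration and not taken from WordPress or any listed plugin, re-implements the shape of WordPress's tick-based nonce (an HMAC over tick, action, user id and session token, truncated to ten characters, accepted for the current and the previous half-life tick) and then shows a settings handler that applies both checks. The salt, role table and user records are constructed for the example.

```python
import hashlib
import hmac
import math
from dataclasses import dataclass

# Nonce lifetime; WordPress's default is 24 hours, verified in two half-life
# "ticks" so a nonce issued late in one tick is still valid early in the next.
NONCE_LIFE = 24 * 60 * 60

# Constructed secret standing in for the site's NONCE_KEY/NONCE_SALT (assumption).
SITE_SALT = b"constructed-nonce-salt-do-not-reuse"

# Constructed role-to-capability map; only the capabilities used below.
CAPABILITIES = {
    "administrator": {"manage_options", "edit_posts", "read"},
    "contributor": {"edit_posts", "read"},
    "subscriber": {"read"},
}


@dataclass
class User:
    id: int
    role: str
    session_token: str  # token from the logged-in cookie; binds the nonce to a session


def nonce_tick(now):
    """Half-life tick counter, as in wp_nonce_tick()."""
    return math.ceil(now / (NONCE_LIFE / 2))


def _nonce_for_tick(tick, user, action):
    msg = f"{tick}|{action}|{user.id}|{user.session_token}".encode()
    digest = hmac.new(SITE_SALT, msg, hashlib.sha256).hexdigest()
    return digest[-12:-2]  # WordPress keeps 10 characters of its keyed hash


def create_nonce(user, action, now):
    return _nonce_for_tick(nonce_tick(now), user, action)


def verify_nonce(nonce, user, action, now):
    """1 = issued in the current tick, 2 = the previous tick, 0 = invalid."""
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        if hmac.compare_digest(_nonce_for_tick(t, user, action), nonce):
            return age
    return 0


def user_can(user, capability):
    return capability in CAPABILITIES.get(user.role, set())


def handle_settings_update(user, nonce, now):
    """A privileged action with both checks in place.

    The nonce check defeats cross-site requests (the CSRF class); the
    capability check defeats logged-in low-privilege users who can mint
    their own valid nonce (the Missing Authorization class).
    """
    if verify_nonce(nonce, user, "update_settings", now) == 0:
        return "403 invalid nonce"
    if not user_can(user, "manage_options"):
        return "403 insufficient capability"
    return "200 settings updated"


if __name__ == "__main__":
    now = 1_700_000_000
    admin = User(1, "administrator", "sess-admin")
    subscriber = User(7, "subscriber", "sess-sub")
    print(handle_settings_update(admin, create_nonce(admin, "update_settings", now), now))
    # A subscriber can obtain a perfectly valid nonce for the action; only the
    # capability check stops them.
    print(handle_settings_update(subscriber, create_nonce(subscriber, "update_settings", now), now))
```

Two details matter in practice: the nonce is bound to the user id and session token, so an attacker cannot reuse a nonce harvested from their own session against a victim, and the nonce is bound to the action name, so a nonce minted for one form does not authorise another. Neither property says anything about what the user may do, which is why the capability check is a separate line.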
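Several entries above are SQL injection through a parameter the application treats as a number: `project_id` in the WP Project Manager REST endpoint (CVE-2024-12195), `id` in Online Eyewear Shop (CVE-2025-0173), `headermenu_id` in TMD Custom Header Menu (CVE-2025-0214) and `course_id` in the attendance system at the top of the bulletin. The Wordfence text for CVE-2024-12195 describes the effect exactly: the attacker "appends additional SQL queries into already existing queries". The following example, added here and not code from any of those products, runs the same UNION payload against an interpolated query and against a typed, parameterised one using an in-memory SQLite database; the tables, rows and the password hash string are constructed for the example and the schema is an assumption, not the plugin's.

```python
import sqlite3

# Constructed sample data standing in for a WordPress database; table and
# column names are assumptions for illustration, not the plugin's real schema.
SAMPLE_SCHEMA = """
CREATE TABLE task_lists (id INTEGER, project_id INTEGER, title TEXT);
CREATE TABLE users (id INTEGER, user_login TEXT, user_pass TEXT);
INSERT INTO task_lists VALUES (1, 2, 'Backlog'), (2, 2, 'Sprint 1'), (3, 7, 'Unrelated project');
INSERT INTO users VALUES (1, 'admin', 'sample-password-hash');
"""

# A UNION payload of the shape an unprepared integer parameter invites:
# the column count (2) matches the original SELECT, so the rows merge cleanly.
PAYLOAD = "2 UNION SELECT user_login, user_pass FROM users"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def task_lists_vulnerable(conn, project_id):
    """Drops the caller-supplied value straight into the SQL text.

    This is the defect class behind CVE-2024-12195: the attacker controls
    part of the statement, so a value that should be a number can carry a
    whole UNION clause that pulls rows from another table.
    """
    sql = f"SELECT id, title FROM task_lists WHERE project_id = {project_id}"
    return conn.execute(sql).fetchall()


def task_lists_hardened(conn, project_id):
    """Coerces the type first, then binds the value as a parameter.

    int() rejects anything that is not an integer literal, and the '?'
    placeholder keeps the value out of the statement text entirely. This is
    what $wpdb->prepare() with a %d placeholder does on the WordPress side.
    """
    pid = int(project_id)  # ValueError on "2 UNION SELECT ..."
    sql = "SELECT id, title FROM task_lists WHERE project_id = ?"
    return conn.execute(sql, (pid,)).fetchall()


def demo(payload=PAYLOAD):
    """Runs one payload through both versions; returns (leaked rows, rejected?)."""
    conn = build_db()
    leaked = task_lists_vulnerable(conn, payload)
    try:
        task_lists_hardened(conn, payload)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected


if __name__ == "__main__":
    leaked, rejected = demo()
    print("vulnerable query returned:", leaked)
    print("hardened query rejected the payload:", rejected)
```

Note that the attacker in CVE-2024-12195 is a legitimate project member: the endpoint's authorization check passes, and it is the unprepared query, not the access control, that leaks the rest of the database. Type coercion alone (the `int()` call) would already stop this payload; binding the value as a parameter is what protects the string-typed parameters that are the usual next finding.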
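The Eventin entry (CVE-2024-56213) names the CWE-35 pattern `'.../...//'`, and the Tsinghua Unigroup download handlers (CVE-2024-13042, CVE-2025-0225 to CVE-2025-0227), WPMasterToolKit (CVE-2024-56248) and the BaNCS `FilePath` inclusion (CVE-2025-0202) are all the same family: a user-supplied path that reaches the filesystem. The `.../...//` shape exists because a very common "fix" is to strip `../` from the input in a single pass, and `.../...//` collapses to exactly `../` once that stripping runs. The example below, added here and not code from any listed product, shows that filter creating the traversal it was meant to prevent, then the check that actually holds: normalise the joined path and decide on the result. The upload root and the payload are constructed for the example; it uses POSIX path semantics and, as noted in the docstring, a real handler should additionally resolve symlinks with `os.path.realpath`.

```python
import posixpath

# Assumed document root for the example; not a path from any listed product.
UPLOAD_ROOT = "/var/www/html/wp-content/uploads"

# Constructed payload in the CWE-35 '.../...//' shape. Each ".../...//" group
# becomes a single "../" after one pass of "../" stripping; five groups climb
# the five directory levels of UPLOAD_ROOT.
PAYLOAD = ".../...//" * 5 + "etc/passwd"


def naive_sanitize(user_path):
    """The single-pass '../' stripping that many download handlers rely on.

    str.replace removes every non-overlapping '../' in one left-to-right scan
    and never re-checks the string it produced, so '.../...//' turns into '../'.
    """
    return user_path.replace("../", "")


def vulnerable_download_path(user_path):
    """Filter, join, trust the result: the vulnerable pattern."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, naive_sanitize(user_path)))


def safe_join(root, user_path):
    """Resolve first, then decide on the resolved path.

    Rejects NUL bytes, absolute paths (posixpath.join would discard root for
    those) and any candidate that does not stay under root after
    normalisation. On a real filesystem also pass the candidate through
    os.path.realpath before the prefix check so a symlink inside root cannot
    point outside it (assumption: POSIX path semantics, '/' separator).
    """
    if "\0" in user_path:
        raise ValueError("NUL byte in path")
    if user_path.startswith("/"):
        raise ValueError("absolute path not allowed")
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError(f"path escapes root: {candidate}")
    return candidate


def resolves_inside(root, user_path):
    """Boolean form of safe_join for use in a request handler."""
    try:
        safe_join(root, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("filter output:", naive_sanitize(PAYLOAD))
    print("vulnerable handler opens:", vulnerable_download_path(PAYLOAD))
    print("raw payload stays inside root:", resolves_inside(UPLOAD_ROOT, PAYLOAD))
    print("real traversal rejected:", not resolves_inside(UPLOAD_ROOT, "../../../../../etc/passwd"))
```

The interesting result is that the raw `.../...//` payload is not a traversal at all: normalised, it resolves to directories literally named `...` under the upload root, which is harmless. It is the stripping step that manufactures `../../../../../etc/passwd`. Deciding on the normalised path instead of editing the input makes that whole class of filter-bypass payloads irrelevant.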


