Ideagen DevonWay contains a stored cross site scripting vulnerability. A remote, authenticated attacker could craft a payload in the ‘Reports’ page that executes when another user views the report. Fixed in 2.62.4 and 2.62...

OPEXUS eComplaint before version 9.0.45.0 allows an attacker to visit the the ‘DocumentOpen.aspx’ endpoint, iterate through predictable values of ‘chargeNumber’, and download any uploaded files. More information : https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-008-02.json

OPEXUS eCasePortal before version 9.0.45.0 allows an unauthenticated attacker to navigate to the ‘Attachments.aspx’ endpoint, iterate through predictable values of ‘formid’, and download or delete all user-uploaded files, or upload new files. More information...

OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment in the “Estimated Staff Hours” field. The JavaScript is executed whenever another user visits the Project Cost tab. Fixed in OPEXUS...

OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript in the “A or SIC Number” field within the Project Setup functionality. The JavaScript is executed whenever another user views the project. Fixed in...

OPEXUS eCASE Audit allows an authenticated attacker to save JavaScript as a comment within the Document Check Out functionality. The JavaScript is executed whenever another user views the Action History Log. Fixed in OPEXUS...

OPEXUS eCASE Audit allows an authenticated attacker to modify client-side JavaScript or craft HTTP requests to access functions or buttons that have been disabled or blocked by an administrator. Fixed in eCASE Platform 11.14.1.0....

Kirby is an open-source content management system. From versions 5.0.0 to 5.2.1, Kirby is missing permission checks in the content changes API. This vulnerability affects all Kirby sites where user permissions are configured to...

Missing Authorization vulnerability in Munir Kamal Block Slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Block Slider: from n/a through 2.2.3. More information : https://patchstack.com/database/wordpress/plugin/block-slider/vulnerability/wordpress-block-slider-plugin-2-2-3-broken-access-control-vulnerability?_s_id=cve

Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in G5Theme Handmade Framework allows PHP Local File Inclusion.This issue affects Handmade Framework: from n/a through 3.9. More information...

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in BuddyDev MediaPress allows Stored XSS.This issue affects MediaPress: from n/a through 1.6.2. More information : https://patchstack.com/database/wordpress/plugin/mediapress/vulnerability/wordpress-mediapress-plugin-1-6-1-cross-site-scripting-xss-vulnerability?_s_id=cve

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in pencilwp X Addons for Elementor allows DOM-Based XSS.This issue affects X Addons for Elementor: from n/a through 1.0.23. More information : https://patchstack.com/database/wordpress/plugin/x-addons-elementor/vulnerability/wordpress-x-addons-for-elementor-plugin-1-0-23-cross-site-scripting-xss-vulnerability?_s_id=cve

Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GA4WP: Google Analytics for WordPress: from n/a through 2.10.0. More information : https://patchstack.com/database/wordpress/plugin/ga-for-wp/vulnerability/wordpress-ga4wp-google-analytics-for-wordpress-plugin-2-10-0-broken-access-control-vulnerability?_s_id=cve

Missing Authorization vulnerability in Nawawi Jamili Docket Cache allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Docket Cache: from n/a through 24.07.04. More information : https://patchstack.com/database/wordpress/plugin/docket-cache/vulnerability/wordpress-docket-cache-plugin-24-07-04-broken-access-control-vulnerability?_s_id=cve