The This-or-That plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘thisorthat’ shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user...
The importFile SOAP method is vulnerable to a directory traversal attack. An unauthenticated remote attacker bypass the path restriction and upload files to arbitrary locations. More information : https://sauter.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-060.json
An unauthenticated remote attacker can crash the wscserver by sending incomplete SOAP requests. The wscserver process will not be restarted by a watchdog and a device reboot is necessary to make it work again....
A low privileged remote attacker can corrupt the webserver users storage on the device by setting a sequence of unsupported characters which leads to deletion of all previously configured users and the creation of...
A low privileged remote attacker can upload arbitrary data masked as a png file to the affected device using the webserver API because only the file extension is verified. More information : https://sauter.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-060.json
A high privileged remote attacker can influence the parameters passed to the openssl command due to improper neutralization of special elements when adding a password protected self-signed certificate. More information : https://sauter.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-060.json
The wsc server uses a hard-coded certificate to check the authenticity of SOAP messages. An unauthenticated remote attacker can extract private keys from the Software of the affected devices. More information : https://sauter.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-060.json
The PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 11.1.2. This is due to missing or incorrect...
The Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pro_version_activation_code’ parameter in all versions up to,...
The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.38 via the save_refund_request() function. This makes it possible for authenticated...
The Meta Tag Manager WordPress plugin before 3.3 does not restrict which roles can create http-equiv refresh meta tags. More information : https://wpscan.com/vulnerability/4a2d4dcf-bb34-4eec-b5de-31c6a4d823cf/
The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘order_mail’ setting in versions up to, and including, 2.11.22. This is due to insufficient sanitization on the order_mail field and...
The NS Maintenance Mode for WP WordPress plugin through 1.3.1 lacks authorization in its subscriber export function allowing unauthenticated attackers to download a list of a site’s subscribers containing their name and email address...
On Mercku M6a devices through 2.1.0, the authentication system uses predictable session tokens based on timestamps. More information : https://blog.nullvoid.me/posts/mercku-exploits/