The WPC Smart Compare for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘shortcode_btn’ shortcode in all versions up to, and including, 6.4.6 due to insufficient input sanitization and...
The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption-title` & `data-caption-description` HTML attributes in all versions up to, and...
The WoodMart plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 8.2.5 via the woodmart_get_posts_by_query() function due to insufficient restrictions on which posts can be included. This makes...
The WPGYM – WordPress Gym Management System plugin for WordPress is vulnerable to SQL Injection via several parameters in the MJ_gmgt_delete_class_limit_for_member, MJ_gmgt_get_yearly_income_expense, MJ_gmgt_get_monthly_income_expense, MJ_gmgt_add_class_limit, MJ_gmgt_view_meeting_detail, and MJ_gmgt_create_meeting functions in all versions up to 67.8.0...
The GB Forms DB plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.2 via the gbfdb_talk_to_front() function. This is due to the function accepting user input...
When passing values outside of the expected range to QColorTransferGenericFunction it can cause a denial of service, for example, this can happen when passing a specifically crafted ICC profile to QColorSpace::fromICCProfile.This issue affects Qt...
The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘upload[1][title]’...
Installation file of ESET security products on Windows allow an attacker to misuse to delete an arbitrary file without having the permissions to do so. Assigner : security@eset.com More information : https://support.eset.com/en/ca8838-arbitrary-file-deletion-vulnerability-in-eset-product-installers-on-windows-fixed
The Order Delivery Date WordPress plugin before 12.6.0 discloses arbitrary post title (such as from draft and private posts) via an unauthenticated AJAX action, allowing attackers to retrieve such information Assigner : contact@wpscan.com More...
The communication protocol used between client and server had a flaw that could lead to an authenticated user performing a remote code execution attack. Assigner : product-security@axis.com More information : https://www.axis.com/dam/public/9b/a5/72/cve-2025-30023pdf-en-US-485733.pdf
The communication protocol used between client and server had a flaw that could be leveraged to execute a man in the middle attack. Assigner : product-security@axis.com More information : https://www.axis.com/dam/public/01/d9/24/cve-2025-30024pdf-en-US-485734.pdf
The communication protocol used between the server process and the service control had a flaw that could lead to a local privilege escalation. Assigner : product-security@axis.com More information : https://www.axis.com/dam/public/40/0e/03/cve-2025-30025pdf-en-US-485736.pdf
The AXIS Camera Station Server had a flaw that allowed to bypass authentication that is normally required. Assigner : product-security@axis.com More information : https://www.axis.com/dam/public/a3/42/92/cve-2025-30026pdf-en-US-485735.pdf
The GeoDirectory WordPress plugin before 2.8.120 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the...