Tagged: Cybersecurity Alert

The WP Responsive Meet The Team plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wprm_team’ shortcode in all versions up to, and including, 1.0.1. This is due to insufficient input sanitization...

The WP-Thumbnail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘roboshot’ shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on...

The Cinza Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘cgrid_skin_content’ post meta field in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping....

The JB News Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ shortcode attribute of the ‘jbticker’ shortcode in all versions up to, and including, 1.0. This is due to...

The Mixlr Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mixlr’ shortcode in all versions up to, and including, 1.0.1. This is due to insufficient input sanitization and output escaping...

The WP-Force Images Download plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpfid’ shortcode in all versions up to, and including, 1.8. This is due to insufficient input sanitization and output...

The Print Button Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘print-button’ shortcode in all versions up to, and including, 1.0.1. This is due to insufficient input sanitization and output...

The Email Tracker – Email Log, Email Open Tracking, Email Analytics & Email Management for WordPress Emails plugin for WordPress is vulnerable to SQL Injection via the ‘orderby’ parameter in all versions up to,...

The This-or-That plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘thisorthat’ shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user...

The wsc server uses a hard-coded certificate to check the authenticity of SOAP messages. An unauthenticated remote attacker can extract private keys from the Software of the affected devices. More information : https://sauter.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-060.json

The importFile SOAP method is vulnerable to a directory traversal attack. An unauthenticated remote attacker bypass the path restriction and upload files to arbitrary locations. More information : https://sauter.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-060.json

An unauthenticated remote attacker can crash the wscserver by sending incomplete SOAP requests. The wscserver process will not be restarted by a watchdog and a device reboot is necessary to make it work again....

A low privileged remote attacker can corrupt the webserver users storage on the device by setting a sequence of unsupported characters which leads to deletion of all previously configured users and the creation of...

A low privileged remote attacker can upload arbitrary data masked as a png file to the affected device using the webserver API because only the file extension is verified. More information : https://sauter.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-060.json