An ACAP configuration file has improper permissions, which could allow command injection and potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation...
A malicious ACAP application can gain access to admin-level service account credentials used by legitimate ACAP applications, leading to potential privilege escalation of the malicious ACAP application. This vulnerability can only be exploited if...
An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow...
An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP...
The age-restriction WordPress plugin through 3.0.2 does not have authorisation in the age_restrictionRemoteSupportRequest function, allowing any authenticated user, such as a subscriber, to create an admin user with a hardcoded username and arbitrary password. More...
The Make Email Customizer for WooCommerce WordPress plugin through 1.0.6 lacks proper authorization checks and option validation in its AJAX actions, allowing any authenticated user, such as a Subscriber, to update arbitrary WordPress options....
The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from...
The Chart Expert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pmzez_chart’ shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping...
The Geopost plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘height’ parameter of the ‘geopost’ shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization...
The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the ‘contents’ parameter. This is due to a lack of sanitization...
The Progress Bar Blocks for Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output...
The Ninja Countdown | Fastest Countdown Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ‘ninja_countdown_admin_ajax’ AJAX endpoint in all versions up to, and...
The GitHub Gist Shortcode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter of the ‘gist’ shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization...
The WP Count Down Timer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the ‘wp_countdown_timer’ shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization...