CYBR International Malware Information Sharing Platform (MISP)
The MISP is a threat intelligence aggregator that updates the community about evolving threats and vulnerabilities. The MISP may be imported as a threat intelligence data feed into existing cyber security threat analysis and reporting solutions.
| DataType | ProblemTypes | Impact | Publishdate | |
|---|---|---|---|---|
Threat detailsA vulnerability was found in D-Link DCS-932L 2.18.01. It has been declared as critical. This vulnerability affects the function isUCPCameraNameChanged of the file /sbin/ucp. The manipulation of the argument CameraName leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | CVE | CWE-119, CWE-121 | NETWORK: LOW | 05-17-2025 |
Threat detailsA vulnerability was found in D-Link DCS-932L 2.18.01 and classified as critical. Affected by this issue is the function sub_404780 of the file /bin/gpio. The manipulation of the argument CameraName leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | CVE | CWE-119, CWE-121 | NETWORK: LOW | 05-17-2025 |
Threat detailsAn attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes. This vulnerability affects Firefox < 138.0.4 and Firefox ESR < 128.10.1. | CVE | LOW | 05-17-2025 | |
Threat detailsAn attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. This vulnerability affects Firefox < 138.0.4 and Firefox ESR < 128.10.1. | CVE | LOW | 05-17-2025 | |
Threat detailsAn attacker was able to perform an out-of-bounds read or write on a JavaScript object by confusing array index sizes. This vulnerability affects Firefox ESR < 115.23.1. | CVE | LOW | 05-17-2025 | |
Threat detailsAn attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object. This vulnerability affects Firefox ESR < 115.23.1. | CVE | LOW | 05-17-2025 | |
Threat detailsA vulnerability has been found in itwanger paicoding 1.0.0/1.0.1/1.0.2/1.0.3 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /paicoding-core/src/main/java/com/github/paicoding/forum/core/util/CrossUtil.java. The manipulation leads to permissive cross-domain policy with untrusted domains. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | CVE | CWE-346, CWE-942 | NETWORK: HIGH | 05-17-2025 |
Threat detailsA vulnerability, which was classified as problematic, was found in kanwangzjm Funiture up to 71ca0fb0658b3d839d9e049ac36429207f05329b. Affected is the function doPost of the file /funiture-master/src/main/java/com/app/mvc/acl/servlet/LoginServlet.java of the component Login. The manipulation of the argument ret leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. | CVE | CWE-601 | NETWORK: LOW | 05-17-2025 |
Threat detailsA vulnerability classified as critical has been found in projectworlds Student Project Allocation System 1.0. This affects an unknown part of the file /make_group_sql.php. The manipulation of the argument mem1/mem2/mem3 leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-89, CWE-74 | NETWORK: LOW | 05-17-2025 |
Threat detailsRejected reason: wrong year
| CVE | LOW | 05-17-2025 | |
Threat detailsRejected reason: wrong year
| CVE | LOW | 05-17-2025 | |
Threat detailsA vulnerability was found in TOTOLINK A702R, A3002R and A3002RU 3.0.0-B20230809.1615. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /boafrm/formWlanRedirect of the component HTTP POST Request Handler. The manipulation of the argument redirect-url leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-119, CWE-120 | NETWORK: LOW | 05-17-2025 |
Threat detailsA vulnerability was found in Projectworlds Life Insurance Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /deleteAgent.php. The manipulation of the argument agent_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-89, CWE-74 | NETWORK: LOW | 05-17-2025 |
Threat detailsA vulnerability was found in TOTOLINK A702R, A3002R and A3002RU 3.0.0-B20230809.1615. It has been classified as critical. Affected is an unknown function of the file /boafrm/formSetLg of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-119, CWE-120 | NETWORK: LOW | 05-17-2025 |
Threat detailsCocotais Bot is a QQ official robot framework based on qq-bot-sdk. Starting in version 1.5.0-test2-hotfix and prior to version 1.6.2, command echoing feature in the framework allows users to indirectly trigger privileged behavior by injecting special platform tags. Specifically, an unauthorized user can use the `/echo | CVE | CWE-74 | LOW | 05-17-2025 |
Threat detailsDonetick an open-source app for managing tasks and chores. Prior to version 0.1.44, the application uses JSON Web Tokens (JWT) for authentication, but the signing secret has a weak default value. While the responsibility is left to the system administrator to change it, this approach is inadequate. The vulnerability is proven by existence of the issue in the live version as well. This issue can result in full account takeover of any user. Version 0.1.44 contains a patch. | CVE | CWE-1188, CWE-453 | LOW | 05-17-2025 |
Threat detailsA vulnerability was found in TOTOLINK A702R, A3002R and A3002RU 3.0.0-B20230809.1615 and classified as critical. This issue affects some unknown processing of the file /boafrm/formNtp of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-119, CWE-120 | NETWORK: LOW | 05-17-2025 |
Threat detailsA vulnerability has been found in TOTOLINK A702R, A3002R and A3002RU 3.0.0-B20230809.1615 and classified as critical. This vulnerability affects unknown code of the file /boafrm/formDosCfg of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-119, CWE-120 | NETWORK: LOW | 05-17-2025 |
Threat detailsA vulnerability, which was classified as critical, was found in TOTOLINK A702R, A3002R and A3002RU 3.0.0-B20230809.1615. This affects an unknown part of the file /boafrm/formSiteSurveyProfile of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-119, CWE-120 | NETWORK: LOW | 05-17-2025 |
Threat detailssetuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue. | CVE | CWE-22 | LOW | 05-17-2025 |
Threat detailsIBM i 7.2, 7.3, 7.4, 7.5, and 7.6 product IBM TCP/IP Connectivity Utilities for i contains a privilege escalation vulnerability. A malicious actor with command line access to the host operating system can elevate privileges to gain root access to the host operating system. | CVE | CWE-250 | NETWORK: HIGH | 05-17-2025 |
Threat detailsLibreNMS is PHP/MySQL/SNMP based network monitoring software. LibreNMS v25.4.0 and prior suffers from a Stored Cross-Site Scripting (XSS) Vulnerability in the `group name` parameter of the `http://localhost/poller/groups` form. This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users. LibreNMS v25.5.0 contains a patch for the issue. | CVE | CWE-79 | HIGH | 05-17-2025 |
Threat detailsA vulnerability, which was classified as critical, has been found in TOTOLINK A702R, A3002R and A3002RU 3.0.0-B20230809.1615. Affected by this issue is some unknown functionality of the file /boafrm/formSysCmd of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-119, CWE-120 | NETWORK: LOW | 05-17-2025 |
Threat detailsA vulnerability classified as critical was found in TOTOLINK A702R, A3002R and A3002RU 3.0.0-B20230809.1615. Affected by this vulnerability is the function sub_40BE30 of the file /boafrm/formStats of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-119, CWE-120 | NETWORK: LOW | 05-17-2025 |
Threat detailsA vulnerability, which was classified as critical, was found in TOTOLINK A702R, A3002R and A3002RU 3.0.0-B20230809.1615. Affected is an unknown function of the file /boafrm/formSaveConfig of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-119, CWE-120 | NETWORK: LOW | 05-17-2025 |
Threat detailsA vulnerability was found in PHPGurukul Park Ticketing Management System 2.0 and classified as critical. This issue affects some unknown processing of the file /add-normal-ticket.php. The manipulation of the argument noadult/nochildren/aprice/cprice leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | CVE | LOW | 05-17-2025 | |
Threat detailsThe MultiVendorX – WooCommerce Multivendor Marketplace Solutions plugin for WordPress is vulnerable to unauthorized loss of data due to a misconfigured capability check on the 'delete_fpm_product' function in all versions up to, and including, 4.2.22. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary posts, pages, attachments, and products. The vulnerability was partially patched in version 4.2.22. | CVE | CWE-863 | NETWORK: LOW | 05-17-2025 |
Threat detailsRAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against email verification codes to perform arbitrary account registration, login, and password reset. Codes are six digits and there is no rate limiting. | CVE | LOW | 05-17-2025 | |
Threat detailsNetgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds is vulnerable to Cross Site Scripting (XSS) in widgets/log.widget.php. | CVE | LOW | 05-17-2025 | |
Threat detailsNetgate pfSense CE (prior to 2.8.0 beta release) and corresponding Plus builds are vulnerable to command injection in the OpenVPN widget due to improper sanitization of user-supplied input to the OpenVPN management interface. An authenticated attacker can exploit this vulnerability by injecting arbitrary OpenVPN management commands via the remipp parameter. | CVE | LOW | 05-17-2025 | |
Threat detailsThe WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpbc shortcode in all versions up to, and including, 10.11.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | CVE | CWE-79 | NETWORK: LOW | 05-17-2025 |
Threat detailsThe Jupiter X Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File inclusion in all versions up to, and including, 4.8.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the page with the included SVG file. | CVE | CWE-79 | NETWORK: LOW | 05-17-2025 |
Threat detailsThe EventON Pro plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'assets/lib/settings/settings.js' file in all versions up to, and including, 4.9.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.9.6. | CVE | CWE-862 | NETWORK: LOW | 05-17-2025 |
Threat detailsThe Wise Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.3 via the 'uploads' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads directory which can contain file attachments included in chat messages. The vulnerability was partially patched in version 3.3.3. | CVE | CWE-200 | NETWORK: LOW | 05-17-2025 |
Threat detailsA vulnerability, which was classified as critical, has been found in TOTOLINK A702R, A3002R and A3002RU 3.0.0-B20230809.1615. This issue affects some unknown processing of the file /boafrm/formWirelessTbl of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-119, CWE-120 | NETWORK: LOW | 05-17-2025 |
Threat detailsA vulnerability classified as critical has been found in TOTOLINK A702R, A3002R and A3002RU 3.0.0-B20230809.1615. This affects an unknown part of the file /boafrm/formWsc of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-119, CWE-120 | NETWORK: LOW | 05-17-2025 |
Threat detailsA vulnerability was found in TOTOLINK A702R, A3002R and A3002RU 3.0.0-B20230809.1615. It has been rated as critical. Affected by this issue is the function submit-url of the file /boafrm/formReflashClientTbl of the component HTTP POST Request Handler. The manipulation leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-119, CWE-120 | NETWORK: LOW | 05-17-2025 |
Threat detailsThe WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpmem_user_memberships shortcode in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | CVE | CWE-79 | NETWORK: LOW | 05-17-2025 |
Threat detailsA vulnerability classified as critical was found in TOTOLINK A702R, A3002R and A3002RU 3.0.0-B20230809.1615. This vulnerability affects unknown code of the file /boafrm/formDMZ of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-119, CWE-120 | NETWORK: LOW | 05-17-2025 |
Threat detailsUntrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo). | CVE | LOW | 05-17-2025 | |
Threat detailsA vulnerability classified as problematic has been found in y_project RuoYi 4.8.0. Affected is an unknown function of the file /monitor/online/batchForceLogout of the component Offline Logout. The manipulation of the argument ids leads to improper authorization. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. | CVE | CWE-285, CWE-266 | NETWORK: HIGH | 05-17-2025 |
Threat detailsThe Echo RSS Feed Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the echo_generate_featured_image() function in all versions up to, and including, 5.4.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | CVE | CWE-434 | NETWORK: LOW | 05-17-2025 |
Threat detailsThe Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the crawlomatic_generate_featured_image() function in all versions up to, and including, 2.6.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | CVE | CWE-434 | NETWORK: LOW | 05-17-2025 |
Threat detailsThe CSV Mass Importer WordPress plugin through 1.2 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup) | CVE | LOW | 05-17-2025 | |
Threat detailsThe WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the qcld_openai_delete_training_file() function in all versions up to, and including, 13.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | CVE | CWE-73 | NETWORK: LOW | 05-17-2025 |
Threat detailsInvision Community 5.0.0 before 5.0.7 allows remote code execution via crafted template strings to themeeditor.php. The issue lies within the themeeditor controller (file: /applications/core/modules/front/system/themeeditor.php), where a protected method named customCss can be invoked by unauthenticated users. This method passes the value of the content parameter to the Theme::makeProcessFunction() method; hence it is evaluated by the template engine. Accordingly, this can be exploited by unauthenticated attackers to inject and execute arbitrary PHP code by providing crafted template strings. | CVE | LOW | 05-17-2025 | |
Threat detailsA vulnerability was found in SourceCodester Doctor's Appointment System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/delete-doctor.php of the component GET Parameter Handler. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-89, CWE-74 | NETWORK: LOW | 05-17-2025 |
Threat detailsThe Z-Downloads WordPress plugin before 1.11.6 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks when accessing share URLs. | CVE | LOW | 05-17-2025 | |
Threat detailsThe PowerPress Podcasting plugin by Blubrry WordPress plugin before 11.9.18 does not sanitise and escape some of its settings when adding a podcast, which could allow admin users to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | CVE | LOW | 05-17-2025 | |
Threat detailsThe Logo Slider WordPress plugin before 3.7.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | CVE | LOW | 05-17-2025 | |
Threat detailsThe Download Manager WordPress plugin before 3.2.99 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | CVE | LOW | 05-17-2025 | |
Threat detailsThe webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting visit logs via CSRF attacks | CVE | LOW | 05-17-2025 | |
Threat detailsThe webtoffee-gdpr-cookie-consent WordPress plugin before 2.6.1 does not properly sanitize and escape the IP headers when logging them, allowing visitors to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Consent report' page and the malicious script is executed in the admin context. | CVE | LOW | 05-17-2025 | |
Threat detailsA vulnerability was found in SourceCodester Doctor's Appointment System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/appointment.php of the component GET Parameter Handler. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-89, CWE-74 | NETWORK: LOW | 05-17-2025 |
Threat detailsA vulnerability was found in Sourcecodester Doctor's Appointment System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/delete-appointment.php of the component GET Parameter Handler. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-89, CWE-74 | NETWORK: LOW | 05-17-2025 |
Threat detailsThe Simple Nav Archives WordPress plugin through 2.1.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | CVE | LOW | 05-17-2025 | |
Threat detailsThe Maspik WordPress plugin before 2.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. | CVE | LOW | 05-17-2025 | |
Threat detailsThe AVIF Uploader WordPress plugin before 1.1.1 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. | CVE | LOW | 05-17-2025 | |
Threat detailsThe Page Builder: Pagelayer WordPress plugin before 1.8.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | CVE | LOW | 05-17-2025 | |
Threat detailsThe Nested Pages WordPress plugin before 3.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | LOW | 05-17-2025 | |
Threat detailsThe Hustle WordPress plugin through 7.8.5 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | CVE | LOW | 05-17-2025 | |
Threat detailsThe Backup Database WordPress plugin through 4.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | LOW | 05-17-2025 | |
Threat detailsThe Payment Gateway for Telcell WordPress plugin through 2.0.1 does not validate the api_url parameter before redirecting the user to its value, leading to an Open Redirect issue | CVE | LOW | 05-17-2025 | |
Threat detailsThe Events Calendar WordPress plugin before 6.6.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | LOW | 05-17-2025 | |
Threat detailsThe Team WordPress plugin before 4.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | LOW | 05-17-2025 | |
Threat detailsThe Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses WordPress plugin before 1.9.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | LOW | 05-17-2025 | |
Threat detailsThe Quiz Maker WordPress plugin before 6.5.9.9 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | CVE | LOW | 05-17-2025 | |
Threat detailsThe PWA for WP WordPress plugin before 1.7.72 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | LOW | 05-17-2025 | |
| CVE | LOW | 05-17-2025 | ||
Threat detailsThe KBucket: Your Curated Content in WordPress plugin before 4.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | CVE | LOW | 05-17-2025 | |
Threat detailsThe KBucket: Your Curated Content in WordPress plugin before 4.1.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against admin. | CVE | LOW | 05-17-2025 | |
Threat detailsThe DL Verification WordPress plugin through 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | LOW | 05-17-2025 | |
Threat detailsThe Simple Video Directory WordPress plugin before 1.4.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. | CVE | LOW | 05-17-2025 | |
Threat detailsThe Simple Share WordPress plugin through 0.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | LOW | 05-17-2025 | |
Threat detailsThe Stylish Price List WordPress plugin before 7.1.8 does not sanitise and escape some of its settings, which could allow high privilege users of contributor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | LOW | 05-17-2025 | |
Threat detailsIn the process of testing the Simple Job Board WordPress plugin before 2.12.2, a vulnerability was found that allows you to implement Stored XSS on behalf of the editor by embedding malicious script, which entails account takeover backdoor | CVE | LOW | 05-17-2025 | |
Threat detailsThe GamiPress WordPress plugin before 1.0.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | CVE | LOW | 05-17-2025 | |
Threat detailsThe Simple Job Board WordPress plugin before 2.12.6 does not prevent uploaded files from being listed, allowing unauthenticated users to access and download uploaded resumes | CVE | LOW | 05-17-2025 | |
Threat detailsThe ClickSold IDX WordPress plugin through 1.90 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | LOW | 05-17-2025 | |
Threat detailsThe Joy Of Text Lite WordPress plugin through 2.3.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | CVE | LOW | 05-17-2025 | |
Threat detailsThe Audio Comments Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on the 'audio-comments/audior-settings.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | CVE | CWE-352 | NETWORK: LOW | 05-17-2025 |
Threat detailsThe RegistrationMagic WordPress plugin before 6.0.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | LOW | 05-17-2025 | |
Threat detailsThe AlT Monitoring plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the 'ALT_Monitoring_edit' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | CVE | CWE-352 | NETWORK: LOW | 05-17-2025 |
Threat detailsThe Secure Downloads WordPress plugin before 1.2.3 is vulnerable does not properly restrict which files can be downloaded. This makes it possible for authenticated attackers, with admin-level access and above, to download arbitrary files that may contain sensitive information like wp-config.php. | CVE | LOW | 05-17-2025 | |
Threat detailsThe Everest Forms WordPress plugin before 3.0.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | LOW | 05-17-2025 | |
Threat detailsA vulnerability was found in Campcodes Sales and Inventory System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /pages/supplier_update.php. The manipulation of the argument Name leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-89, CWE-74 | NETWORK: LOW | 05-17-2025 |
Threat detailsA vulnerability has been found in Campcodes Sales and Inventory System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /pages/supplier_add.php. The manipulation of the argument Name leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-89, CWE-74 | NETWORK: LOW | 05-17-2025 |
Threat detailsBSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported. | CVE | LOW | 05-17-2025 | |
Threat detailsThe Add SVG Support for Media Uploader | inventivo WordPress plugin through 1.0.5 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. | CVE | LOW | 05-17-2025 | |
Threat detailsThe SVG Uploads Support WordPress plugin through 2.1.1 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. | CVE | LOW | 05-17-2025 | |
Threat detailsThe Wholesale Market WordPress plugin before 2.2.2, Wholesale Market for WooCommerce WordPress plugin before 2.0.1 have a flawed CSRF check when updating their settings, which could allow attackers to make a logged in admin update them via a CSRF attack | CVE | LOW | 05-17-2025 | |
Threat detailsSamsung Internet for Galaxy Watch version 5.0.9, available up until Samsung Galaxy Watch 3, does not properly validate TLS certificates, allowing for an attacker to impersonate any and all websites visited by the user. This is a critical misconfiguration in the way the browser validates the identity of the server. It negates the use of HTTPS as a secure channel, allowing for Man-in-the-Middle attacks, stealing sensitive information or modifying incoming and outgoing traffic. NOTE: This vulnerability is in an end-of-life product that is no longer maintained by the vendor. | CVE | LOW | 05-17-2025 | |
Threat detailsThe Wholesale Market WordPress plugin before 2.2.2, Wholesale Market for WooCommerce WordPress plugin before 2.0.1 have a flawed CSRF check when updating their settings, which could allow attackers to make a logged in admin update them via a CSRF attack | CVE | LOW | 05-17-2025 | |
Threat detailsArbitrary File Upload vulnerability in Doctor-Appointment version 1.0 in /Frontend/signup_com.php, allows attackers to execute arbitrary code. | CVE | LOW | 05-17-2025 | |
Threat detailsSQL Injection vulnerability in Flipkart-Clone-PHP version 1.0 in entry.php in product_title parameter, allows attackers to execute arbitrary code. | CVE | LOW | 05-17-2025 | |
Threat detailsSoftware installed and run as a non-privileged user may conduct improper GPU system calls to trigger use-after-free kernel exceptions. | CVE | LOW | 05-17-2025 | |
Threat detailsKernel software installed and running inside a Guest VM may exploit memory shared with the GPU Firmware to read and/or write data outside the Guest's virtualised GPU memory. | CVE | LOW | 05-17-2025 | |
Threat detailsA vulnerability, which was classified as critical, was found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. Affected is an unknown function of the file /edit-phlebotomist.php. The manipulation of the argument mobilenumber leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-89, CWE-74 | NETWORK: LOW | 05-16-2025 |
Threat detailsA vulnerability, which was classified as critical, has been found in PHPGurukul Human Metapneumovirus Testing Management System 1.0. This issue affects some unknown processing of the file /profile.php. The manipulation of the argument mobilenumber leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | CVE | CWE-89, CWE-74 | NETWORK: LOW | 05-16-2025 |
Threat detailsThe Ninja Pages WordPress plugin through 1.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | CVE | LOW | 05-16-2025 |
