| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.4.3 via the redirect_guess_404_permalink function. This can allow unauthenticated attackers to expose the slug of a custom post whose 'publicly_queryable' post status has been set to 'false'. |
| The Wordpress Plugin Smart Product Review plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. |
| Improper isolation in the Intel(R) Core(TM) Ultra Processor stream cache mechanism may allow an authenticated user to potentially enable escalation of privilege via local access. |
| The Comfino Payment Gateway plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 4.1.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. |
| Incorrect default permissions in some onboard video driver software before version 1.14 for Intel(R) Server Boards based on Intel(R) 62X Chipset may allow an authenticated user to potentially enable escalation of privilege via local access. |
| The ViewMedica 9 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.15. This is due to missing or incorrect nonce validation on the 'Viewmedica-Admin' page. This makes it possible for unauthenticated attackers to inject arbitrary SQL queries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| The Horoscope And Tarot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'divine_horoscope' shortcode in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| The Seraphinite Bulk Discounts for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.4.6. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. |
| Unchecked return value in SDM firmware for Intel(R) Stratix 10 and Intel(R) Agilex 7 FPGAs before version 23.3 may allow an authenticated user to potentially enable denial of service via adjacent access. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kanwei_doublethedonation Double the Donation double-the-donation allows Stored XSS.This issue affects Double the Donation: from n/a through <= 2.0.0. |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Alexander AnyComment anycomment allows PHP Local File Inclusion.This issue affects AnyComment: from n/a through <= 0.3.6. |
| The PPWP – Password Protect Pages plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.9.5 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator. |
| Null pointer dereference for some Intel(R) CST software before version 2.1.10300 may allow an authenticated user to potentially enable denial of service via local access. |
| Directory traversal vulnerability exists in A.K.I Software's PMailServer/PMailServer2 products' CGIs included in Internal Simple Webserver. If this vulnerability is exploited, a remote attacker may access arbitrary files outside DocumentRoot. |
| The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the /wp-json/timetics/v1/customers/ REST API endpoint in all versions up to, and including, 1.0.27. This makes it possible for authenticated attackers, with Timetics Customer access and above, to delete arbitrary users. |
| PingOne MFA Integration Kit contains a vulnerability where the skipMFA action can be configured such that user authentication does not require the second factor authentication from the user's existing registered devices. A threat actor might be able to exploit this vulnerability to authenticate as a target user if they have existing knowledge of the target user’s first-factor credentials. |
| Missing Authorization vulnerability in Jewel Theme Master Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Master Addons for Elementor: from n/a through 2.0.5.3. |
| Deserialization of Untrusted Data vulnerability in BoldThemes Goldenblatt goldenblatt allows Object Injection.This issue affects Goldenblatt: from n/a through < 1.3.0. |
| Cross-Site Request Forgery (CSRF) vulnerability in Stephanie Leary Dashboard Notepad dashboard-notepad allows Cross Site Request Forgery.This issue affects Dashboard Notepad: from n/a through <= 1.42. |
| Missing Authorization vulnerability in merkulove Lottier lottier-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Lottier: from n/a through <= 1.1.1. |
