Export limit exceeded: 343255 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (343255 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-13623 | 1 Wordpress | 1 Wordpress | 2025-12-08 | 6.1 Medium |
| The Twitscription plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the admin.php PATH_INFO in all versions up to, and including, 0.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-13622 | 1 Wordpress | 1 Wordpress | 2025-12-08 | 6.1 Medium |
| The Jabbernotification plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the admin.php PATH_INFO in all versions up to, and including, 0.99-RC2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-13512 | 2 Jiangxin, Wordpress | 2 Cosign Single Signon, Wordpress | 2025-12-08 | 6.1 Medium |
| The CoSign Single Signon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-13494 | 1 Wordpress | 1 Wordpress | 2025-12-08 | 5.3 Medium |
| The SSP Debug plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0. This is due to the plugin storing PHP error logs in a predictable, web-accessible location (wp-content/uploads/ssp-debug/ssp-debug.log) without any access controls. This makes it possible for unauthenticated attackers to view sensitive debugging information including full URLs, client IP addresses, User-Agent strings, WordPress user IDs, and internal filesystem paths. | ||||
| CVE-2025-13488 | 1 Sonatype | 1 Nexus Repository Manager | 2025-12-08 | N/A |
| Due to a regression introduced in version 3.83.0, a security header is no longer applied to certain user-uploaded content served from repositories. This may allow an authenticated attacker with repository upload privileges to exploit a stored cross-site scripting (XSS) vulnerability with user context. | ||||
| CVE-2025-13373 | 1 Advantech | 1 Iview | 2025-12-08 | 7.5 High |
| Advantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap (Port 162) requests, which could allow an attacker to inject SQL commands. | ||||
| CVE-2025-13362 | 1 Wordpress | 1 Wordpress | 2025-12-08 | 4.3 Medium |
| The Norby AI plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-10285 | 1 Silabs | 1 Simplicity Device Manager | 2025-12-08 | N/A |
| The web interface of the Silicon Labs Simplicity Device Manager is exposed publicly and can be used to extract the NTLMv2 hash which an attacker could use to crack the user's domain password. | ||||
| CVE-2025-11759 | 2 Watchful, Wordpress | 2 Xcloner, Wordpress | 2025-12-08 | 4.3 Medium |
| The Backup, Restore and Migrate your sites with XCloner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.2. This is due to missing or incorrect nonce validation on the Xcloner_Remote_Storage:save() function. This makes it possible for unauthenticated attackers to add or modify an FTP backup configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation allows an attacker to set an attacker-controlled FTP site for backup storage and exfiltrate potentially sensitive site data. | ||||
| CVE-2025-12093 | 1 Wordpress | 1 Wordpress | 2025-12-08 | 5.3 Medium |
| The Voidek Employee Portal plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX actions in all versions up to, and including, 1.0.6. This makes it possible for unauthenticated attackers to perform several actions like registering an account, deleting users, and modifying details within the employee portal. | ||||
| CVE-2025-12128 | 1 Wordpress | 1 Wordpress | 2025-12-08 | 4.3 Medium |
| The Hide Categories Or Products On Shop Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7. This is due to missing or incorrect nonce validation on the save_data_hcps() function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-12133 | 1 Wordpress | 1 Wordpress | 2025-12-08 | 4.3 Medium |
| The EPROLO Dropshipping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data AJAX endpoints in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify and delete tracking data. | ||||
| CVE-2025-12154 | 1 Wordpress | 1 Wordpress | 2025-12-08 | 8.8 High |
| The Auto Thumbnailer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadThumb() function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-12163 | 2 Omnipressteam, Wordpress | 2 Omnipress, Wordpress | 2025-12-08 | 6.4 Medium |
| The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||
| CVE-2025-12165 | 1 Wordpress | 1 Wordpress | 2025-12-08 | 4.3 Medium |
| The Webcake – Landing Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webcake_save_config' AJAX endpoint in all versions up to, and including, 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's settings. | ||||
| CVE-2025-12181 | 2 Contentstudio, Wordpress | 2 Contentstudio, Wordpress | 2025-12-08 | 8.8 High |
| The ContentStudio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the cstu_update_post() function in all versions up to, and including, 1.3.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-12186 | 1 Wordpress | 1 Wordpress | 2025-12-08 | 4.4 Medium |
| The Weekly Planner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2025-12190 | 2 Duddi, Wordpress | 2 Image Optimizer, Wordpress | 2025-12-08 | 4.3 Medium |
| The Image Optimizer by wps.sk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the imagopby_ajax_optimize_gallery() function. This makes it possible for unauthenticated attackers to trigger bulk optimization via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-12191 | 3 Ovologics, Woocommerce, Wordpress | 3 Pdf Catalog For Woocommerce, Woocommerce, Wordpress | 2025-12-08 | 5.4 Medium |
| The PDF Catalog for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pdfcatalog' AJAX action in all versions up to, and including, 1.1.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-12354 | 1 Wordpress | 1 Wordpress | 2025-12-08 | 4.3 Medium |
| The Live CSS Preview plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_frontend_save' AJAX endpoint in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's css setting. | ||||