| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The Permalink Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in the admin URI Editor interface in all versions up to, and including, 2.5.3.3 due to insufficient output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in the admin Permalink Manager page that will execute whenever an administrator accesses the Permalink Manager page. |
| The SALESmanago & Leadoo WordPress plugin before 3.11.3 does not properly sanitise and escape a parameter passed to one of its AJAX actions before using it in a SQL statement, and fails to enforce authorisation on that action, allowing authenticated users with minimal permissions, such as subscribers, to perform SQL injection attacks. |
| Unauthenticated Arbitrary File Download in WP Media folder Addon <= 4.0.1 versions. |
| Unauthenticated SQL Injection in Tutor LMS Pro <= 3.9.6 versions. |
| Unauthenticated SQL Injection in Blocksy Companion Pro < 2.1.29 versions. |
| Contributor Local File Inclusion in Element Pack Pro <= 9.0.6 versions. |
| Contributor Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.37 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Profile Builder Pro <= 3.15.0 versions. |
| Unauthenticated Broken Authentication in PowerPack Pro for Elementor < v2.13.0 versions. |
| Unauthenticated Cross Site Scripting (XSS) in WPFunnels Pro <= 2.9.4 versions. |
| Unauthenticated Broken Authentication in SMS Alert Order Notifications <= 3.9.3 versions. |
| Unauthenticated SQL Injection in WP eMember < v10.9.4 versions. |
| Unauthenticated Cross Site Scripting (XSS) in SweetDate Core < 1.1.5 versions. |
| Redis Lua HEAP overflow in cjson library vulnerability in Apache Kvrocks.
This issue affects Apache Kvrocks: from 2.0.4 through 2.15.0.
Users are recommended to upgrade to version 2.16.0, which fixes the issue. |
| Subscriber Sensitive Data Exposure in Visual Link Preview <= 2.3.1 versions. |
| Subscriber SQL Injection in SALESmanago & Leadoo <= 3.11.2 versions. |
| Unauthenticated Broken Access Control in Motors <= 1.4.109 versions. |
| Unauthenticated Broken Access Control in Five Star Restaurant Reservations <= 2.7.19 versions. |
| Unauthenticated SQL Injection in Premmerce Wishlist for WooCommerce <= 1.1.11 versions. |
| Subscriber PHP Object Injection in EventPrime <= 4.3.4.1 versions. |
