| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Unauthenticated SQL Injection in Feed KuantoKusta for WooCommerce – Free <= 5.3 versions. |
| The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action__remove_abandoned() function, which is registered to both the wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned hooks. The handler takes a user-supplied recover_id parameter from $_POST and passes it directly to wp_delete_post() with the force-delete flag set to true, without verifying that the ID belongs to the plugin's own cf7af_data post type. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, or other content on the affected site by sending a single admin-ajax. |
| Editor Remote Code Execution (RCE) in Responsive Slider by MetaSlider <= 3.106.0 versions. |
| Contributor PHP Object Injection in Anti-Malware Security and Brute-Force Firewall <= 4.23.87 versions. |
| Unauthenticated SQL Injection in GeekyBot <= 1.2.0 versions. |
| Unauthenticated SQL Injection in Simply Schedule Appointments <= 1.6.9.27 versions. |
| Unauthenticated SQL Injection in WP Photo Album Plus <= 9.1.08.001 versions. |
| Unauthenticated Broken Access Control in AWP Classifieds <= 4.4.4 versions. |
| Unauthenticated Privilege Escalation in WP BASE Booking <= 5.9.0 versions. |
| Unauthenticated Broken Access Control in Tutor LMS <= 3.9.7 versions. |
| Unauthenticated SQL Injection in Contest Gallery <= 28.1.6 versions. |
| Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions. |
| Unauthenticated SQL Injection in Funnel Builder by FunnelKit <= 3.15.0.1 versions. |
| Unauthenticated Broken Access Control in AI Product Search for WooCommerce – Motive Commerce Search <= 1.38.2 versions. |
| Unauthenticated SQL Injection in Realtyna Organic IDX plugin <= 5.1.0 versions. |
| Unauthenticated Insecure Direct Object References (IDOR) in Simple Shopping Cart <= 5.2.9 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Stop Spammers <= 2026.3 versions. |
| A denial-of-service vulnerability exists in the WebSocket API due to insufficient validation and handling of JSON-based requests. A low-privileged authenticated attacker can send a specially crafted request that causes service disruption and may result in an unexpected device reboot. |
| A race condition in OpenVPN 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 allows remote attackers to potentially cause a server crash or leak heap memory via a use-after-free triggered during TLS session promotion. |
| Unauthenticated Broken Access Control in JupiterX Core <= 4.14.1 versions. |
