| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Unauthenticated SQL Injection in Simply Schedule Appointments <= 1.6.9.27 versions. |
| Unauthenticated SQL Injection in WP Photo Album Plus <= 9.1.08.001 versions. |
| Unauthenticated Broken Access Control in AWP Classifieds <= 4.4.4 versions. |
| Unauthenticated Privilege Escalation in WP BASE Booking <= 5.9.0 versions. |
| Unauthenticated Broken Access Control in Tutor LMS <= 3.9.7 versions. |
| Unauthenticated SQL Injection in Contest Gallery <= 28.1.6 versions. |
| Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions. |
| Unauthenticated SQL Injection in Funnel Builder by FunnelKit <= 3.15.0.1 versions. |
| Unauthenticated Broken Access Control in AI Product Search for WooCommerce – Motive Commerce Search <= 1.38.2 versions. |
| Unauthenticated SQL Injection in Realtyna Organic IDX plugin <= 5.1.0 versions. |
| Unauthenticated Insecure Direct Object References (IDOR) in Simple Shopping Cart <= 5.2.9 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Stop Spammers <= 2026.3 versions. |
| A denial-of-service vulnerability exists in the WebSocket API due to insufficient validation and handling of JSON-based requests. A low-privileged authenticated attacker can send a specially crafted request that causes service disruption and may result in an unexpected device reboot. |
| A race condition in OpenVPN 2.6.0 through 2.6.19 and 2.7_alpha1 through 2.7.1 allows remote attackers to potentially cause a server crash or leak heap memory via a use-after-free triggered during TLS session promotion. |
| Unauthenticated Broken Access Control in JupiterX Core <= 4.14.1 versions. |
| bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer. This could crash the process when processing untrusted data. |
| Unauthenticated Broken Access Control in WooCommerce POS <= 1.8.14 versions. |
| Unauthenticated PHP Object Injection in Integration for Contact Form 7 and Constant Contact <= 1.1.6 versions. |
| Unauthenticated PHP Object Injection in Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.8 versions. |
| Slim is a PHP micro framework that enables users to write simple web applications and APIs. In versions 4.4.0 through 4.15, if an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data in the error title or description (e.g. "No products found matching '{$query}'."), an attacker could inject arbitrary HTML/JavaScript that executes in the victim's browser when they encounter an HTML error page generated by Slim. The vulnerability is present even with displayErrorDetails = false as the unescaped title and description are rendered on this error path. Built-in exceptions (HttpNotFoundException, HttpBadRequestException, etc.) ship plain-text defaults, so a vanilla Slim app with no user code is not exploitable. Only applications that feed untrusted data into setTitle() and/or setDescription() are affected. The issue has been fixed in 4.15.2. If developers are unable to immediately update their applications, they can work around this issue by avoiding passing untrusted/request-derived data into HttpException::setTitle() and setDescription() and using static, plain-text error copy instead.
They should also register a custom error renderer (an ErrorRendererInterface implementation, or a subclass of HtmlErrorRenderer that escapes the title and description) for the HTML media type. |
