| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Server-Side Request Forgery (SSRF) vulnerability in Adam Pery Animate allows Server Side Request Forgery. This issue affects Animate: from n/a through 0.5. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdrift.no Landing pages and Domain aliases for WordPress allows Stored XSS. This issue affects Landing pages and Domain aliases for WordPress: from n/a through 0.8. |
| Missing Authorization vulnerability in vinodvaswani9 Bulk Assign Linked Products For WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Bulk Assign Linked Products For WooCommerce: from n/a through 2.1. |
| Missing Authorization vulnerability in VW Themes Sirat allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sirat: from n/a through 1.5.1. |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in cedcommerce Product Lister for eBay allows PHP Local File Inclusion. This issue affects Product Lister for eBay: from n/a through 2.0.9. |
| The eForm - WordPress Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.18.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| Vestel AC Charger
version
3.75.0 contains a vulnerability that
could enable an attacker to access files containing sensitive
information, such as credentials which could be used to further
compromise the device. |
| An issue in the Printer Manager Systm of Entrust Corp Printer Manager D3.18.4-3 and below allows attackers to execute a directory traversal via a crafted POST request. |
| The Contact Form by Bit Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.18.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. |
| Andamiro Pump It Up 20th Anniversary (aka Double X or XX/2019) 1.00.0-2.08.3 allows a physically proximate attacker to cause a denial of service (application crash) via certain deselect actions. |
| An XSS issue was discovered in the Flag module before 1.x-3.6.2 for Backdrop CMS. Flag is a module that allows flags to be added to nodes, comments, users, and any other type of entity. It doesn't verify flag links before performing the flag action, or verify that the response returned was provided by the flag module. This can allow crafted HTML to result in Cross Site Scripting. This is mitigated by the fact that an attacker must have a role with permission to create links on the website, for example: create or edit comments or content with a filtered text format. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MyThemeShop WP Quiz allows Stored XSS.This issue affects WP Quiz: from n/a through 2.0.10. |
| React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values โโof the data object passed to the HTML. This issue has been patched in version 7.5.2. |
| React Router is a router for React. Starting in version 7.2.0 and prior to version 7.5.2, it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the page. If a cache system is in place, this allows the response containing the error to be cached, resulting in a cache poisoning that strongly impacts the availability of the application. This issue has been patched in version 7.5.2. |
| The 1 Decembrie 1918 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.dec.2012. This is due to missing or incorrect nonce validation on the 1-decembrie-1918/1-decembrie-1918.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| The Prevent Direct Access โ Protect WordPress Files plugin for WordPress is vulnerable to unauthorized access and modification of data| due to a misconfigured capability check on the 'pda_lite_custom_permission_check' function in versions 2.8.6 to 2.8.8.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to access and change the protection status of media. |
| The Upsell Funnel Builder for WooCommerce plugin for WordPress is vulnerable to order manipulation in all versions up to, and including, 3.0.0. This is due to the plugin allowing the additional product ID and discount field to be manipulated prior to processing via the 'add_offer_in_cart' function. This makes it possible for unauthenticated attackers to arbitrarily update the product associated with any order bump, and arbitrarily update the discount applied to any order bump item, when adding it to the cart. |
| An improper XML parsing vulnerability was reported in the FileZ client that could allow arbitrary file reads on the system if a crafted url is visited by a local user. |
| A cross-site scripting vulnerability was reported in the FileZ client that could allow execution of code if a crafted url is visited by a local user. |
| An open redirect vulnerability was reported in the FileZ client that could allow information disclosure if a crafted url is visited by a local user. |
