1183 matches found

NVD
added 2025/07/08 1:15 a.m. · 2 views

CVE-2025-42960

SAP Business Warehouse and SAP BW/4HANA BEx Tools allow an authenticated attacker to gain higher access levels than intended by exploiting improper authorization checks. This could potentially impact data integrity by allowing deletion of user table entries. It has no impact on the confidentialit...

CVSS 4.3 · EPSS 0.0019
Exploits: 0 · References: 2

CNNVD
added 2025/07/08 12:0 a.m. · 2 views

Fortinet Multiple Products SQL Injection Vulnerability

Fortinet FortiManager and others are products of Fortinet, Inc. Fortinet FortiManager is a centralized network security management platform. Fortinet FortiAnalyzer is a centralized network security reporting solution. Fortinet FortiManager VM is a centralized network security management...

CVSS 2.7 · AI score 7.2 · EPSS 0.00247
Exploits: 0 · References: 2

CVE
added 2025/07/05 12:0 a.m. · 42 views

CVE-2025-47228

CVE-2025-47228 affects Netmake ScriptCase, Production Environment extension, up to version 9.12.006(23). A shell injection flaw exists in the SSH connection settings that, when paired with authenticated access and crafted HTTP requests, allows an attacker to execute system commands on the server....

CVSS 6.7 · AI score 7.1 · EPSS 0.14441
Exploits: 4 · References: 3

GithubExploit
added 2025/07/04 10:57 a.m. · 285 views

Exploit for Unrestricted Upload of File with Dangerous Type in Wpvivid Migration, Backup, Staging

🚨 Migration, Backup, Staging – WPvivid Backup & Migration 📈...

CVSS 7.2 · AI score 7.3 · EPSS 0.06479
Exploits: 3

Vulnrichment
added 2025/07/04 7:22 a.m. · 3 views

CVE-2025-6673 Easy restaurant menu manager <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via `nsc_eprm_menu_link` Shortcode

The Easy restaurant menu manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's nsc_eprm_menu_link shortcode in versions up to, and including 2.0.1, due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 6.4 · AI score 6 · EPSS 0.00218
Exploits: 0 · References: 3

Vulnrichment
added 2025/07/04 5:23 a.m. · 2 views

CVE-2025-6944 Uncode Core <= 2.9.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes

The Uncode Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'uncodehltext' and 'uncodetexticon' shortcodes in all versions up to, and including, 2.9.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVSS 6.4 · AI score 5.9 · EPSS 0.00182
Exploits: 0 · References: 2

Vulnrichment
added 2025/07/04 2:22 a.m. · 4 views

CVE-2025-5567 Shortcodes Ultimate <= 7.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-url' Attribute

The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-url' DOM element attribute in all versions up to, and including, 7.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticate...

CVSS 6.4 · AI score 5.5 · EPSS 0.00175
Exploits: 0 · References: 2

CVE
added 2025/07/03 6:44 a.m. · 35 views

CVE-2024-9017

CVE-2024-9017 : The PeepSo Core: Groups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Group Description field in all versions up to and including 6.4.6.0. Exploitation requires authenticated access at Subscriber level or higher, enabling an attacker to inject scripts t...

CVSS 6.4 · AI score 5.6 · EPSS 0.00204
Exploits: 0 · References: 2

Vulnrichment
added 2025/07/02 3:47 a.m. · 3 views

CVE-2025-5014 Home Villas | Real Estate WordPress Theme <= 2.8 - Authenticated (Subscriber+) Arbitrary File Deletion

The Home Villas | Real Estate WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wpremcswidgetfiledelete' function in all versions up to, and including, 2.8. This makes it possible for authenticated attackers, with...

CVSS 8.8 · AI score 7.9 · EPSS 0.00659
Exploits: 0 · References: 2

CVE
added 2025/06/29 4:23 a.m. · 25 views

CVE-2025-6462

CVE-2025-6462 affects the WordPress plugin EZ SQL Reports Shortcode Widget and DB Backup, with a Stored Cross-Site Scripting via the SQLREPORT shortcode in all versions up to 5.25.11. Exploitation requires authenticated access at contributor level or higher. Multiple connected reports note this v...

CVSS 6.4 · AI score 6.2 · EPSS 0.00198
Exploits: 0 · References: 3 · Affected Software: 1

Vulnrichment
added 2025/06/28 4:21 a.m. · 4 views

CVE-2025-6252 Qi Addons For Elementor <= 1.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Qi Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 1.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level...

CVSS 6.4 · AI score 5.5 · EPSS 0.0021
Exploits: 0 · References: 3

CVE
added 2025/06/27 9:23 a.m. · 28 views

CVE-2025-5398

CVE-2025-5398 affects Ninja Forms – The Contact Form Builder That Grows With You (WordPress plugin). The CVE describes a Stored Cross-Site Scripting (CSTI) vulnerability due to insufficient output escaping in the templating engine, impacting all versions up to and including 3.10.2.1. Exploitation...

CVSS 6.4 · AI score 5.8 · EPSS 0.00198
Exploits: 0 · References: 3 · Affected Software: 1

Cvelist
added 2025/06/27 9:23 a.m. · 9 views

CVE-2025-5398 Ninja Forms <= 3.10.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via CSTI

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the use of a templating engine in all versions up to, and including, 3.10.2.1 due to insufficient output escaping on user data passed through the template. This mak...

CVSS 6.4 · EPSS 0.00198
Exploits: 0 · References: 3

CVE
added 2025/06/27 7:22 a.m. · 25 views

CVE-2025-5940

CVE-2025-5940 Osom Blocks for WordPress is affected by a Stored Cross-Site Scripting via the class_name parameter in all versions up to 1.2.1. Exploitation requires authenticated access at Contributor level or higher, and triggers script execution when a page is loaded. The vulnerability is conf...

CVSS 6.4 · AI score 5.6 · EPSS 0.00205
Exploits: 0 · References: 4 · Affected Software: 1

RedhatCVE
added 2025/06/27 3:26 a.m. · 10 views

CVE-2025-5585

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-url DOM Element Attribute in all versions up to, and including, 1.68.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4 · AI score 6 · EPSS 0.00165
Exploits: 0 · References: 1

Positive Technologies
added 2025/06/27 12:0 a.m. · 3 views

PT-2025-27229 · Raspap · Raspap

Name of the Vulnerable Software and Affected Versions: RaspAP raspap-webgui version 3.3.1 Description: The issue allows an authenticated attacker to perform a Directory Traversal attack. This is achieved by sending a crafted POST request to the "ajax/networking/get wgkey.php" endpoint with a path...

CVSS 8.7 · AI score 7.4 · EPSS 0.00598
Exploits: 1 · References: 8

Cvelist
added 2025/06/26 9:22 a.m. · 7 views

CVE-2025-5842 Modern Design Library <= 1.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via class Parameter

The Modern Design Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class’ parameter in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level...

CVSS 6.4 · EPSS 0.00279
Exploits: 0 · References: 4

Vulnrichment
added 2025/06/26 2:22 a.m. · 2 views

CVE-2025-6540 web-cam <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via slug Parameter

The web-cam plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slug’ parameter in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above,...

CVSS 6.4 · AI score 6.1 · EPSS 0.00218
Exploits: 0 · References: 3

CVE
added 2025/06/26 2:22 a.m. · 30 views

CVE-2025-5275

CVE-2025-5275 covers a Stored XSS in the WordPress plugin Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More (versions up to 1.8.6.1). Root cause: insufficient input sanitization and output escaping in privacy settings. Exploitation requires authenticated adm...

CVSS 4.4 · AI score 5.9 · EPSS 0.00181
Exploits: 0 · References: 2 · Affected Software: 1

Cvelist
added 2025/06/26 2:6 a.m. · 6 views

CVE-2025-5564 GC Social wall <= 1.15 - Authenticated (Contributor+) Stored Cross-Site Scripting

The GC Social Wall plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gcsocialwall' shortcode in all versions up to, and including, 1.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...

CVSS 6.4 · EPSS 0.00182
Exploits: 0 · References: 2