CVE-2025-6538 Post Rating and Review <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via class Parameter

The Post Rating and Review plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class’ parameter in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level...

CVE-2025-6538

CVE-2025-6538 affects the WordPress plugin “Post Rating and Review” (all versions ≤ 1.3.4). Root cause: insufficient input sanitization and output escaping in the class parameter, enabling stored XSS. Impact: authenticated attackers with Contributor+ access can inject scripts executed when users ...

CVE-2025-5588 Image Editor by Pixo <= 2.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via download Parameter

The Image Editor by Pixo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘download’ parameter in all versions up to, and including, 2.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-leve...

CVE-2025-53073

In Sentry 25.1.0 through 25.5.1, an authenticated attacker can access a project's issue endpoint and perform unauthorized actions such as adding a comment without being a member of the project's team. A seven-digit issue ID must be known it is not treated as a secret and might be mentioned...

CVE-2024-51984 Authenticated disclosure of external service passwords via pass-back attack affecting multiple models from Brother Industries, Ltd, FUJIFILM Business Innovation, Ricoh, Toshiba Tec, and Konica Minolta, Inc.

An authenticated attacker can reconfigure the target device to use an external service such as LDAP or FTP controlled by the attacker. If an existing password is present for an external service, the attacker can force the target device to authenticate to an attacker controlled device using the...

CVE-2024-51984

CVE-2024-51984 describes an authentication-based credential disclosure risk affecting multiple Brother-branded devices and peers (Konica Minolta, FUJIFILM, Ricoh, Toshiba Tec) via pass-back to external services. An authenticated attacker can reconfigure a target device to use an attacker-controll...

CVE-2024-51979 Authenticated stack based buffer overflow affecting multiple models from Brother Industries, Ltd, FUJIFILM Business Innovation, Ricoh, and Konica Minolta, Inc.

An authenticated attacker may trigger a stack based buffer overflow by performing a malformed request to either the HTTP service TCP port 80, the HTTPS service TCP port 443, or the IPP service TCP port 631. The malformed request will contain an empty Origin header value and a malformed Referer...

CVE-2024-51979 Authenticated stack based buffer overflow affecting multiple models from Brother Industries, Ltd, FUJIFILM Business Innovation, Ricoh, and Konica Minolta, Inc.

An authenticated attacker may trigger a stack based buffer overflow by performing a malformed request to either the HTTP service TCP port 80, the HTTPS service TCP port 443, or the IPP service TCP port 631. The malformed request will contain an empty Origin header value and a malformed Referer...

CVE-2025-5585

The CVE-2025-5585 entry concerns the SiteOrigin Widgets Bundle plugin for WordPress. A Stored Cross-Site Scripting flaw exists in all versions up to 1.68.4 (and discussed variants up to 1.68.5 in related advisories) due to insufficient input sanitization and output escaping, specifically via the ...

CVE-2024-56916

A cross-site scripting flaw was found in Netbox. An attacker with an authenticated account on the system can add malicious Javascript code to a banner field and potentially execute this code in the context of another user's session. Mitigation Mitigation for this issue is either not available or...

CVE-2025-5258 Conference Scheduler <= 2.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter

The Conference Scheduler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-lev...

CVE-2024-56916

In Netbox Community 4.1.7, once authenticated, Configuration History Addis vulnerable to cross-site scripting XSS due to the current value field rendering user supplied html. An authenticated attacker can leverage this to add malicious JavaScript to the any banner field. Once a victim edits a...

CVE-2024-56916

In Netbox Community 4.1.7, once authenticated, Configuration History Addis vulnerable to cross-site scripting XSS due to the current value field rendering user supplied html. An authenticated attacker can leverage this to add malicious JavaScript to the any banner field. Once a victim edits a...

CVE-2024-56916

CVE-2024-56916 (NetBox Community 4.1.7) is a cross-site scripting (XSS) vulnerability in the Configuration History &gt; Add feature, caused by the current value field rendering user-supplied HTML. An authenticated attacker can inject malicious JavaScript into the banner field, and the payload tri...

CVE-2025-52922

CVE-2025-52922 affects Innoshop up to 0.4.1, where a directory-traversal flaw in the FileManager API endpoints allows an authenticated admin to map the filesystem, create directories, read files, delete files, and create files by moving them. Affected endpoints include /api/file_manager/files?bas...

CVE-2025-52921

Innoshop up to version 0.4.1 contains a server-side code execution flaw in the File Manager of the admin panel. An authenticated attacker can upload a crafted file and bypass the image-only check by renaming the file to a .php extension (renaming function), enabling a subsequent GET request to ex...

CVE-2025-34510

Sitecore Experience Manager XM, Experience Platform XP, and Experience Commerce XC versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip Slip vulnerability. A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing...

CVE-2025-5673

The CVE-2025-5673 entry concerns WordPress Blog2Social: Social Media Auto Post & Scheduler plugin. Affected versions up to 8.4.4 are vulnerable to SQL Injection via the prgSortPostType parameter, caused by insufficient escaping of user input and inadequate query preparation. This allows authentic...

CVE-2025-5923

The Game Review Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 4.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level...

CVE-2025-6070 Restrict File Access <= 1.1.2 - Authenticated (Subscriber+) Arbitrary File Read

The Restrict File Access plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.2 via the output function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server...