CVE-2025-4670 Easy Digital Downloads <= 3.3.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via edd_receipt Shortcode

The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's eddreceipt shortcode in all versions up to, and including, 3.3.8.1 due to insufficient input sanitization and output escaping on user...

BIT-GITLAB-2025-0993 Allocation of Resources Without Limits or Throttling in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. This could allow an authenticated attacker to cause a denial of service condition by exhausting server resources...

CVE-2024-9521

The SEO Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post meta in versions up to, and including, 1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level a...

CVE-2024-46333

An authenticated cross-site scripting XSS vulnerability in Piwigo v14.5.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Album Name parameter under the Add Album function...

CVE-2024-38269

An improper restriction of operations within the bounds of a memory buffer in the USB file-sharing handler of the Zyxel VMG8825-T50K firmware versions through 5.50ABOM.8C0 could allow an authenticated attacker with administrator privileges to cause potential memory corruptions, resulting in a...

CVE-2024-7418

The The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.7.11 via the postqueryguten and postquery functions. This makes it possible for authenticated attackers,...

CVE-2024-37665

An access control issue in Wvp GB28181 Pro 2.0 allows authenticated attackers to escalate privileges to Administrator via a crafted POST request...

CVE-2024-47579

An attacker authenticated as an administrator can use an exposed webservice to upload or download a custom PDF font file on the system server. Using the upload functionality to copy an internal file into a font file and subsequently using the download functionality to retrieve that file allows th...

CVE-2024-20383

A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager could allow an authenticated, remote attacker to conduct an XSS attack against a user of the interface. This vulnerability is due to insufficient validation of user input. An...

CVE-2024-5419

The Void Contact Form 7 Widget For Elementor Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cf7redirectpage' attribute within the plugin's Void Contact From 7 widget in all versions up to, and including, 2.4 due to insufficient input sanitization and outpu...

CVE-2025-5096 TablePress <= 3.1.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Parameters

The TablePress plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the 'data-caption', 'data-s-content-padding', 'data-s-title', and 'data-footer' data-attributes in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. Th...

CVE-2024-1172

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Accordion widget in all versions up to, and including, 5.9.8 due to insufficient input sanitization and output...

CVE-2024-1570

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's login-password shortcode in all versions up to, and including, 4.14.4 due to insufficient...

CVE-2024-4203

The Premium Addons Pro for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the maps widget in all versions up to, and including, 4.10.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2024-20300

A vulnerability in the web-based management interface of Cisco Firepower Management Center FMC Software could allow an authenticated, remote attacker to conduct a cross-site scripting XSS attack against a user of the interface of an affected device. This vulnerability is due to insufficient...

CVE-2024-20264

A vulnerability in the web-based management interface of Cisco Firepower Management Center FMC Software could allow an authenticated, remote attacker to conduct a cross-site scripting XSS attack against a user of the interface of an affected device. This vulnerability is due to insufficient...

CVE-2024-8881

A post-authentication command injection vulnerability in the CGI program in the Zyxel GS1900-48 switch firmware version V2.80AAHN.1C0 and earlier could allow an authenticated, LAN-based attacker with administrator privileges to execute some operating system OS commands on an affected device by...

CVE-2024-8987

The Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's youzifymedia shortcode in all versions up to, and including, 1.3.0 due to insufficient input sanitization and outpu...

CVE-2024-6155

The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Authenticated Subscriber+ Server-Side Request Forgery and Stored Cross Site Scripting in all versions up to, and including, 9.0.0 due to a missing capability check in the greenshiftdownloadfilelocaly function...

CVE-2024-20472

A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center FMC Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability exists because the web-based management interface does not validat...