1185 matches found

Source: Cvelist, added 2025/03/22 6:41 a.m., 13 views

CVE-2025-2478 Code Clone <= 0.9 - Authenticated (Administrator+) SQL Injection via snippetId Parameter

The Code Clone plugin for WordPress is vulnerable to time-based SQL Injection via the 'snippetId' parameter in all versions up to, and including, 0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible fo...

CVSS 4.9, EPSS 0.00367, Exploits 0, References 3

Source: Cvelist, added 2025/03/22 6:41 a.m., 15 views

CVE-2025-2303 Block Logic <= 1.0.8 - Authenticated (Contributor+) Remote Code Execution

The Block Logic – Full Gutenberg Block Display Control plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.8 via the blocklogicchecklogic function. This is due to the unsafe evaluation of user-controlled input. This makes it possible for...

CVSS 8.8, EPSS 0.00791, Exploits 0, References 3

Source: Vulnrichment, added 2025/03/19 11:10 a.m., 11 views

CVE-2025-2511 AHAthat Plugin <= 1.6 - Authenticated (Administrator+) SQL Injection via id Parameter

The AHAthat Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' parameter in all versions up to, and including, 1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

CVSS 4.9, AI score 7.5, EPSS 0.00328, Exploits 0, References 2

Source: NVD, added 2025/03/13 5:15 a.m., 9 views

CVE-2025-1503

The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Roundup Recipe Name field in all versions up to, and including, 9.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-leve...

CVSS 6.4, EPSS 0.00212, Exploits 0, References 2

Source: RedhatCVE, added 2025/03/13 3:44 a.m., 10 views

CVE-2024-12010

A post-authentication command injection vulnerability in the "zyUtilMailSend" function of the Zyxel AX7501-B1 firmware version V5.17ABPC.5.3C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system OS commands on a vulnerable device...

CVSS 7.2, AI score 7.6, EPSS 0.01052, Exploits 0, References 1

Source: RedhatCVE, added 2025/03/13 3:43 a.m., 6 views

CVE-2024-11253

A post-authentication command injection vulnerability in the "DNSServer" parameter of the diagnostic function in the Zyxel VMG8825-T50K firmware version V5.50ABOM.8.5C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system OS commands on a...

CVSS 7.2, AI score 7.6, EPSS 0.01128, Exploits 0, References 1

Source: ATTACKERKB, added 2025/03/11 3:15 p.m., 1 view

CVE-2023-37933

An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability (CWE-79) in FortiADC GUI version 7.4.0, 7.2.0 through 7.2.1 and before 7.1.3 allows an authenticated attacker to perform an XSS attack via crafted HTTP or HTTPS requests...

CVSS 8.8, AI score 5.8, EPSS 0.00302, Exploits 0, References 2, Affected Software 1

Source: Vulnrichment, added 2025/03/08 11:16 a.m., 5 views

CVE-2024-13675 SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the "Icon List" Block in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 6.4, AI score 5.8, EPSS 0.00198, Exploits 0, References 2

Source: CVE, added 2025/03/08 11:16 a.m., 57 views

CVE-2024-13649

CVE-2024-13649 concerns the WordPress plugin "140+ Widgets | Xpro Addons For Elementor – FREE". The vulnerability is a stored Cross-Site Scripting (XSS) condition in several widgets, caused by insufficient input sanitization and output escaping. Affected product: Xpro Elementor Addons for Element...

CVSS 6.4, AI score 5.7, EPSS 0.00247, Exploits 0, References 3, Affected Software 1

Source: Cvelist, added 2025/03/08 8:22 a.m., 24 views

CVE-2025-1287 The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

The "The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown, Syntax Highlighter, and Page Scroll widgets in all versions up to, and including, 6.2.2 due to insufficient...

CVSS 6.4, EPSS 0.00272, Exploits 0, References 5

Source: Vulnrichment, added 2025/03/07 8:21 a.m., 10 views

CVE-2024-13781 Hero Maps Premium - Customizable Google Maps Plugin <= 2.3.9 - Authenticated (Subscriber+) SQL Injection

The Hero Maps Premium plugin for WordPress is vulnerable to SQL Injection via several AJAX actions in all versions up to, and including, 2.3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

CVSS 6.5, AI score 7.5, EPSS 0.00316, Exploits 0, References 2

Source: Vulnrichment, added 2025/03/07 6:40 a.m., 5 views

CVE-2024-12809 Wishlist <= 1.0.43 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wishlistbutton' shortcode in all versions up to, and including, 1.0.43 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVSS 6.4, AI score 5.9, EPSS 0.00281, Exploits 0, References 4

Source: Cvelist, added 2025/03/05 9:21 a.m., 11 views

CVE-2024-13747 WooMail - WooCommerce Email Customizer <= 3.0.34 - Authenticated (Subscriber+) Missing Authorization to SQL Injection

The WooMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'templatedeletesaved' function in all versions up to, and including, 3.0.34. This makes it possible for authenticated attackers, with Subscriber-leve...

CVSS 4.3, EPSS 0.00223, Exploits 0, References 2

Source: Vulnrichment, added 2025/03/05 8:21 a.m., 4 views

CVE-2025-1008 Recently Purchased Products For Woo <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via view Parameter

The Recently Purchased Products For Woo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'view' parameter in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4, AI score 5.9, EPSS 0.00282, Exploits 0, References 4

Source: CVE, added 2025/03/03 7:38 p.m., 56 views

CVE-2024-51947

ArcGIS Server (Esri) vulnerable: stored XSS in ArcGIS Server versions 11.3 and below via a crafted link, exploitable by a remote, authenticated attacker with publisher privileges. Impact is low on confidentiality and integrity; no impact to availability. Root cause: stored cross-site scripting in...

CVSS 4.8, AI score 5.2, EPSS 0.00245, Exploits 0, References 1, Affected Software 1

Source: OSV, added 2025/03/01 7:15 a.m., 2 views

CVE-2025-1459

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Embedded VideoPB widget in all versions up to, and including, 2.31.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 5.4, AI score 5.9, EPSS 0.00215, Exploits 0, References 2

Source: Cvelist, added 2025/03/01 6:39 a.m., 16 views

CVE-2025-1459 Page Builder by SiteOrigin <= 2.31.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Embedded VideoPB widget in all versions up to, and including, 2.31.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4, EPSS 0.00215, Exploits 0, References 2

Source: NVD, added 2025/03/01 6:15 a.m., 9 views

CVE-2024-13901

The Counter Box: Add Engaging Countdowns, Timers & Counters to Your WordPress Site plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the 'content' parameter in all versions up to, and including, 2.0.6 due to insufficient input sanitization and output escaping. This...

CVSS 4.8, EPSS 0.00265, Exploits 0, References 3

Source: Vulnrichment, added 2025/02/28 7:03 a.m., 12 views

CVE-2025-1571 Exclusive Addons for Elementor <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Animated Text and Image Comparison Widgets

The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Animated Text and Image Comparison Widgets in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This...

CVSS 6.4, AI score 5.8, EPSS 0.00264, Exploits 0, References 3

Source: Vulnrichment, added 2025/02/28 7:03 a.m., 8 views

CVE-2025-0764 wpForo Forum <= 2.4.1 - Authenticated (Subscriber+) Arbitrary File Read in update

The wpForo Forum plugin for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'update' method of the 'Members' class in all versions up to, and including, 2.4.1. This makes it possible for authenticated attackers, with subscriber-level privileges or higher...

CVSS 6.5, AI score 6.3, EPSS 0.00346, Exploits 0, References 2