Slider Hero < 8.7.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description The Slider Hero with Animation, Video Background plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
CVE-2024-2742
Planet IGS-4215-16T2S (firmware 1.305b210528) is affected by an OS command injection vulnerability exploitable by an authenticated attacker through the IP address functionality. The issue allows executing arbitrary commands on the remote host. Public details confirm the vulnerability, including a...
Cross site scripting
The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button1icon' attribute of the Dual Button widget in all versions up to, and including, 1.12.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...
JetWidgets For Elementor < 1.0.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via Animated Box Widget
Description The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Animated Box widget in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
Schoolbox SQL Injection Vulnerability
Schoolbox is an online learning platform from Schoolbox Australia. A SQL injection vulnerability exists in Schoolbox versions prior to 23.1.3, stemming from a blind SQL injection flaw that allows an authenticated attacker to read, modify, and delete database records...
BIT-GITLAB-2022-3060
Improper control of a resource identifier in Error Tracking in GitLab CE/EE affecting all versions from 12.7 allows an authenticated attacker to generate content which could cause a victim to make unintended arbitrary requests...
CVE-2024-1731 Auto Refresh Single Page <= 1.1 - Authenticated (Contributor+) PHP Object Injection
The Auto Refresh Single Page plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1 via deserialization of untrusted input from the arspoptions post meta option. This makes it possible for authenticated attackers, with contributor-level access and...
CVE-2024-1172
The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Accordion widget in all versions up to, and including, 5.9.8 due to insufficient input sanitization and output...
Slivery Extender <= 1.0.2 - Authenticated (Contributor+) Remote Code Execution via shortcode
Description The Slivery Extender plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.2 via the 'sliderthemesection' function. This is due to the use of call_user_func on one of the shortcode attributes. This makes it possible for authenticated...
PT-2024-19477 · Linksys · Linksys Router E1700
Name of the Vulnerable Software and Affected Versions: Linksys Router E1700 version 1.0.04 build 3 Description: An issue was discovered in the Linksys Router E1700, allowing authenticated attackers to execute arbitrary code via the setDateTime function. Recommendations: For Linksys Router E1700...
Brizy – Page Builder < 2.4.41 - Authenticated (Contributor+) Arbitrary File Upload
Description The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the storeImages function in all versions up to, and including, 2.4.40. This makes it possible for authenticated attackers, with contributor access or above, to...
Academy LMS – eLearning and online course solution for WordPress < 1.9.20 - Authenticated (Subscriber+) Privilege Escalation
Description The Academy LMS – eLearning and online course solution for WordPress plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.9.19. This is due to the plugin allowing arbitrary user meta updates through the saveduserinfo function. This makes it...
CVE-2024-0167
Dell Unity (unified hybrid storage array) is affected by CVE-2024-0167 prior to version 5.4. The vulnerability is an OS command injection in the svc_topstats utility that an authenticated, local attacker can exploit to overwrite arbitrary files on the filesystem with root privileges. Impact is hi...
CVE-2024-0168
Dell Unity, versions prior to 5.4, contains a Command Injection Vulnerability in svcoscheck utility. An authenticated attacker could potentially exploit this vulnerability, leading to the ability to inject arbitrary operating system commands. This vulnerability allows an authenticated attacker to...
Exploit for Code Injection in Oretnom23 Simple_Student_Attendance_System
CVE-2023-51801 Simple Student Attendance System v.1.0 - Mult...
CVE-2023-6994
The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode in all versions up to, and including, 0.89.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2023-37932
An improper limitation of a pathname to a restricted directory ('path traversal') vulnerability (CWE-22) in FortiVoice Enterprise version 7.0.0 and before 6.4.7 allows an authenticated attacker to read arbitrary files from the system via sending crafted HTTP or HTTPS requests...
Icegram < 3.1.20 - Authenticated (Contributor+) Stored Cross-Site Scripting via Campaign Message
Description The Icegram plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the campaign message field in versions up to, and including, 3.1.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...
MSync <= 1.0.0 - Authenticated (Administrator+) SQL Injection
Description The MSync plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with...
CVE-2023-46857
Squidex before 7.9.0 allows XSS via an SVG document to the Upload Assets feature. This occurs because there is an incomplete blacklist in the SVG inspection, allowing JavaScript in the SRC attribute of an IFRAME element. An authenticated attacker with assets.create permission is required for...