63 matches found
WordPress S2B AI Assistant – ChatBot, ChatGPT, OpenAI, Content & Image Generator plugin <= 1.7.8 - Authenticated (Editor+) Arbitrary File Upload vulnerability
Authenticated Editor+ Arbitrary File Upload vulnerability discovered by Ryan Kozak in WordPress Plugin S2B AI Assistant versions = 1.7.8...
CVE-2025-8084 AI Engine <= 3.1.8 - Authenticated (Editor+) Server-Side Request Forgery
The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.8 via the resthelperscreateimages function. This makes it possible for authenticated attackers, with Editor-level access and above, to make web requests to arbitrary locations...
CVE-2025-10686
The CVE-2025-10686 has concrete details across multiple sources: Creta Testimonial Showcase WordPress plugin prior to v1.2.4 is vulnerable to Local File Inclusion. Authenticated users with editor-level access or higher can include and execute arbitrary PHP files on the server, enabling code execu...
CVE-2025-12538 Fleet Manager <= 2.5.1 - Authenticated (Editor+) Stored Cross-Site Scripting
The Fleet Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and abov...
WordPress Nari Accountant plugin <= 1.0.12 - Authenticated (Editor+) Stored Cross-Site Scripting vulnerability
Authenticated Editor+ Stored Cross-Site Scripting vulnerability discovered by Ivan Cese in WordPress Plugin Nari Accountant versions = 1.0.12...
CVE-2025-10045 onOffice for WP-Websites <= 6.5.1 - Authenticated (Editor+) SQL Injection
The onOffice for WP-Websites plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 6.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible f...
CVE-2025-10045
CVE-2025-10045 (onOffice for WP-Websites, WordPress) : The plugin is vulnerable to SQL Injection via the string parameter order in all versions up to 5.7 due to insufficient escaping of user input and inadequate query preparation. Exploitation requires authenticated access at Editor+ level, enabl...
CVE-2025-10754
The CVE-2025-10754 entry concerns the DocoDoco Store Locator WordPress plugin. The vulnerability is an authenticated Arbitrary File Upload due to missing file type validation in the ZIP upload in versions up to 1.0.1. Wordfence notes that authenticated attackers with Editor-level access (or highe...
EUVD-2022-1993
Malicious code in bioql PyPI...
CVE-2025-9372
CVE-2025-9372 documents a stored XSS vulnerability in WordPress plugin Ultimate Multi Design Video Carousel (versions ≤ 1.4) caused by insufficient input sanitization and output escaping. Exploitation requires authenticated access at editor level and affects multi-site installations or sites wher...
CVE-2025-55672 Apache Superset: Stored XSS on charts metadata
A stored Cross-Site Scripting XSS vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's browser when they...
CVE-2023-23786
Auth. editor+ Stored Cross-Site Scripting XSS vulnerability in Christof Servit affiliate-toolkit plugin = 3.3.3 versions...
WordPress Allow PHP Execute plugin <= 1.0 - Authenticated (Editor+) PHP Code Injection vulnerability
Authenticated Editor+ PHP Code Injection vulnerability discovered by Francesco Carlucci in WordPress Plugin Allow PHP Execute versions = 1.0...
WordPress UserPlus plugin <= 2.0 - Authenticated (Editor+) Registration Form Update to Privilege Escalation vulnerability
Authenticated Editor+ Registration Form Update to Privilege Escalation vulnerability discovered by István Márton in WordPress Plugin UserPlus versions = 2.0...
WordPress Smart Post Show plugin <= 3.0.0 - Authenticated (Editor+) Stored Cross-Site Scripting via Pagination Color vulnerability
Authenticated Editor+ Stored Cross-Site Scripting via Pagination Color vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin Post Grid, Post Carousel, & List Category Posts – by Smart Post Show versions = 3.0.0...
WordPress News Flash theme <= 1.1.0 - Authenticated (Editor+) PHP Object Injection vulnerability
Authenticated Editor+ PHP Object Injection vulnerability discovered by Francesco Carlucci in WordPress Theme News Flash versions = 1.1.0...
WordPress Frontend Registration – Contact Form 7 plugin <= 5.1 - Authenticated (Editor+) Privilege Escalation vulnerability
Authenticated Editor+ Privilege Escalation vulnerability discovered by István Márton in WordPress Plugin Frontend Registration – Contact Form 7 versions = 5.1...
CVE-2022-32970
Auth. editor+ Stored Cross-Site Scripting XSS vulnerability in Themify Themify Portfolio Post plugin = 1.2.4 versions...
CVE-2022-47438
Auth. editor+ Stored Cross-Site Scripting XSS vulnerability in WpDevArt Booking calendar, Appointment Booking System plugin = 3.2.3 versions...
Vulnerability fixed in Grafana
Grafana Labs has fixed a vulnerability in Grafana. The vulnerability allows an authenticated remote malicious person to able to execute arbitrary code in the browser on a victim's victim's system. To do this, the malicious party must trick the entice the victim to click on a rogue link. Grafana...