78 matches found
CVE-2026-7842 Infility Global < 2.15.20 - Editor+ SQL Injection via orderby Parameter
The Infility Global Infility Global WordPress plugin before 2.15.20 for WordPress does not sanitize or validate the orderby and order parameters in the importlist, urldetail, and filedetail admin page callbacks before using them in SQL queries, allowing authenticated attackers with Editor-level...
PT-2026-37281
Name of the Vulnerable Software and Affected Versions Grav CMS Form plugin versions prior to 9.1.0 Description A Stored Cross-Site Scripting XSS issue exists in the select field template of the Grav CMS Form plugin. Taxonomy tag and category values are rendered using the Twig |raw filter in the...
CVE-2025-13727
The Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 2.7.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers...
PT-2026-7495
The Category Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag-image' parameter in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and...
CVE-2024-2344
The Avada theme for WordPress is vulnerable to SQL Injection via the 'entry' parameter in all versions up to, and including, 7.11.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticted...
CVE-2025-13370 ProjectList <= 0.3.0 - Authenticated (Editor+) SQL Injection via 'id' Parameter
The ProjectList plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' parameter in all versions up to, and including, 0.3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...
PT-2025-46276
Name of the Vulnerable Software and Affected Versions Fleet Manager plugin for WordPress versions prior to 2.5.1 Description The Fleet Manager plugin for WordPress is susceptible to Stored Cross-Site Scripting through admin settings. Insufficient input sanitization and output escaping allows...
PT-2025-44949
The Nari Accountant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via account settings in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and...
CVE-2025-11888 ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution <= 4.8.4 - Incorrect Authorization to Authenticated (Editor+) License Status Update
The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the postdeactive function and postactivate function in all versions up to, and including, 4.8.4...
CVE-2025-11888
The CVE-2025-11888 entry concerns the WordPress plugin ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution. Affected versions are
EUVD-2024-33799
Malicious code in bioql PyPI...
EUVD-2025-5883
Malicious code in bioql PyPI...
EUVD-2024-44445
Malicious code in bioql PyPI...
EUVD-2024-33592
Malicious code in bioql PyPI...
EUVD-2025-31210
Malicious code in bioql PyPI...
PT-2025-39485
Name of the Vulnerable Software and Affected Versions ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution versions prior to 4.8.4 Description The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is susceptible to unauthorized access. This is due to ...
CVE-2025-9519 Easy Timer <= 4.2.1 - Authenticated (Editor+) Remote Code Execution via Shortcode
The Easy Timer plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.1 via the plugin's shortcodes. This is due to insufficient restriction of shortcode attributes. This makes it possible for authenticated attackers, with Editor-level access and...
CVE-2025-9519
CVE-2025-9519 affects the WordPress plugin Easy Timer (≤ 4.2.1). The issue enables Remote Code Execution via shortcode attributes due to insufficient restriction, exploitable by authenticated users with Editor level access or higher. Reported CVSS v3.1 base score 7.2 (HIGH) with network access, h...
CVE-2025-4964
The WP Online Users Stats plugin for WordPress is vulnerable to time-based SQL Injection via the ‘tablename’ parameter in all versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes i...
CVE-2025-4964
CVE-2025-4964 applies to WP Online Users Stats for WordPress, with a time-based SQL Injection via the table_name parameter in all versions up to 1.0.0. The root cause is insufficient escaping and lack of proper preparation in the existing SQL query, enabling authenticated attackers with Editor-le...