36 matches found
EUVD-2026-23448
The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation in the 'ajax_attach_file' function in all versions up to, and including, 8.3.4. This makes it possible for authenticated attackers with a role that an administrator...
CVE-2026-3464 WP Customer Area <= 8.3.4 - Authenticated (Subscriber+) Arbitrary File Read/Deletion via ajax_attach_file
The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation in the 'ajax_attach_file' function in all versions up to, and including, 8.3.4. This makes it possible for authenticated attackers with a role that an administrator...
CVE-2026-3464
The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation in the 'ajax_attach_file' function in all versions up to, and including, 8.3.4. This makes it possible for authenticated attackers with a role that an administrator...
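The entries above describe a file read/delete handler that trusts a request-supplied path. The following is an added example, not the WP Customer Area plugin's code: it shows the unsafe shape beside a containment check that resolves the path first and then verifies it stays under the intended directory. Function names, the 'file' parameter, and the hook and nonce names in the commented WordPress sketch are hypothetical; the WordPress functions referenced in that sketch are real.

```php
<?php
// Added example (not the WP Customer Area plugin's code): the path-containment check
// a file read/delete handler needs when the file name comes from the request.
// Function names and the 'file' parameter are hypothetical.

/**
 * Resolve $userPath relative to $baseDir. Returns the absolute path only if it
 * still lies inside $baseDir after '..' segments and symlinks are resolved, else null.
 * realpath() requires the target to exist, so this suits read/delete, not create.
 */
function resolve_inside(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null;
    }
    // Compare against base plus a separator so "/base_other" and "/base" itself are rejected.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

/** The vulnerable shape: the request value is concatenated and used as-is. */
function delete_attachment_unsafe(string $baseDir, string $userPath): bool
{
    return @unlink($baseDir . DIRECTORY_SEPARATOR . $userPath);
}

/** The hardened shape: resolve, contain, then act. */
function delete_attachment_safe(string $baseDir, string $userPath): bool
{
    $path = resolve_inside($baseDir, $userPath);
    return $path !== null && is_file($path) && unlink($path);
}

// --- Demo on a constructed temporary tree (not real plugin data) ---
$root = sys_get_temp_dir() . '/cua_demo_' . getmypid();
mkdir("$root/uploads/42", 0700, true);
file_put_contents("$root/uploads/42/invoice.pdf", 'pdf');
file_put_contents("$root/secret.txt", 'outside the upload dir');

$probes = ['42/invoice.pdf', '42/../../secret.txt', '../secret.txt', '/etc/passwd'];
foreach ($probes as $p) {
    $r = resolve_inside("$root/uploads", $p);
    printf("%-22s => %s\n", $p, $r === null ? 'REJECTED' : 'allowed: ' . $r);
}
// The unsafe variant would remove secret.txt via "42/../../secret.txt"; the safe one refuses.
var_dump(delete_attachment_safe("$root/uploads", '42/../../secret.txt'));
var_dump(file_exists("$root/secret.txt"));

// In a WordPress AJAX handler the check sits behind nonce, capability and ownership tests
// (hook and nonce names hypothetical; the WP functions are real):
// add_action('wp_ajax_cua_delete_file', function () {
//     check_ajax_referer('cua_file_nonce', 'nonce');
//     if (!current_user_can('upload_files')) { wp_send_json_error('forbidden', 403); }
//     $dir  = wp_upload_dir()['basedir'] . '/customer-area';
//     $path = resolve_inside($dir, (string) ($_POST['file'] ?? ''));
//     if ($path === null /* or the current user does not own this record */) {
//         wp_send_json_error('bad path', 400);
//     }
//     wp_send_json_success(unlink($path));
// });

// Cleanup of the constructed tree.
unlink("$root/uploads/42/invoice.pdf"); unlink("$root/secret.txt");
rmdir("$root/uploads/42"); rmdir("$root/uploads"); rmdir($root);
```

Only the first probe resolves; the traversal and absolute-path probes come back null, and the second delete leaves secret.txt in place. Resolving the base directory with realpath() before the comparison matters on hosts where the temp or upload directory is itself a symlink, otherwise a legitimate path fails the prefix test. The containment check is necessary but not sufficient for a Subscriber-level endpoint: the record the file belongs to still has to be owned by (or shared with) the calling user.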
CVE-2025-40701
Reflected Cross-Site Scripting vulnerability in SOTESHOP, version 8.3.4. This vulnerability allows an attacker to execute JavaScript code in the victim's browser when a malicious URL with the 'id' parameter in '/adsTracker/checkAds' is sent to the victim. The vulnerability can be exploited to steal...
CVE-2025-40701
SOTESHOP 8.3.4 contains a Reflected XSS in /adsTracker/checkAds via the id parameter. An attacker can inject JS and run it in the victim’s browser, potentially stealing session cookies or acting on behalf of the user. CVSS 4.0 suggests 5.1 base score (MEDIUM) with network attack vector, low compl...
PT-2026-21512
Reflected Cross-Site Scripting vulnerability in SOTESHOP, version 8.3.4. This vulnerability allows an attacker to execute JavaScript code in the victim's browser when a malicious URL with the 'id' parameter in '/adsTracker/checkAds' is sent to the victim. The vulnerability can be exploited to steal...
WordPress Elementor Addons by Livemesh plugin <= 8.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Posts Multislider Widget vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Posts Multislider Widget vulnerability discovered by Drian - Pato Academy in WordPress Plugin Livemesh Addons for Elementor versions <= 8.3.4...
GHSA-4G25-WJ72-CHXG Snipe-IT allows stored XSS via the Locations "Country" field
Snipe-IT before 8.3.4 allows stored XSS via the Locations "Country" field, enabling a low-privileged authenticated user to inject JavaScript that executes in another user's session...
CVE-2025-65621
Snipe-IT before 8.3.4 allows stored XSS, allowing a low-privileged authenticated user to inject JavaScript that executes in an administrator's session, enabling privilege escalation...
Snipe-IT has Cross-site Scripting vulnerability in CSV import workflow
Snipe-IT v8.3.4 build 20218 contains a reflected cross-site scripting (XSS) vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progressmessage value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the...
CVE-2025-13196
The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Open Street Map widget's marker content parameter in all versions up to, and including, 8.3.4. This is due to insufficient input sanitization and output escaping on user-supplied...
CVE-2025-13196
CVE-2025-13196 (Element Pack Addons for Elementor, WordPress) The vulnerability is a Stored Cross-Site Scripting flaw in the Open Street Map widget’s marker content parameter, affecting all versions up to, and including, 8.3.4. Authentication is required (Contributor or higher) to inject scripts that execute fo...
EUVD-2025-5955
Malicious code in bioql PyPI...
EUVD-2025-5525
Malicious code in bioql PyPI...
PHP CGI Remote Code Execution
A critical vulnerability in PHP's CGI implementation allows remote attackers to execute arbitrary code through command injection. The vulnerability exists due to improper handling of command-line arguments in PHP CGI, which can be exploited to bypass security restrictions and execute arbitrary...
CVE-2023-0221
Product security bypass vulnerability in ACC prior to version 8.3.4 allows a locally logged-in attacker with administrator privileges to bypass the execution controls provided by ACC using the utilman program...
CVE-2023-36995
TravianZ through 8.3.4 allows XSS via the Alliance tag/name, the statistics page, the link preferences, the Admin Logs, or the COOKUSR cookie...
GHSA-3MV9-4H5G-VHG3 tsup DOM Clobbering vulnerability
A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components...
PT-2024-35615
Name of the Vulnerable Software and Affected Versions: The Newsletter plugin for WordPress, versions up to, and including, 8.3.4. Description: The issue is related to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping. This allows unauthenticated attackers to injec...
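Most entries on this page (SOTESHOP's reflected 'id' parameter, the Snipe-IT "Country" field and CSV progress message, the Livemesh, Element Pack and Newsletter widgets, TravianZ) are the same defect: a value reaches HTML output unescaped, whether it arrived a moment ago in the query string or months ago via a database row. The following is an added example, not code from SOTESHOP, Snipe-IT, TravianZ or any of the WordPress plugins listed: the reflected and stored shapes beside context-aware escaping at the point of output. Function, route and field names are hypothetical; the payloads and rows are constructed for the demo.

```php
<?php
// Added example, not code from SOTESHOP, Snipe-IT, TravianZ or the listed WordPress plugins.
// Function, route and field names are hypothetical; inputs below are constructed.

/** Escape for HTML text and for double-quoted attribute values. */
function esc_html_ctx(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Escape for a value embedded inside <script>: JSON with HTML-significant characters hex-encoded. */
function esc_js_ctx($value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

/** Reflected XSS shape: the 'id' query parameter goes straight into the markup. */
function check_ads_vulnerable(array $query): string
{
    $id = $query['id'] ?? '';
    return "<div class=\"ad\" data-id=\"$id\">Checking ad $id</div>";
}

/** Hardened: escape per context at the point of output (attribute, text, script). */
function check_ads_fixed(array $query): string
{
    $id = (string) ($query['id'] ?? '');
    return '<div class="ad" data-id="' . esc_html_ctx($id) . '">Checking ad ' . esc_html_ctx($id) . '</div>'
         . '<script>window.adId = ' . esc_js_ctx($id) . ';</script>';
}

/** Stored XSS shape: rows come from the database, so "trusting our own data" is the mistake. */
function render_locations(array $rows, bool $escape): string
{
    $cell = function (string $v) use ($escape): string {
        return $escape ? esc_html_ctx($v) : $v;
    };
    $out = '<table>';
    foreach ($rows as $row) {
        $out .= '<tr><td>' . $cell($row['name']) . '</td><td>' . $cell($row['country']) . '</td></tr>';
    }
    return $out . '</table>';
}

// --- Demo with constructed inputs ---
$payload = '"><script>alert(document.cookie)</script><i class="';
echo "reflected, vulnerable:\n", check_ads_vulnerable(['id' => $payload]), "\n\n";
echo "reflected, fixed:\n",      check_ads_fixed(['id' => $payload]),      "\n\n";

$rows = [
    ['name' => 'HQ',     'country' => 'Germany'],
    ['name' => 'Branch', 'country' => '<img src=x onerror="alert(1)">'],  // constructed stored value
];
echo "stored, vulnerable:\n", render_locations($rows, false), "\n\n";
echo "stored, fixed:\n",      render_locations($rows, true),  "\n";
```

The vulnerable renderers emit the payload's tags intact; the fixed ones emit them as entities, and the script-context value is a JSON string whose `<`, `>`, `&` and quotes are hex-escaped so it cannot close the surrounding `<script>` element. Input-side sanitization alone does not settle this class, because the same stored value is rendered in several contexts and by several code paths (the Snipe-IT CSV entry above is a message the application itself produced and then rendered as raw HTML). In Laravel (Snipe-IT) Blade's `{{ $value }}` escapes and `{!! $value !!}` does not; in WordPress the equivalents are esc_html(), esc_attr() and wp_json_encode() at output, with wp_kses_post() where a limited HTML subset is intended.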