CVE-2025-3586

In Liferay Portal 7.4.3.27 through 7.4.3.42, and Liferay DXP 2024.Q1.1 through 2024.Q1.20, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 27 through update 42 Liferay PaaS, and Liferay Self-Hosted, the Objects module does not restrict the use of Groovy scripts in Object...

CVE-2025-3586

In Liferay Portal 7.4.3.27 through 7.4.3.42, and Liferay DXP 2024.Q1.1 through 2024.Q1.20, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 27 through update 42 Liferay PaaS, and Liferay Self-Hosted, the Objects module does not restrict the use of Groovy scripts in Object...

CVE-2025-3586

In Liferay Portal 7.4.3.27 through 7.4.3.42, and Liferay DXP 2024.Q1.1 through 2024.Q1.20, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 27 through update 42 Liferay PaaS, and Liferay Self-Hosted, the Objects module does not restrict the use of Groovy scripts in Object...

CVE-2025-3586

In Liferay Portal 7.4.3.27 through 7.4.3.42, and Liferay DXP 2024.Q1.1 through 2024.Q1.20, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 27 through update 42 Liferay PaaS, and Liferay Self-Hosted, the Objects module does not restrict the use of Groovy scripts in Object...

CVE-2025-3586

In Liferay Portal 7.4.3.27 through 7.4.3.42, and Liferay DXP 2024.Q1.1 through 2024.Q1.20, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 27 through update 42 Liferay PaaS, and Liferay Self-Hosted, the Objects module does not restrict the use of Groovy scripts in Object...

CVE-2025-3586

CVE-2025-3586 affects Liferay Portal 7.4.3.27–7.4.3.42 and Liferay DXP 2024.Q1.1–2024.Q1.20, 2023.Q4.0–2023.Q4.10, 2023.Q3.1–2023.Q3.10, with the Objects module allowing remote authenticated Admin Users (Instance Administrator) to execute arbitrary Groovy scripts via Object actions, yielding remo...

PT-2025-35502

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.3.27 through 7.4.3.42 Liferay DXP versions 2023.Q3.1 through 2023.Q3.10 Liferay DXP versions 2023.Q4.0 through 2023.Q4.10 Liferay DXP versions 2024.Q1.1 through 2024.Q1.20 Liferay 7.4 update 27 through update 42...

CVE-2025-8281

The WP Talroo WordPress plugin through 2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin and unauthenticated users...

CVE-2025-8281 WP Talroo <= 2.4 - Reflected XSS

The WP Talroo WordPress plugin through 2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin and unauthenticated users...

CVE-2025-43748

The CVE-2025-43748 affects Liferay Portal and Liferay DXP: insufficient CSRF protection for omni-administrator users in Portal 7.0.0–7.4.3.119 and DXP 2024.Q1.1–2024.Q1.6, plus older/releases listed in the entry. Root cause is CSRF protection gaps enabling Cross‑Site Request Forgery. Practical im...

CVE-2025-7808

The WP Shopify WordPress plugin before 1.5.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVE-2025-51502

Reflected Cross-Site Scripting XSS in Microweber CMS 2.0 via the layout parameter on the /admin/page/create page allows arbitrary JavaScript execution in the context of authenticated admin users...

Microweber has Reflected XSS Vulnerability in the layout Parameter

Reflected Cross-Site Scripting XSS in Microweber CMS 2.0 via the layout parameter on the /admin/page/create page allows arbitrary JavaScript execution in the context of authenticated admin users...

PT-2025-31651 · Unknown · Microweber Cms

Name of the Vulnerable Software and Affected Versions: Microweber CMS version 2.0 Description: This issue involves a reflected Cross-Site Scripting XSS vulnerability. It allows arbitrary JavaScript execution within the context of authenticated administrator users through manipulation of the layou...

CVE-2025-51502

Reflected Cross-Site Scripting XSS in Microweber CMS 2.0 via the layout parameter on the /admin/page/create page allows arbitrary JavaScript execution in the context of authenticated admin users...

VulnCheck KEV: CVE-2022-1006

The Advanced Booking Calendar WordPress plugin before 1.7.1 does not sanitise and escape the id parameter when editing Calendars, which could allow high privilege users such as admin to perform SQL injection attacks...

CVE-2025-6234

The Hostel WordPress plugin before 1.1.5.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVE-2025-7175

A vulnerability was found in code-projects E-Commerce Site 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/usersphoto.php. The manipulation of the argument photo leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has...

PT-2025-28405 · Unknown · Code-Projects E-Commerce Website

Name of the Vulnerable Software and Affected Versions: code-projects E-Commerce Site version 1.0 Description: A critical issue has been found in the code-projects E-Commerce Site, affecting an unknown function of the file /admin/users photo.php. The manipulation of the photo argument leads to...

CVE-2025-3771

A path or symbolic link manipulation vulnerability in SIR 1.0.3 and prior versions allows an authenticated non-admin local user to overwrite system files with SIR backup files, which can potentially cause a system crash. This was achieved by adding a malicious entry to the registry under the...