CVE-2024-12800
The CVE-2024-12800 entry concerns the WordPress plugin IP Based Login. Affected versions prior to 2.4.1 do not sanitize values during import, enabling Stored Cross-Site Scripting (Stored XSS) that could be exploited by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (e...
CVE-2024-11843
CVE-2024-11843 affects the Panorama WordPress plugin up to version 1.5.1. The vulnerability arises because the plugin does not sanitize and escape certain settings, enabling Stored XSS when administered by high-privilege users (admin), even if unfiltered_html is disallowed (e.g., in multisite). A...
CVE-2024-11189 Social Share And Social Locker – ARSocial < 1.4.2 - Admin+ Stored XSS
The Social Share And Social Locker WordPress plugin before 1.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in multisite...
PT-2025-21486 · WordPress · The Kbucket: Your Curated Content
Name of the Vulnerable Software and Affected Versions: The KBucket: Your Curated Content WordPress plugin, versions prior to 4.1.5. Description: The issue is related to a Reflected Cross-Site Scripting problem. It occurs because a parameter is not properly sanitised and escaped before being...
CVE-2025-0135
An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtect™ App on macOS devices enables a locally authenticated non administrative user to disable the app. The GlobalProtect app on Windows, Linux, iOS, Android, Chrome OS and GlobalProtect UWP app are not affected...
CVE-2025-3583
The Newsletter WordPress plugin before 8.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
CVE-2025-3583 Newsletter < 8.7.1 - Admin+ Stored XSS
The Newsletter WordPress plugin before 8.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
CVE-2025-3502
The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
CVE-2025-27134
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, a privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint PATCH /api/users/:id t...
CVE-2025-3504 WP Maps < 4.7.2 - Admin+ Stored XSS
The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
CVE-2024-30146
Improper access control of endpoint in HCL Domino Leap allows certain admin users to import applications from the server's filesystem...
CVE-2024-30146 HCL Domino Leap is affected by improper access control
Improper access control of endpoint in HCL Domino Leap allows certain admin users to import applications from the server's filesystem...
CVE-2024-30146
The CVE-2024-30146 entry concerns HCL Domino Leap. Affected component: the endpoint handling import of applications. Root cause: improper access control allowing certain admin users to import applications from the server’s filesystem. Impact as described: potential unauthorized filesystem access ...
CVE-2025-27134
CVE-2025-27134 concerns Joplin server prior to version 3.3.3, where a vulnerability in the PATCH /api/users/:id endpoint allows a non-admin user to set the is_admin field to 1. This privilege escalation enables low-privilege users to perform administrative actions without proper authorization. Th...
CVE-2025-27134 Privilege escalation in Joplin server via user patch endpoint
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, a privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint PATCH /api/users/:id t...
PT-2025-18288 · Joplin · Joplin
Name of the Vulnerable Software and Affected Versions: Joplin versions prior to 3.3.3. Description: A privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint PATCH /api/users/:id to set the is_admin field to 1. This issue allows maliciou...
About Elevation of Privilege – Windows Process Activation (CVE-2025-21204) vulnerability
About Elevation of Privilege - Windows Process Activation CVE-2025-21204 vulnerability. This vulnerability from the April Microsoft Patch Tuesday was not highlighted by VM vendors in their reviews. It affects the Windows Update Stack component and is related to improper link resolution before fil...
CVE-2024-12273
The Calculated Fields Form WordPress plugin before 5.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
Security Bulletin: IBM DataPower Gateway may permit admin users to view and edit files that are not allowed to be read via RBM access rights (CVE-2022-22326)
Summary: IBM has addressed the CVE. Vulnerability Details: CVEID: CVE-2022-22326. DESCRIPTION: IBM MQ Appliance could allow unauthorized viewing of logs and files due to insufficient authorisation checks. CVSS Base score: 4. CVSS Temporal Score: See:...