1566 matches found
CVE-2024-9771 WP-Recall < 16.26.12 - Admin+ Stored XSS
The WP-Recall WordPress plugin before 16.26.12 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
CVE-2025-0627 AI Autotagger < 3.30.0 - Admin+ Stored XSS
The WordPress Tag, Category, and Taxonomy Manager WordPress plugin before 3.30.0 does not sanitise and escape some of its Widgets settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for...
CVE-2025-0627
CVE-2025-0627 involves the WordPress Tag, Category, and Taxonomy Manager – AI Autotagger plugin (pre-3.30.0). The issue is a failure to sanitize/escape certain Widgets settings, enabling Stored Cross-Site Scripting by high-privilege users (e.g., admins) even when unfiltered_html is disabled (such...
CVE-2024-30148
Improper access control of endpoint in HCL Leap allows certain admin users to import applications from the server's filesystem...
CVE-2025-0671 Email Subscribers < 5.7.50 - Admin+ Stored XSS in Template
The Icegram Express WordPress plugin before 5.7.50 does not sanitise and escape some of its Template settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
CVE-2024-30148 HCL Leap is affected by improper access control
Improper access control of endpoint in HCL Leap allows certain admin users to import applications from the server's filesystem...
HCL Leap security vulnerability
HCL Leap is a low-code development platform from HCL India. HCL Leap has a security vulnerability that stems from improper endpoint access control that allows certain admin users to import applications from the server file system...
PT-2025-17739 · Hcl · Hcl Leap
Name of the Vulnerable Software and Affected Versions: HCL Leap, affected versions not specified
Description: The issue concerns improper access control of an endpoint in HCL Leap, allowing certain admin users to import applications from the server's filesystem.
Recommendations: At the moment, the...
CVE-2025-2162
The MapPress Maps for WordPress plugin before 2.94.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
CVE-2025-1524 Ultimate Dashboard < 3.8.6 - Admin+ Stored XSS
The Ultimate Dashboard WordPress plugin before 3.8.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
CVE-2025-1523
CVE-2025-1523 concerns the Ultimate Dashboard WordPress plugin prior to 3.8.6. The vulnerability is a stored XSS in plugin settings caused by insufficient sanitization/escaping, which could allow a high-privilege user (e.g., an admin) to inject script payloads. Exploitation details (e.g., exact v...
CVE-2024-13207 Widget for Social Page Feeds < 6.4.2 - Admin+ Stored XSS
The Widget for Social Page Feeds WordPress plugin before 6.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setu...
CVE-2024-13874
The Feedify WordPress plugin before 2.4.6 is vulnerable to a Reflected Cross-Site Scripting attack because it does not sanitise and escape a parameter before outputting it back on the page, potentially affecting high-privilege users such as admins. Affected component is the output path handling t...
CVE-2025-32358
In Zammad 6.4.x before 6.4.2, SSRF can occur. Authenticated admin users can enable webhooks in Zammad, which are triggered as POST requests when certain conditions are met. If a webhook endpoint returned a redirect response, Zammad would follow it automatically with another GET request. This coul...
CVE-2024-13863
The Stylish Google Sheet Reader 4.0 WordPress plugin before 4.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...