CVE-2025-8889 Compress Then Upload < 1.0.5 - Admin+ Arbitrary File Upload
The Compress & Upload WordPress plugin before 1.0.5 does not properly validate uploaded files, allowing high-privilege users such as admins to upload arbitrary files to the server even when they should not be allowed to, for example in a multisite setup...
CVE-2025-52915
K7RKScan.sys 23.0.0.10, part of the K7 Security Anti-Malware suite, allows an admin-privileged user to send crafted IOCTL requests to terminate processes that are protected through a third-party implementation. This is caused by insufficient caller validation in the driver's IOCTL handler, enabli...
CVE-2025-56761
Memos 0.22 is vulnerable to Stored Cross-Site Scripting (XSS) via the upload attachment and user avatar features. Memos does not verify the content type of the uploaded data and serves it back as is. An authenticated attacker can use this to elevate their privileges when the stored XS...
CVE-2023-3666 Sticky Side Buttons < 2.0.0 - Admin+ Stored XSS
The Sticky Side Buttons WordPress plugin before 2.0.0 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...
PT-2025-35797
Name of the Vulnerable Software and Affected Versions: Memos version 0.22. Description: Memos version 0.22 is susceptible to Stored Cross-Site Scripting (XSS) through the upload attachment and user avatar features. The software does not validate the content type of uploaded data before serving it,...
PT-2025-34985
Name of the Vulnerable Software and Affected Versions: QuickCMS version 6.8. Description: QuickCMS is susceptible to a Stored Cross-Site Scripting (XSS) issue through the sDescriptionMeta parameter within the page editor's SEO functionality. An attacker possessing administrative privileges can injec...
CVE-2025-30036 Stored XSS permitting session takeover of arbitrary user
A Stored XSS vulnerability exists in the "Oddział" (Ward) module, in the death diagnosis description field, and allows the execution of arbitrary JavaScript code. This can lead to session hijacking of other users and potentially to privilege escalation up to full administrative rights...
CVE-2025-43759
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows admin users of a virtual instance to add pages that are not in the...
CVE-2025-53971
Mattermost versions 10.5.x ≤ 10.5.8, 9.11.x ≤ 9.11.17 fail to properly validate authorization for team scheme role modifications, which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/{team-id}/members/{user-id}/schemeRoles API endpoint...
CVE-2025-53971
Mattermost Server vulnerability CVE-2025-53971 affects versions 10.5.x ≤ 10.5.8 and 9.11.x ≤ 9.11.17. The issue arises from improper authorization validation for team scheme role modifications, allowing Team Admins to demote Team Members to Guests via PUT /api/v4/teams/{team-id}/members/{user-id}...
CVE-2025-55736
flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change their role to "admin", gaining its associated privileges (e.g. deleting users, posts, and comments). The problem is in the routes/adminPanelUsers file...
WordPress AWStats Script plugin <= 0.3 - Cross Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability discovered by Nabil Irawan (Patchstack Alliance) in WordPress Plugin AWStats Script versions <= 0.3...
WordPress Dropshix plugin <= 4.0.14 - Cross Site Scripting (XSS) vulnerability
Cross-Site Scripting (XSS) vulnerability discovered by Vinit Lakra (Patchstack Alliance) in WordPress Plugin Dropshix versions <= 4.0.14...
Brocade Fabric OS 9.1.x < 9.1.1d7 RCE (BSA-2025-2930)
The version of Brocade FabricOS installed on the remote host is 9.1.x prior to 9.1.1d7. It is, therefore, affected by a remote code execution vulnerability as referenced in the BSA-2025-2930 advisory: - Brocade Fabric OS versions starting with 9.1.0 have root access removed, however, a local user...
CVE-2025-4661
CVE-2025-4661 is a path traversal vulnerability in Brocade Fabric OS 9.1.0 through 9.2.2 that could let a local admin access files outside the intended directory, potentially leading to sensitive information disclosure. Exploitation requires admin privileges on the switch. Connected sources confi...
CVE-2025-4661 Path traversal vulnerability potentially leading to sensitive information disclosure
A path traversal vulnerability in Brocade Fabric OS 9.1.0 through 9.2.2 could allow a local admin user to gain access to files outside the intended directory, potentially leading to the disclosure of sensitive information. Note: Admin-level privilege is required on the switch in order to exploit...
CVE-2025-6173
A vulnerability classified as critical was found in Webkul QloApps 1.6.1. Affected by this vulnerability is an unknown function of the file /admin/ajaxproductslist.php. Manipulation of the argument packItself leads to SQL injection. The attack can be launched remotely. The exploit has be...
CVE-2025-5209
The CVE-2025-5209 entry describes a stored XSS vulnerability in the WordPress Ivory Search plugin prior to version 5.5.10. The issue arises because the plugin does not sufficiently sanitize and escape certain settings, allowing high-privilege users (e.g., admins) to trigger cross-site scripting e...