Lucene search: 2475 matches found

Vulnrichment, added 2025/05/15 8:07 p.m., 8 views

CVE-2024-9663 CYAN Backup < 2.5.3 - Admin+ Stored XSS via Remote Storage Settings

The CYAN Backup WordPress plugin before 2.5.3 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

AI score 5.8, EPSS 0.00254, Exploits: 1, References: 1
Cvelist, added 2025/05/15 8:07 p.m., 14 views

CVE-2024-9599 Popup Box < 4.7.8 - Admin+ Stored XSS

The Popup Box WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

EPSS 0.00301, Exploits: 1, References: 1
CVE, added 2025/05/15 8:07 p.m., 26 views

CVE-2024-8670

CVE-2024-8670 affects the Photo Gallery by 10Web WordPress plugin prior to 1.8.29. The vulnerability stems from incomplete sanitization/escaping of plugin settings, enabling Stored XSS by high-privilege admins even when unfiltered_html is disallowed (e.g., multisite). Exploitation context: authen...

CVSS 4.8, AI score 5.7, EPSS 0.0032, Exploits: 1, References: 1, Affected Software: 1
Cvelist, added 2025/05/15 8:07 p.m., 17 views

CVE-2024-8617 Quiz Maker <= 6.5.9.8 - Admin+ Stored XSS

The Quiz Maker WordPress plugin before 6.5.9.9 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

EPSS 0.00266, Exploits: 1, References: 1
Vulnrichment, added 2025/05/15 8:07 p.m., 4 views

CVE-2024-6713 PVN Auth Popup <= 1.0.0 - Admin+ Stored XSS

The PVN Auth Popup WordPress plugin through 1.0.0 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

AI score 5, EPSS 0.00271, Exploits: 1, References: 1
Cvelist, added 2025/05/15 8:07 p.m., 13 views

CVE-2024-13828 Badgearoo <= 1.0.14 - Reflected XSS

The Badgearoo WordPress plugin through 1.0.14 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin...

EPSS 0.00278, Exploits: 1, References: 1
Vulnrichment, added 2025/05/15 8:07 p.m., 8 views

CVE-2024-13384 Photo Gallery, Images, Slider in Rbs Image Gallery < 3.2.24 - Admin+ Stored XSS

The Photo Gallery, Images, Slider in Rbs Image Gallery WordPress plugin before 3.2.24 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed for...

AI score 4.7, EPSS 0.00266, Exploits: 1, References: 1
Vulnrichment, added 2025/05/15 8:06 p.m., 11 views

CVE-2024-12679 Prisna GWT < 1.4.14 - Admin+ Stored XSS

The Prisna GWT WordPress plugin before 1.4.14 does not sanitise and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

AI score 4.7, EPSS 0.00266, Exploits: 1, References: 1
Cvelist, added 2025/05/14 6:08 p.m., 24 views

CVE-2025-0135 GlobalProtect App on macOS: Non Admin User Can Disable the GlobalProtect App

An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtect™ App on macOS devices enables a locally authenticated non-administrative user to disable the app. The GlobalProtect app on Windows, Linux, iOS, Android, Chrome OS and the GlobalProtect UWP app are not affected...

CVSS 5.2, EPSS 0.00115, Exploits: 0, References: 1
Vulnrichment, added 2025/05/14 6:08 p.m., 7 views

CVE-2025-0135 GlobalProtect App on macOS: Non Admin User Can Disable the GlobalProtect App

An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtect™ App on macOS devices enables a locally authenticated non-administrative user to disable the app. The GlobalProtect app on Windows, Linux, iOS, Android, Chrome OS and the GlobalProtect UWP app are not affected...

CVSS 5.2, AI score 6.7, EPSS 0.00115, Exploits: 0, References: 1
RedhatCVE, added 2025/05/09 8:27 p.m., 16 views

CVE-2025-4043

An admin user can gain unauthorized write access to the /etc/rc.local file on the device, which is executed on system boot...

CVSS 6.8, AI score 7, EPSS 0.00292, Exploits: 0, References: 1
OSSF Malicious Packages, added 2025/05/05 3:44 p.m., 2 views

Malicious code in @ixm-apps/mf-admin-user (npm)

The package communicates with a domain associated with malicious activity...

AI score 6.9, Exploits: 0
OSV, added 2025/05/05 4:16 a.m., 7 views

CVE-2025-4262

A vulnerability was found in PHPGurukul Online DJ Booking Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/user-search.php. The manipulation of the argument searchdata leads to SQL injection. The attack can be initiated remotely...

CVSS 9.8, AI score 5.8, EPSS 0.00412, Exploits: 1, References: 5
CNNVD, added 2025/05/05 12:00 a.m., 2 views

MRCMS code injection vulnerability

MRCMS is a content management system by the individual developer marker. A code injection vulnerability exists in MRCMS version 3.1.3, originating from a cross-site scripting attack caused by incorrect handling of the parameter Username in the file /admin/user/edit.do...

CVSS 5.4, AI score 4.1, EPSS 0.0025, Exploits: 1, References: 5
RedhatCVE, added 2025/05/02 10:19 p.m., 18 views

CVE-2024-30146

Improper access control of an endpoint in HCL Domino Leap allows certain admin users to import applications from the server's filesystem...

CVSS 4.1, AI score 7.2, EPSS 0.00168, Exploits: 0, References: 3
Cvelist, added 2025/05/02 6:00 a.m., 18 views

CVE-2025-3513 SureForms < 1.4.4 - Admin+ Stored XSS

The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in a multisite setup...

EPSS 0.00274, Exploits: 1, References: 1
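The eight "Admin+ Stored XSS" entries above (CYAN Backup, Popup Box, Photo Gallery by 10Web, Quiz Maker, PVN Auth Popup, Rbs Image Gallery, Prisna GWT, SureForms) and the Badgearoo reflected case all come down to the same two omissions: a plugin setting is written to the database exactly as posted, and it is echoed back without escaping. The "even when unfiltered_html is disallowed" qualifier is what makes an admin-only bug worth a CVE: on a single site an administrator holds the unfiltered_html capability and may store markup anyway, but on a multisite network (or with DISALLOW_UNFILTERED_HTML set) site admins lack it, so a plugin that ignores the capability lets them store script that runs for every visitor, super admins included. The PHP below is an added illustration written for this listing, not code from any of those plugins or from the advisory author: the demo_ functions, the option names and the settings group are hypothetical, while the WordPress API calls (register_setting, current_user_can, wp_kses_post, sanitize_text_field, esc_attr, esc_html, wp_unslash) are real. To reproduce the "capability disallowed" condition on a single-site install, add define( 'DISALLOW_UNFILTERED_HTML', true ); to wp-config.php.

```php
<?php
// Added example, not code from any plugin listed on this page. "demo_" names,
// the option keys and the settings group are hypothetical (assumption).

/* ---- VULNERABLE pattern: setting saved as posted, echoed raw ---- */

function demo_vuln_register() {
    // No sanitize_callback: whatever the settings form posts is stored verbatim,
    // regardless of whether the saving user holds unfiltered_html.
    register_setting( 'demo_options', 'demo_banner_html' );
}

function demo_vuln_render_banner() {
    // Raw output: a stored <img src=x onerror=...> runs for every visitor.
    echo '<div class="demo-banner">' . get_option( 'demo_banner_html' ) . '</div>';
}

/* ---- HARDENED pattern: sanitise on save, escape for the output context ---- */

function demo_sanitize_banner_html( $value ) {
    // Mirror core's policy for post content: only a user who holds
    // unfiltered_html may store arbitrary markup. On multisite, or with
    // DISALLOW_UNFILTERED_HTML, even administrators lack it, so the post
    // allow-list (formatting tags kept, script and event handlers stripped)
    // applies to them too.
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $value;
    }
    return wp_kses_post( $value );
}

function demo_register() {
    register_setting( 'demo_options', 'demo_banner_html', array(
        'type'              => 'string',
        'sanitize_callback' => 'demo_sanitize_banner_html',
    ) );
    register_setting( 'demo_options', 'demo_banner_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field', // plain text, no markup
    ) );
}

function demo_render_banner() {
    $title = get_option( 'demo_banner_title', '' );
    $html  = get_option( 'demo_banner_html', '' );
    // Escape at the point of output, per context: esc_attr inside an attribute,
    // esc_html in text, wp_kses_post for an HTML fragment. Filtering again here
    // also covers values stored before the callback existed or written outside
    // the Settings API.
    echo '<div class="demo-banner" title="' . esc_attr( $title ) . '">';
    echo '<h2>' . esc_html( $title ) . '</h2>';
    echo wp_kses_post( $html );
    echo '</div>';
}

/* ---- REFLECTED variant (cf. Badgearoo): request parameter echoed back ---- */

function demo_vuln_search_box() {
    // Unescaped reflection: a crafted link closes the attribute and injects markup.
    echo '<input type="text" name="q" value="' . $_GET['q'] . '">';
}

function demo_search_box() {
    // Unslash, sanitise, then escape for the attribute context.
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    echo '<input type="text" name="q" value="' . esc_attr( $q ) . '">';
}

add_action( 'admin_init', 'demo_register' );
```

Two checks worth running against a plugin under review: grep its register_setting / update_option calls for a missing sanitize_callback, and grep its echo statements for get_option( or $_GET[ / $_POST[ without an esc_* or wp_kses* wrapper. The output-side wp_kses_post in demo_render_banner deliberately strips script even for users who hold unfiltered_html; if a plugin genuinely intends to render raw HTML for those users, it must rely on the capability-aware save filter alone, as core does for post content, and the save filter then has to be correct.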
NVD, added 2025/04/30 10:15 p.m., 14 views

CVE-2024-30146

Improper access control of an endpoint in HCL Domino Leap allows certain admin users to import applications from the server's filesystem...

CVSS 4.1, EPSS 0.00168, Exploits: 0, References: 1
OSV, added 2025/04/23 6:15 a.m., 3 views

CVE-2025-0926

Gee-netics, a member of the AXIS Camera Station Pro Bug Bounty Program, has found that it is possible for a non-admin user to remove system files, causing a boot loop, by redirecting a file deletion when recording video. Axis has released a patched version for the highlighted flaw. Please refer to the Ax...

CVSS 7.3, AI score 5.8, EPSS 0.00187, Exploits: 0, References: 1
Vulnrichment, added 2025/04/23 5:18 a.m., 4 views

CVE-2025-1056

Gee-netics, a member of the AXIS Camera Station Pro Bug Bounty Program, has identified an issue with a specific file that the server is using. A non-admin user can modify this file to either create files or change the content of files in an admin-protected location. Axis has released a patched version...

CVSS 6.1, AI score 7, EPSS 0.00196, Exploits: 0, References: 1
Packet Storm, added 2025/04/23 12:00 a.m., 307 views

Online Shopping System Advanced 1.0 Shell Upload / SQL Injection

Online Shopping System Advanced version 1.0 suffers from remote shell upload and remote SQL injection vulnerabilities. Exploit Title: Online Shopping System Advanced - Remote Code Execution. Date: 2025-03-11. Exploit Author: bRpsd. Contact: [email protected]. Zone-H: www.zone-h.org/archive/notifier=bRpsd...

AI score 8.5, Exploits: 0
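The PHPGurukul entry above (CVE-2025-4262, "manipulation of the argument searchdata leads to sql injection" in /admin/user-search.php) and the Packet Storm entry's "remote SQL injection" describe the classic PHP search-form mistake: a request parameter concatenated into the SQL text. The PHP below is an added illustration written for this listing, not code from PHPGurukul, from the Online Shopping System project or from the exploit author; the users table, its rows, the function names and the probe string are constructed for the example, and the in-memory SQLite database (which needs the pdo_sqlite extension, an assumption) stands in for the MySQL backend so the script runs offline.

```php
<?php
// Added example, not code from any product listed on this page. Table layout,
// sample rows, function names and the probe value are constructed (assumption).

function make_db(): PDO {
    // In-memory SQLite stands in for the real MySQL backend (assumption).
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
    $db->exec("INSERT INTO users (name, email) VALUES
        ('alice', 'alice@example.test'),
        ('bob',   'bob@example.test')");
    return $db;
}

// VULNERABLE: the request parameter is spliced into the SQL text, so a quote
// character in it changes the structure of the query rather than its data.
function vuln_search(PDO $db, string $searchdata): array {
    $sql = "SELECT id, name, email FROM users
            WHERE name LIKE '%$searchdata%' OR email LIKE '%$searchdata%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the value is bound as a parameter. The LIKE wildcards are added to
// the value (with any user-supplied %, _ and \ escaped), never to the SQL string.
function safe_search(PDO $db, string $searchdata): array {
    $term = strtr($searchdata, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
    $like = '%' . $term . '%';
    $stmt = $db->prepare("SELECT id, name, email FROM users
            WHERE name LIKE ? ESCAPE '\\' OR email LIKE ? ESCAPE '\\'");
    $stmt->execute([$like, $like]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();
// Constructed probe: no name or email contains this string, so a correct
// search must return nothing. Against the concatenated query the quote closes
// the LIKE literal, "OR 1=1" is evaluated, and "--" comments out the rest.
$probe = "' OR 1=1 --";
printf("vulnerable search:        %d rows\n", count(vuln_search($db, $probe)));
printf("hardened search:          %d rows\n", count(safe_search($db, $probe)));
printf("hardened, ordinary query: %d rows\n", count(safe_search($db, 'ali')));
```

Run with php on the command line: vuln_search returns both constructed rows for the probe because the injected OR 1=1 is part of the query, safe_search returns none because the probe is matched as literal text, and the ordinary query "ali" matches only alice. The same prepared-statement shape applies with the MySQL driver; the ESCAPE clause is written explicitly so the wildcard escaping does not depend on the backend's default escape character.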