2475 matches found

OSV
added 2025/04/22 6:15 a.m. · 2 views

CVE-2024-13569

The Front End Users WordPress plugin through 3.2.32 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 7.1 · AI score 7.3 · EPSS 0.00485
Exploits 1 · References 1
Positive Technologies
added 2025/04/19 12:00 a.m. · 3 views

PT-2025-17357 · WordPress · Insert Headers/Footers

Name of the Vulnerable Software and Affected Versions: Insert Headers And Footers plugin for WordPress versions up to, and including, 3.1.1
Description: The issue is due to missing or incorrect nonce validation on the custom plugin set option function, making it possible for unauthenticated...

CVSS 7.5 · AI score 8.1 · EPSS 0.00204
Exploits 0 · References 12
NVD
added 2025/04/18 4:15 p.m. · 14 views

CVE-2025-32795

Dify is an open-source LLM app development platform. Prior to version 0.6.12, a vulnerability was identified in Dify where normal users are improperly granted permissions to edit app names, descriptions and icons. This access control flaw allows non-admin users to modify app details, despite...

CVSS 6.5 · EPSS 0.00249
Exploits 1 · References 2
CVE
added 2025/04/17 6:00 a.m. · 59 views

CVE-2024-11924

CVE-2024-11924 corresponds to Icegram Express (formerly Email Subscribers) WordPress plugin prior to 5.7.52. The issue is Stored XSS arising from insufficient sanitisation/escaping of plugin settings, enabling high-privilege users (e.g., admins) to inject scripts even when unfiltered_html is disa...

CVSS 3.5 · AI score 5.4 · EPSS 0.00219
Exploits 1 · References 1 · Affected Software 1
CNNVD
added 2025/04/10 12:00 a.m. · 4 views

MaxKB code injection vulnerability

MaxKB is an open source knowledge base question-and-answer system from 1Panel-dev, based on a large language model and RAG. MaxKB suffers from a code injection vulnerability that stems from a reverse shell vulnerability in the function library module, which allows a privileged user to create a...

CVSS 7.2 · AI score 7.4 · EPSS 0.00236
Exploits 0 · References 2
CNNVD
added 2025/04/07 12:00 a.m. · 3 views

Online Restaurant Management System injection vulnerability

Online Restaurant Management System is a Code-projects open source online restaurant management system. An injection vulnerability exists in Online Restaurant Management System version 1.0, originating from improper handling of the parameter ID in the /admin/userupdate.php file, which can lead ...

CVSS 9.8 · AI score 7.8 · EPSS 0.00432
Exploits 1 · References 5
CNNVD
added 2025/04/07 12:00 a.m. · 2 views

Online Restaurant Management System injection vulnerability

Online Restaurant Management System is a Code-projects open source online restaurant management system. An injection vulnerability exists in Online Restaurant Management System version 1.0, originating from improper handling of the parameter Name in the /admin/usersave.php file, which can le...

CVSS 9.8 · AI score 7.8 · EPSS 0.00432
Exploits 1 · References 5
OSV
added 2025/04/03 6:15 p.m. · 1 view

CVE-2025-3170

A vulnerability classified as critical has been found in Project Worlds Online Lawyer Management System 1.0. This affects an unknown part of the file /adminuser.php. The manipulation of the argument blockid/unblockid leads to SQL injection. It is possible to initiate the attack remotely. The...

CVSS 9.8 · AI score 5.8
Exploits 0 · References 5
Positive Technologies
added 2025/04/03 12:00 a.m. · 3 views

PT-2025-14622 · Unknown · Project Worlds Online Lawyer Management System

Name of the Vulnerable Software and Affected Versions: Project Worlds Online Lawyer Management System version 1.0
Description: A critical issue has been discovered, affecting the /adminuser.php file. The manipulation of the blockid and unblockid arguments leads to SQL injection. This issue can...

CVSS 9.8 · AI score 7.8 · EPSS 0.00469
Exploits 1 · References 12
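The three PHP admin-panel entries above (ID in /admin/userupdate.php, Name in /admin/usersave.php, blockid/unblockid in /adminuser.php) describe the same defect class: a request parameter is pasted into SQL text. The block below is an added illustration, not code from Online Restaurant Management System or Online Lawyer Management System, showing that vulnerable shape next to a parameterised rewrite. The table and column names (users, id, name, status) are assumptions chosen for the example.

```php
<?php
// Added illustration (not the projects' own code). Table/column names are assumed.
declare(strict_types=1);

// Vulnerable shape: request values are spliced into the SQL string, so an ID of
// "1 OR 1=1" rewrites the WHERE clause and a name containing a quote breaks out
// of the string literal.
function update_user_vulnerable(mysqli $db, array $req): bool
{
    $sql = "UPDATE users SET name='{$req['name']}' WHERE id={$req['id']}";
    return $db->query($sql) !== false;
}

function set_user_status_vulnerable(mysqli $db, array $req): bool
{
    // A block/unblock toggle keyed on a raw query parameter has the same flaw.
    if (isset($req['blockid'])) {
        return $db->query("UPDATE users SET status=0 WHERE id={$req['blockid']}") !== false;
    }
    if (isset($req['unblockid'])) {
        return $db->query("UPDATE users SET status=1 WHERE id={$req['unblockid']}") !== false;
    }
    return false;
}

// Hardened shape: the statement is fixed at prepare time and user data only
// arrives as bound parameters; IDs are validated as positive integers first.
function positive_int($value): ?int
{
    $n = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

function update_user_hardened(mysqli $db, array $req): bool
{
    $id   = positive_int($req['id'] ?? null);
    $name = trim((string) ($req['name'] ?? ''));
    if ($id === null || $name === '' || strlen($name) > 100) {
        http_response_code(400);
        return false;
    }
    $stmt = $db->prepare('UPDATE users SET name = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $name, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function set_user_status_hardened(mysqli $db, array $req): bool
{
    // Allow-list the action and map it to a constant; the ID is bound, never
    // interpolated, so neither blockid nor unblockid can alter the statement.
    if (isset($req['blockid'])) {
        $id = positive_int($req['blockid']);
        $status = 0;
    } elseif (isset($req['unblockid'])) {
        $id = positive_int($req['unblockid']);
        $status = 1;
    } else {
        $id = null;
        $status = 0;
    }
    if ($id === null) {
        http_response_code(400);
        return false;
    }
    $stmt = $db->prepare('UPDATE users SET status = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ii', $status, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

Both hardened handlers still need the admin session and CSRF checks that belong in front of any /admin endpoint; parameterisation fixes the injection, not the authorisation of who may call the page. Escaping with real_escape_string is not a substitute here: it does nothing for an unquoted numeric context such as WHERE id=..., which is exactly where the ID parameter lands.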
OSV
added 2025/03/26 10:15 p.m. · 1 view

CVE-2025-20228

In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.2.2403.108 and 9.1.2312.204, a low-privileged user that does not hold the "admin" or "power" Splunk roles could change the maintenance mode state of the App Key Value Store (KVStore) through a...

CVSS 6.5 · AI score 5.8 · EPSS 0.0021
Exploits 0 · References 1
CVE
added 2025/03/26 12:00 a.m. · 183 views

CVE-2024-55963

CVE-2024-55963 affects Appsmith prior to 1.51. The issue is improper access control on the restart API, allowing a non-admin user to trigger a server restart from within the Appsmith container. The impact is a denial of service on the Appsmith server (availability impact: High), with the vulnerability...

CVSS 6.5 · AI score 7.1 · EPSS 0.25006
In wild · Exploits 5 · References 1 · Affected Software 1
Vulnrichment
added 2025/03/25 6:00 a.m. · 7 views

CVE-2024-13863 Stylish Google Sheet Reader < 4.1 - Reflected XSS

The Stylish Google Sheet Reader 4.0 WordPress plugin before 4.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

AI score 6.2 · EPSS 0.00235
Exploits 1 · References 1
Cvelist
added 2025/03/25 6:00 a.m. · 15 views

CVE-2024-10703 Registrations for The Events Calendar < 2.13.4 - Admin+ Stored XSS

The Registrations for the Events Calendar WordPress plugin before 2.13.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, for example in...

EPSS 0.0024
Exploits 1 · References 1
RedhatCVE
added 2025/03/22 12:49 p.m. · 6 views

CVE-2024-0640

A stored cross-site scripting (XSS) vulnerability exists in chatwoot/chatwoot versions 3.0.0 to 3.5.1. This vulnerability allows an admin user to inject malicious JavaScript code via the dashboard app settings, which can then be executed by another admin user when they access the affected dashboard...

CVSS 5.6 · AI score 5.3 · EPSS 0.00248
Exploits 1 · References 1
OSV
added 2025/03/22 5:15 a.m. · 2 views

CVE-2024-13739

The Newsletters plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the "to" parameter in all versions up to, and including, 4.9.9.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web script...

CVSS 6.1 · AI score 5.9 · EPSS 0.00222
Exploits 0 · References 2
OSV
added 2025/03/20 10:15 a.m. · 4 views

CVE-2024-0640

A stored cross-site scripting (XSS) vulnerability exists in chatwoot/chatwoot versions 3.0.0 to 3.5.1. This vulnerability allows an admin user to inject malicious JavaScript code via the dashboard app settings, which can then be executed by another admin user when they access the affected dashboard...

CVSS 4.8 · AI score 5.4
Exploits 0 · References 2
CVE
added 2025/03/20 10:10 a.m. · 42 views

CVE-2024-0640

CVE-2024-0640 (Chatwoot) describes a stored XSS vulnerability in chatwoot/chatwoot versions 3.0.0 to 3.5.1. An admin can inject malicious JavaScript through the dashboard app settings, which can then be executed by another admin when they access the affected dashboard. The issue has been fixed in...

CVSS 5.6 · AI score 5.3 · EPSS 0.00248
Exploits 1 · References 2 · Affected Software 1
Vulnrichment
added 2025/03/20 10:10 a.m. · 5 views

CVE-2024-0640 Stored XSS in chatwoot/chatwoot

A stored cross-site scripting (XSS) vulnerability exists in chatwoot/chatwoot versions 3.0.0 to 3.5.1. This vulnerability allows an admin user to inject malicious JavaScript code via the dashboard app settings, which can then be executed by another admin user when they access the affected dashboard...

CVSS 5.6 · AI score 5.1 · EPSS 0.00248
Exploits 1 · References 2
Cvelist
added 2025/03/20 10:10 a.m. · 10 views

CVE-2024-0640 Stored XSS in chatwoot/chatwoot

A stored cross-site scripting (XSS) vulnerability exists in chatwoot/chatwoot versions 3.0.0 to 3.5.1. This vulnerability allows an admin user to inject malicious JavaScript code via the dashboard app settings, which can then be executed by another admin user when they access the affected dashboard...

CVSS 5.6 · EPSS 0.00248
Exploits 1 · References 2
Vulnrichment
added 2025/03/20 6:00 a.m. · 6 views

CVE-2024-13876 Meintopf <= 0.2.1 - Reflected XSS

The mEintopf WordPress plugin through 0.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

AI score 6.5 · EPSS 0.00255
Exploits 1 · References 1
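Most of the WordPress entries in this list fall into three patterns: a settings handler with missing nonce validation (the Insert Headers/Footers entry), a setting stored and rendered without sanitisation so that an admin can plant stored XSS even with unfiltered_html disallowed (Icegram Express, Registrations for The Events Calendar), and a query parameter echoed back unescaped as reflected XSS against an admin (Front End Users, Stylish Google Sheet Reader, Newsletters, Meintopf). The block below is an added illustration and not code from any of those plugins; it shows each pattern in its vulnerable form next to the hardened form using the WordPress APIs built for the job. The option name xmpl_footer_text, the admin-post action xmpl_save_settings, the nonce field name and the tab parameter are assumptions invented for the example.

```php
<?php
// Added illustration (not code from any plugin on this page).
// Option, action and field names below are assumptions.
const XMPL_OPTION = 'xmpl_footer_text';

// --- Vulnerable shapes -------------------------------------------------------

function xmpl_save_vulnerable() {
    // No capability check and no nonce: any page an admin's browser can be made
    // to submit from (CSRF) updates the option, and the raw value is stored as-is.
    update_option( XMPL_OPTION, $_POST['footer_text'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=xmpl&saved=1' ) );
    exit;
}

function xmpl_render_vulnerable() {
    // Reflected XSS: the query parameter is written straight into the markup.
    echo '<h2>Settings: ' . $_GET['tab'] . '</h2>';
    // Stored XSS: whatever was saved comes back as live HTML, so an admin-planted
    // <script> runs for every admin who opens the page, unfiltered_html or not.
    echo '<div class="footer-preview">' . get_option( XMPL_OPTION ) . '</div>';
}

// --- Hardened shapes ---------------------------------------------------------

function xmpl_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'xmpl' ), '', array( 'response' => 403 ) );
    }
    // Dies unless the request carries a valid nonce issued for this action.
    check_admin_referer( 'xmpl_save_settings', 'xmpl_nonce' );

    $raw = isset( $_POST['footer_text'] ) ? wp_unslash( $_POST['footer_text'] ) : '';
    // Keep only the post-safe HTML subset: drops <script>, on* handlers and
    // javascript: URLs regardless of the caller's unfiltered_html capability.
    update_option( XMPL_OPTION, wp_kses_post( $raw ) );

    wp_safe_redirect( add_query_arg( 'saved', '1', admin_url( 'options-general.php?page=xmpl' ) ) );
    exit;
}

function xmpl_render_hardened() {
    // sanitize_key() reduces the parameter to [a-z0-9_-]; esc_html() escapes it
    // for the HTML context it is printed in.
    $tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
    echo '<h2>Settings: ' . esc_html( $tab ) . '</h2>';

    // Filter again on output, so a value written by older unsanitised code is
    // still neutralised when rendered.
    echo '<div class="footer-preview">' . wp_kses_post( get_option( XMPL_OPTION, '' ) ) . '</div>';

    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'xmpl_save_settings', 'xmpl_nonce' );
    echo '<input type="hidden" name="action" value="xmpl_save_settings">';
    echo '<textarea name="footer_text">' . esc_textarea( get_option( XMPL_OPTION, '' ) ) . '</textarea>';
    submit_button();
    echo '</form>';
}

add_action( 'admin_post_xmpl_save_settings', 'xmpl_save_hardened' );
```

The two checks at the top of xmpl_save_hardened are independent: current_user_can() answers who is acting, check_admin_referer() answers whether this request was intentionally sent from the plugin's own form. A nonce without the capability check still lets a low-privileged user who can obtain a nonce write the option, and a capability check without the nonce is the CSRF described in the Insert Headers/Footers entry. For fields that should never contain markup at all, sanitize_text_field() on save plus esc_html() on output is the stricter choice than wp_kses_post().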