59 matches found

Source: CVE, added 3 days ago, 9 views

CVE-2026-8444

CVE-2026-8444 affects WordPress WP Review Slider Pro (get_results() without $wpdb->prepare()). This allows authenticated attackers with Subscriber-level access or higher to append additional SQL queries to existing queries and potentially extract sensitive database information. The provided met...

CVSS 8.8, AI score 5.8, EPSS 0.00253
Exploits: 0, References: 2
Source: NVD, added 3 days ago, 9 views

CVE-2026-9187

The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the actionremoveabandoned function, which is registered to both the...

CVSS 5.3, EPSS 0.00228
Exploits: 0, References: 4
Source: RedhatCVE, added 2026/06/05 7:50 p.m., 6 views

CVE-2026-7392

A vulnerability has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. This impacts the function deletesupplier of the file /ajax.php?action=deletesupplier. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been...

CVSS 6.5, AI score 6.5, EPSS 0.00192
Exploits: 0, References: 1
Source: Cvelist, added 2026/05/28 12:00 a.m., 25 views

CVE-2026-30760

An issue in SourceBans Material Admin before v.1.1.6 3ecd95e allows attackers to manipulate arbitrary user data in the web app via a crafted XAJAX call...

EPSS 0.00308
Exploits: 0, References: 4
Source: CVE, added 2025/11/13 1:23 p.m., 16 views

CVE-2025-41069

The vulnerability is an Insecure Direct Object Reference (IDOR) in DeporSite of T-INNOVA. An attacker can manipulate requests via the idUsuario parameter in /ajax/TInnova_v2/Formulario_Consentimiento/llamadaAjax/obtenerDatosConsentimientos to access or modify resources they should not. Documented...

CVSS 5.3, AI score 6.3, EPSS 0.00215
Exploits: 0, References: 1
Source: EUVD, added 2025/10/07 12:30 a.m., 2 views

EUVD-2019-16518

Malware in sbrugna...

CVSS 8.8, AI score 8.8, EPSS 0.01788
Exploits: 0, References: 2
Source: EUVD, added 2025/10/07 12:30 a.m., 6 views

EUVD-2021-11837

Malware in sbrugna...

CVSS 6.1, AI score 6.2, EPSS 0.00795
Exploits: 2, References: 2
Source: OSV, added 2025/07/12 12:15 p.m., 3 views

CVE-2021-4458

The Modern Events Calendar Lite plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'wpajaxmecloadsinglepage' AJAX action in all versions up to, and including, 6.3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVSS 9.8, AI score 5.8, EPSS 0.00354
Exploits: 0, References: 2
Source: RedhatCVE, added 2025/05/23 10:02 a.m., 7 views

CVE-2024-29809

The imageurl parameter of the AJAX call to the editimagebwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the imageurl parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. The...

CVSS 5.4, AI score 6.7, EPSS 0.00412
Exploits: 1, References: 1
Source: RedhatCVE, added 2025/05/23 10:02 a.m., 4 views

CVE-2024-29810

The thumburl parameter of the AJAX call to the editimagebwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the thumburl parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. The...

CVSS 5.4, AI score 6.7, EPSS 0.00412
Exploits: 1, References: 1
Source: RedhatCVE, added 2025/05/22 9:04 p.m., 6 views

CVE-2021-24626

The Chameleon CSS WordPress plugin through 1.2 does not have any CSRF and capability checks in all its AJAX calls, allowing any authenticated user, such as subscriber, to call them and perform unauthorised actions. One of the AJAX calls, removecss, also does not sanitise or escape the cssid POST...

CVSS 8.8, AI score 7, EPSS 0.00712
Exploits: 2, References: 1
Source: OSV, added 2024/10/24 10:15 p.m., 3 views

CVE-2024-10349

A vulnerability was found in SourceCodester Best House Rental Management System 1.0 and classified as critical. Affected by this issue is the function deletetenant of the file /ajax.php?action=deletetenant. The manipulation of the argument id leads to sql injection. The attack may be launched...

CVSS 9.8, AI score 5.8, EPSS 0.00556
Exploits: 1, References: 5
Source: OSV, added 2024/06/19 9:15 p.m., 2 views

CVE-2024-36678

In the module "Theme settings" pkthemesettings = 1.8.8 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The script ajax.php has a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection...

CVSS 9.8, AI score 5.8
Exploits: 0, References: 1
Source: NVD, added 2024/03/26 4:15 p.m., 11 views

CVE-2024-29808

The imageid parameter of the AJAX call to the editimagebwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the imageid parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. The...

CVSS 5.4, AI score 5.4, EPSS 0.00412
Exploits: 1, References: 2
Source: NVD, added 2024/03/26 4:15 p.m., 11 views

CVE-2024-29810

The thumburl parameter of the AJAX call to the editimagebwg action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the thumburl parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. The...

CVSS 5.4, AI score 5.4, EPSS 0.00412
Exploits: 1, References: 2
Source: CVE, added 2024/03/26 3:28 p.m., 64 views

CVE-2024-29810

CVE-2024-29810 details (mode C) : Affected software is the 10Web Photo Gallery WordPress plugin. The vulnerability is a reflected Cross-Site Scripting via the thumb_url parameter in the AJAX response for editimage_bwg in admin-ajax.php. The flaw allows arbitrary JavaScript to be inserted and exec...

CVSS 5.4, AI score 5.8, EPSS 0.00412
Exploits: 1, References: 2, Affected software: 1
Source: CVE, added 2024/03/26 3:27 p.m., 86 views

CVE-2024-29809

CVE-2024-29809 is a reflected XSS in the Photo Gallery WordPress plugin (referenced by RH CVE) where the image_url parameter in the admin-ajax.php editimage_bwg action is echoed into JavaScript in the response. This requires an authenticated user with access to the component. The Red Hat entry re...

CVSS 5.4, AI score 5.8, EPSS 0.00412
Exploits: 1, References: 2, Affected software: 1
Source: CVE, added 2024/03/26 3:26 p.m., 70 views

CVE-2024-29808

CVE-2024-29808 affects the Photo Gallery WordPress plugin family (e.g., 10Web Photo Gallery). It describes a reflected XSS in the image_id parameter of the admin-ajax.php editimage_bwg AJAX action, where the image_id value is echoed within existing JavaScript in the response, enabling arbitrary s...

CVSS 5.4, AI score 5.8, EPSS 0.00412
Exploits: 1, References: 2, Affected software: 1
Source: CVE, added 2024/03/26 3:24 p.m., 67 views

CVE-2024-29832

CVE-2024-29832 affects the Photo Gallery WordPress plugin. The vulnerability is a reflected XSS in the current_url parameter of the admin-ajax.php GalleryBox AJAX call, where the current_url value is embedded into existing JavaScript in the response, allowing arbitrary JavaScript execution. Explo...

CVSS 6.1, AI score 6.7, EPSS 0.00446
Exploits: 1, References: 2, Affected software: 1
Source: Vulnrichment, added 2024/03/26 3:24 p.m., 8 views

CVE-2024-29832 WordPress Photo Gallery Plugin <= 1.8.21 Unauthenticated Reflected Cross Site Scripting in GalleryBox current_url

The currenturl parameter of the AJAX call to the GalleryBox action of admin-ajax.php is vulnerable to reflected Cross Site Scripting. The value of the currenturl parameter is embedded within an existing JavaScript within the response allowing arbitrary JavaScript to be inserted and executed. No...

CVSS 6.1, AI score 7, EPSS 0.00446
Exploits: 1, References: 2