1177 matches found

CVE
added 2025/08/05 6:39 a.m. · 16 views

CVE-2025-8315

The CVE-2025-8315 entry concerns the WordPress WP Easy Contact plugin. A stored cross-site scripting flaw exists in the noaccess_msg parameter affecting all versions up to 4.0.1 due to insufficient input sanitization and output escaping. Authenticated attackers with Contributor-level access or hi...

CVSS 6.4 · AI score 5.6 · EPSS 0.00203
Exploits: 0 · References: 4

RedhatCVE
added 2025/08/04 9:33 a.m. · 3 views

CVE-2013-10053

A remote command execution vulnerability exists in ZPanel version 10.0.0.2 in its htpasswd module. When creating .htaccess files, the inHTUsername field is passed unsanitized to a system call that invokes the system’s htpasswd binary. By injecting shell metacharacters into the username field, an...

CVSS 8.7 · AI score 7.8 · EPSS 0.79731
Exploits: 0 · References: 1

Cvelist
added 2025/08/02 7:24 a.m. · 6 views

CVE-2025-8212 Medical Addon for Elementor <= 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typewriter Widget

The Medical Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typewriter widget in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVSS 6.4 · EPSS 0.00163
Exploits: 0 · References: 3

CVE
added 2025/08/02 2:15 a.m. · 19 views

CVE-2025-6076

CVE-2025-6076 affects Partner Software’s Partner Software application and Partner Web application. The vulnerability arises from insufficient sanitization of files uploaded via the Reports tab, enabling an authenticated user to upload a malicious file and potentially compromise the device. The is...

CVSS 8.8 · AI score 7 · EPSS 0.00288
Exploits: 0 · References: 3

CVE
added 2025/08/01 8:44 p.m. · 14 views

CVE-2013-10062

This CVE describes a directory traversal vulnerability in Linksys E1500 routers, affecting firmware 1.0.00, 1.0.04, and 1.0.05. The flaw is in the web interface’s /apply.cgi endpoint, exploitable via the next_page POST parameter to access files outside the web root, potentially exposing sensitive...

CVSS 6.9 · AI score 7.2 · EPSS 0.64835
Exploits: 0 · References: 4

Cvelist
added 2025/08/01 8:44 p.m. · 10 views

CVE-2013-10062 Linksys Routers apply.cgi Path Traversal

A directory traversal vulnerability exists in Linksys router's web interface tested on the E1500 model firmware versions 1.0.00, 1.0.04, and 1.0.05, specifically in the /apply.cgi endpoint. Authenticated attackers can exploit the next_page POST parameter to access arbitrary files outside the...

CVSS 6.9 · EPSS 0.64835
Exploits: 0 · References: 4

Vulnrichment
added 2025/07/30 8:23 a.m. · 1 view

CVE-2025-6348 Smart Slider 3 <= 3.5.1.28 - Authenticated (Administrator+) SQL Injection via `sliderid` Parameter

The Smart Slider 3 plugin for WordPress is vulnerable to time-based SQL Injection via the ‘sliderid’ parameter in all versions up to, and including, 3.5.1.28 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

CVSS 4.9 · AI score 7.6 · EPSS 0.00224
Exploits: 0 · References: 2

CVE
added 2025/07/29 7:42 p.m. · 17 views

CVE-2025-5684

CVE-2025-5684: MetForm – WordPress plugin vulnerable to Stored Cross-Site Scripting via the mf-template DOM element in all versions up to and including 4.0.1. An authenticated attacker with Contributor-level access or higher can inject scripts executed by users on injected pages. Public sources ...

CVSS 6.4 · AI score 5.8 · EPSS 0.00164
Exploits: 0 · References: 2

Cvelist
added 2025/07/29 11:19 a.m. · 7 views

CVE-2025-5587 Appzend <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via progressbarLayout Parameter

The Appzend theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘progressbarLayout’ parameter in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level...

CVSS 6.4 · EPSS 0.00203
Exploits: 0 · References: 4

Vulnrichment
added 2025/07/29 9:23 a.m. · 1 view

CVE-2025-6681 Fan Page <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via width Parameter

The Fan Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width’ parameter in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...

CVSS 6.4 · AI score 5.5 · EPSS 0.00164
Exploits: 0 · References: 2

Vulnrichment
added 2025/07/29 3:41 a.m. · 1 view

CVE-2025-7810 StreamWeasels Kick Integration <= 1.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

The StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'data-uuid' attribute in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible fo...

CVSS 5.4 · AI score 5.5 · EPSS 0.00122
Exploits: 0 · References: 3

Positive Technologies
added 2025/07/29 12:0 a.m. · 7 views

PT-2025-31172 · Samsung · Samsung Dms

Name of the Vulnerable Software and Affected Versions: Samsung DMS Data Management Server, affected versions not specified
Description: An improper limitation of a pathname to a restricted directory 'Path Traversal' exists in Samsung DMS Data Management Server. This allows authenticated attackers ...

CVSS 7.1 · AI score 6.4 · EPSS 0.00284
Exploits: 0 · References: 5

RedhatCVE
added 2025/07/25 9:29 a.m. · 9 views

CVE-2025-41683

An authenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to improper sanitizing of user input in the Main Web Interface endpoint eventmailtest...

CVSS 8.8 · AI score 8 · EPSS 0.00906
Exploits: 0 · References: 1

RedhatCVE
added 2025/07/24 10:30 p.m. · 7 views

CVE-2025-54140

pyLoad is a free and open-source Download Manager written in pure Python. In version 0.5.0b3.dev89, an authenticated path traversal vulnerability exists in the /json/upload endpoint of pyLoad. By manipulating the filename of an uploaded file, an attacker can traverse out of the intended upload...

CVSS 7.5 · AI score 7.9 · EPSS 0.01564
Exploits: 0 · References: 1

Vulnrichment
added 2025/07/24 9:22 a.m. · 2 views

CVE-2025-7959 Station Pro <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via width and height Parameters

The Station Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width’ and ‘height’ parameters in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-lev...

CVSS 6.4 · AI score 5.6 · EPSS 0.00163
Exploits: 0 · References: 3

Cvelist
added 2025/07/24 9:22 a.m. · 6 views

CVE-2025-6539 Voltax Video Player <= 1.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

The Voltax Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level acces...

CVSS 6.4 · EPSS 0.00164
Exploits: 0 · References: 2

Cvelist
added 2025/07/24 9:22 a.m. · 4 views

CVE-2025-6382 Taeggie Feed <= 0.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via name Attribute

The Taeggie Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's taeggie-feed shortcode in all versions up to, and including, 0.1.10. The plugin’s render method takes the user-supplied name attribute and injects it directly into a tag - both in the id attribute...

CVSS 6.4 · EPSS 0.00203
Exploits: 0 · References: 4

Cvelist
added 2025/07/24 9:22 a.m. · 7 views

CVE-2025-3669 Supreme Addons for Beaver Builder <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via auto_qrcodesabb Shortcode

The Supreme Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's auto_qrcodesabb shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVSS 6.4 · EPSS 0.00274
Exploits: 0 · References: 3

CVE
added 2025/07/24 9:22 a.m. · 19 views

CVE-2025-6387

The WP Get The Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url parameter in versions up to 1.5. Authenticated attackers with Contributor-level access and above can inject scripts that execute when a user visits the affected page. The vulnerability details and r...

CVSS 6.4 · AI score 5.5 · EPSS 0.00163
Exploits: 0 · References: 3

CVE
added 2025/07/24 3:39 a.m. · 23 views

CVE-2025-4968

The CVE-2025-4968 entry concerns the WPBakery Page Builder for WordPress plugin (affected: WPBakery Page Builder

CVSS 6.4 · AI score 5.4 · EPSS 0.00123
Exploits: 0 · References: 2 · Affected Software: 1