CVE-2024-51979 Authenticated stack based buffer overflow affecting multiple models from Brother Industries, Ltd, FUJIFILM Business Innovation, Ricoh, and Konica Minolta, Inc.

An authenticated attacker may trigger a stack based buffer overflow by performing a malformed request to either the HTTP service TCP port 80, the HTTPS service TCP port 443, or the IPP service TCP port 631. The malformed request will contain an empty Origin header value and a malformed Referer...

CVE-2024-51979 Authenticated stack based buffer overflow affecting multiple models from Brother Industries, Ltd, FUJIFILM Business Innovation, Ricoh, and Konica Minolta, Inc.

An authenticated attacker may trigger a stack based buffer overflow by performing a malformed request to either the HTTP service TCP port 80, the HTTPS service TCP port 443, or the IPP service TCP port 631. The malformed request will contain an empty Origin header value and a malformed Referer...

CVE-2025-5585

The CVE-2025-5585 entry concerns the SiteOrigin Widgets Bundle plugin for WordPress. A Stored Cross-Site Scripting flaw exists in all versions up to 1.68.4 (and discussed variants up to 1.68.5 in related advisories) due to insufficient input sanitization and output escaping, specifically via the ...

CVE-2024-56916

A cross-site scripting flaw was found in Netbox. An attacker with an authenticated account on the system can add malicious Javascript code to a banner field and potentially execute this code in the context of another user's session. Mitigation Mitigation for this issue is either not available or...

CVE-2025-5258 Conference Scheduler <= 2.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter

The Conference Scheduler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-lev...

CVE-2024-56916

In Netbox Community 4.1.7, once authenticated, Configuration History Addis vulnerable to cross-site scripting XSS due to the current value field rendering user supplied html. An authenticated attacker can leverage this to add malicious JavaScript to the any banner field. Once a victim edits a...

CVE-2024-56916

In Netbox Community 4.1.7, once authenticated, Configuration History Addis vulnerable to cross-site scripting XSS due to the current value field rendering user supplied html. An authenticated attacker can leverage this to add malicious JavaScript to the any banner field. Once a victim edits a...

CVE-2024-56916

CVE-2024-56916 (NetBox Community 4.1.7) is a cross-site scripting (XSS) vulnerability in the Configuration History &gt; Add feature, caused by the current value field rendering user-supplied HTML. An authenticated attacker can inject malicious JavaScript into the banner field, and the payload tri...

CVE-2025-52922

CVE-2025-52922 affects Innoshop up to 0.4.1, where a directory-traversal flaw in the FileManager API endpoints allows an authenticated admin to map the filesystem, create directories, read files, delete files, and create files by moving them. Affected endpoints include /api/file_manager/files?bas...

CVE-2025-52921

Innoshop up to version 0.4.1 contains a server-side code execution flaw in the File Manager of the admin panel. An authenticated attacker can upload a crafted file and bypass the image-only check by renaming the file to a .php extension (renaming function), enabling a subsequent GET request to ex...

CVE-2025-34510

Sitecore Experience Manager XM, Experience Platform XP, and Experience Commerce XC versions 9.0 through 9.3 and 10.0 through 10.4 are affected by a Zip Slip vulnerability. A remote, authenticated attacker can exploit this issue by sending a crafted HTTP request to upload a ZIP archive containing...

CVE-2025-5673

The CVE-2025-5673 entry concerns WordPress Blog2Social: Social Media Auto Post & Scheduler plugin. Affected versions up to 8.4.4 are vulnerable to SQL Injection via the prgSortPostType parameter, caused by insufficient escaping of user input and inadequate query preparation. This allows authentic...

CVE-2025-5923

The Game Review Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 4.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level...

CVE-2025-6070 Restrict File Access <= 1.1.2 - Authenticated (Subscriber+) Arbitrary File Read

The Restrict File Access plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.2 via the output function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server...

CVE-2025-4216 DIOT SCADA with MQTT <= 1.0.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The DIOT SCADA with MQTT plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'diot' shortcode in all versions up to, and including, 1.0.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...

CVE-2025-5123 Contact Us Page – Contact People <= 3.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via style Parameter

The Contact Us Page – Contact People plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ parameter in all versions up to, and including, 3.7.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2025-5233 Color Palette <= 4.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via hex Parameter

The Color Palette plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hex’ parameter in all versions up to, and including, 4.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...

CVE-2025-4586

CVE-2025-4586 affects the WordPress plugin IRM Newsroom (WordPress) up to version 1.2.17; the vulnerability is a stored XSS via the irmcalendarview shortcode due to insufficient input sanitization and output escaping. Exploitation requires an authenticated attacker with contributor-level access o...

CVE-2025-4584 IRM Newsroom <= 1.2.17 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'irmeventlist' Shortcode

The IRM Newsroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irmeventlist' shortcode in all versions up to, and including, 1.2.17 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...

CVE-2025-4585 IRM Newsroom <= 1.2.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'irmflat' Shortcode

The IRM Newsroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'irmflat' shortcode in all versions up to, and including, 1.2.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...