
1178 matches found

CVE
added 2025/04/08 7:01 a.m. | 63 views

CVE-2025-3429

CVE-2025-3429 affects the WordPress plugin 3DPrint Lite (versions up to 2.1.3.6). The vulnerability is an authenticated (Admin+) SQL Injection via the material_text parameter due to insufficient escaping in the query, enabling an attacker with admin privileges to append additional SQL statements ...

CVSS 4.9 | AI score 7.8 | EPSS 0.00162
Exploits 0 | References 2 | Affected software 1
Positive Technologies
added 2025/04/08 12:00 a.m. | 2 views

PT-2025-15470

Name of the vulnerable software and affected versions: AOS-10 GW (affected versions not specified); AOS-8 Controller/Mobility Conductor (affected versions not specified). Description: Arbitrary File Write vulnerabilities exist in the web-based management interface of both the AOS-10 GW and AOS-8...

CVSS 7.2 | AI score 6.8 | EPSS 0.0048
Exploits 0 | References 5
GithubExploit
added 2025/04/04 8:13 a.m. | 293 views

Exploit for CVE-2025-30911

Exploit for CVE-2025-30911 – WordPress RomethemeKit = 1.5.4...

CVSS 9.9 | AI score 7.8 | EPSS 0.00338
Exploits 2
Vulnrichment
added 2025/04/04 7:00 a.m. | 8 views

CVE-2025-2780 Woffice Core <= 5.4.21 - Authenticated (Subscriber+) Arbitrary File Upload

The Woffice Core plugin for WordPress, used by the Woffice Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'saveFeaturedImage' function in all versions up to, and including, 5.4.21. This makes it possible for authenticated attackers, with Subscriber-level...

CVSS 8.8 | AI score 8 | EPSS 0.03517
Exploits 0 | References 2
Cvelist
added 2025/04/04 5:22 a.m. | 12 views

CVE-2024-13898 Simple Banner <= 3.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.5 due to insufficient input sanitization and output...

CVSS 4.4 | EPSS 0.00235
Exploits 0 | References 2
CVE
added 2025/04/03 7:21 a.m. | 44 views

CVE-2024-13673

CVE-2024-13673 affects the Big Boom Directory plugin for WordPress. It is a Stored XSS via the plugin's bbd-search shortcode in all versions up to 2.5.0, caused by insufficient input sanitization and output escaping. Authenticated users with contributor-level access can inject scripts that execut...

CVSS 6.4 | AI score 5.9 | EPSS 0.00326
Exploits 0 | References 3
Cisco
added 2025/04/02 4:00 p.m. | 22 views

Cisco Meraki MX and Z Series AnyConnect VPN Denial of Service Vulnerability

A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series devices could allow an authenticated, remote attacker to cause a denial of service (DoS) condition in the Cisco AnyConnect service on an affected device. To exploit this vulnerability, the attacker must...

CVSS 7.7 | AI score 7.2 | EPSS 0.00415
Exploits 0 | References 1
CNNVD
added 2025/03/29 12:00 a.m. | 1 view

WordPress plugin Inline Image Upload for BBPress code issue vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language; it supports personal blog sites on servers with PHP and MySQL. A WordPress plugin is an application plugin. A code issue vulnerability exists in...

CVSS 8.8 | AI score 8.7 | EPSS 0.00545
Exploits 0 | References 4
RedhatCVE
added 2025/03/27 1:36 p.m. | 10 views

CVE-2024-11499

A vulnerability exists in the RTU500 IEC 60870-4-104 controlled station functionality that allows an authenticated and authorized attacker to perform a CMU restart. The vulnerability can be triggered if certificates are updated while in use on active connections. The affected CMU will automatically...

CVSS 6.9 | AI score 6.6 | EPSS 0.00186
Exploits 0 | References 1
Cvelist
added 2025/03/26 11:55 a.m. | 12 views

CVE-2025-1913 Product Import Export for WooCommerce <= 2.5.0 - Authenticated (Admin+) PHP Object Injection via form_data Parameter

The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.5.0 via deserialization of untrusted input from the 'formdata' parameter. This makes it possible for authenticated attacker...

CVSS 7.2 | EPSS 0.00263
Exploits 0 | References 5
Vulnrichment
added 2025/03/26 2:23 a.m. | 4 views

CVE-2025-2573 Amazing service box Addons For WPBakery Page Builder <= 2.0.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The Amazing service box Addons For WPBakery Page Builder (formerly Visual Composer) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible f...

CVSS 6.4 | AI score 6 | EPSS 0.00137
Exploits 0 | References 4
Cvelist
added 2025/03/25 5:22 a.m. | 14 views

CVE-2025-0845 DesignThemes Core Features <= 4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The DesignThemes Core Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 4.8 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with...

CVSS 6.4 | EPSS 0.0013
Exploits 0 | References 2
Vulnrichment
added 2025/03/25 4:42 a.m. | 4 views

CVE-2024-10207 Server-Side Request Forgery (authenticated) in APROL Web Portal

A Server-Side Request Forgery vulnerability in the APROL Web Portal used in B&R APROL 4.4-00P5 may allow an authenticated network-based attacker to force the web server to request arbitrary URLs...

CVSS 5.3 | AI score 7.1 | EPSS 0.00257
Exploits 0 | References 1
Cvelist
added 2025/03/22 6:41 a.m. | 11 views

CVE-2025-2478 Code Clone <= 0.9 - Authenticated (Administrator+) SQL Injection via snippetId Parameter

The Code Clone plugin for WordPress is vulnerable to time-based SQL Injection via the 'snippetId' parameter in all versions up to, and including, 0.9 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible fo...

CVSS 4.9 | EPSS 0.00102
Exploits 0 | References 3
Cvelist
added 2025/03/22 6:41 a.m. | 14 views

CVE-2025-2303 Block Logic <= 1.0.8 - Authenticated (Contributor+) Remote Code Execution

The Block Logic – Full Gutenberg Block Display Control plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.8 via the blocklogicchecklogic function. This is due to the unsafe evaluation of user-controlled input. This makes it possible for...

CVSS 8.8 | EPSS 0.02199
Exploits 0 | References 3
Vulnrichment
added 2025/03/19 11:10 a.m. | 10 views

CVE-2025-2511 AHAthat Plugin <= 1.6 - Authenticated (Administrator+) SQL Injection via id Parameter

The AHAthat Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' parameter in all versions up to, and including, 1.6 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

CVSS 4.9 | AI score 7.5 | EPSS 0.0011
Exploits 0 | References 2
NVD
added 2025/03/13 5:15 a.m. | 7 views

CVE-2025-1503

The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Roundup Recipe Name field in all versions up to, and including, 9.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-leve...

CVSS 6.4 | EPSS 0.00114
Exploits 0 | References 2
RedhatCVE
added 2025/03/13 3:44 a.m. | 10 views

CVE-2024-12010

A post-authentication command injection vulnerability in the "zyUtilMailSend" function of the Zyxel AX7501-B1 firmware version V5.17ABPC.5.3C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device...

CVSS 7.2 | AI score 7.6 | EPSS 0.00322
Exploits 0 | References 1
RedhatCVE
added 2025/03/13 3:43 a.m. | 4 views

CVE-2024-11253

A post-authentication command injection vulnerability in the "DNSServer" parameter of the diagnostic function in the Zyxel VMG8825-T50K firmware version V5.50ABOM.8.5C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a...

CVSS 7.2 | AI score 7.6 | EPSS 0.0034
Exploits 0 | References 1
ATTACKERKB
added 2025/03/11 3:15 p.m. | 1 view

CVE-2023-37933

An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability [CWE-79] in FortiADC GUI versions 7.4.0, 7.2.0 through 7.2.1, and before 7.1.3 allows an authenticated attacker to perform an XSS attack via crafted HTTP or HTTPS requests...

CVSS 8.8 | AI score 5.8 | EPSS 0.00403
Exploits 0 | References 2 | Affected software 1