21 matches found

Positive Technologies
added 2026/06/06 12:00 a.m. · 9 views

PT-2026-47129

Name of the Vulnerable Software and Affected Versions: LearnPress – Backup & Migration Tool versions prior to 4.1.5. Description: The plugin is susceptible to PHP Object Injection due to the deserialization of untrusted input. This allows authenticated attackers with administrator-level access or...

CVSS 6.6 · AI score 5.8 · EPSS 0.0045
Exploits 0 · References 12
RedhatCVE
added 2026/01/07 9:09 a.m. · 11 views

CVE-2024-2694

The Betheme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 27.5.6 via deserialization of untrusted input of the 'mfn-page-items' post meta value. This makes it possible for authenticated attackers, with contributor-level access and above, to inject...

CVSS 8.8 · AI score 7.2 · EPSS 0.00623
Exploits 0 · References 1
Positive Technologies
added 2025/09/22 12:00 a.m. · 5 views

PT-2025-38931

Name of the Vulnerable Software and Affected Versions: weDevs WP Project Manager versions through 2.6.25. Description: The software contains hard-coded credentials, potentially allowing retrieval of embedded sensitive data. Recommendations: Update weDevs WP Project Manager to a version later than...

CVSS 5.3 · AI score 6.6 · EPSS 0.0027
Exploits 0 · References 3
RedhatCVE
added 2025/04/06 6:31 a.m. · 11 views

CVE-2024-13645

The tagDiv Composer plugin for WordPress is vulnerable to PHP Object Instantiation in all versions up to, and including, 5.3 via the module parameter. This makes it possible for unauthenticated attackers to instantiate a PHP Object. No known POP chain is present in the vulnerable software, which mean...

CVSS 9.8 · AI score 7.4 · EPSS 0.00576
Exploits 0 · References 1
NVD
added 2025/03/05 10:15 a.m. · 7 views

CVE-2024-13787

The VEDA - MultiPurpose WordPress Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.2 via deserialization of untrusted input in the 'vedabackupandrestoreaction' function. This makes it possible for authenticated attackers, with Subscriber-leve...

CVSS 9.8 · EPSS 0.00613
Exploits 0 · References 2
RedhatCVE
added 2025/02/20 5:29 a.m. · 7 views

CVE-2024-13556

The Affiliate Links: WordPress Plugin for Link Cloaking and Link Management plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.1 via deserialization of untrusted input from a file export. This makes it possible for unauthenticated attackers to...

CVSS 9.8 · AI score 7.5 · EPSS 0.00536
Exploits 0 · References 1
RedhatCVE
added 2025/02/17 10:15 a.m. · 10 views

CVE-2024-12562

The s2Member Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 241216 via deserialization of untrusted input from the 's2memberproremoteop' vulnerable parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No know...

CVSS 9.8 · AI score 9.7 · EPSS 0.00876
Exploits 0 · References 1
RedhatCVE
added 2025/02/05 11:42 a.m. · 5 views

CVE-2024-7560

The News Flash theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.0 via deserialization of untrusted input from the newsflashpostmeta meta value. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PH...

CVSS 7.2 · AI score 7.2 · EPSS 0.0062
Exploits 0 · References 1
RedhatCVE
added 2025/02/05 12:11 a.m. · 10 views

CVE-2024-4733

The ShiftController Employee Shift Scheduling plugin is vulnerable to PHP Object Injection via deserialization of untrusted input from the hc3session cookie in versions up to, and including, 4.9.57. This makes it possible for an authenticated attacker with contributor access level or above to inje...

CVSS 7.5 · AI score 7.1 · EPSS 0.00588
Exploits 0 · References 1
NVD
added 2025/01/31 9:15 a.m. · 5 views

CVE-2025-24597

Insertion of Sensitive Information Into Sent Data vulnerability in Dmitry V. CEO of "UKR Solution" Barcode Generator for WooCommerce embedding-barcodes-into-product-pages-and-orders allows Retrieve Embedded Sensitive Data. This issue affects Barcode Generator for WooCommerce: from n/a through =...

CVSS 6.5 · EPSS 0.00323
Exploits 0 · References 1
CVE
added 2024/12/07 11:09 a.m. · 55 views

CVE-2024-11501

CVE-2024-11501 concerns the WordPress Gallery plugin (versions

CVSS 8.8 · AI score 8.8 · EPSS 0.00627
Exploits 0 · References 2
CVE
added 2024/12/07 9:26 a.m. · 52 views

CVE-2024-12253

CVE-2024-12253 concerns the WordPress plugin “Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal” (versions up to 3.1.2). The issue is a missing capability check on actions including ‘save_settings’, ‘export_csv’, and ‘simpleecommcart-action’, which allows an attacker with subscr...

CVSS 5.4 · AI score 5.3 · EPSS 0.00252
Exploits 0 · References 2
NVD
added 2024/10/04 12:15 p.m. · 9 views

CVE-2024-6400

Cleartext Storage of Sensitive Information, Exposure of Sensitive Information Through Data Queries vulnerability in Finrota Netahsilat allows Retrieve Embedded Sensitive Data, Authentication Bypass, IMAP/SMTP Command Injection, Collect Data from Common Resource Locations. This issue solved in...

CVSS 8.2 · EPSS 0.00611
Exploits 0 · References 2
CVE
added 2024/09/12 1:03 p.m. · 48 views

CVE-2024-3305

The CVE-2024-3305 issue affects Utarit Information SoliClub (mobile app). It is an Authorization Bypass Through a User-Controlled Key that enables retrieval of embedded sensitive data due to missing authorization checks. Affected versions are SoliClub on iOS before 4.4.0 and Android before 5.2.1....

CVSS 8.8 · AI score 5.8 · EPSS 0.00385
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2024/05/04 3:31 a.m. · 16 views

CVE-2024-3240 ConvertPlug <= 3.5.25 - Authenticated (Contributor+) PHP Object Injection

The ConvertPlug plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.25 via deserialization of untrusted input from the 'settingsencoded' attribute of the 'smileinfobar' shortcode. This makes it possible for authenticated attackers, with...

CVSS 8.8 · AI score 9.3 · EPSS 0.00769
Exploits 0 · References 2
CNNVD
added 2024/04/12 12:00 a.m. · 2 views

OpenGnsys SQL injection vulnerability

OpenGnsys is an open source computing device management software from the Spanish OpenGnsys project. A SQL injection vulnerability exists in OpenGnsys version 1.1.1d Espeto, which allows an attacker to inject malicious SQL code into th...

CVSS 9.8 · AI score 7.7 · EPSS 0.00729
Exploits 0 · References 2
Positive Technologies
added 2024/03/21 12:00 a.m. · 1 view

PT-2024-22976 · Abast · Scan Visio Edocument Suite Web Viewer

Name of the Vulnerable Software and Affected Versions: SCAN VISIO eDocument Suite Web Viewer of Abast, affected versions not specified. Description: A SQL Injection issue has been discovered, allowing an unauthenticated user to retrieve, update, and delete all database information. This issue was...

CVSS 9.8 · AI score 8.2 · EPSS 0.00548
Exploits 0 · References 6
OSV
added 2024/02/13 1:15 a.m. · 4 views

CVE-2023-49339

Ellucian Banner 9.17 allows Insecure Direct Object Reference (IDOR) via a modified bannerId to the /StudentSelfService/ssb/studentCard/retrieveData endpoint...

CVSS 6.5 · AI score 5.8 · EPSS 0.00589
Exploits 1 · References 2
Prion
added 2024/02/13 1:15 a.m. · 16 views

Design/Logic Flaw

Ellucian Banner 9.17 allows Insecure Direct Object Reference (IDOR) via a modified bannerId to the /StudentSelfService/ssb/studentCard/retrieveData endpoint...

AI score 7.1 · EPSS 0.00589
Exploits 1 · References 2
CNNVD
added 2024/02/13 12:00 a.m. · 3 views

Ellucian Security Breach

Ellucian is Ellucian's open and flexible technology ecosystem supporting SaaS. A security vulnerability exists in Ellucian Banner version 9.17 and earlier, which stems from an insecure direct object reference (IDOR) vulnerability in the endpoint /StudentSelfService/ssb/studentCard/retrieveData...

CVSS 6.5 · AI score 6.8 · EPSS 0.00589
Exploits 1 · References 3