CVE-2024-13537

The C9 Blocks plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.7.7. This is due the plugin containing a publicly accessible composer-setup.php file with error display enabled. This makes it possible for unauthenticated attackers to retrieve the fu...

CVE-2024-13537 C9 Blocks <= 1.7.7 - Unauthenticated Full Path Disclosure

The C9 Blocks plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.7.7. This is due the plugin containing a publicly accessible composer-setup.php file with error display enabled. This makes it possible for unauthenticated attackers to retrieve the fu...

CVE-2024-13535

The Actionwear products sync plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.3.0. This is due the composer-setup.php file being publicly accessible with 'displayerrors' set to true. This makes it possible for unauthenticated attackers to retrieve...

CVE-2024-13535 Actionwear products sync <= 2.3.2 - Unauthenticated Full Patch Disclosure

The Actionwear products sync plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.3.2. This is due the composer-setup.php file being publicly accessible with 'displayerrors' set to true. This makes it possible for unauthenticated attackers to retrieve...

PT-2025-6562 · WordPress · Actionwear Products Sync Plugin

Name of the Vulnerable Software and Affected Versions: Actionwear products sync plugin for WordPress versions up to, and including, 2.3.0 Description: The issue is due to the composer-setup.php file being publicly accessible with display errors set to true, allowing unauthenticated attackers to...

Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection

Our Threat Hunting team discusses Earth Preta’s latest technique, in which the APT group leverages MAVInject and Setup Factory to deploy payloads, bypass ESET antivirus, and maintain control over compromised systems...

CVE-2024-13306 WP Google Map < 1.9.4 - Admin+ Stored XSS

The Maps Plugin using Google Maps for WordPress WordPress plugin before 1.9.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...

CVE-2024-13208 WP Google Map < 1.9.4 - Admin+ Stored XSS

The Maps Plugin using Google Maps for WordPress WordPress plugin before 1.9.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in...

CVE-2024-13493 Sensly Online Presence <= 0.6 - Admin+ Stored XSS

The Sensly Online Presence WordPress plugin through 0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2025-21419

Windows Setup Files Cleanup Elevation of Privilege Vulnerability...

CVE-2025-0692

The Simple Video Management System WordPress plugin through 1.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite...

CVE-2024-13120

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even wh...

CVE-2024-13121

The CVE-2024-13121 entry concerns the WordPress Paid Membership Plugin (and related components) prior to version 4.15.20. The root cause is insufficient sanitisation/escaping of certain plugin settings, enabling stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disall...

CVE-2024-13120

The CVE-2024-13120 entry concerns the ProfilePress WordPress plugin (Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress) prior to version 4.15.20. Technical details in connected records show the issue is a stored XSS caused by not...

CVE-2024-13119

CVE-2024-13119 affects the ProfilePress family in WordPress via the Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content suite. The public description confirms that versions prior to 4.15.20 do not sanitize/escape certain settings, enabling Stored...

PT-2025-6532 · WordPress · Everest Forms

Name of the Vulnerable Software and Affected Versions: Everest Forms WordPress plugin versions prior to 3.0.8.1 Description: The issue allows high privilege users, such as admin, to perform Stored Cross-Site Scripting attacks even when the unfiltered html capability is disallowed, for example in ...

PT-2025-7154 · Q Free · Q-Free Maxtime

Name of the Vulnerable Software and Affected Versions: Q-Free MaxTime versions 2.11.0 and earlier Description: The issue is related to missing authentication for a critical function in Q-Free MaxTime, specifically in the maxprofile/setup/routes.lua file. This allows an unauthenticated remote...

PT-2025-7152 · Q Free · Q-Free Maxtime

Name of the Vulnerable Software and Affected Versions: Q-Free MaxTime versions 2.11.0 and earlier Description: The issue is related to a missing authentication for a critical function in the maxprofile/setup/routes.lua file. This allows an unauthenticated remote attacker to enable an authenticati...

yimioa 安全漏洞

yimioa CloudNet OA is a locally deployed OA software by rabbit individual developers. A security vulnerability exists in yimioa version 2024.07.03 and prior versions, which stems from /oa/setup/setup.jsp contains an improper authorization issue...

Q-Free MAXTIME Suite 访问控制错误漏洞

Q-Free MAXTIME Suite is a software suite for local traffic signal management from Q-Free. An access control error vulnerability exists in Q-Free MAXTIME Suite version 2.11.0 and prior versions, which stems from a lack of authentication for critical functions in maxprofile/setup/routes.lua. An...