CVE-2025-49350

The CVE-2025-49350 entry concerns the WordPress Actionwear products sync plugin (versions up to 2.3.3). The root cause is a missing authorization due to incorrectly configured access control, leading to a broken access control vulnerability. Affected software is the Actionwear products sync plugi...

Incorrect Default Permissions

Overview Affected versions of this package are vulnerable to Incorrect Default Permissions in the process that handles file uploads and database creation. An attacker can gain unauthorized access to sensitive files by leveraging default file permissions that allow any operating system account to...

CVE-2025-31406 WordPress ELEX WooCommerce Request a Quote plugin <= 2.3.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in ELEXtensions ELEX WooCommerce Request a Quote elex-request-a-quote allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ELEX WooCommerce Request a Quote: from n/a through = 2.3.9...

WordPress WP Media Category Management plugin 2.0-2.3.3 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by luckybuddy in WordPress Plugin WP Media Category Management versions 2.0-2.3.3...

CVE-2024-49281

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in NinjaTeam Click to Chat – WP Support All-in-One Floating Widget allows Stored XSS.This issue affects Click to Chat – WP Support All-in-One Floating Widget: from n/a through 2.3.3...

libspdm 安全漏洞

libspdm is a DMTF open source example implementation that follows the DMTF SPDM specification. A security vulnerability exists in libspdm versions prior to 2.3.3 and 3.0, which stems from a vulnerability that allows an unauthenticated requestor to store and use a respondent's CTExponent value...

CVE-2022-46817

Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Flyzoo Flyzoo Chat plugin = 2.3.3 versions...

CVE-2022-45278

Jizhicms v2.3.3 was discovered to contain a SQL injection vulnerability via the /index.php/admins/Fields/getfields.html component...

CVE-2022-3852

The VR Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.3. This is due to missing or incorrect nonce validation on several functions. This makes it possible for unauthenticated attackers to delete, and modify calendars as well as the...

PYSEC-2021-171

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a CHECK-fail in tf.rawops.SparseConcat. This is because the...