5.1
CVE-2021-47885 - Payment Terminal Multiple Versions Non-Persistent Cross-Site Scripting
Multiple payment terminal versions contain non-persistent cross-site scripting vulnerabilities in billing and payment information input fields. Attackers can inject malicious script code through vulnerable parameters to manipulate client-side requests and potentially execute session hijacking or ph…
5.1
CVE-2021-47856 - Easy Cart Shopping Cart 2021 Cross-Site Scripting via Search Parameter
Easy Cart Shopping Cart 2021 contains a non-persistent cross-site scripting vulnerability in the search module's keyword parameter. Remote attackers can inject malicious script code through the search input to compromise user sessions and manipulate application content.
0.0
CVE-2026-25251 -
This has been moved to the REJECTED state because the information source is under review. If circumstances change, it is possible that this will be moved to the PUBLISHED state at a later date.
9.3
CVE-2026-25069 - SunFounder Pironman Dashboard <= 1.3.13 Path Traversal Arbitrary File Read/Deletion
SunFounder Pironman Dashboard (pm_dashboard) version 1.3.13 and prior contain a path traversal vulnerability in the log file API endpoints. An unauthenticated remote attacker can supply traversal sequences via the filename parameter to read and delete arbitrary files. Successful exploitation can di…
4.3
CVE-2026-1165 - Popup Box <= 6.1.1 - Cross-Site Request Forgery to Popup Status Change
The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the 'publish_unpublish_popupbox' function that verifies a self-created nonce rather than one submitted in the request. This mak…
7.2
CVE-2025-14554 - Sell BTC - Cryptocurrency Selling Calculator <= 1.5 - Unauthenticated Stored Cross-Site Scripting v…
The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'orderform_data' AJAX action in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated at…
5.4
CVE-2026-1251 - SupportCandy – Helpdesk & Customer Support Ticket System <= 3.4.4 - Authenticated (Subscriber+) Ins…
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the 'add_reply' function due to missing validation on a user controlled key. This makes it possible for authenticated a…
6.5
CVE-2026-0683 - SupportCandy – Helpdesk & Customer Support Ticket System <= 3.4.4 - Authenticated (Subscriber+) SQL…
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to SQL Injection via the Number-type custom field filter in all versions up to, and including, 3.4.4. This is due to insufficient escaping on the user-supplied operand value when using the equals operato…
5.3
CVE-2025-15525 - Ajax Load More – Infinite Scroll, Lazy Load & Load More <= 7.8.1 - Incorrect Authorization to Unaut…
The Ajax Load More – Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parse_custom_args() function in all versions up to, and including, 7.8.1. This makes it possible for unauthenticated attackers to expo…
5.3
CVE-2026-1431 - Booking Calendar <= 10.14.13 - Missing Authorization to Unauthenticated Booking Details Exposure
The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function in all versions up to, and including, 10.14.13. This makes it possible for unauthenticated attackers to retrieve booking informa…