7.5
CVE-2024-13344 - Advance Seat Reservation Management for WooCommerce <= 3.3 - Unauthenticated SQL Injection
The Advance Seat Reservation Management for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'profileId' parameter in all versions up to, and including, 3.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL querβ¦
6.4
CVE-2025-3510 - tagDiv Composer <= 5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shorβ¦
The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with coβ¦
6.4
CVE-2025-3748 - Taxonomy Chain Menu <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via pn_chaiβ¦
The Taxonomy Chain Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's pn_chain_menu shortcode in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticβ¦
6.4
CVE-2024-13419 - Smart Framework <= Multiple Plugins - Missing Authorization to Authenticated (Subscriber+) Stored Cβ¦
Multiple plugins and/or themes for WordPress using Smart Framework are vulnerable to Stored Cross-Site Scripting due to a missing capability check on the saveOptions() and importThemeOptions() functions in various versions. This makes it possible for authenticated attackers, with Subscriber-level aβ¦
9.8
CVE-2025-3709 - Flowring Technology Agentflow - Account Lockout Bypass
Agentflow from Flowring Technology has an Account Lockout Bypass vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to perform password brute force attack.
9.8
CVE-2025-3708 - Le-show Medical Practice Management System - SQL Injection
Le-show medical practice management system from Le-yan has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
6.5
CVE-2025-3707 - Sunnet eHRD CTMS - SQL Injection
The eHDR CTMS from Sunnet has a SQL Injection vulnerability, allowing remote attackers with regular privileges to inject arbitrary SQL command to read database contents.
0.0
CVE-2025-4209 -
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
6.4
CVE-2025-3670 - KiwiChat NextClient <= 6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Paramβ¦
The KiwiChat NextClient plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the βurlβ parameter in all versions up to, and including, 6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access aβ¦
5.3
CVE-2025-4177 - Flynax Bridge <= 2.2.0 - Unauthenticated Arbitrary User Deletion
The Flynax Bridge plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to delete arbitrary users.