5.3

CVSS4.0

CVE-2025-2742 - zhijiantianya ruoyi-vue-pro Material Upload Interface upload-permanent path traversal

A vulnerability classified as critical was found in zhijiantianya ruoyi-vue-pro 2.4.1. This vulnerability affects unknown code of the file /admin-api/mp/material/upload-permanent of the component Material Upload Interface. The manipulation of the argument File leads to path traversal. The attack ca…

📅 Published: March 25, 2025, 6:31 a.m. 🔄 Last Modified: July 15, 2025, 1:07 p.m.

6.9

CVSS4.0

CVE-2025-2740 - PHPGurukul Old Age Home Management System eligibility.php sql injection

A vulnerability classified as critical has been found in PHPGurukul Old Age Home Management System 1.0. Affected is an unknown function of the file /admin/eligibility.php. The manipulation of the argument pagetitle leads to sql injection. It is possible to launch the attack remotely. The exploit ha…

📅 Published: March 25, 2025, 6:31 a.m. 🔄 Last Modified: April 1, 2025, 4:45 p.m.

6.1

CVSS3.1

CVE-2025-1798 - Design Comuni Italia < 1.1.2 - Unauthenticated Stored XSS

The does not sanitise and escape some parameters when outputting them back in a page, allowing unauthenticated users the ability to perform stored Cross-Site Scripting attacks.

📅 Published: March 25, 2025, 6 a.m. 🔄 Last Modified: Jan. 15, 2026, 7:49 p.m.

3.5

CVSS3.1

CVE-2025-1452 - Favorites < 2.3.5 - Admin+ Stored XSS

The Favorites WordPress plugin before 2.3.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

📅 Published: March 25, 2025, 6 a.m. 🔄 Last Modified: May 6, 2025, 7:59 p.m.

3.5

CVSS3.1

CVE-2025-0717 - Social Slider Feed < 2.2.9 - Admin+ Stored XSS

To exploit the vulnerability, it is necessary:

📅 Published: March 25, 2025, 6 a.m. 🔄 Last Modified: Jan. 13, 2026, 4:23 p.m.

4.7

CVSS3.1

CVE-2024-9770 - WP-Recall < 16.26.12 - Admin+ SQL Injection

The WP-Recall WordPress plugin before 16.26.12 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.

📅 Published: March 25, 2025, 6 a.m. 🔄 Last Modified: April 29, 2025, 5:24 p.m.

7.1

CVSS3.1

CVE-2024-13863 - Stylish Google Sheet Reader < 4.1 - Reflected XSS

The Stylish Google Sheet Reader 4.0 WordPress plugin before 4.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

📅 Published: March 25, 2025, 6 a.m. 🔄 Last Modified: April 29, 2025, 5:35 p.m.

7.2

CVSS3.1

CVE-2024-13618 - Downloable by American Osteopathic Association <= 0.1.0 - Unauthenticated SSRF

The aoa-downloadable WordPress plugin through 0.1.0 lacks authorization and authentication for requests to its download.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.

📅 Published: March 25, 2025, 6 a.m. 🔄 Last Modified: June 20, 2025, 3:50 p.m.

8.6

CVSS3.1

CVE-2024-13617 - Downloable by American Osteopathic Association <= 0.1.0 - Unauthenticated Arbitrary File Download

The aoa-downloadable WordPress plugin through 0.1.0 doesn't validate a parameter in its download function, allowing unauthenticated attackers to download arbitrary files from the server.

📅 Published: March 25, 2025, 6 a.m. 🔄 Last Modified: June 20, 2025, 3:47 p.m.

3.5

CVSS3.1

CVE-2024-13123 - AFI < 1.100.0 - Admin+ Stored XSS

The AFI WordPress plugin before 1.100.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

📅 Published: March 25, 2025, 6 a.m. 🔄 Last Modified: April 1, 2025, 4:45 p.m.
Total results: 342273