7.1
CVE-2024-13880 - My Quota <= 1.0.8 - Reflected XSS
The My Quota WordPress plugin through 1.0.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
7.1
CVE-2024-13878 - SpotBot <= 0.1.8 - Reflected XSS
The SpotBot WordPress plugin through 0.1.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
7.1
CVE-2024-13877 - Passbeemedia Web Push Notifications <= 1.0.0 - Reflected XSS
The Passbeemedia Web Push Notification WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
7.1
CVE-2024-13876 - Meintopf <= 0.2.1 - Reflected XSS
The mEintopf WordPress plugin through 0.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
7.1
CVE-2024-13875 - WP Programmmanager <= 1.2 - Reflected XSS
The WP-PManager WordPress plugin through 1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
7.4
CVE-2025-22228 - CVE-2025-22228: Spring Security BCryptPasswordEncoder does not enforce maximum password length
BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.
5.3
CVE-2025-1766 - Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.24 - Missing Authorization …
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'payment_complete' function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated …
8.8
CVE-2025-1770 - Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.24 - Authenticated (Contrib…
The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.24 via the 'style' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inc…
4.3
CVE-2025-1314 - Custom Twitter Feeds <= 2.2.5 - Cross-Site Request Forgery to Cache Reset via ctf_clear_cache_admin…
The Custom Twitter Feeds – A Tweets Widget or X Feed Widget plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.5. This is due to missing or incorrect nonce validation on the ctf_clear_cache_admin() function. This makes it possible for unauthen…
6.5
CVE-2025-29215 -
Tenda AX12 v22.03.01.46_CN was discovered to contain a stack overflow via the sub_43fdcc function at /goform/SetNetControlList.