7.5
CVE-2021-47662 - Unauthenticated remote shutdown of the cobot
Due to missing authorization an unauthenticated remote attacker can cause a DoS attack by connecting via HTTPS and triggering the shutdown button.
7.2
CVE-2025-3872 - Privilege escalation by altering payload in contact form
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon centreon-web (User configuration form modules) allows SQL Injection. A user with high privileges is able to become administrator by intercepting the contact form request and altering its…
9.8
CVE-2025-3603 - Flynax Bridge <= 2.2.0 - Unauthenticated Privilege Escalation via Password Update
The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticate…
8.3
CVE-2025-3776 - Verification SMS with TargetSMS <= 1.5 - Unauthenticated Limited Remote Code Execution
The Verification SMS with TargetSMS plugin for WordPress is vulnerable to limited Remote Code Execution in all versions up to, and including, 1.5 via the 'targetvr_ajax_handler' function. This is due to a lack of validation on the type of function that can be called. This makes it possible for unau…
4.2
CVE-2025-3793 - Buddypress Force Password Change <= 0.1 - Authenticated (Subscriber+) Account Takeover via Password…
The Buddypress Force Password Change plugin for WordPress is vulnerable to authenticated account takeover due to the plugin not properly validating a user's identity prior to updating their password through the 'bp_force_password_ajax' function in all versions up to, and including, 0.1. This makes …
6.5
CVE-2025-3280 - ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes <= 1.4.9 - Authenticated (Subscri…
The ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes plugin for WordPress is vulnerable to SQL Injection via the 'attribute_value_filter' parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient prepara…
5.3
CVE-2024-13307 - Reales WP - Real Estate WordPress Theme <= 2.1.2 - Missing Authorization to Unauthenticated Attachm…
The Reales WP - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'reales_delete_file', 'reales_delete_file_plans', 'reales_add_to_favourites', and 'reales_remove_from_favourites' functions in all ver…
7.2
CVE-2025-3300 - WPMasterToolKit (WPMTK) – All in one plugin <= 2.5.2 - Authenticated (Administrator+) to Arbitrary …
The WPMasterToolKit (WPMTK) – All in one plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.5.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to read and modify the contents of arbitrary files on…
6.4
CVE-2025-3832 - FuseDesk <= 6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via successredirect Para…
The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘successredirect’ parameter in all versions up to, and including, 6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access …
6.4
CVE-2025-2579 - Lottie Player <= 1.1.8 - Authenticated (Author+) Stored Cross-Site Scripting via File Upload
The Lottie Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inj…