6.4
CVE-2024-10222 - SVG Support <= 2.5.10 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
The SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.5.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to …
4.7
CVE-2020-6158 -
Opera Mini for Android before version 52.2 is vulnerable to an address bar spoofing attack. The vulnerability allows a malicious page to trick the browser into showing an address of a different page. This may allow the malicious page to impersonate another page and trick a user into providing sensi…
6.9
CVE-2025-1535 - Baiyi Cloud Asset Management System admin.ticket.close.php sql injection
A vulnerability was found in Baiyi Cloud Asset Management System 8.142.100.161. It has been classified as critical. This affects an unknown part of the file /wuser/admin.ticket.close.php. The manipulation of the argument ticket_id leads to sql injection. It is possible to initiate the attack remote…
8.7
CVE-2024-9150 - Code Injection in Wyn Enterprise
Report generation functionality in Wyn Enterprise allows for code inclusion, but does not sufficiently limit what code might be included. An attacker is able to use a low-privilege account in order to abuse this functionality and execute malicious code, load DLL libraries and execute OS commands on a h…
4.9
CVE-2024-13846 - Indeed Ultimate Learning Pro <= 3.9 - Authenticated (Administrator+) SQL Injection via post_id Para…
The Indeed Ultimate Learning Pro plugin for WordPress is vulnerable to time-based SQL Injection via the 'post_id' parameter in all versions up to, and including, 3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes…
5.3
CVE-2025-1402 - Event Tickets and Registration <= 5.19.1.1 - Missing Authorization to Ticket Deletion
The Event Tickets and Registration plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ajax_ticket_delete' function in all versions up to, and including, 5.19.1.1. This makes it possible for authenticated attackers, with Contributor-level access…
6.4
CVE-2024-13455 - igumbi Online Booking <= 1.40 - Authenticated (Contributor+) Stored Cross-Site Scripting
The igumbi Online Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'igumbi_calendar' shortcode in all versions up to, and including, 1.40 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for auth…
6.5
CVE-2024-13713 - WPExperts Square For GiveWP <= 1.3.1 - Authenticated (Subscriber+) SQL Injection
The WPExperts Square For GiveWP plugin for WordPress is vulnerable to SQL Injection via the 'post' parameter in all versions up to, and including, 1.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible …
6.4
CVE-2025-1489 - WP-Appbox <= 4.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via appbox Shortcode
The WP-Appbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's appbox shortcode in all versions up to, and including, 4.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, w…
4.1
CVE-2024-13900 - Head, Footer and Post Injections <= 3.3.0 - Authenticated (Administrator+) PHP Code Injection in Mu…
The Head, Footer and Post Injections plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.3.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject PHP Code in multisite environments.