6.4
CVE-2024-6432 - Content Blocks (Custom Post Widget) <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scrip…
The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘content’ parameter within the plugin's shortcode Content Block in all versions up to, and including, 3.3.5 due to insufficient input sanitization and output escaping. This makes it pos…
5.3
CVE-2024-13520 - Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) <= 4.4.9 - Missing Authorization to…
The Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) plugin for WordPress is vulnerable to unauthorized modification of data|loss of data due to a missing capability check on the 'update_voucher_price', 'update_voucher_date', 'update_voucher_note' functions in all versions up to, and…
5.3
CVE-2025-1483 - LTL Freight Quotes – GlobalTranz Edition <= 2.3.12 - Missing Authorization to Unauthenticated Setti…
The LTL Freight Quotes – GlobalTranz Edition plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the engtz_wd_save_dropship AJAX endpoint in all versions up to, and including, 2.3.12. This makes it possible for unauthenticated attackers to up…
6.4
CVE-2025-0897 - Modal Window <= 6.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via iframeBox Shor…
The Modal Window – create popup modal window plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 6.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it pos…
6.4
CVE-2025-1064 - Login/Signup Popup ( Inline Form + Woocommerce ) <= 2.8.5 - Authenticated (Contributor+) Stored Cro…
The Login/Signup Popup ( Inline Form + Woocommerce ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's xoo_el_action shortcode in all versions up to, and including, 2.8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This ma…
7.2
CVE-2024-13888 - WPMobile.App <= 11.56 - Open Redirect via 'redirect' Parameter
The WPMobile.App plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 11.56. This is due to insufficient validation on the redirect URL supplied via the 'redirect' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially m…
6.4
CVE-2024-13155 - Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.140 - Authenticated (Cont…
The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Transparent Split Hero widget in all versions up to, and including, 1.5.140 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it p…
7.2
CVE-2025-26856 -
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. If an attacker logs in to the affected product with an administrative account and manipulates requests for a certain screen operation, an arbitrary…
6.4
CVE-2024-13445 - Elementor Website Builder – More Than Just a Page Builder <= 3.27.4 - Authenticated (Contributor+) …
The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the border, margin and gap parameters in all versions up to, and including, 3.27.4 due to insufficient input sanitization and output escaping. This makes it possible f…
5.3
CVE-2024-49780 - IBM OpenPages path traversal
IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages could allow a remote attacker to traverse directories on the system. An attacker with privileges to perform Import Configuration could send a specially crafted http request containing "dot dot" sequences (/../) in the file name parameter used in I…