5.3
CVE-2024-13538 - BigBuy Dropshipping Connector for WooCommerce <= 2.0.0 - Unauthenticated Full Path Disclosure
The BigBuy Dropshipping Connector for WooCommerce plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.0.0. This is due to the /vendor/cocur/slugify/bin/generate-default.php file being directly accessible and triggering an error. This makes it possible for…
6.4
CVE-2024-13581 - Simple Charts <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Simple Charts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'simple_chart' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated at…
6.4
CVE-2024-13587 - Zigaform – Price Calculator & Cost Estimation Form Builder Lite <= 7.4.7 - Authenticated (Contribut…
The Zigaform – Price Calculator & Cost Estimation Form Builder Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'zgfm_fvar' shortcode in all versions up to, and including, 7.4.7 due to insufficient input sanitization and output escaping on user-supplied attrib…
6.1
CVE-2024-13522 - magayo Lottery Results <= 2.0.12 - Cross-Site Request Forgery to Stored Cross-Site Scripting
The magayo Lottery Results plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.12. This is due to missing or incorrect nonce validation on the 'magayo-lottery-results' page. This makes it possible for unauthenticated attackers to update setting…
6.1
CVE-2025-1390 - pam_cap: Fix potential configuration parsing error
The PAM module pam_cap.so of libcap configuration supports group names starting with “@”; during actual parsing, configurations not starting with “@” are incorrectly recognized as group names. This may result in unintended users being granted an inherited capability set, potentially leading to sec…
4.3
CVE-2024-13740 - ProfileGrid – User Profiles, Groups and Communities <= 5.9.4.2 - Insecure Direct Object Reference t…
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.4.2 via the pm_messenger_show_messages function due to missing validation on a user-controlled key. This makes it possible for aut…
5.4
CVE-2024-13741 - ProfileGrid – User Profiles, Groups and Communities <= 5.9.4.2 - Authenticated (Subscriber+) Limite…
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Limited Server-Side Request Forgery in all versions up to, and including, 5.9.4.2 via the pm_upload_image function. This makes it possible for authenticated attackers, with Subscriber-level access and abov…
7.5
CVE-2025-25224 -
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
5.3
CVE-2025-25223 -
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a path traversal vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
9.8
CVE-2025-25222 -
The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in retrieve.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved.