9.8
CVE-2024-13442 - Service Finder Bookings <= 5.0 - Unauthenticated Privilege Escalation via Account Takeover
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.0. This is due to the plugin not properly validating a user's identity prior to (1) performing a post-booking auto-login or (2) updating their profile β¦
8.8
CVE-2024-13933 - FoodBakery | Delivery Restaurant Directory WordPress Theme <= 4.7 - Cross-Site Request Forgery in Mβ¦
The FoodBakery | Delivery Restaurant Directory WordPress Theme theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.7. This is due to missing or incorrect nonce validation on the foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theβ¦
6.3
CVE-2025-27018 - Apache Airflow MySQL Provider: SQL injection in MySQL provider core function
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Airflow MySQL Provider. When user triggered a DAG with dump_sql or load_sql functions they could pass a table parameter from a UI, that could cause SQL injection by running SQL that was notβ¦
6.9
CVE-2024-12136 - Improper Access Control in Elfatek Elektronics' ANKA JPD-00028
Missing Critical Step in Authentication vulnerability in Elfatek Elektronics ANKA JPD-00028 allows Authentication Bypass.This issue affects ANKA JPD-00028: before V.01.01.
7.6
CVE-2024-12137 - Authentication Bypass in Elfatek Elektronics' ANKA JPD-00028
Authentication Bypass by Capture-replay vulnerability in Elfatek Elektronics ANKA JPD-00028 allows Session Hijacking.This issue affects ANKA JPD-00028: before V.01.01.
9.8
CVE-2024-13790 - MinimogWP β The High Converting eCommerce WordPress Theme <= 3.7.0 - Unauthenticated Local PHP Fileβ¦
The MinimogWP β The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.7.0 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the serverβ¦
7.5
CVE-2024-13412 - CozyStay <= 1.7.0 - Missing Authorization to Arbitrary Action Execution in ajax_handler
The CozyStay theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handler function in all versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to execute arbitrary actions.
9.8
CVE-2024-13410 - CozyStay <= 1.7.0 and TinySalt <= 3.9.0 - Unauthenticated PHP Object Injection in ajax_handler
The CozyStay and TinySalt plugins for WordPress are vulnerable to PHP Object Injection in all versions up to, and including, 1.7.0, and in all versions up to, and including 3.9.0, respectively, via deserialization of untrusted input in the 'ajax_handler' function. This makes it possible for unautheβ¦
8.8
CVE-2025-1232 - Site Reviews < 7.2.5 - Unauthenticated Stored XSS
The Site Reviews WordPress plugin before 7.2.5 does not properly sanitise and escape some of its Review fields, which could allow unauthenticated users to perform Stored XSS attacks
7.5
CVE-2024-50631 -
Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in the system syncing daemon in Synology Drive Server before 3.0.4-12699, 3.2.1-23280, 3.5.0-26085 and 3.5.1-26102 allows remote attackers to inject SQL commands, limited to write operations, via unspβ¦