5.3
CVE-2025-0968 - ElementsKit Elementor addons <= 3.4.0 - Unauthenticated Information Exposure via get_megamenu_conte…
The ElementsKit Elementor addons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.4.0 due to a missing capability check on the get_megamenu_content() function. This makes it possible for unauthenticated attackers to view any item created…
7.5
CVE-2024-13478 - LTL Freight Quotes – TForce Edition <= 3.6.4 - Unauthenticated SQL Injection
The LTL Freight Quotes – TForce Edition plugin for WordPress is vulnerable to SQL Injection via the 'dropship_edit_id' and 'edit_id' parameters in all versions up to, and including, 3.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing …
7.2
CVE-2025-0916 - YaySMTP 2.4.9 - 2.6.2 - Unauthenticated Stored Cross-Site Scripting
The YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions 2.4.9 to 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated …
5.6
CVE-2025-1075 - LDAP credentials logged to Apache error log
Insertion of Sensitive Information into Log File in Checkmk GmbH's Checkmk versions <2.3.0p27, <2.2.0p40, and 2.1.0p51 (EOL) causes LDAP credentials to be written to Apache error log file accessible to administrators.
7.5
CVE-2024-13489 - LTL Freight Quotes – Old Dominion Edition <= 4.2.10 - Unauthenticated SQL Injection
The LTL Freight Quotes – Old Dominion Edition plugin for WordPress is vulnerable to SQL Injection via the 'edit_id' and 'dropship_edit_id' parameters in all versions up to, and including, 4.2.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the ex…
9.3
CVE-2025-1135 - SQL Injection in ChurchCRM CurrentFundraiser Parameter via BatchWinnerEntry.php
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based and time-based blind SQL Injection vulnerability in the BatchWinnerEntry functionality. The CurrentFundraiser parameter is directly concatenated into an SQL q…
9.3
CVE-2025-1134 - SQL Injection in ChurchCRM CurrentFundraiser Parameter via DonatedItemEditor.php
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based and time-based blind SQL Injection vulnerability in the DonatedItemEditor functionality. The CurrentFundraiser parameter is directly concatenated into an SQL q…
9.3
CVE-2025-1133 - SQL Injection in ChurchCRM EID Parameter via EditEventAttendees.php
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based blind SQL Injection vulnerability in the EditEventAttendees functionality. The EID parameter is directly concatenated into an SQL query without proper sanitiza…
9.3
CVE-2025-1132 - SQL Injection in ChurchCRM EN_tyid Parameter via EditEventAttendees.php
A time-based blind SQL Injection vulnerability exists in the ChurchCRM 5.13.0 and prior EditEventAttendees.php within the EN_tyid parameter. The parameter is directly inserted into an SQL query without proper sanitization, allowing attackers to inject malicious SQL commands. Please note that the vu…
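The five SQL injection entries above (the two LTL Freight Quotes plugins and the four ChurchCRM parameters) all describe the same root cause: a request parameter concatenated straight into a query string. The following is an added, self-contained illustration of that pattern and of the boolean-based blind extraction the ChurchCRM advisories mention; it is example code written for this page, not code from ChurchCRM or any WordPress plugin. The table, column names and secret values are constructed, the `CurrentFundraiser`-style parameter is modelled as a plain function argument, and SQLite stands in for the application's database.

```python
import sqlite3
import string

# Characters a blind probe will try per position (constructed alphabet; no quotes,
# so the payload string itself stays syntactically valid).
ALPHABET = string.ascii_lowercase + string.digits + "-"


def make_db():
    """Constructed toy schema; not the schema of any product named on this page."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE fundraiser (id INTEGER PRIMARY KEY, title TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO fundraiser VALUES (?, ?, ?)",
        [(1, "Spring gala", "s3cret-1"), (2, "Fall auction", "s3cret-2")],
    )
    return conn


def lookup_vulnerable(conn, current_fundraiser):
    """The pattern the advisories describe: the parameter is concatenated into SQL."""
    sql = "SELECT id, title FROM fundraiser WHERE id = " + str(current_fundraiser)
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, current_fundraiser):
    """Validate the type first, then bind the value instead of splicing it in."""
    try:
        fid = int(str(current_fundraiser))
    except ValueError:
        raise ValueError("CurrentFundraiser must be an integer")
    return conn.execute(
        "SELECT id, title FROM fundraiser WHERE id = ?", (fid,)
    ).fetchall()


def oracle(conn, lookup, position, guess):
    """Boolean-based blind probe: the row comes back only if the guess is right."""
    payload = (
        "1 AND (SELECT substr(secret, %d, 1) FROM fundraiser WHERE id = 1) = '%s'"
        % (position, guess)
    )
    return bool(lookup(conn, payload))


def recover_secret(conn, lookup, length):
    """Drive the oracle one character at a time; one true/false answer per query."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in ALPHABET:
            if oracle(conn, lookup, pos, ch):
                recovered += ch
                break
    return recovered


def hardened_rejects(conn, value):
    """True when the hardened lookup refuses a non-integer parameter."""
    try:
        lookup_hardened(conn, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # Tautology: the concatenating version returns every row.
    print(lookup_vulnerable(db, "1 OR 1=1"))
    # Blind extraction of a column the query never selects.
    print(recover_secret(db, lookup_vulnerable, 8))
    # The bound version only ever sees an integer.
    print(lookup_hardened(db, "1"), hardened_rejects(db, "1 OR 1=1"))
```

The hardened function does two things that the vulnerable one skips: it refuses anything that is not an integer before SQL is involved, and it passes the value as a bound parameter so the database never parses it as query text. Either change alone would stop the tautology; together they also make the failure mode explicit (a `ValueError` in the application rather than a silent, attacker-shaped query). A time-based variant substitutes a deliberate delay for the true/false row difference, but the fix is identical.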
6.9
CVE-2025-1007 - Improper Authorization in /user/namespace/{namespace}/details
In OpenVSX version v0.9.0 to v0.20.0, the /user/namespace/{namespace}/details API allows a user to edit all namespace details, even if the user is not a namespace Owner or Contributor. The details include: name, description, website, support link and social media links. The same issues existed …