7
CVE-2025-20881 -
Out-of-bounds write in accessing buffer storing the decoded video frames in libsthmbc.so prior to SMR Jan-2025 Release 1 allows local attackers to execute arbitrary code with privilege. User interaction is required for triggering this vulnerability.
4.3
CVE-2024-13607 - JS Help Desk – The Ultimate Help Desk & Support Plugin <= 2.8.8 - Authenticated (Subscriber+) Insec…
The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.8.8 via the 'exportusereraserequest' due to missing validation on a user controlled key. This makes it possible for authenticated…
6.4
CVE-2024-12597 - HT Mega <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via block_css and inner…
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'block_css' and 'inner_css' parameters in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticat…
5.3
CVE-2025-0466 - Sensei LMS < 4.24.4 - Unauthenticated sensei_email/sensei_message Disclosure
The Sensei LMS WordPress plugin before 4.24.4 does not properly protect some of its REST API routes, allowing unauthenticated attackers to leak sensei_email and sensei_message information.
6.1
CVE-2025-0368 - Banner Garden Plugin for WordPress <= 0.1.3 - Reflected XSS
The Banner Garden Plugin for WordPress plugin through 0.1.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or unauthenticated users.
6.1
CVE-2024-13332 - TransFinanz <= 1.0.0 - Reflected XSS
The TransFinanz WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
6.1
CVE-2024-13331 - WP Dream Carousel <= 1.0.1b - Reflected XSS
The WP Dream Carousel WordPress plugin through 1.0.1b does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
7.1
CVE-2024-13330 - Justrows Free <= 0.2 - Reflected XSS
The JustRows free WordPress plugin through 0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
7.1
CVE-2024-13329 - Solidres <= 0.9.4 - Reflected XSS
The Solidres WordPress plugin through 0.9.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
6.1
CVE-2024-13328 - Giga Messenger Bots <= 2.3.1 - Reflected XSS
The Giga Messenger WordPress plugin through 2.3.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin