4.3
CVE-2024-12249 - GS Insever Portfolio <= 1.4.5 - Missing Authorization to Authenticated (Subscriber+) CSS Injection
The GS Insever Portfolio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_settings() function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above,β¦
6.4
CVE-2024-12496 - Linear <= 2.7.12 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Linear plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'linear_block_buy_commissions' shortcode in all versions up to, and including, 2.7.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authβ¦
6.4
CVE-2024-12493 - Files Download Delay <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Files Download Delay plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fddwrap' shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticateβ¦
6.1
CVE-2024-12122 - ResAds <= 2.0.6 - Reflected Cross-Site Scripting via Multiple Parameters
The ResAds plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via multiple parameters in all versions up to, and including, 2.0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pagβ¦
4.3
CVE-2024-12618 - Newsletter2Go <= 4.0.14 - Missing Authorization to Authenticated (Subscriber+) Style Reset
The Newsletter2Go plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'resetStyles' AJAX action in all versions up to, and including, 4.0.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to rβ¦
8.7
CVE-2025-0349 - Tenda AC6 GetParentControlInfo stack-based overflow
A vulnerability classified as critical has been found in Tenda AC6 15.03.05.16. Affected is the function GetParentControlInfo of the file /goform/GetParentControlInfo. The manipulation of the argument src/mac leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exβ¦
5.3
CVE-2025-0348 - CampCodes DepEd Equipment Inventory System add_employee.php cross site scripting
A vulnerability was found in CampCodes DepEd Equipment Inventory System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /data/add_employee.php. The manipulation of the argument data leads to cross site scripting. The attack may be initiated remotely. Thβ¦
6.9
CVE-2025-0347 - code-projects Admission Management System Login index.php sql injection
A vulnerability was found in code-projects Admission Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file index.php of the component Login. The manipulation of the argument u_id leads to sql injection. The attack can be initiated remotely. Theβ¦
9.1
CVE-2024-12802 -
SSL-VPN MFA Bypass in SonicWALL SSL-VPN can arise in specific cases due to the separate handling of UPN (User Principal Name) and SAM (Security Account Manager) account names when integrated with Microsoft Active Directory, allowing MFA to be configured independently for each login method and potenβ¦
5.1
CVE-2025-0346 - code-projects Content Management System Publish News Page publishnews.php unrestricted upload
A vulnerability was found in code-projects Content Management System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/publishnews.php of the component Publish News Page. The manipulation of the argument image leads to unrestricted upload. It is possible to inβ¦