CVE Catalog
Browse the latest Common Vulnerabilities and Exposures (CVEs) with CVSS scores, affected products, and next-gen risk scores.
Uncanny Owl Uncanny Toolkit Pro for LearnDash Cross-Site Request Forgery Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Uncanny Owl Uncanny Toolkit Pro for LearnDash plugin, affecting versions prior to 4.1.4.1. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.
Automattic WP Job Manager - Resume Manager Cross-Site Request Forgery Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Automattic WP Job Manager - Resume Manager plugin, affecting versions through 2.1.0. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.
FS Code FS Poster Cross-Site Request Forgery Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the FS Poster WordPress plugin, affecting versions through 6.5.8. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.
Beijing Yunfan Internet Technology Yunfan Learning Examination System Improper Authentication Vulnerability via JWT Token
A critical vulnerability has been identified in version 1.9.2 of the Yunfan Learning Examination System by Beijing Yunfan Internet Technology. The issue resides in the JWT Token Handler component, specifically within the SysUserControl file. The vulnerability results in improper authentication: the system's JWTs can be exploited universally across any server using this application. The flaw arises because the application does not properly validate JWTs during the login process. As a result, an attacker can replace the existing JWT with a crafted token that bypasses authentication and grants administrative privileges.
Beijing Yunfan Internet Technology Yunfan Learning Examination System Information Disclosure Vulnerability
An information disclosure vulnerability has been identified in version 1.9.2 of the Yunfan Learning Examination System by Beijing Yunfan Internet Technology. The issue arises in the Exam Answer Handler component, specifically within the PaperController.java file. The vulnerability allows remote attackers to view answers during the exam process by manipulating input IDs, thereby facilitating cheating.
WP Hait Post Grid Elementor Addon Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the WP Hait Post Grid Elementor Addon, affecting versions through 2.0.18. This vulnerability arises from improper input sanitization during web page generation, allowing malicious scripts to be injected and executed when users visit the affected site.
CoolPlugins Coins MarketCap DOM-Based Cross-Site Scripting Vulnerability
A DOM-based cross-site scripting vulnerability has been identified in the CoolPlugins Coins MarketCap WordPress plugin, affecting versions through 5.5.8. This vulnerability arises from improper input sanitization during web page generation, allowing malicious actors to inject and execute harmful scripts on the site.
Markyis Cool Olivia WordPress Theme Reflected Cross-Site Scripting Vulnerability
A reflected cross-site scripting vulnerability has been identified in the Markyis Cool Olivia WordPress theme, specifically in versions through 0.9.5. This issue allows attackers to inject malicious scripts that are executed when users visit the affected site.
CridioStudio ListingPro Cross-Site Request Forgery Vulnerability Allowing Authentication Bypass
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the CridioStudio ListingPro WordPress theme, specifically in versions through 2.9.4. This vulnerability allows for authentication bypass, enabling attackers to manipulate actions on behalf of users with higher privileges.
Epsiloncool WP Fast Total Search Cross-Site Request Forgery Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Epsiloncool WP Fast Total Search plugin for WordPress, affecting versions through 1.69.234. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.
WordPress i-Transform Theme Cross-Site Request Forgery Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the WordPress i-Transform theme, affecting versions through 3.0.9. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.
Beijing Yunfan Internet Technology Yunfan Learning Examination System Improper Authorization Vulnerability
A critical vulnerability has been identified in version 1.9.2 of the Yunfan Learning Examination System by Beijing Yunfan Internet Technology. The issue arises from the file 'doc.html', which lacks proper access permissions, allowing unauthorized users to view all interfaces. This vulnerability can be exploited remotely.
D-Link DIR-816 A2 Critical Vulnerability in form2NetSniper.cgi Allowing Improper Access Control
A critical vulnerability has been identified in the D-Link DIR-816 A2 router, specifically in version 1.10CNB05_R1B011D88210. The issue arises in the file form2NetSniper.cgi, where improper access controls allow for unauthorized actions to be performed. This vulnerability can be exploited remotely, potentially leading to unauthorized access or manipulation of the device.
ConvertCalculator for WordPress Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the ConvertCalculator plugin for WordPress, affecting versions through 1.1.1. This issue allows attackers to inject malicious scripts that are executed when users visit the affected site.
Fla-shop.com Interactive UK Map Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the Fla-shop.com Interactive UK Map plugin, affecting versions through 3.4.8. This issue arises from improper input neutralization during web page generation, allowing malicious users to inject harmful scripts that are executed when the affected page is viewed.
Sonaar Music MP3 Audio Player Broken Access Control Vulnerability
A broken access control vulnerability has been identified in the Sonaar Music MP3 Audio Player for Music, Radio & Podcast plugin, affecting versions through 5.8. This vulnerability allows users to access functionalities that are not properly restricted by access control lists (ACLs).
Beee ACF City Selector Unrestricted File Upload Vulnerability Allowing Web Shell Upload
A vulnerability allowing unrestricted file upload of dangerous types has been identified in the Beee ACF City Selector WordPress plugin, affecting versions through 1.14.0. This vulnerability could be exploited to upload a web shell to the server, potentially leading to unauthorized access or control over the website.
GS Plugins GS Shots for Dribbble DOM-Based Cross-Site Scripting Vulnerability
A DOM-based cross-site scripting vulnerability has been identified in the GS Shots for Dribbble WordPress plugin, affecting versions through 1.2.0. This issue arises from improper input sanitization during web page generation, allowing malicious actors to inject and execute harmful scripts on the site.
GS Plugins GS Coaches Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the GS Coaches WordPress plugin, affecting versions through 1.1.0. This issue allows for the injection of malicious scripts that could be executed when users visit the affected site.
GS Plugins Project Showcase Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the GS Plugins Project Showcase WordPress plugin, affecting versions through 1.1.1. This vulnerability allows attackers to inject malicious scripts that are executed when users visit the affected site.
StorePlugin ShopElement Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the StorePlugin ShopElement for WordPress, affecting versions through 2.0.0. This issue allows attackers to inject malicious scripts that are executed when users visit the affected site.
AyeCode GeoDirectory Plugin Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the AyeCode GeoDirectory WordPress plugin, affecting versions through 2.3.84. This issue allows attackers to inject malicious scripts that are executed when users visit the affected site.
WPBlockArt Magazine Blocks Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the WPBlockArt Magazine Blocks plugin, affecting versions through 1.3.20. This issue arises from improper input sanitization during web page generation, allowing malicious scripts to be injected and executed when users visit the affected site.
AyeCode Connect Missing Authorization Vulnerability Allowing Broken Access Control
A missing authorization vulnerability has been identified in the AyeCode Connect WordPress plugin, specifically in versions through 1.3.8. This vulnerability arises from incorrectly configured access control security levels, which can be exploited to perform actions that require higher privileges.
Move Addons for Elementor Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the Move Addons for Elementor WordPress plugin, affecting versions through 1.3.6. This vulnerability allows attackers to inject malicious scripts that are executed when users visit the affected site.
Supsystic Data Tables Generator WordPress Plugin Broken Access Control Vulnerability
A broken access control vulnerability has been identified in the Data Tables Generator by Supsystic WordPress plugin, affecting versions through 1.10.36. This vulnerability arises from missing authorization checks, allowing unprivileged users to perform actions reserved for higher privileges.
ThemeLooks Enter Addons Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the ThemeLooks Enter Addons plugin for WordPress, affecting versions through 2.1.9. This vulnerability allows attackers to inject malicious scripts that are executed when users visit the affected site.
Event Espresso Event Espresso 4 Decaf Cross-Site Request Forgery Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Event Espresso 4 Decaf plugin for WordPress, specifically in versions through 5.0.28.decaf. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.
WordPress Just Writing Statistics Plugin SQL Injection Vulnerability
A SQL injection vulnerability has been identified in the WordPress Just Writing Statistics plugin, affecting versions through 4.7. The plugin improperly neutralizes special elements used in SQL commands, enabling malicious actors to interact with the database in unauthorized ways, such as stealing information.
Webdeclic WPMasterToolKit Unrestricted File Upload Vulnerability Allowing Web Shell Upload
A vulnerability allowing unrestricted file upload has been identified in the Webdeclic WPMasterToolKit WordPress plugin, affecting versions through 1.13.1. This vulnerability could be exploited to upload a web shell to the server, potentially leading to unauthorized access or control over the website.
Webdeclic WPMasterToolKit Path Traversal Vulnerability Allowing Arbitrary File Download
A path traversal vulnerability has been identified in the Webdeclic WPMasterToolKit WordPress plugin, affecting versions through 1.13.1. This vulnerability allows for arbitrary file download, which could lead to the exposure of sensitive files such as login credentials or backup files.
AF Themes WP Post Author SQL Injection Vulnerability
A SQL injection vulnerability has been identified in the AF Themes WP Post Author plugin, affecting versions through 3.8.2. The plugin improperly neutralizes special elements used in SQL commands, potentially enabling malicious actors to interact with the database and steal information.
POSIMYTH Nexter Blocks DOM-Based Cross-Site Scripting Vulnerability
A DOM-based cross-site scripting vulnerability has been identified in the POSIMYTH Nexter Blocks WordPress plugin, affecting versions through 4.0.4. This vulnerability arises from improper input sanitization during web page generation, allowing malicious actors to inject and execute harmful scripts on the site.
Leap13 Premium Blocks Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the Leap13 Premium Blocks – Gutenberg Blocks for WordPress plugin, affecting versions through 2.1.42. This vulnerability allows for the injection of malicious scripts that are executed when users visit the affected site.
WP Royal Ashe Extra Missing Authorization Vulnerability Allowing Broken Access Control
A missing authorization vulnerability has been identified in the WP Royal Ashe Extra plugin, specifically in versions through 1.2.92. This vulnerability allows exploitation of improperly configured access control security levels, potentially enabling unprivileged users to perform actions reserved for higher privileges.
WPSSO Core Missing Authorization Vulnerability Allowing Broken Access Control
A missing authorization vulnerability has been identified in the WPSSO Core WordPress plugin, affecting versions through 18.18.1. This vulnerability allows exploitation of improperly configured access control security levels, potentially enabling unprivileged users to perform actions reserved for higher privileges.
Tyche Softwares Arconix Shortcodes Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the Arconix Shortcodes WordPress plugin, affecting versions through 2.1.14. This issue arises from improper input sanitization during web page generation, allowing malicious scripts to be injected and executed when users visit the affected site.
WPKoi Templates for Elementor Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the WPKoi Templates for Elementor plugin, affecting versions through 3.1.3. This vulnerability arises from improper input sanitization during web page generation, allowing malicious scripts to be injected and executed when users visit the affected site.
Pronamic Google Maps Plugin Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the Pronamic Google Maps WordPress plugin, affecting versions through 2.3.2. This issue allows attackers to inject malicious scripts that are executed when users visit the affected site.
Themify Audio Dock Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the Themify Audio Dock WordPress plugin, affecting versions through 2.0.4. This issue allows attackers to inject malicious scripts that are executed when users visit the affected site.
QuantumCloud Floating Action Buttons Missing Authorization Vulnerability Allowing Broken Access Control
A broken access control vulnerability has been identified in the QuantumCloud Floating Action Buttons plugin for WordPress, affecting versions through 0.9.1. This vulnerability allows users to access functionalities that are not properly restricted by access control lists (ACLs), potentially leading to unauthorized actions.
WordPress Contest Gallery Plugin Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the WordPress Contest Gallery plugin, affecting versions through 24.0.3. This issue allows attackers to inject malicious scripts that are executed when users visit the affected site.
Hestia Nginx Cache Missing Authorization Vulnerability Allowing Broken Access Control
A broken access control vulnerability has been identified in the Hestia Nginx Cache WordPress plugin, affecting versions through 2.4.0. This vulnerability arises from missing authorization checks, which could allow an unprivileged user to perform actions reserved for higher privileges.
WordPress Simple Proxy Plugin Reflected Cross-Site Scripting Vulnerability
A reflected cross-site scripting vulnerability has been identified in the WordPress Simple Proxy plugin, affecting versions through 1.0. This issue allows attackers to inject malicious scripts that are executed when users visit the affected site.
AdWork Media EZ Content Locker Reflected Cross-Site Scripting Vulnerability
A reflected cross-site scripting vulnerability has been identified in the AdWork Media EZ Content Locker WordPress plugin, affecting versions through 3.0. This issue allows attackers to inject malicious scripts that are executed when users visit the affected site.
DuoGeek Custom Dashboard Widget Reflected Cross-Site Scripting Vulnerability
A reflected cross-site scripting vulnerability has been identified in the DuoGeek Custom Dashboard Widget for WordPress, affecting versions through 1.0.0. This issue allows attackers to inject malicious scripts that are executed when users visit the affected site.
Perfect Solution WP eCommerce Quickpay Reflected Cross-Site Scripting Vulnerability
A reflected cross-site scripting vulnerability has been identified in the Perfect Solution WP eCommerce Quickpay plugin, affecting versions through 1.1.0. This issue arises from improper input sanitization during web page generation, allowing attackers to inject malicious scripts that are executed when users visit the affected site.
WordPress Preloader by WordPress Monsters Reflected Cross-Site Scripting Vulnerability
A reflected cross-site scripting vulnerability has been identified in the WordPress Preloader plugin by WordPress Monsters, affecting versions through 1.2.3. This issue allows attackers to inject malicious scripts that could be executed when users visit the affected site.
Boston University WordPress Plugin BU Section Editing Reflected Cross-Site Scripting Vulnerability
A reflected cross-site scripting vulnerability has been identified in the WordPress BU Section Editing plugin, affecting versions through 0.9.9. The plugin improperly neutralizes input during web page generation, which could be exploited to inject malicious scripts that are executed when users visit the affected page.
Till Krüss Email Address Encoder Cross-Site Request Forgery Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Till Krüss Email Address Encoder WordPress plugin, affecting versions through 1.0.23. This vulnerability allows attackers to trick users with higher privileges into performing actions they did not intend to.
