| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated attackers to delete font directory and rewrite theme.json file. |
| A data exfiltration vulnerability exists in Anthropic’s deprecated Slack Model Context Protocol (MCP) Server via automatic link unfurling. When an AI agent using the Slack MCP Server processes untrusted data, it can be manipulated to generate messages containing attacker-crafted hyperlinks embedding sensitive data. Slack’s link preview bots (e.g., Slack-LinkExpanding, Slackbot, Slack-ImgProxy) will then issue outbound requests to the attacker-controlled URL, resulting in zero-click exfiltration of private data. |
| Cross-Site Request Forgery (CSRF) vulnerability in Sourov Amin Insertify insertify allows Code Injection.This issue affects Insertify: from n/a through <= 1.1.4. |
| The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory creation in all versions up to, and including, 0.9.120. This is due to the check_filesystem_permissions() function not properly restricting the directories that can be created, or in what location. This makes it possible for authenticated attackers, with Administrator-level access and above, to create arbitrary directories. |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Chris Gardenberg EduAdmin Booking eduadmin-booking allows PHP Local File Inclusion.This issue affects EduAdmin Booking: from n/a through <= 5.2.0. |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Sabri Woolook woolook allows PHP Local File Inclusion.This issue affects Woolook: from n/a through <= 1.7.0. |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme SNS Anton snsanton allows PHP Local File Inclusion.This issue affects SNS Anton: from n/a through <= 4.1. |
| Missing Authorization vulnerability in blokhauswp Minterpress minterpress allows Privilege Escalation.This issue affects Minterpress: from n/a through <= 1.0.5. |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Filippo Bodei WP Cookies Enabler wp-cookies-enabler allows PHP Local File Inclusion.This issue affects WP Cookies Enabler: from n/a through <= 1.0.1. |
| A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014 and classified as critical. This issue affects the function FCGI_CheckStringIfContainsSemicolon of the file /api/wizard/getCapabilityWeb of the component HTTP POST Request Handler. The manipulation leads to command injection. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. |
| Missing Authorization vulnerability in Dotstore Advance Menu Manager advance-menu-manager.This issue affects Advance Menu Manager: from n/a through <= 3.1.1. |
| Cross Site Scripting vulnerability in arnog MathLive Versions v0.103.0 and before (fixed in 0.104.0) allows an attacker to execute arbitrary code via the MathLive function. |
| SQL injection vulnerability in vipshop Saturn v.3.5.1 and before allows a remote attacker to execute arbitrary code via /console/dashboard/executorCount?zkClusterKey component. |
| Server-Side Request Forgery (SSRF) vulnerability in princeahmed Radio Player radio-player allows Server Side Request Forgery.This issue affects Radio Player: from n/a through <= 2.0.83. |
| Cross-Site Request Forgery (CSRF) vulnerability in pushmonkey Push Monkey Pro – Web Push Notifications and WooCommerce Abandoned Cart push-monkey-desktop-push-notifications allows Cross Site Request Forgery.This issue affects Push Monkey Pro – Web Push Notifications and WooCommerce Abandoned Cart: from n/a through <= 3.9. |
| Unraid 7.0.0 before 7.0.1 allows remote users to access the Unraid WebGUI and web console as root without authentication if a container is running in Host networking mode with Use Tailscale enabled. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jaytesh Barange Posts Date Ranges posts-date-ranges allows Reflected XSS.This issue affects Posts Date Ranges: from n/a through <= 2.2. |
| Cross-Site Request Forgery (CSRF) vulnerability in Eduardo addWeather myweather allows Cross Site Request Forgery.This issue affects addWeather: from n/a through <= 2.5.1. |
| Cross-Site Request Forgery (CSRF) vulnerability in mattwalters WordPress Filter wordpress-filter allows Stored XSS.This issue affects WordPress Filter: from n/a through <= 1.4.1. |
| Cross-Site Request Forgery (CSRF) vulnerability in midoks WP微信机器人 wp-weixin-robot allows Stored XSS.This issue affects WP微信机器人: from n/a through <= 5.3.5. |
