Export limit exceeded: 44463 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (339907 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-6479 | 1 Shopitpress | 1 Sip Reviews Shortcode For Woocommerce | 2025-07-11 | 6.5 Medium |
| The SIP Reviews Shortcode for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'no_of_reviews' attribute in the woocommerce_reviews shortcode in all versions up to, and including, 1.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2024-6480 | 1 Shopitpress | 1 Sip Reviews Shortcode For Woocommerce | 2025-07-11 | 6.4 Medium |
| The SIP Reviews Shortcode for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'no_of_reviews' attribute in the woocommerce_reviews shortcode in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-28265 | 1 Ibos | 1 Ibos | 2025-07-11 | 9.1 Critical |
| IBOS v4.5.5 has an arbitrary file deletion vulnerability via \system\modules\dashboard\controllers\LoginController.php. | ||||
| CVE-2024-48059 | 1 Gaizhenbiao | 2 Chuanhuchatgpt, Gaizhenbiao\/chuanhuchatgpt | 2025-07-11 | 6.1 Medium |
| gaizhenbiao/chuanhuchatgpt project, version <=20240802 is vulnerable to stored Cross-Site Scripting (XSS) in WebSocket session transmission. An attacker can inject malicious content into a WebSocket message. When a victim accesses this session, the malicious JavaScript is executed in the victim's browser. | ||||
| CVE-2024-40715 | 1 Veeam | 2 Backup \& Replication, Veeam Backup \& Replication | 2025-07-11 | N/A |
| A vulnerability in Veeam Backup & Replication Enterprise Manager has been identified, which allows attackers to perform authentication bypass. Attackers must be able to perform Man-in-the-Middle (MITM) attack to exploit this vulnerability. | ||||
| CVE-2024-10683 | 1 Wpplugin | 1 Paypal \& Stripe Add-on | 2025-07-11 | 6.1 Medium |
| The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.3.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This is only exploitable when the leave a review notice is present in the dashboard. | ||||
| CVE-2025-1290 | 2 Google, Linux | 2 Chrome Os, Linux Kernel | 2025-07-11 | 8.1 High |
| A race condition Use-After-Free vulnerability exists in the virtio_transport_space_update function within the Kernel 5.4 on ChromeOS. Concurrent allocation and freeing of the virtio_vsock_sock structure during an AF_VSOCK connect syscall can occur before a worker thread accesses it resulting in a dangling pointer and potential kernel code execution. | ||||
| CVE-2024-10717 | 1 Wpmonks | 1 Styler For Ninja Forms | 2025-07-11 | 6.5 Medium |
| The Styler for Ninja Forms plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the deactivate_license function in all versions up to, and including, 3.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users. Note: This issue can also be used to add arbitrary options with an empty value. | ||||
| CVE-2024-39710 | 1 Ivanti | 2 Connect Secure, Policy Secure | 2025-07-11 | N/A |
| Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution. | ||||
| CVE-2024-39711 | 1 Ivanti | 2 Connect Secure, Policy Secure | 2025-07-11 | N/A |
| Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution. | ||||
| CVE-2024-39712 | 1 Ivanti | 2 Connect Secure, Policy Secure | 2025-07-11 | N/A |
| Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution. | ||||
| CVE-2024-9614 | 1 Mailmunch | 1 Constant Contact Forms | 2025-07-11 | 6.1 Medium |
| The Constant Contact Forms by MailMunch plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-1532 | 1 Honor | 1 Phoneservice | 2025-07-11 | 8.1 High |
| Phoneservice module is affected by code injection vulnerability, successful exploitation of this vulnerability may affect service confidentiality and integrity. | ||||
| CVE-2025-28131 | 1 Nagios | 1 Network Analyzer | 2025-07-11 | 4.6 Medium |
| A Broken Access Control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows low-privilege users with "Read-Only" access to perform administrative actions, including stopping system services and deleting critical resources. This flaw arises due to improper authorization enforcement, enabling unauthorized modifications that compromise system integrity and availability. | ||||
| CVE-2025-2188 | 1 Honor | 1 Gamecenter | 2025-07-11 | 8.1 High |
| There is a whitelist mechanism bypass in GameCenter ,successful exploitation of this vulnerability may affect service confidentiality and integrity. | ||||
| CVE-2025-28059 | 1 Nagios | 1 Network Analyzer | 2025-07-11 | 7.5 High |
| An access control vulnerability in Nagios Network Analyzer 2024R1.0.3 allows deleted users to retain access to system resources due to improper session invalidation and stale token handling. When an administrator deletes a user account, the backend fails to terminate active sessions and revoke associated API tokens, enabling unauthorized access to restricted functions. | ||||
| CVE-2025-42965 | 2025-07-11 | 4.1 Medium | ||
| SAP CMC Promotion Management allows an authenticated attacker to enumerate internal network systems by submitting crafted requests during job source configuration. By analysing response times for various IP addresses and ports, the attacker can infer valid network endpoints. Successful exploitation may lead to information disclosure. This vulnerability does not impact the integrity or availability of the application. | ||||
| CVE-2025-2197 | 1 Honor | 1 Baidu | 2025-07-11 | 4.3 Medium |
| Browser is affected by type confusion vulnerability, successful exploitation of this vulnerability may affect service availability. | ||||
| CVE-2025-32526 | 1 Zephyr-one | 1 Zephyr Project Manager | 2025-07-11 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan James Zephyr Project Manager allows Reflected XSS. This issue affects Zephyr Project Manager: from n/a through 3.3.101. | ||||
| CVE-2025-4102 | 1 Fastlinemedia | 1 Beaver Builder | 2025-07-11 | 7.2 High |
| The Beaver Builder Plugin (Starter Version) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'save_enabled_icons' function in all versions up to, and including, 2.9.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability was partially patched in version 2.9.1. | ||||