Search Results (337974 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2025-45887 | 1 Wanglongcn | 1 Yifang | 2025-06-12 | 9.1 Critical | Yifang CMS v2.0.2 is vulnerable to Server-Side Request Forgery (SSRF) in /api/file/getRemoteContent. |
| CVE-2025-47786 | 1 Emlog | 1 Emlog | 2025-06-12 | 4.8 Medium | Emlog is an open source website building system. Version 2.5.13 has a stored cross-site scripting vulnerability that allows any registered user to construct malicious JavaScript, inducing all website users to click. In `/admin/comment.php`, the parameter `perpage_num` is not validated and is directly stored in the `admin_commend_perpage_num` field of the `emlog_options` table in the database. Moreover, the output is not filtered, resulting in the direct output of malicious code. As of time of publication, it is unclear if a patch exists. |
| CVE-2025-47785 | 1 Emlog | 1 Emlog | 2025-06-12 | 8.3 High | Emlog is an open source website building system. In versions up to and including 2.5.9, SQL injection occurs because the `$origContent` parameter in `admin/article_save.php` is not strictly filtered. Since `admin/article_save.php` can be accessed by ordinary registered users, this will cause SQL injection to occur when site registration is enabled, resulting in the injection of the admin account and password, which is then exploited by the backend remote code execution. As of time of publication, it is unknown whether a fix exists. |
| CVE-2025-2203 | 1 Funnelkit | 1 Funnel Builder | 2025-06-12 | 6.1 Medium | The FunnelKit WordPress plugin before 3.10.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks. |
| CVE-2025-1454 | 1 Ninja Pages Project | 1 Ninja Pages | 2025-06-12 | 5.4 Medium | The Ninja Pages WordPress plugin through 1.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2025-1288 | 1 Bulktheme | 1 Wooexim | 2025-06-12 | 6.1 Medium | The WOOEXIM WordPress plugin through 5.0.0 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make an unauthenticated user vulnerable to reflected XSS via a CSRF attack. |
| CVE-2025-1286 | 1 Sfarbota | 1 Download Html Tinymce Button | 2025-06-12 | 6.1 Medium | The Download HTML TinyMCE Button WordPress plugin through 1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
| CVE-2024-9182 | 1 Wpmaspik | 1 Maspik | 2025-06-12 | 4.8 Medium | The Maspik WordPress plugin before 2.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. |
| CVE-2025-1033 | 1 Danielpowney | 1 Badgearoo | 2025-06-12 | 4.8 Medium | The Badgearoo WordPress plugin through 1.0.14 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2025-0329 | 1 Quantumcloud | 1 Wpbot | 2025-06-12 | 4.8 Medium | The AI ChatBot for WordPress WordPress plugin before 6.2.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2024-9882 | 1 Salonbookingsystem | 1 Salon Booking System | 2025-06-12 | 4.8 Medium | The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses WordPress plugin before 1.9.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2025-28200 | 1 Govicture | 2 Rx1800, Rx1800 Firmware | 2025-06-12 | 9.8 Critical | Victure RX1800 EN_V1.0.0_r12_110933 was discovered to utilize a weak default password which includes the last 8 digits of the MAC address. |
| CVE-2024-9879 | 1 Melapress | 1 Melapress File Monitor | 2025-06-12 | 5.4 Medium | The Melapress File Monitor WordPress plugin before 2.1.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks. |
| CVE-2024-9838 | 1 Flamescorpion | 1 Auto Affiliate Links | 2025-06-12 | 5.4 Medium | The Auto Affiliate Links WordPress plugin before 6.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks. |
| CVE-2024-8759 | 1 Kylephillips | 1 Nested Pages | 2025-06-12 | 4.8 Medium | The Nested Pages WordPress plugin before 3.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2024-9831 | 1 Taskbuilder | 1 Taskbuilder | 2025-06-12 | 7.2 High | The Taskbuilder WordPress plugin before 3.0.9 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks. |
| CVE-2024-9663 | 1 Toolstack | 1 Cyan Backup | 2025-06-12 | 5.4 Medium | The CYAN Backup WordPress plugin before 2.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2024-9662 | 1 Toolstack | 1 Cyan Backup | 2025-06-12 | 5.4 Medium | The CYAN Backup WordPress plugin before 2.5.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| CVE-2024-9238 | 1 Grandplugins | 1 Avif Uploader | 2025-06-12 | 5.4 Medium | The AVIF Uploader WordPress plugin before 1.1.1 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. |
| CVE-2025-28201 | 1 Govicture | 2 Rx1800, Rx1800 Firmware | 2025-06-12 | 6.8 Medium | An issue in Victure RX1800 EN_V1.0.0_r12_110933 allows physically proximate attackers to execute arbitrary code or gain root access. |