| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuantumCloud Conversational Forms for ChatBot conversational-forms allows Stored XSS.This issue affects Conversational Forms for ChatBot: from n/a through <= 1.4.2. |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Simen snssimen allows PHP Local File Inclusion.This issue affects Simen: from n/a through <= 4.6. |
| pleezer is a headless Deezer Connect player. Hook scripts in pleezer can be triggered by various events like track changes and playback state changes. In versions before 0.16.0, these scripts were spawned without proper process cleanup, leaving zombie processes in the system's process table. Even during normal usage, every track change and playback event would leave behind zombie processes. This leads to inevitable resource exhaustion over time as the system's process table fills up, eventually preventing new processes from being created. The issue is exacerbated if events occur rapidly, whether through normal use (e.g., skipping through a playlist) or potential manipulation of the Deezer Connect protocol traffic. This issue has been fixed in version 0.16.0. |
| Cross-Site Request Forgery (CSRF) vulnerability in Dylan James Zephyr Admin Theme zephyr-modern-admin-theme allows Cross Site Request Forgery.This issue affects Zephyr Admin Theme: from n/a through <= 1.4.1. |
| Incorrect Privilege Assignment vulnerability in AA-Team Premium Age Verification / Restriction for WordPress, AA-Team Responsive Coming Soon Landing Page / Holding Page for WordPress allows Privilege Escalation.This issue affects Premium Age Verification / Restriction for WordPress: from n/a through 3.0.2; Responsive Coming Soon Landing Page / Holding Page for WordPress: from n/a through 3.0. |
| Missing Authorization vulnerability in Themovation Bellevue bellevuex.This issue affects Bellevue: from n/a through <= 4.2.2. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codetrendy Power Mag power-mag allows DOM-Based XSS.This issue affects Power Mag: from n/a through <= 1.1.5. |
| Missing Authorization vulnerability in centangle Direct Checkout for WooCommerce Lite woo-direct-checkout-lite allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Direct Checkout for WooCommerce Lite: from n/a through <= 1.0.3. |
| Argo Events is an event-driven workflow automation framework for Kubernetes. A user with permission to create/modify EventSource and Sensor custom resources can gain privileged access to the host system and cluster, even without having direct administrative privileges. The EventSource and Sensor CRs allow the corresponding orchestrated pod to be customized with spec.template and spec.template.container (with type k8s.io/api/core/v1.Container), thus, any specification under container such as command, args, securityContext , volumeMount can be specified, and applied to the EventSource or Sensor pod. With these, a user would be able to gain privileged access to the cluster host, if he/she specified the EventSource/Sensor CR with some particular properties under template. This vulnerability is fixed in v1.9.6. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Venutius BP Profile Shortcodes Extra bp-profile-shortcodes-extra allows Stored XSS.This issue affects BP Profile Shortcodes Extra: from n/a through <= 2.6.0. |
| Missing Authorization vulnerability in LMSACE LMSACE Connect lmsace-connect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LMSACE Connect: from n/a through <= 3.4. |
| Unquoted search path for some PRI Driver software before version 03.03.1002 within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires active user interaction. The potential vulnerability may impact the confidentiality (high), integrity (high) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts. |
| Server-Side Request Forgery (SSRF) vulnerability in ShawonPro SocialMark socialmark allows Server Side Request Forgery.This issue affects SocialMark: from n/a through <= 2.0.7. |
| The Creative Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 1.5.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Roberto Bottalico Qr Code and Barcode Scanner Reader qr-code-and-barcode-scanner-reader allows Stored XSS.This issue affects Qr Code and Barcode Scanner Reader: from n/a through <= 1.0.0. |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashraful Sarkar Naiem License For Envato license-envato allows PHP Local File Inclusion.This issue affects License For Envato: from n/a through <= 1.0.0. |
| The Announce from the Dashboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in goldsounds VR Views vr-views allows Stored XSS.This issue affects VR Views: from n/a through <= 1.5.1. |
| The PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. CVE-2024-5447 may be a duplicate of this issue. |
| The WP Font Awesome Share Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's
'wpfai_social' shortcode in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
