| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The Counter Box – Add Countdowns, Timers & Dynamic Counters to WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.13 via deserialization of untrusted input . This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. Deserialization is triggered automatically upon the post-import redirect that renders the list table, and again when any item is opened for editing, requiring no additional navigation beyond the import action itself. |
| Unauthenticated SQL Injection in wpDataTables <= 7.3.6 versions. |
| Subscriber Arbitrary Code Execution in Cornerstone < 7.8.8 versions. |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpWax Directorist Booking allows Blind SQL Injection.
This issue affects Directorist Booking: from n/a through 3.0.3. |
| Unrestricted Upload of File with Dangerous Type vulnerability in Kodezen LLC Academy LMS Pro allows Upload a Web Shell to a Web Server.
This issue affects Academy LMS Pro: from n/a before 3.5.2. |
| Improper Control of Generation of Code ('Code Injection') vulnerability in ACPT ACPT (Pro) - Custom Post Types Plugin for WordPress allows Remote Code Inclusion.
This issue affects ACPT (Pro) - Custom Post Types Plugin for WordPress: from n/a through 2.0.47. |
| Missing Authorization vulnerability in Yoast BV Yoast SEO Premium allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Yoast SEO Premium: from n/a through 26.6. |
| telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable. |
| OS command injection vulnerability exists in ELECOM wireless LAN products. A crafted request from a logged-in user may lead to an arbitrary OS command execution. |
| An OS command injection vulnerability in the app.py component of openlabs docker-wkhtmltopdf-aas up to commit 9f50579 allows attackers to execute arbitrary commands via a crafted POST request. |
| Subscriber Broken Authentication in Melhor Envio <= 2.16.3 versions. |
| Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.10 versions. |
| Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.10 versions. |
| Subscriber SQL Injection in Cornerstone < 7.8.8 versions. |
| Unauthenticated PHP Object Injection in JetEngine <= 3.8.10 versions. |
| Unauthenticated Arbitrary File Upload in SigmaForms Pro – AI Generated Forms <= 1.4.5 versions. |
| Unauthenticated Cross Site Scripting (XSS) in WPFunnels Pro <= 2.9.4 versions. |
| Unauthenticated SQL Injection in JetEngine < 3.8.9.1 versions. |
| Unauthenticated SQL Injection in JetEngine <= 3.8.9.1 versions. |
| Unauthenticated Cross Site Scripting (XSS) in JetEngine <= 3.8.9.1 versions. |
