Total
8206 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-13641 | 1 Wpswings | 1 Return Refund And Exchange For Woocommerce | 2025-02-25 | N/A | 5.9 MEDIUM |
| The Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.5 via the 'attachment' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/attachment directory which can contain file attachments for order refunds. | |||||
| CVE-2025-21626 | 2025-02-25 | N/A | 5.8 MEDIUM | ||
| GLPI is a free asset and IT management software package. Starting in version 0.71 and prior to version 10.0.18, an anonymous user can fetch sensitive information from the `status.php` endpoint. Version 10.0.18 contains a fix for the issue. Some workarounds are available. One may delete the `status.php` file, restrict its access, or remove any sensitive values from the `name` field of the active LDAP directories, mail servers authentication providers and mail receivers. | |||||
| CVE-2025-1063 | 2025-02-25 | N/A | 5.3 MEDIUM | ||
| The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.4 via the rtcl_taxonomy_settings_export function. This makes it possible for unauthenticated attackers to extract sensitive data including API keys and tokens. | |||||
| CVE-2022-48348 | 1 Huawei | 2 Emui, Harmonyos | 2025-02-24 | N/A | 9.1 CRITICAL |
| The MediaProvider module has a vulnerability of unauthorized data read. Successful exploitation of this vulnerability may affect confidentiality and integrity. | |||||
| CVE-2024-13525 | 1 Wpfactory | 1 Customer Email Verification For Woocommerce | 2025-02-24 | N/A | 6.5 MEDIUM |
| The Customer Email Verification for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4 via Shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including emails as well as hashed passwords of any user. | |||||
| CVE-2024-13600 | 1 Majesticsupport | 1 Majestic Support | 2025-02-24 | N/A | 7.5 HIGH |
| The Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.5 via the 'majesticsupportdata' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/majesticsupportdata directory which can contain file attachments included in support tickets. | |||||
| CVE-2022-20821 | 1 Cisco | 28 8201, 8202, 8208 and 25 more | 2025-02-24 | 6.4 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container. This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system. | |||||
| CVE-2025-1595 | 2025-02-23 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability has been found in Anhui Xufan Information Technology EasyCVR up to 2.7.0 and classified as problematic. This vulnerability affects unknown code of the file /api/v1/getbaseconfig. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-57716 | 2025-02-21 | N/A | 7.5 HIGH | ||
| An issue in trenoncourt AutoQueryable v.1.7.0 allows a remote attacker to obtain sensitive information via the Unselectable function. | |||||
| CVE-2024-13609 | 1 1clickmigration | 1 1 Click Migration | 2025-02-21 | N/A | 5.9 MEDIUM |
| The 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1 via the class-ocm-backup.php. This makes it possible for unauthenticated attackers to extract sensitive data including usernames and their respective password hashes during a short window of time in which the backup is in process. | |||||
| CVE-2021-31567 | 1 Wpchill | 1 Download Monitor | 2025-02-20 | 6.8 MEDIUM | 6.8 MEDIUM |
| Authenticated (admin+) Arbitrary File Download vulnerability discovered in Download Monitor WordPress plugin (versions <= 4.4.6). The plugin allows arbitrary files, including sensitive configuration files such as wp-config.php, to be downloaded via the &downloadable_file_urls[0] parameter data. It's also possible to escape from the web server home directory and download any file within the OS. | |||||
| CVE-2025-24011 | 1 Umbraco | 1 Umbraco Cms | 2025-02-20 | N/A | 5.3 MEDIUM |
| Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, it's possible to determine whether an account exists based on an analysis of response codes and timing of Umbraco management API responses. Versions 14.3.2 and 15.1.2 contain a patch. No known workarounds are available. | |||||
| CVE-2023-21067 | 1 Google | 1 Android | 2025-02-20 | N/A | 7.5 HIGH |
| Product: AndroidVersions: Android kernelAndroid ID: A-254114726References: N/A | |||||
| CVE-2020-13481 | 2025-02-20 | N/A | 6.1 MEDIUM | ||
| Certain Lexmark products through 2020-05-25 allow XSS which allows an attacker to obtain session credentials and other sensitive information. | |||||
| CVE-2024-24867 | 1 Plugins-market | 1 Wp Visitor Statistics | 2025-02-20 | N/A | 5.3 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Osamaesh WP Visitor Statistics (Real Time Traffic).This issue affects WP Visitor Statistics (Real Time Traffic): from n/a through 6.9.4. | |||||
| CVE-2023-25722 | 1 Veracode | 1 Veracode | 2025-02-19 | N/A | 5.5 MEDIUM |
| A credential-leak issue was discovered in related Veracode products before 2023-03-27. Veracode Scan Jenkins Plugin before 23.3.19.0, when configured for remote agent jobs, invokes the Veracode Java API Wrapper in a manner that allows local users (with OS-level access of the Jenkins remote) to discover Veracode API credentials by listing the process and its arguments. Veracode Scan Jenkins Plugin before 23.3.19.0, when configured for remote agent jobs and when the "Connect using proxy" option is enabled and configured with proxy credentials, allows local users of the Jenkins remote to discover proxy credentials by listing the process and its arguments. Veracode Azure DevOps Extension before 3.20.0 invokes the Veracode Java API Wrapper in a manner that allows local users (with OS-level access to the Azure DevOps Services cloud infrastructure or Azure DevOps Server) to discover Veracode API credentials by listing the process and its arguments. Veracode Azure DevOps Extension before 3.20.0, when configured with proxy credentials, allows users (with shell access to the Azure DevOps Services cloud infrastructure or Azure DevOps Server) to discover proxy credentials by listing the process and its arguments. | |||||
| CVE-2022-48347 | 1 Huawei | 2 Emui, Harmonyos | 2025-02-19 | N/A | 7.5 HIGH |
| The MediaProvider module has a vulnerability in permission verification. Successful exploitation of this vulnerability may affect confidentiality. | |||||
| CVE-2022-48346 | 1 Huawei | 2 Emui, Harmonyos | 2025-02-19 | N/A | 7.5 HIGH |
| The HwContacts module has a logic bypass vulnerability. Successful exploitation of this vulnerability may affect confidentiality. | |||||
| CVE-2025-20158 | 2025-02-19 | N/A | 4.4 MEDIUM | ||
| A vulnerability in the debug shell of Cisco Video Phone 8875 and Cisco Desk Phone 9800 Series could allow an authenticated, local attacker to access sensitive information on an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials with SSH access on the affected device. SSH access is disabled by default. This vulnerability is due to insufficient validation of user-supplied input by the debug shell of an affected device. An attacker could exploit this vulnerability by sending a crafted SSH client command to the CLI. A successful exploit could allow the attacker to access sensitive information on the underlying operating system. | |||||
| CVE-2025-24373 | 1 Wpovernight | 1 Woocommerce Pdf Invoices\& Packing Slips | 2025-02-19 | N/A | 6.5 MEDIUM |
| woocommerce-pdf-invoices-packing-slips is an extension which allows users to create, print & automatically email PDF invoices & packing slips for WooCommerce orders. This vulnerability allows unauthorized users to access any PDF document from a store if they: 1. Have access to a guest document link and 2. Replace the URL variable `my-account` with `bulk`. The issue occurs when: 1. The store's document access is set to "guest." and 2. The user is logged out. This vulnerability compromises the confidentiality of sensitive documents, affecting all stores using the plugin with the guest access option enabled. This issue has been addressed in version 4.0.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||