Total
295090 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-4289 | 1 Jontasc | 1 Sailthru Triggermail | 2025-05-21 | N/A | 6.1 MEDIUM |
| The Sailthru Triggermail WordPress plugin through 1.1 does not sanitise and escape various parameters before outputting them back in pages and attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | |||||
| CVE-2024-13119 | 1 Properfraction | 1 Profilepress | 2025-05-21 | N/A | 4.8 MEDIUM |
| The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-2189 | 1 Wpzoom | 1 Social Icons Widget | 2025-05-21 | N/A | 6.1 MEDIUM |
| The Social Icons Widget & Block by WPZOOM WordPress plugin before 4.2.18 does not sanitise and escape some of its Widget settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
| CVE-2024-3368 | 1 Aioseo | 1 All In One Seo | 2025-05-21 | N/A | 6.1 MEDIUM |
| The All in One SEO WordPress plugin before 4.6.1.1 does not validate and escape some of its Post fields before outputting them back, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | |||||
| CVE-2024-2744 | 1 Imagely | 1 Nextgen Gallery | 2025-05-21 | N/A | 4.3 MEDIUM |
| The NextGEN Gallery WordPress plugin before 3.59.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | |||||
| CVE-2024-13120 | 1 Properfraction | 1 Profilepress | 2025-05-21 | N/A | 4.8 MEDIUM |
| The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-13121 | 1 Properfraction | 1 Profilepress | 2025-05-21 | N/A | 3.5 LOW |
| The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.20 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-13125 | 1 Wpeverest | 1 Everest Forms | 2025-05-21 | N/A | 3.5 LOW |
| The Everest Forms WordPress plugin before 3.0.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-2054 | 1 Code-projects | 1 Blood Bank Management System | 2025-05-21 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in code-projects Blood Bank Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/edit_state.php. The manipulation of the argument state_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-2059 | 1 Phpgurukul | 1 Emergency Ambulance Hiring Portal | 2025-05-21 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in PHPGurukul Emergency Ambulance Hiring Portal 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/booking-details.php. The manipulation of the argument ambulanceregnum leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-4427 | 1 Ivanti | 1 Endpoint Manager Mobile | 2025-05-21 | N/A | 5.3 MEDIUM |
| An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API. | |||||
| CVE-2025-4428 | 1 Ivanti | 1 Endpoint Manager Mobile | 2025-05-21 | N/A | 7.2 HIGH |
| Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests. | |||||
| CVE-2025-2060 | 1 Phpgurukul | 1 Emergency Ambulance Hiring Portal | 2025-05-21 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in PHPGurukul Emergency Ambulance Hiring Portal 1.0. It has been classified as critical. This affects an unknown part of the file /admin/admin-profile.php. The manipulation of the argument contactnumber leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-11182 | 1 Mdaemon | 1 Mdaemon | 2025-05-21 | N/A | 6.1 MEDIUM |
| An XSS issue was discovered in MDaemon Email Server before version 24.5.1c. An attacker can send an HTML e-mail message with JavaScript in an img tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail user's browser window. | |||||
| CVE-2024-27443 | 1 Zimbra | 1 Collaboration | 2025-05-21 | N/A | 6.1 MEDIUM |
| An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code. | |||||
| CVE-2024-13805 | 1 Advancedfilemanager | 1 Advanced File Manager | 2025-05-21 | N/A | 6.4 MEDIUM |
| The Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 5.2.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |||||
| CVE-2023-38950 | 1 Zkteco | 1 Biotime | 2025-05-21 | N/A | 7.5 HIGH |
| A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. | |||||
| CVE-2019-1064 | 1 Microsoft | 11 Windows 10 1607, Windows 10 1703, Windows 10 1709 and 8 more | 2025-05-21 | 7.2 HIGH | 7.8 HIGH |
| An elevation of privilege vulnerability exists when Windows AppX Deployment Service (AppXSVC) improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context. An attacker could then install programs; view, change or delete data. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The security update addresses the vulnerability by correcting how Windows AppX Deployment Service handles hard links. | |||||
| CVE-2019-1069 | 1 Microsoft | 11 Windows 10 1507, Windows 10 1607, Windows 10 1703 and 8 more | 2025-05-21 | 7.2 HIGH | 7.8 HIGH |
| An elevation of privilege vulnerability exists in the way the Task Scheduler Service validates certain file operations. An attacker who successfully exploited the vulnerability could gain elevated privileges on a victim system. To exploit the vulnerability, an attacker would require unprivileged code execution on a victim system. The security update addresses the vulnerability by correctly validating file operations. | |||||
| CVE-2025-26910 | 1 Iqonicdesign | 1 Wpbookit | 2025-05-21 | N/A | 7.1 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design WPBookit allows Stored XSS. This issue affects WPBookit: from n/a through 1.0.1. | |||||