Unauthenticated Cross Site Scripting (XSS) in NanoMag <= 1.8 versions.
Unauthenticated Broken Access Control in GIFT4U <= 1.0.10 versions.
Unauthenticated Broken Access Control in Flash & HTML5 Video <= 2.11.0 versions.
Unauthenticated Cross Site Scripting (XSS) in weMail <= 2.1.2 versions.
Contributor Arbitrary File Deletion in H5P <= 1.17.7 versions.
Unauthenticated Cross Site Scripting (XSS) in FOX <= 1.4.8 versions.
Subscriber Sensitive Data Exposure in Site Reviews <= 8.0.11 versions.
Unauthenticated Cross Site Scripting (XSS) in Simply Schedule Appointments <= 1.6.12.2 versions.
Subscriber Sensitive Data Exposure in GetGenie <= 4.4.2 versions.
Contributor Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.45 versions.
Unauthenticated Cross Site Scripting (XSS) in SureCart <= 4.3.2 versions.
Subscriber Cross Site Scripting (XSS) in SureCart <= 4.2.2 versions.
Unauthenticated Cross Site Scripting (XSS) in Everest Forms <= 3.4.8 versions.
Teable's v2 REST API controller lacks @Permissions metadata on ORPC endpoints, allowing any authenticated user to bypass authorization checks. Attackers can read table schemas, create tables, and modify or delete records across bases and tables via endpoints like GET /api/v2/tables/get and POST...
Unauthenticated Cross Site Scripting (XSS) in WoodMart <= 8.5.3 versions.
Unauthenticated SQL Injection in Advance Product Search <= 1.4.4 versions.
Unauthenticated Insecure Direct Object References (IDOR) in Toolset Forms <= 2.6.24 versions.
Unauthenticated SQL Injection in JetEngine <= 3.8.10.2 versions.
Unauthenticated SQL Injection in JetSmartFilters <= 3.8.3 versions.
Unauthenticated Arbitrary File Deletion in ShortPixel Adaptive Images <= 3.11.4 versions.