Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic <= 1.1.4 versions.

Unauthenticated Broken Access Control in JupiterX Core <= 4.14.1 versions.

Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions.

Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.12 versions.

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'curselrevs[]' parameter of the wpfb_find_reviews AJAX action in versions up to, and including, 12.6.8. This is due to the handler reading $_POST['curselrevs'] raw with no sanitization or type ca...

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'stypes' and 'slocations' parameters of the wppro_get_overall_chart_data AJAX action in versions up to, and including, 12.6.8. This is due to the use of stripslashes() on user-supplied JSON strin...

The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and including 2.0. This is due to the 'generatePluginHandler' function lacking any authorization check before processing user-supplied POST data, combined with th...

A stack-based buffer overflow vulnerability in the CGI program of Zyxel GS1900-48HPv2 firmware versions through 2.90(ABTQ.1)C0 could allow a LAN-based, unauthenticated attacker to exploit the flaw and potentially execute OS commands via a crafted HTTP request.

Improper input validation in the SSH Elevate Shell feature in Devolutions Remote Desktop Manager 2026.2.7 allows an authenticated user with permission to create or modify a shared SSH entry to execute arbitrary commands on a remote SSH host using stored elevation credentials via a crafted altern...

The browserstack-cypress-cli is BrowserStack's CLI which allows users to run Cypress tests on BrowserStack. Versions prior to 1.36.4 are vulnerable to OS command injection via the cypress_config_file configuration parameter. In readCypressConfigUtil.js, the loadJsFile() function constructs a sh...

Unauthenticated Cross Site Scripting (XSS) in SEO Redirection <= 9.17 versions.

Subscriber SQL Injection in WCMultiShipping <= 3.0.2 versions.

Unauthenticated Insecure Direct Object References (IDOR) in VikRentCar <= 1.4.5 versions.

Subscriber SQL Injection in Taskbuilder <= 5.0.7 versions.

Unauthenticated Sensitive Data Exposure in ABC Crypto Checkout <= 1.8.2 versions.

Unauthenticated Sensitive Data Exposure in Signature Add-On for WooCommerce <= 2.0 versions.

Unauthenticated Sensitive Data Exposure in Affiliates Manager <= 2.9.50 versions.

Customer Privilege Escalation in Dokan <= 5.0.2 versions.

Unauthenticated Path Traversal in Shared Files <= 1.7.64 versions.

Unauthenticated Broken Authentication in Upsell Order Bump Offer for WooCommerce <= 3.1.4 versions.