Unauthenticated Insecure Direct Object References (IDOR) in Simple Shopping Cart <= 5.2.9 versions.
Unauthenticated Cross Site Scripting (XSS) in Quiz And Survey Master <= 11.1.2 versions.
Unauthenticated Cross Site Scripting (XSS) in Post SMTP <= 3.6.2 versions.
Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.
Unauthenticated Broken Access Control in Contact Form by WPForms <= 1.10.0.4 versions.
OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, The ValidateArgumentType RPC endpoint in service/internal/api/api.go does not perform any authentication or authorization checks. Unlike all other data-returning API endpoints, it does not call a...
OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, the template engine uses a single shared text/template.Template instance (tpl package-level variable in service/internal/tpl/templates.go) across all goroutines. Every action execution calls tpl....
MultiJuicer is used to run separate Juice Shop instances on a central kubernetes cluster without the need for local instances. In versions 8.0.0 through 10.0.0, the team join endpoint (POST /multi-juicer/api/teams/{team}/join) accepted requests with any Content-Type, including text/plain. Because th...
Cursor is a code editor built for programming with AI. In versions prior to 3.0.0, the Cursor Desktop could execute workspace-defined Claude hook commands from .claude/settings.local.json without dedicated user approval. A malicious workspace or agent-created file could configure hooks that run loca...
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers. Affected versions: Spring Cloud Gateway 3.1.x (fix 3.1.13). Spring Cloud Gateway 4.1.x (fix 4.1.13). Sp...
Unauthenticated Other Vulnerability Type in WpEvently <= 5.3.3 versions.
Unauthenticated SQL Injection in Realtyna Organic IDX plugin <= 5.1.0 versions.
Unauthenticated Cross Site Scripting (XSS) in Product Filter Widget for Elementor <= 1.0.6 versions.
Unauthenticated Cross Site Scripting (XSS) in AutomatorWP <= 5.7.2 versions.
Unauthenticated Bypass Vulnerability in Stripe Payments <= 2.0.98 versions.
Unauthenticated Broken Authentication in Masteriyo - LMS <= 2.1.8 versions.
Subscriber Cross Site Scripting (XSS) in Modula Image Gallery <= 2.14.23 versions.
Unauthenticated PHP Object Injection in EventPrime <= 4.3.2.1 versions.
Subscriber Cross Site Scripting (XSS) in EventPrime <= 4.3.2.1 versions.
Unauthenticated Broken Authentication in Email Marketing for WooCommerce by Omnisend <= 1.18.0 versions.