Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2025-68969 Multi-thread race condition vulnerability in the thermal management module. Impact: Successful exploitation of this vulnerability may affect availability. | 6.8 | MEDIUM | — | 0 |
| CVE-2025-68970 Permission verification bypass vulnerability in the media library module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 6.1 | MEDIUM | — | 0 |
| CVE-2026-22718 The VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine. | 6.8 | MEDIUM | — | 0 |
| CVE-2025-12178 The SpiceForms Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spiceforms' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitiz... | 6.4 | MEDIUM | — | 0 |
| CVE-2025-13627 The Makesweat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'makesweat_clubid' setting in all versions up to, and including, 0.1 due to insufficient input sanitization and ... | 4.4 | MEDIUM | — | 0 |
| CVE-2025-14301 The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. This is due to the `process_table_bulk_actions()` function p... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-14379 The Testimonials Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in version 1.6 due to insufficient input sanitization and output escaping. This makes it p... | 4.4 | MEDIUM | — | 0 |
| CVE-2025-14389 The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for u... | 4.3 | MEDIUM | — | 0 |
| CVE-2025-14464 The PDF Resume Parser plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0. This is due to the plugin registering an AJAX action handler that ... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-14482 The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in al... | 4.3 | MEDIUM | — | 0 |
| CVE-2025-14502 The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template parameter. This makes it possible for unauthenti... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-14613 The GetContentFromURL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0. This is due to the plugin using wp_remote_get() instead of wp_safe_re... | 7.2 | HIGH | — | 0 |
| CVE-2025-14615 The DASHBOARD BUILDER – WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonc... | 7.1 | HIGH | — | 0 |
| CVE-2025-14725 The Internal Link Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and outp... | 4.4 | MEDIUM | — | 0 |
| CVE-2025-14854 The WP-CRM System plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on the wpcrm_get_email_recipients and wpcrm_system_ajax_task_change_status AJAX functions i... | 5.4 | MEDIUM | — | 0 |
| CVE-2025-14880 The Netcash WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_return_url function in all versions up t... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-15020 The Gotham Block Extra Light plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.5.0 via the 'ghostban' shortcode. This makes it possible for authenticat... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-15021 The Gotham Block Extra Light plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.0 due to insufficient input sanitization and... | 4.4 | MEDIUM | — | 0 |
| CVE-2025-15266 The GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the chat message field in all versions up to, and i... | 7.2 | HIGH | — | 0 |
| CVE-2025-15283 The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' and 'name_directory_description' parameters in all versions up to, and including, 1.... | 7.2 | HIGH | — | 0 |
| CVE-2025-15512 The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_success_response() function in all versions up to, and... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-15377 The Sosh Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'admin_page_content'... | 4.3 | MEDIUM | — | 0 |
| CVE-2025-15378 The AJS Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'note_list_class' and 'popup_display_effect_in' parameters in all versions up to, and including, 1.0 due to ... | 7.2 | HIGH | — | 0 |
| CVE-2025-15486 The Kunze Law plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's shortcode in all versions up to, and including, 2.1 due to the plugin fetching HTML content from a remote s... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-0594 The List Site Contributors plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'alpha' parameter in versions up to, and including, 1.1.8 due to insufficient input sanitization... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-0635 The Responsive Accordion Slider plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'resp_accordion_silder_save_images' function in all ver... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-0678 The Flat Shipping Rate by City for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'cities' parameter in all versions up to, and including, 1.0.3 due to insufficient... | 4.9 | MEDIUM | — | 0 |
| CVE-2026-0680 The Real Post Slider Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-0694 The SearchWiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in search results in all versions up to, and including, 1.0.0. This is due to the plugin using `esc_attr... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-0717 The LottieFiles – Lottie block for Gutenberg plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.0 via the `/wp-json/lottiefiles/v1/settings/... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-14173 The Perfit WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. This is due to missing authorization checks on the `logout` function cal... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-14770 The Shipping Rate By Cities plugin for WordPress is vulnerable to SQL Injection via the 'city' parameter in all versions up to, and including, 2.0.0 due to insufficient escaping on the user supplied p... | 7.5 | HIGH | — | 0 |
| CVE-2025-14846 The SocialChamp with WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. This is due to missing nonce validation on the wpsc_setting... | 4.3 | MEDIUM | — | 0 |
| CVE-2025-15376 The Stopwords for comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the 'set_stopwords_for... | 4.3 | MEDIUM | — | 0 |
| CVE-2025-15475 The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to an improper validation logic in the check_payhere_response function in... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-15513 The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse() function in all versions up to, and includ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-0734 The WP Allowed Hosts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'allowed-hosts' parameter in all versions up to, and including, 1.0.8 due to insufficient input sanitizat... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-0739 The WMF Mobile Redirector plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-0741 The Electric Studio Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanit... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-0812 The LinkedIn SC plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'linkedin_sc_date_format', 'linkedin_sc_api_key', and 'linkedin_sc_secret_key' parameters in all versions up t... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-0813 The Short Link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'short_link_post_title' and 'short_link_page_title' parameters in all versions up to, and including, 1.0 due to... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-0529 Improper Validation of Array Index (CWE-129) in Packetbeat’s MongoDB protocol parser can allow an attacker to cause Overflow Buffers (CAPEC-100) through specially crafted network traffic. This require... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-0532 External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON... | 8.6 | HIGH | — | 0 |
| CVE-2025-14338 Polkit authentication dis isabled by default and a race condition in the Polkit authorization check in versions before v0.69.0 can lead to the same issues as in CVE-2025-66005. | N/A | NONE | — | 0 |
| CVE-2025-66005 Lack of authorization of the InputManager D-Bus interface in InputPlumber versions before v0.63.0 can lead to local Denial-of-Service, information leak or even privilege escalation in the context of t... | N/A | NONE | — | 0 |
| CVE-2025-66169 Cypher Injection vulnerability in Apache Camel camel-neo4j component. This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.3, from 4.15.0 before 4.17.0 Users are recom... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-67859 A Improper Authentication vulnerability in TLP allows local users to arbitrarily control the power profile in use as well as the daemon’s log settings.This issue affects TLP: from 1.9 before 1.9.1. | N/A | NONE | — | 0 |
| CVE-2025-13175 Y Soft SafeQ 6 renders the Workflow Connector password field in a way that allows an administrator with UI access to reveal the value using browser developer/inspection tools. The affected customers a... | N/A | NONE | — | 0 |
| CVE-2025-14317 In Crazy Bubble Tea mobile application authenticated attacker can obtain personal information about other users by enumerating a `loyaltyGuestId` parameter. Server does not verify the permissions requ... | N/A | NONE | — | 0 |
| CVE-2023-7343 HiSecOS web server versions 05.0.00 to 08.3.01 prior to 08.3.02 contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to t... | 7.8 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.