CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2025-67830 Mura before 10.1.14 allows beanFeed.cfc getQuery sortby SQL injection. | 9.8 | CRITICAL | - | 0 |
| CVE-2014-0497 Integer underflow in Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Mac OS X, and before 11.2.202.336 on Linux, allows remote attackers to execute arb... | 9.8 | CRITICAL | KEV | 0 |
| CVE-2024-11613 The WordPress File Upload plugin for WordPress is vulnerable to Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion in all versions up to, and including, 4.24.15 via the 'wfu_file_... | 9.8 | CRITICAL | - | 0 |
| CVE-2023-2276 The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 2.10.7. This is due ... | 9.8 | CRITICAL | - | 0 |
| CVE-2023-2297 The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 3.9.0. This is due to the plugin using... | 9.8 | CRITICAL | - | 0 |
| CVE-2023-2734 The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1. This is due to insufficient verification on the user being supplied during the cart ... | 9.8 | CRITICAL | - | 0 |
| CVE-2023-2704 The BP Social Connect plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.5. This is due to insufficient verification on the user being supplied during a Fa... | 9.8 | CRITICAL | - | 0 |
| CVE-2025-2005 The Front End Users plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploads field of the registration form in all versions up to, and inclu... | 9.8 | CRITICAL | - | 0 |
| CVE-2025-3605 The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.1. This is due to the plugin not pr... | 9.8 | CRITICAL | - | 0 |
| CVE-2024-35700 Incorrect Privilege Assignment vulnerability in DeluxeThemes Userpro userpro. This issue affects Userpro: from n/a through <= 5.1.8. | 9.8 | CRITICAL | - | 0 |
| CVE-2025-10412 The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'un... | 9.8 | CRITICAL | - | 0 |
| CVE-2023-2499 The RegistrationMagic plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.2.1.0. This is due to insufficient verification on the user being supplied during ... | 9.8 | CRITICAL | - | 0 |
| CVE-2022-41352 An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0. An attacker can upload arbitrary files through amavis via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) ... | 9.8 | CRITICAL | KEV | 0 |
| CVE-2023-2732 The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. This is due to insufficient verification on the user being supplied during the add l... | 9.8 | CRITICAL | - | 0 |
| CVE-2023-2982 The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insuffi... | 9.8 | CRITICAL | - | 0 |
| CVE-2024-48026 Deserialization of Untrusted Data vulnerability in GMRobbins Disc Golf Manager disc-golf-manager allows Object Injection. This issue affects Disc Golf Manager: from n/a through <= 1.0.0. | 9.8 | CRITICAL | - | 0 |
| CVE-2021-4340 The uListing plugin for WordPress is vulnerable to generic SQL Injection via the 'listing_id' parameter in versions up to, and including, 1.6.6 due to insufficient escaping on the user supplied parame... | 9.8 | CRITICAL | - | 0 |
| CVE-2026-33654 nanobot is a personal AI assistant. Prior to version 0.1.6, an indirect prompt injection vulnerability exists in the email channel processing module (`nanobot/channels/email.py`), allowing a remote, u... | 9.8 | CRITICAL | - | 0 |
| CVE-2024-5432 The Lifeline Donation plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2.6. This is due to insufficient verification on the user being supplied during th... | 9.8 | CRITICAL | - | 0 |
| CVE-2024-48028 Deserialization of Untrusted Data vulnerability in Boyan Raichev IP Loc8 ip-loc8 allows Object Injection. This issue affects IP Loc8: from n/a through <= 1.1. | 9.8 | CRITICAL | - | 0 |
| CVE-2024-6172 The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the db parameter in a... | 9.8 | CRITICAL | - | 0 |
| CVE-2023-28461 Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header with... | 9.8 | CRITICAL | KEV | 0 |
| CVE-2024-28986 SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. Wh... | 9.8 | CRITICAL | KEV | 0 |
| CVE-2023-4634 The Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Code Execution in versions up to, and including, 3.09. This is due to insufficient controls on file pa... | 9.8 | CRITICAL | - | 0 |
| CVE-2026-3844 The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4... | 9.8 | CRITICAL | - | 0 |
| CVE-2024-6328 The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 4.14.7. This is due to insufficient ver... | 9.8 | CRITICAL | - | 0 |
| CVE-2024-7094 The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.8.6 via the... | 9.8 | CRITICAL | - | 0 |
| CVE-2024-48030 Deserialization of Untrusted Data vulnerability in Webextends Telecash Ricaricaweb telecash-ricaricaweb allows Object Injection. This issue affects Telecash Ricaricaweb: from n/a through <= 2.2. | 9.8 | CRITICAL | - | 0 |
| CVE-2024-47636 Deserialization of Untrusted Data vulnerability in eyecix JobSearch wp-jobsearch allows Object Injection. This issue affects JobSearch: from n/a through <= 2.5.9. | 9.8 | CRITICAL | - | 0 |
| CVE-2023-3277 The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login fea... | 9.8 | CRITICAL | - | 0 |
| CVE-2021-4449 The ZoomSounds plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'savepng.php' file in versions up to, and including, 5.96. This makes it possible... | 9.8 | CRITICAL | - | 0 |
| CVE-2010-3765 Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before 3.0.10, and SeaMonkey 2.x before 2.0.10, when JavaScript is enabled, allows remote attack... | 9.8 | CRITICAL | KEV | 0 |
| CVE-2023-3197 The MStore API plugin for WordPress is vulnerable to Unauthenticated Blind SQL Injection via the 'id' parameter in versions up to, and including, 4.0.1 due to insufficient escaping on the user supplie... | 9.8 | CRITICAL | - | 0 |
| CVE-2022-45063 xterm before 375 allows code execution via font ops, e.g., because an OSC 50 response may have Ctrl-g and therefore lead to command execution within the vi line-editing mode of Zsh. NOTE: font ops are... | 9.8 | CRITICAL | - | 0 |
| CVE-2023-6972 The Backup Migration plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.9 via the 'content-backups' and 'content-name', 'content-manifest', or 'content-bmit... | 9.8 | CRITICAL | - | 0 |
| CVE-2023-6989 The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_t... | 9.8 | CRITICAL | - | 0 |
| CVE-2024-12402 The Themes Coder – Create Android & iOS Apps For Your Woocommerce Site plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.4. This... | 9.8 | CRITICAL | - | 0 |
| CVE-2021-4343 The Unauthenticated Account Creation plugin for WordPress is vulnerable to Unauthenticated Account Creation in versions up to, and including, 1.6.6. This is due to the stm_listing_register AJAX action... | 9.8 | CRITICAL | - | 0 |
| CVE-2016-10174 The NETGEAR WNR2000v5 router contains a buffer overflow in the hidden_lang_avi parameter when invoking the URL /apply.cgi?/lang_check.html. This buffer overflow can be exploited by an unauthenticated ... | 9.8 | CRITICAL | KEV | 0 |
| CVE-2024-1514 The WP eCommerce plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'cart_contents' parameter in all versions up to, and including, 3.15.1 due to insufficient escaping on the... | 9.8 | CRITICAL | - | 0 |
| CVE-2023-2027 The ZM Ajax Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.0.2. This is due to insufficient verification on the user being supplied du... | 9.8 | CRITICAL | - | 0 |
| CVE-2026-6951 Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for [CVE-2022-25912](https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221) th... | 9.8 | CRITICAL | - | 0 |
| CVE-2024-4393 The Social Connect plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2. This is due to insufficient verification on the OpenID server being supplied durin... | 9.8 | CRITICAL | - | 0 |
| CVE-2024-4413 The Hotel Booking Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.11.1 via deserialization of untrusted input. This makes it possible for unauth... | 9.8 | CRITICAL | - | 0 |
| CVE-2021-4341 The uListing plugin for WordPress is vulnerable to authorization bypass via Ajax due to missing capability checks, missing input validation, and a missing security nonce in the stm_update_email_data A... | 9.8 | CRITICAL | - | 0 |
| CVE-2024-4434 The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the 'term_id' parameter in versions up to, and including, 4.2.6.5 due to insufficient escaping ... | 9.8 | CRITICAL | - | 0 |
| CVE-2024-2771 The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the /wp-json/f... | 9.8 | CRITICAL | - | 0 |
| CVE-2024-3495 The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the 'cnt' and 'sid' parameters in versions up to, and including, 2.7.2 due to insufficient escaping on the u... | 9.8 | CRITICAL | - | 0 |
| CVE-2023-0556 The ContentStudio plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several functions in versions up to, and including, 1.2.5. This makes it possible for ... | 9.8 | CRITICAL | - | 0 |
| CVE-2026-33879 Federated Learning and Interoperability Platform (FLIP) is an open-source platform for federated training and evaluation of medical imaging AI models across healthcare institutions. The FLIP login pag... | 9.8 | CRITICAL | - | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.