| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Unauthenticated Cross Site Scripting (XSS) in Qreatix <= 1.9.4 versions. |
| Unauthenticated Local File Inclusion in Rosaleen <= 2.8 versions. |
| Unauthenticated PHP Object Injection in Hot Coffee <= 1.7 versions. |
| Unauthenticated Local File Inclusion in Raider Spirit <= 1.1.2 versions. |
| Unauthenticated Local File Inclusion in Corbesier <= 1.15.0 versions. |
| Unauthenticated Local File Inclusion in Deliciosa <= 1.10.0 versions. |
| Unauthenticated PHP Object Injection in SeaFood Company <= 1.4 versions. |
| Unauthenticated Local File Inclusion in Food Drop <= 1.3 versions. |
| Unauthenticated Arbitrary File Download in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site <= 1.0.7 versions. |
| Unauthenticated Local File Inclusion in Wanium <= 1.9.8 versions. |
| Subscriber Broken Access Control in Genemy <= 1.6.6 versions. |
| Unauthenticated Local File Inclusion in Kelly Young <= 1.1.0 versions. |
| Unauthenticated Local File Inclusion in Top Dog <= 1.0.5 versions. |
| Unauthenticated Local File Inclusion in Roneous <= 2.1.5 versions. |
| Unauthenticated Local File Inclusion in Truemag <= 4.3.14.2 versions. |
| Unauthenticated PHP Object Injection in Nifty <= 1.4.1 versions. |
| Unauthenticated Local File Inclusion in Thegov Core < 2.0.23 versions. |
| Unauthenticated Local File Inclusion in Integrio Core < 1.2.8 versions. |
| The Bit integrations – Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.7 via the upload_attachment. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires a form integration to be configured with a field mapped to a WooCommerce product image, product gallery, downloadable files, or Google Contacts attachment field, which is a default use case for these integrations. |
| The Woosa – Marktplaats for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read via Path Traversal in versions up to and including 2.0.4. This is due to insufficient path sanitization in the render_logs_ui() function, which accepts a base64-encoded file name from the 'log_file' GET parameter and concatenates it directly with the plugin's log directory path without validating that the resolved path remains within the intended directory. This makes it possible for authenticated attackers, with Administrator-level access, to read the contents of arbitrary files on the server, including wp-config. |