CVE Database

Unauthenticated Broken Authentication in RegistrationMagic <= 6.0.8.6 versions.

Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot <= 1.3.7 versions.

Unauthenticated Path Traversal in Shared Files <= 1.7.64 versions.

Unauthenticated Broken Authentication in Upsell Order Bump Offer for WooCommerce <= 3.1.4 versions.

Unauthenticated PHP Object Injection in Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.3 versions.

Unauthenticated PHP Object Injection in Integration for Contact Form 7 and Constant Contact <= 1.1.6 versions.

Unauthenticated PHP Object Injection in WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions.

Unauthenticated PHP Object Injection in Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.2.1 versions.

Unauthenticated PHP Object Injection in WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms <= 1.1.4 versions.

Contributor Privilege Escalation in LatePoint <= 5.5.1 versions.

Subscriber Sensitive Data Exposure in Chatway Live Chat &#8211; AI Chatbot, Customer Support, FAQ &amp; Helpdesk Customer Service &amp; Chat Buttons <= 1.4.8 versions.

Unauthenticated Other Vulnerability Type in WP Travel Engine <= 6.7.10 versions.

Unauthenticated Broken Access Control in Knit Pay <= 9.4.0.0 versions.

Subscriber Sensitive Data Exposure in Coupon Affiliates <= 7.8.1 versions.

Unauthenticated SQL Injection in Advanced 301 and 302 Redirect <= 1.6.9 versions.

Unauthenticated Sensitive Data Exposure in Conekta Payment Gateway <= 6.0.0 versions.

Unauthenticated Broken Access Control in Hippoo Mobile App for WooCommerce <= 1.9.5 versions.

Unauthenticated Privilege Escalation in Listdom <= 5.5.0 versions.

Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions.

Unauthenticated Sensitive Data Exposure in WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels <= 4.9.4 versions.

Unauthenticated Cross Site Scripting (XSS) in Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.9.7 versions.

Unauthenticated Cross Site Request Forgery (CSRF) in WP Migrate Lite <= 2.7.8 versions.

Unauthenticated Broken Authentication in Really Simple SSL <= 9.5.10 versions.

Unauthenticated Cross Site Scripting (XSS) in Funnel Builder by FunnelKit <= 3.15.0.2 versions.

Subscriber Sensitive Data Exposure in XCloner <= 4.8.6 versions.

Subscriber SQL Injection in ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.6 versions.

Subscriber Privilege Escalation in Amelia <= 2.3 versions.

Unauthenticated Broken Access Control in JS Help Desk <= 3.0.9 versions.

Unauthenticated SQL Injection in JS Help Desk <= 3.0.9 versions.

Unauthenticated Cross Site Scripting (XSS) in HollerBox <= 2.3.10.1 versions.

Unauthenticated Broken Access Control in WPC Product Bundles for WooCommerce <= 8.5.3 versions.

Subscriber SQL Injection in WP Time Slots Booking Form <= 1.2.50 versions.

Unauthenticated Broken Access Control in TrueBooker <= 1.1.9 versions.

Subscriber Cross Site Scripting (XSS) in WP Job Portal <= 2.5.2 versions.

Subscriber Sensitive Data Exposure in Visual Link Preview <= 2.4.1 versions.

Unauthenticated Cross Site Scripting (XSS) in Stop Spammers <= 2026.3 versions.

Subscriber SQL Injection in GamiPress <= 7.8.7 versions.

Unauthenticated Broken Access Control in Montonio for WooCommerce <= 10.1.2 versions.

Unauthenticated Sensitive Data Exposure in EmbedPress <= 4.5.2 versions.

Unauthenticated Cross Site Scripting (XSS) in MW WP Form <= 5.1.3 versions.

Subscriber Cross Site Scripting (XSS) in King Addons for Elementor <= 51.1.62 versions.

Unauthenticated Insecure Direct Object References (IDOR) in Simple Shopping Cart <= 5.2.9 versions.

Unauthenticated Cross Site Scripting (XSS) in Quiz And Survey Master <= 11.1.2 versions.

Unauthenticated Cross Site Scripting (XSS) in Post SMTP <= 3.6.2 versions.

Unauthenticated Remote Code Execution (RCE) in Easy Invoice <= 2.1.19 versions.

Unauthenticated Broken Access Control in Contact Form by WPForms <= 1.10.0.4 versions.

OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, The ValidateArgumentType RPC endpoint in service/internal/api/api.go does not perform any authentication or authorization checks. Unlike all other data-returning API endpoints, it does not call auth.UserFromApiCall or checkDashboardAccess. When AuthRequireGuestsToLogin is enabled (the security-conscious configuration), this endpoint remains accessible to unauthenticated users and can be used as an oracle to enumerate valid action binding IDs and their argument configurations. This issue has been fixed in version 3000.13.0.

OliveTin gives access to predefined shell commands from a web interface. In versions 3000.0.0 and prior, the template engine uses a single shared text/template.Template instance (tpl package-level variable in service/internal/tpl/templates.go) across all goroutines. Every action execution calls tpl.Parse(source) followed by t.Execute() on this shared instance with no synchronization. When two or more actions execute concurrently (which is the normal case — each ExecRequest spawns a goroutine), a race condition occurs: one goroutine's Parse overwrites the template tree while another goroutine is calling Execute, causing cross-user command contamination, Go runtime panic, and incorrect command execution. This issue has been resolved in version 3000.13.0.

MultiJuicer is used to run separate Juice Shop instances on a central kubernetes cluster without the need for local instances. In versions 8.0.0 through 10.0.0, the team join endpoint (POST /multi-juicer/api/teams/{team}/join) accepted requests with any Content-Type, including text/plain. Because that content type does not trigger a CORS preflight, an attacker could host a cross-site HTML form that auto-submits to the endpoint and forces a victim's browser to log in as the attacker's team. A successful, undetected attacker can cause victims to unwittingly solve Juice Shop challenges under the attacker's team identity. In a CTF context this lets the attacker inflate their team's score using other players' activity, and any sensitive data the victim enters into "their" Juice Shop ends up in the attacker's instance. The vulnerability is exploitable without any prior authentication; the victim only needs to visit a page the attacker controls while having network access to the MultiJuicer deployment. SameSite=Strict on the session cookie does not mitigate this, because the attack plants a new cookie rather than relying on an existing one. This issue was fixed in version 10.0.1.

Cursor is a code editor built for programming with AI. In versions prior to 3.0.0, the Cursor Desktop could execute workspace-defined Claude hook commands from .claude/settings.local.json without dedicated user approval. A malicious workspace or agent-created file could configure hooks that run local commands in the user's context when an agent turn ends. This could allow sandbox escape, persistence across turns, local data access, or follow-on compromise. This issue has been fixed in version 3.0.0.