Monitor and prioritize what really matters — the 1% of vulnerabilities that can cause real impact.
This vulnerability is an arbitrary file upload flaw caused by improper validation of file extensions in the Divi Form Builder plugin's do_image_upload() function. The root cause lies in the direct interpolation of user-supplied input from the acceptFileTypes POST parameter into a regular expression used for file validation. This affects the file upload component responsible for restricting executable file types, allowing bypass of intended security controls.
This vulnerability is an unauthenticated Cross-Site Scripting (XSS) flaw arising from improper sanitization of user-supplied input in the MapPress Maps for WordPress plugin, specifically versions up to 2.97.3. The issue resides in the plugin's handling of map-related parameters that are rendered in the frontend without adequate encoding or filtering, affecting the map display component responsible for embedding Google Maps within WordPress posts or pages.
This vulnerability is a Local File Inclusion (LFI) flaw in the BetterDocs Pro WordPress plugin, specifically affecting versions up to 3.8.0. The root cause lies in insufficient input validation of the `doc_style` parameter, which allows an attacker to manipulate file inclusion logic. The affected component is the file inclusion mechanism within the plugin that processes the `doc_style` parameter without proper sanitization, enabling arbitrary file inclusion on the server.
This vulnerability is an arbitrary file deletion flaw rooted in improper validation of file paths within the maybe_delete_files function of the Avada (Fusion) Builder plugin for WordPress. The issue arises from insufficient sanitization of user-supplied input, enabling path traversal attacks. The affected component is the Fusion_Form_DB_Privacy cleanup routine triggered during shutdown, which processes database entries related to form submissions.
This vulnerability is a Blind SQL Injection resulting from improper neutralization of special elements in SQL commands within Beardev JoomSport. The root cause lies in insufficient input sanitization of user-supplied data that is directly incorporated into SQL queries without parameterization or escaping. The affected component is the JoomSport plugin for WordPress, specifically versions up to and including 5.7.7, where database query construction fails to properly handle malicious input.
This vulnerability is an Incorrect Privilege Assignment flaw rooted in improper access control mechanisms within the Hippoo Mobile App for WooCommerce plugin. The issue arises because certain privileged functions or administrative features are accessible without proper authorization checks. The affected component is the privilege management system in versions up to 1.9.4, which fails to enforce restrictions on user capabilities, allowing unauthorized privilege escalation.
This vulnerability is a deserialization flaw in Jenkins core and plugins, allowing unsafe processing of attacker-controlled XML data. The root cause is insecure deserialization of arbitrary types from the `config.xml` submission, which is part of Jenkins' configuration management. The affected components include Jenkins versions 2.567 and earlier, and LTS 2.555.2 and earlier, specifically the configuration XML handling mechanism.
The vulnerability is an improper validation flaw related to the specified quantity input within the Product Slider Pro for WooCommerce plugin by ShapedPlugin, LLC. The root cause lies in insufficient sanitization and verification of user-supplied quantity parameters, allowing malicious data to bypass input controls. This flaw affects the input handling logic of the product quantity specification feature in versions prior to 3.5.4.
This vulnerability is a privilege escalation flaw caused by improper validation in the password reset functionality of the Kirki – Freeform Page Builder plugin for WordPress. The root cause lies in the plugin accepting an arbitrary email address when a username is submitted during a password reset request. The affected component is the password reset handler within the plugin's form processing logic, which fails to verify that the email corresponds to the username provided.
This vulnerability is a remote code execution flaw arising from improper handling of block registration and rendering in the Spectra Gutenberg Blocks plugin. The root cause is the ability for authenticated users with Contributor-level privileges or higher to register arbitrary block types prefixed with 'uagb-' and assign attacker-controlled render callbacks. During sequential block rendering, the plugin invokes these callbacks via call_user_func(), enabling execution of arbitrary PHP code on the server.
This vulnerability is a privilege escalation flaw caused by improper access control in the WP Maps Pro WordPress plugin. The root cause lies in the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_, allowing unauthenticated access. The protection relies solely on a nonce embedded in the frontend JavaScript, which is publicly accessible, rendering the nonce check ineffective as an authentication barrier.
This vulnerability is a missing authorization flaw in the FunnelKit Funnel Builder for WooCommerce Checkout plugin prior to version 3.15.0.3. The root cause is the lack of access control on the public AJAX checkout endpoint, which permits unauthenticated requests to invoke internal methods. The affected component is the plugin's External Scripts global setting, which can be manipulated through this unauthorized access vector.
The vulnerability is an authentication bypass in the legacy Flask API server component of PraisonAI versions 2.5.6 through 4.6.33. The root cause is that the Flask API server ships with authentication disabled by default, allowing unauthenticated access to sensitive API endpoints. Specifically, the /agents endpoint and the /chat endpoint, which triggers workflows defined in agents.yaml, are exposed without requiring token-based authentication.
This vulnerability is an unauthenticated OS command injection affecting the GoAhead web server component embedded in MeiG Smart FORGE_SLT711 devices running firmware MDM9607.LE.1.0-00110-STD.PROD-1. The root cause lies in inadequate input validation on the /action/SetRemoteAccessCfg HTTP endpoint, which directly passes user-supplied data to system command execution functions without proper sanitization, allowing arbitrary commands to be injected and executed on the underlying operating system.
The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability can only be exploited if "Host Files Locally - Gravatars" is enabled, which is disabled by default.
This vulnerability is an arbitrary file upload flaw caused by improper file type validation in the Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin. The root cause lies in the plugin's handling of custom blacklist configurations, which overwrite the default denylist instead of merging, combined with a sanitization bypass for filenames containing non-ASCII characters in the wpcf7_antiscript_file_name() function. The affected component is the file upload handler within the plugin's codebase for versions up to 1.3.9.7.
This vulnerability is a deserialization flaw caused by a hard-coded machineKey value in ASP.NET/IIS configurations within Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026. The fixed machineKey is used for ViewState validation, and its static nature allows attackers to craft malicious ViewState payloads that bypass integrity checks. The affected component is the ViewState validation mechanism in the ASP.NET application framework of KnowledgeDeliver.
This vulnerability is a path traversal flaw in Fortinet FortiSandbox versions 4.4.0 through 4.4.8 and 5.0.0 through 5.0.5. The root cause lies in improper validation of user-supplied input within HTTP request parameters, allowing directory traversal sequences such as '../filedir' to access unauthorized filesystem locations. The affected component is the HTTP interface of FortiSandbox, which fails to sanitize path inputs correctly, enabling manipulation of file paths beyond intended boundaries.
This vulnerability is a Sensitive Information Exposure caused by improper access control in the Gravity SMTP WordPress plugin. The root cause lies in a REST API endpoint (/wp-json/gravitysmtp/v1/tests/mock-data) that registers a permission callback which unconditionally returns true, effectively bypassing authentication checks. This flaw affects all versions of the Gravity SMTP plugin up to and including 2.1.4, specifically within the plugin's REST API implementation.
This vulnerability is a remote code execution flaw originating from unsafe dynamic function invocation in the Kali Forms WordPress plugin. The root cause lies in the 'prepare_post_data' function, which maps user-supplied input keys directly into internal placeholders without validation. Subsequently, the 'form_process' function invokes these placeholders via 'call_user_func', enabling execution of arbitrary code supplied by unauthenticated users. The affected component is the form processing mechanism within Kali Forms versions up to and including 2.4.9.
This vulnerability is a heap overflow caused by improper handling of network messages within the OpenSLP service in VMware ESXi. The flaw arises from insufficient bounds checking when processing requests received on UDP port 427, leading to memory corruption in the heap. The affected component is the OpenSLP daemon responsible for service location protocol operations in ESXi versions prior to specified patches.