CVE-2025-5365 - Campcodes Online Hospital Management System SQL Injection Vulnerability
CVE ID : CVE-2025-5365
Published : May 31, 2025, 1:15 a.m. | 17 minutes ago
Description : A vulnerability was found in Campcodes Online Hospital Management System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/patient-search.php. The manipulation of the argument searchdata leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-5365
Published : May 31, 2025, 1:15 a.m. | 17 minutes ago
Description : A vulnerability was found in Campcodes Online Hospital Management System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/patient-search.php. The manipulation of the argument searchdata leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-5367 - "PHPGurukul Online Shopping Portal SQL Injection Vulnerability"
CVE ID : CVE-2025-5367
Published : May 31, 2025, 2:15 a.m. | 3 hours, 17 minutes ago
Description : A vulnerability was found in PHPGurukul Online Shopping Portal Project 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /category.php. The manipulation of the argument Product leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-5367
Published : May 31, 2025, 2:15 a.m. | 3 hours, 17 minutes ago
Description : A vulnerability was found in PHPGurukul Online Shopping Portal Project 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /category.php. The manipulation of the argument Product leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-5016 - Relevanssi WordPress Stored Cross-Site Scripting Vulnerability
CVE ID : CVE-2025-5016
Published : May 31, 2025, 4:15 a.m. | 1 hour, 17 minutes ago
Description : The Relevanssi – A Better Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Excerpt Highlights in all versions up to, and including, 4.24.5 (Free) and 2.27.6 (Premium) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 4.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-5016
Published : May 31, 2025, 4:15 a.m. | 1 hour, 17 minutes ago
Description : The Relevanssi – A Better Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Excerpt Highlights in all versions up to, and including, 4.24.5 (Free) and 2.27.6 (Premium) due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 4.7 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-5368 - PHPGurukul Daily Expense Tracker System SQL Injection Vulnerability
CVE ID : CVE-2025-5368
Published : May 31, 2025, 4:15 a.m. | 1 hour, 17 minutes ago
Description : A vulnerability was found in PHPGurukul Daily Expense Tracker System 1.1. It has been rated as critical. This issue affects some unknown processing of the file /expense-yearwise-reports-detailed.php. The manipulation of the argument todate leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-5368
Published : May 31, 2025, 4:15 a.m. | 1 hour, 17 minutes ago
Description : A vulnerability was found in PHPGurukul Daily Expense Tracker System 1.1. It has been rated as critical. This issue affects some unknown processing of the file /expense-yearwise-reports-detailed.php. The manipulation of the argument todate leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-5369 - SourceCodester PHP Display Username After Login SQL Injection Vulnerability
CVE ID : CVE-2025-5369
Published : May 31, 2025, 5:15 a.m. | 17 minutes ago
Description : A vulnerability classified as critical has been found in SourceCodester PHP Display Username After Login 1.0. Affected is an unknown function of the file /login.php. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-5369
Published : May 31, 2025, 5:15 a.m. | 17 minutes ago
Description : A vulnerability classified as critical has been found in SourceCodester PHP Display Username After Login 1.0. Affected is an unknown function of the file /login.php. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-5370 - PHPGurukul News Portal SQL Injection Vulnerability
CVE ID : CVE-2025-5370
Published : May 31, 2025, 6:15 a.m. | 3 hours, 17 minutes ago
Description : A vulnerability classified as critical was found in PHPGurukul News Portal 4.1. Affected by this vulnerability is an unknown functionality of the file /admin/forgot-password.php. The manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-5370
Published : May 31, 2025, 6:15 a.m. | 3 hours, 17 minutes ago
Description : A vulnerability classified as critical was found in PHPGurukul News Portal 4.1. Affected by this vulnerability is an unknown functionality of the file /admin/forgot-password.php. The manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-4103 - WordPress WP-GeoMeta Privilege Escalation Vulnerability
CVE ID : CVE-2025-4103
Published : May 31, 2025, 7:15 a.m. | 2 hours, 17 minutes ago
Description : The WP-GeoMeta plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wp_ajax_wpgm_start_geojson_import() function in versions 0.3.4 to 0.3.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-4103
Published : May 31, 2025, 7:15 a.m. | 2 hours, 17 minutes ago
Description : The WP-GeoMeta plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wp_ajax_wpgm_start_geojson_import() function in versions 0.3.4 to 0.3.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-4590 - Daisycon prijsvergelijkers WordPress Stored Cross-Site Scripting Vulnerability
CVE ID : CVE-2025-4590
Published : May 31, 2025, 7:15 a.m. | 2 hours, 17 minutes ago
Description : The Daisycon prijsvergelijkers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'daisycon_uitvaart' shortcode in all versions up to, and including, 4.8.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-4590
Published : May 31, 2025, 7:15 a.m. | 2 hours, 17 minutes ago
Description : The Daisycon prijsvergelijkers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'daisycon_uitvaart' shortcode in all versions up to, and including, 4.8.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-4595 - FastSpring for WordPress Stored Cross-Site Scripting Vulnerability
CVE ID : CVE-2025-4595
Published : May 31, 2025, 7:15 a.m. | 2 hours, 17 minutes ago
Description : The FastSpring plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fastspring/block-fastspringblocks-complete-product-catalog' block in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping on the 'color' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-4595
Published : May 31, 2025, 7:15 a.m. | 2 hours, 17 minutes ago
Description : The FastSpring plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fastspring/block-fastspringblocks-complete-product-catalog' block in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping on the 'color' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-4607 - "PSW Front-end Login & Registration WordPress Privilege Escalation"
CVE ID : CVE-2025-4607
Published : May 31, 2025, 7:15 a.m. | 2 hours, 17 minutes ago
Description : The PSW Front-end Login & Registration plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.12 via the customer_registration() function. This is due to the use of a weak, low-entropy OTP mechanism in the forget() function. This makes it possible for unauthenticated attackers to initiate a password reset for any user, including administrators, and elevate their privileges for full site takeover.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-4607
Published : May 31, 2025, 7:15 a.m. | 2 hours, 17 minutes ago
Description : The PSW Front-end Login & Registration plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.12 via the customer_registration() function. This is due to the use of a weak, low-entropy OTP mechanism in the forget() function. This makes it possible for unauthenticated attackers to initiate a password reset for any user, including administrators, and elevate their privileges for full site takeover.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-4631 - WordPress Profitori Plugin Privilege Escalation Vulnerability
CVE ID : CVE-2025-4631
Published : May 31, 2025, 7:15 a.m. | 2 hours, 17 minutes ago
Description : The Profitori plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the stocktend_object endpoint in versions 2.0.6.0 to 2.1.1.3. This makes it possible to trigger the save_object_as_user() function for objects whose '_datatype' is set to 'users',. This allows unauthenticated attackers to write arbitrary strings straight into the user’s wp_capabilities meta field, potentially elevating the privileges of an existing user account or a newly created one to that of an administrator.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-4631
Published : May 31, 2025, 7:15 a.m. | 2 hours, 17 minutes ago
Description : The Profitori plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the stocktend_object endpoint in versions 2.0.6.0 to 2.1.1.3. This makes it possible to trigger the save_object_as_user() function for objects whose '_datatype' is set to 'users',. This allows unauthenticated attackers to write arbitrary strings straight into the user’s wp_capabilities meta field, potentially elevating the privileges of an existing user account or a newly created one to that of an administrator.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-4672 - Offsprout Page Builder WordPress Privilege Escalation Vulnerability
CVE ID : CVE-2025-4672
Published : May 31, 2025, 7:15 a.m. | 2 hours, 17 minutes ago
Description : The Offsprout Page Builder plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization placed on the permission_callback() function in versions 2.2.1 to 2.15.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to read, create, update or delete any user meta, including flipping their own wp_capabilities to administrator and fully escalate their privileges.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-4672
Published : May 31, 2025, 7:15 a.m. | 2 hours, 17 minutes ago
Description : The Offsprout Page Builder plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization placed on the permission_callback() function in versions 2.2.1 to 2.15.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to read, create, update or delete any user meta, including flipping their own wp_capabilities to administrator and fully escalate their privileges.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-5285 - WooCommerce Stored Cross-Site Scripting Vulnerability
CVE ID : CVE-2025-5285
Published : May 31, 2025, 7:15 a.m. | 2 hours, 17 minutes ago
Description : The Product Subtitle for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘htmlTag’ parameter in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-5285
Published : May 31, 2025, 7:15 a.m. | 2 hours, 17 minutes ago
Description : The Product Subtitle for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘htmlTag’ parameter in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-5292 - Elementor Element Pack Addons Stored Cross-Site Scripting Vulnerability
CVE ID : CVE-2025-5292
Published : May 31, 2025, 7:15 a.m. | 2 hours, 17 minutes ago
Description : The Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_content’ parameter in all versions up to, and including, 5.11.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-5292
Published : May 31, 2025, 7:15 a.m. | 2 hours, 17 minutes ago
Description : The Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_content’ parameter in all versions up to, and including, 5.11.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3813 - WordPress Royal Elementor Stored Cross-Site Scripting (XSS)
CVE ID : CVE-2025-3813
Published : May 31, 2025, 8:15 a.m. | 1 hour, 17 minutes ago
Description : The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_elementor_data’ parameter in all versions up to, and including, 1.7.1020 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3813
Published : May 31, 2025, 8:15 a.m. | 1 hour, 17 minutes ago
Description : The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_elementor_data’ parameter in all versions up to, and including, 1.7.1020 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-5290 - Elementor Stored Cross-Site Scripting Vulnerability
CVE ID : CVE-2025-5290
Published : May 31, 2025, 8:15 a.m. | 1 hour, 17 minutes ago
Description : The Borderless – Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-5290
Published : May 31, 2025, 8:15 a.m. | 1 hour, 17 minutes ago
Description : The Borderless – Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-5371 - SourceCodester Health Center Patient Record Management System SQL Injection Vulnerability
CVE ID : CVE-2025-5371
Published : May 31, 2025, 8:15 a.m. | 1 hour, 17 minutes ago
Description : A vulnerability, which was classified as critical, has been found in SourceCodester Health Center Patient Record Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/admin.php. The manipulation of the argument Username leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-5371
Published : May 31, 2025, 8:15 a.m. | 1 hour, 17 minutes ago
Description : A vulnerability, which was classified as critical, has been found in SourceCodester Health Center Patient Record Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/admin.php. The manipulation of the argument Username leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-5373 - PHPGurukul Online Birth Certificate System SQL Injection Vulnerability
CVE ID : CVE-2025-5373
Published : May 31, 2025, 9:15 a.m. | 17 minutes ago
Description : A vulnerability has been found in PHPGurukul Online Birth Certificate System 2.0 and classified as critical. This vulnerability affects unknown code of the file /admin/users-applications.php. The manipulation of the argument userid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-5373
Published : May 31, 2025, 9:15 a.m. | 17 minutes ago
Description : A vulnerability has been found in PHPGurukul Online Birth Certificate System 2.0 and classified as critical. This vulnerability affects unknown code of the file /admin/users-applications.php. The manipulation of the argument userid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-5374 - PHPGurukul Online Birth Certificate System SQL Injection Vulnerability
CVE ID : CVE-2025-5374
Published : May 31, 2025, 10:15 a.m. | 3 hours, 17 minutes ago
Description : A vulnerability was found in PHPGurukul Online Birth Certificate System 2.0 and classified as critical. This issue affects some unknown processing of the file /admin/all-applications.php. The manipulation of the argument del leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-5374
Published : May 31, 2025, 10:15 a.m. | 3 hours, 17 minutes ago
Description : A vulnerability was found in PHPGurukul Online Birth Certificate System 2.0 and classified as critical. This issue affects some unknown processing of the file /admin/all-applications.php. The manipulation of the argument del leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-5375 - PHPGurukul HPGurukul Online Birth Certificate System SQL Injection Vulnerability
CVE ID : CVE-2025-5375
Published : May 31, 2025, 11:15 a.m. | 2 hours, 17 minutes ago
Description : A vulnerability was found in PHPGurukul HPGurukul Online Birth Certificate System 2.0. It has been classified as critical. Affected is an unknown function of the file /admin/registered-users.php. The manipulation of the argument del leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-5375
Published : May 31, 2025, 11:15 a.m. | 2 hours, 17 minutes ago
Description : A vulnerability was found in PHPGurukul HPGurukul Online Birth Certificate System 2.0. It has been classified as critical. Affected is an unknown function of the file /admin/registered-users.php. The manipulation of the argument del leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-4691 - "Free Booking Plugin for Hotels, Restaurants and Car Rentals - eaSYNC Booking Direct Object Reference Vulnerability"
CVE ID : CVE-2025-4691
Published : May 31, 2025, 12:15 p.m. | 1 hour, 17 minutes ago
Description : The Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.21 via the 'view_request_details' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the details of any booking request. The vulnerability was partially patched in versions 1.3.18 and 1.3.21.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-4691
Published : May 31, 2025, 12:15 p.m. | 1 hour, 17 minutes ago
Description : The Free Booking Plugin for Hotels, Restaurants and Car Rentals – eaSYNC Booking plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.21 via the 'view_request_details' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the details of any booking request. The vulnerability was partially patched in versions 1.3.18 and 1.3.21.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...