CVE tracker
News monitoring: @irnewsagency

Main channel: @orgsecuritygate

Site: SecurityGate.org
CVE-2026-8228 - Wavlink NU516U1 wireless.cgi advance os command injection

CVE ID: CVE-2026-8228
Published: May 10, 2026, 5:16 a.m.
Description: A security vulnerability has been detected in Wavlink NU516U1 240425. Impacted is the function advance of the file /cgi-bin/wireless.cgi. Manipulation of the argument wlan_conf/Channel/skiplist/ieee_80211h leads to OS command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-8229 - Wavlink NU516U1 wireless.cgi WifiBasic os command injection

CVE ID: CVE-2026-8229
Published: May 10, 2026, 5:16 a.m.
Description: A vulnerability was detected in Wavlink NU516U1 240425. The affected element is the function WifiBasic of the file /cgi-bin/wireless.cgi. Manipulation of the argument AuthMethod/EncrypType results in OS command injection. Remote exploitation is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure.
Severity: 6.5 | MEDIUM
CVE-2026-8230 - Wavlink NU516U1 login.cgi sys_login1 os command injection

CVE ID: CVE-2026-8230
Published: May 10, 2026, 5:16 a.m.
Description: A flaw has been found in Wavlink NU516U1 240425. The impacted element is the function sys_login1 of the file /cgi-bin/login.cgi. Manipulation of the argument ipaddr can lead to OS command injection. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure.
Severity: 6.5 | MEDIUM
CVE-2026-6104 - Global buffer over-read in mb_convert_encoding() with attacker-supplied encoding

CVE ID: CVE-2026-6104
Published: May 10, 2026, 6:16 a.m.
Description: In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that a return value of 0 from strncasecmp() means the strings have the same length. This can lead to an out-of-bounds read of global memory, potentially causing a crash or information disclosure. Affected functions include mb_convert_encoding(), mb_detect_encoding(), mb_convert_variables(), and mb_detect_order(), as well as the mbstring.detect_order and mbstring.http_output INI settings.
Severity: 6.3 | MEDIUM
CVE-2026-7263 - DoS attack via DOMNode::C14N()

CVE ID: CVE-2026-7263
Published: May 10, 2026, 6:16 a.m.
Description: In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, the DOMNode::C14N() method may process XML data incorrectly, producing a circular linked list in the data structure that represents the XML document. Subsequent processing of that document may then enter an infinite loop, causing a denial of service in the processing application.
Severity: 6.3 | MEDIUM
CVE-2026-8231 - CodeAstro Online Catering Ordering System deleteorder.php sql injection

CVE ID: CVE-2026-8231
Published: May 10, 2026, 6:16 a.m.
Description: A vulnerability has been found in CodeAstro Online Catering Ordering System 1.0. This affects an unknown function of the file /deleteorder.php. Manipulation of the argument ID leads to SQL injection. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.5 | MEDIUM
CVE-2026-8232 - Dotouch XproUPF UPF Process libvlib.so vlib_worker_loop denial of service

CVE ID: CVE-2026-8232
Published: May 10, 2026, 6:16 a.m.
Description: A vulnerability was found in Dotouch XproUPF 2.0.0-release-088aa7c4. This impacts the function vlib_worker_loop in the library /usr/xpro/upf/tools/libs/libvlib.so of the component UPF Process. The manipulation results in a denial of service. The vendor was contacted early about this disclosure.
Severity: 5.1 | MEDIUM
CVE-2026-8233 - Dotouch XproUPF access control

CVE ID: CVE-2026-8233
Published: May 10, 2026, 6:16 a.m.
Description: A vulnerability was determined in Dotouch XproUPF 2.0.0-release-088aa7c4. Affected is an unknown function of the component UPF. The manipulation causes improper access controls. The attack requires a high degree of complexity and exploitation is considered difficult. The vendor was contacted early about this disclosure.
Severity: 4.6 | MEDIUM
CVE-2026-45186 - Apache libexpat XML Denial of Service

CVE ID: CVE-2026-45186
Published: May 10, 2026, 7:16 a.m.
Description: In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.
Severity: 2.9 | LOW
CVE-2026-8234 - EFM ipTIME A8004T WifiBasicSet formWifiBasicSet stack-based overflow

CVE ID: CVE-2026-8234
Published: May 10, 2026, 7:16 a.m.
Description: A security vulnerability has been detected in EFM ipTIME A8004T 14.18.2. This vulnerability affects the function formWifiBasicSet of the file /goform/WifiBasicSet. Manipulation of the argument security_5g leads to a stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 9.0 | HIGH
CVE-2026-8235 - 8421bit MiniClaw System kernel.ts resolveSkillScriptPath os command injection

CVE ID: CVE-2026-8235
Published: May 10, 2026, 7:16 a.m.
Description: A vulnerability was detected in 8421bit MiniClaw 0.8.0/0.9.0. This issue affects the function resolveSkillScriptPath of the file src/kernel.ts of the component System Command Handler. The manipulation results in OS command injection. The exploit is now public and may be used. The patch is identified as 223c16a1088e138838dcbd18cd65a37c35ac5a84. Applying the patch is the recommended way to resolve this issue.
Severity: 5.5 | MEDIUM
CVE-2026-8241 - Industrial Application Software IAS Canias ERP RMI iasGetServerInfoEvent improper authorization

CVE ID: CVE-2026-8241
Published: May 10, 2026, 9:16 a.m.
Description: A vulnerability has been found in Industrial Application Software IAS Canias ERP 8.03. The affected element is the function iasGetServerInfoEvent of the component RMI Interface. The manipulation leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.5 | MEDIUM
CVE-2026-8242 - Industrial Application Software IAS Canias ERP Login RMI doAction response discrepancy

CVE ID: CVE-2026-8242
Published: May 10, 2026, 9:16 a.m.
Description: A vulnerability was found in Industrial Application Software IAS Canias ERP 8.03. The impacted element is the function doAction of the component Login RMI Interface. The manipulation results in an observable response discrepancy. The attack can be carried out remotely, but it requires a high degree of complexity and exploitation is regarded as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 3.7 | LOW
CVE-2026-8243 - Industrial Application Software IAS Canias ERP JNLP Deployment Endpoint hard-coded key

CVE ID: CVE-2026-8243
Published: May 10, 2026, 9:16 a.m.
Description: A vulnerability was determined in Industrial Application Software IAS Canias ERP 8.03. This affects an unknown function of the component JNLP Deployment Endpoint. The manipulation can lead to use of a hard-coded cryptographic key. The attack may be performed remotely. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.9 | MEDIUM
CVE-2026-8244 - Industrial Application Software IAS Canias ERP Login RMI improper authentication

CVE ID: CVE-2026-8244
Published: May 10, 2026, 10:16 a.m.
Description: A vulnerability was identified in Industrial Application Software IAS Canias ERP 8.03. This impacts an unknown function of the component Login RMI Interface. Manipulation of the argument clientVersion leads to improper authentication. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.5 | MEDIUM
CVE-2021-47953 - OpenCart 3.0.3.7 Cross-Site Request Forgery via account/password

CVE ID: CVE-2021-47953
Published: May 10, 2026, 1:16 p.m.
Description: OpenCart 3.0.3.7 contains a cross-site request forgery vulnerability that allows attackers to change user passwords by sending crafted requests to the account/password endpoint. Attackers can trick authenticated users into submitting hidden forms with new password values in the 'password' and 'confirm' parameters to hijack accounts.
Severity: 5.3 | MEDIUM
CVE-2022-50943 - Moodle LMS 4.0 Cross-Site Scripting via course search.php

CVE ID: CVE-2022-50943
Published: May 10, 2026, 1:16 p.m.
Description: Moodle LMS 4.0 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search parameter. Attackers can inject JavaScript code via the search field in course/search.php to execute arbitrary scripts in users' browsers and steal session cookies.
Severity: 6.1 | MEDIUM
CVE-2022-50944 - Aero CMS 0.0.1 PHP Code Injection via posts.php

CVE ID: CVE-2022-50944
Published: May 10, 2026, 1:16 p.m.
Description: Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with the source=add_post parameter, and the uploaded files are executed by the server.
Severity: 8.8 | HIGH
CVE-2022-50945 - WordPress 3dady Real-Time Web Stats 1.0 Stored XSS

CVE ID: CVE-2022-50945
Published: May 10, 2026, 1:16 p.m.
Description: WordPress 3dady real-time web stats plugin 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input fields. Attackers can insert JavaScript payloads in the dady_input_text or dady2_input_text fields via the plugin options panel to execute arbitrary code when the page is viewed.
Severity: 6.4 | MEDIUM
CVE-2022-50946 - WordPress Plugin Netroics Blog Posts Grid 1.0 Stored XSS

CVE ID: CVE-2022-50946
Published: May 10, 2026, 1:16 p.m.
Description: WordPress Plugin Netroics Blog Posts Grid 1.0 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the post_title parameter. Attackers with editor privileges can inject script payloads through the testimonial title field that execute in the browsers of other users viewing the draft post, enabling cookie theft and session hijacking.
Severity: 6.4 | MEDIUM
CVE-2022-50947 - WordPress Plugin Testimonial Slider and Showcase 2.2.6 Stored XSS

CVE ID: CVE-2022-50947
Published: May 10, 2026, 1:16 p.m.
Description: WordPress Plugin Testimonial Slider and Showcase 2.2.6 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the post_title parameter. Attackers with editor privileges can inject JavaScript payloads through the testimonial title field that execute in the browsers of users viewing the draft post, enabling cookie theft and session hijacking.
Severity: 6.4 | MEDIUM