Critical · CVSS 9.8
Stack-based buffer overflow on Allen-Bradley MicroLogix 1100 devices before B FRN 15.000 and 1400 devices through B FRN 15.003 allows remote attackers to execute arbitrary code via unspecified vectors.
Published Oct 28, 2015 · Updated Jun 3, 2026
High · CVSS 7.5
Allen-Bradley MicroLogix 1100 devices before B FRN 15.000 and 1400 devices before B FRN 15.003 allow remote attackers to cause a denial of service (memory corruption and device crash) via a crafted HTTP request.
Published Oct 28, 2015 · Updated Jun 3, 2026
Critical · CVSS 10
Omron CX-One CX-Programmer before 9.6, CJ2M PLC devices before 2.1, and CJ2H PLC devices before 1.5 rely on cleartext password transmission, which allows remote attackers to obtain sensitive information by sniffing the network during a PLC unlock request.
Published Oct 3, 2015 · Updated Jun 2, 2026
Medium · CVSS 6.1
Multiple cross-site scripting (XSS) vulnerabilities in the Wind Farm Portal application in Nordex Control 2 (NC2) SCADA 16 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published Oct 18, 2015 · Updated Jun 2, 2026
Medium · CVSS 4.9
The Easy Testimonial Slider and Form plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published Oct 29, 2025 · Updated Apr 8, 2026
Medium · CVSS 4.9
The Thumbnail Slider With Lightbox plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published Oct 29, 2025 · Updated Apr 8, 2026
High · CVSS 7.8 · CISA KEV
Adobe Flash Player 18.x through 18.0.0.252 and 19.x through 19.0.0.207 on Windows and OS X and 11.x through 11.2.202.535 on Linux allows remote attackers to execute arbitrary code via a crafted SWF file, as exploited in the wild in October 2015.
Published Oct 15, 2015 · Updated Oct 21, 2025
Medium · CVSS 5.3 · CISA KEV
Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60 allows remote attackers to affect integrity via unknown vectors related to Deployment.
Published Oct 21, 2015 · Updated Oct 21, 2025
Medium · CVSS 6.5
A vulnerability classified as critical was found in Easy2Map Photos Plugin 1.0.1 on WordPress. This vulnerability affects unknown code. The manipulation leads to sql injection. The attack can be initiated remotely. Upgrading to version 1.1.0 is able to address this issue. The patch is identified as 503d9ee2482d27c065f78d9546f076a406189908. It is recommended to upgrade the affected component. VDB-241318 is the identifier assigned to this vulnerability.
Published Oct 6, 2023 · Updated Jun 16, 2025
Unknown · CVSS Not scored
The wp-slimstat (aka Slimstat Analytics) plugin before 4.1.6.1 for WordPress has XSS via an HTTP Referer header, or via a field associated with JavaScript-based Referer tracking.
Published Oct 7, 2018 · Updated Sep 17, 2024
Unknown · CVSS Not scored
OpenNMS has a default password of rtc for the rtc account, which makes it easier for remote attackers to obtain access by leveraging knowledge of the credentials.
Published Oct 16, 2015 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The arkeiad daemon in the Arkeia Backup Agent in Western Digital Arkeia 11.0.12 and earlier allows remote attackers to bypass authentication and execute arbitrary commands via a series of crafted requests involving the ARKFS_EXEC_CMD operation.
Published Oct 5, 2015 · Updated Sep 17, 2024
Unknown · CVSS Not scored
ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a hardcoded password of "plugin" for the IntegrationUser account, which allows remote authenticated users to obtain administrator access by leveraging knowledge of this password.
Published Oct 9, 2015 · Updated Sep 17, 2024
Unknown · CVSS Not scored
Buffer overflow in Konica Minolta FTP Utility 1.0 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a long USER command.
Published Oct 9, 2015 · Updated Sep 17, 2024
Unknown · CVSS Not scored
The videowhisper-video-presentation plugin 3.31.17 for WordPress allows remote attackers to execute arbitrary code because vp/vw_upload.php considers a file safe when "html" are the last four characters, as demonstrated by a .phtml file containing PHP code.
Published Oct 5, 2018 · Updated Sep 17, 2024
Unknown · CVSS Not scored
PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL query restrictions via a comment in the query to api/json/admin/SubmitQuery, as demonstrated by "INSERT/**/INTO."
Published Oct 9, 2015 · Updated Sep 17, 2024
Unknown · CVSS Not scored
SAP 3D Visual Enterprise Viewer (VEV) allows remote attackers to execute arbitrary code via a crafted Filmbox document, which triggers memory corruption.
Published Oct 30, 2015 · Updated Sep 17, 2024
Unknown · CVSS Not scored
SolarWinds Log and Event Manager (LEM) allows remote attackers to execute arbitrary commands on managed computers via a request to services/messagebroker/nonsecurestreamingamf involving the traceroute functionality.
Published Oct 15, 2015 · Updated Sep 16, 2024
Unknown · CVSS Not scored
SAP 3D Visual Enterprise Viewer (VEV) allows remote attackers to execute arbitrary code via a crafted (1) U3D, (2) LWO, (3) JPEG2000, or (4) FBX file, aka "Out-Of-Bounds Indexing" vulnerabilities.
Published Oct 30, 2015 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in 4images 1.7.11 and earlier allows remote attackers to inject arbitrary web script or HTML via the cat_description parameter in an updatecat action to admin/categories.php.
Published Oct 5, 2015 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Multiple cross-site request forgery (CSRF) vulnerabilities in the Organizations page in Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.9 and earlier allow remote attackers to hijack the authentication of administrators for requests that have unspecified impact via unknown vectors.
Published Oct 1, 2015 · Updated Sep 16, 2024
Unknown · CVSS Not scored
ProcessFileUpload.jsp in SolarWinds Storage Manager before 6.2 allows remote attackers to upload and execute arbitrary files via unspecified vectors.
Published Oct 15, 2015 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Multiple buffer overflows in SAP 3D Visual Enterprise Viewer (VEV) allow remote attackers to execute arbitrary code via a crafted (1) 3DM or (2) Flic Animation file.
Published Oct 30, 2015 · Updated Sep 16, 2024
Unknown · CVSS Not scored
LINE for Android version 5.0.2 and earlier and LINE for iOS version 5.0.0 and earlier are vulnerable to MITM (man-in-the-middle) attack since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.
Published Oct 31, 2023 · Updated Sep 12, 2024
Unknown · CVSS Not scored
LINE@ for Android version 1.0.0 and LINE@ for iOS version 1.0.0 are vulnerable to MITM (man-in-the-middle) attack since the application allows non-SSL/TLS communications. As a result, any API may be invoked from a script injected by a MITM (man-in-the-middle) attacker.
Published Oct 31, 2023 · Updated Sep 12, 2024
Unknown · CVSS Not scored
JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This of course drastically reduces the search space to a linear amount of guesses based on the token length times the possible characters.
Published Oct 31, 2023 · Updated Sep 6, 2024
Unknown · CVSS Not scored
Remote file download in simple-image-manipulator v1.0 wordpress plugin
Published Oct 6, 2016 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Remote file upload vulnerability in fast-image-adder v1.1 Wordpress plugin
Published Oct 6, 2016 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Remote file download vulnerability in wptf-image-gallery v1.03
Published Oct 6, 2016 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Open proxy in Wordpress plugin google-adsense-and-hotel-booking v1.05
Published Oct 6, 2016 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Remote file download vulnerability in candidate-application-form v1.0 wordpress plugin
Published Oct 6, 2016 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Blind SQL Injection in filedownload v1.4 wordpress plugin
Published Oct 6, 2016 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Path Disclosure Vulnerability in wordpress plugin MP3-jPlayer v2.3.2
Published Oct 6, 2016 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Remote file upload vulnerability in wordpress plugin csv2wpec-coupon v1.1
Published Oct 6, 2016 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Remote file download vulnerability in recent-backups v0.7 wordpress plugin
Published Oct 6, 2016 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Remote file upload vulnerability in mailcwp v1.99 wordpress plugin
Published Oct 6, 2016 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Local File Inclusion Vulnerability in mypixs v0.3 wordpress plugin
Published Oct 6, 2016 · Updated Aug 6, 2024
Medium · CVSS 5
A vulnerability classified as problematic has been found in WP Ultimate CSV Importer Plugin 3.7.2 on WordPress. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. Upgrading to version 3.7.3 is able to address this issue. The identifier of the patch is 13c30af721d3f989caac72dd0f56cf0dc40fad7e. It is recommended to upgrade the affected component. The identifier VDB-241317 was assigned to this vulnerability.
Published Oct 5, 2023 · Updated Aug 6, 2024
Unknown · CVSS Not scored
XSS in filedownload v1.4 wordpress plugin
Published Oct 6, 2016 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Open Proxy in filedownload v1.4 wordpress plugin
Published Oct 6, 2016 · Updated Aug 6, 2024
Medium · CVSS 6.5
A vulnerability was found in Most Popular Posts Widget Plugin up to 0.8 on WordPress. It has been classified as critical. Affected is the function add_views/show_views of the file functions.php. The manipulation leads to sql injection. It is possible to launch the attack remotely. Upgrading to version 0.9 is able to address this issue. The patch is identified as a99667d11ac8d320006909387b100e9a8b5c12e1. It is recommended to upgrade the affected component. VDB-241026 is the identifier assigned to this vulnerability.
Published Oct 2, 2023 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Blind SQL Injection in wordpress plugin dukapress v2.5.9
Published Oct 6, 2016 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The Easy Digital Downloads (EDD) Content Restriction extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
Published Oct 23, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The Easy Digital Downloads (EDD) Amazon S3 extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
Published Oct 23, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The pretty-link plugin before 1.6.8 for WordPress has PrliLinksController::list_links SQL injection via the group parameter.
Published Oct 10, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The Easy Digital Downloads (EDD) core component 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7 for WordPress has XSS because add_query_arg is misused.
Published Oct 23, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The Easy Digital Downloads (EDD) QR Code extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
Published Oct 23, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The Showbiz Pro plugin through 1.7.1 for WordPress has PHP code execution by uploading a .php file within a ZIP archive.
Published Oct 22, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The incoming-links plugin before 0.9.10b for WordPress has referrers.php XSS via the Referer HTTP header.
Published Oct 10, 2019 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The Easy Digital Downloads (EDD) Per Product Emails extension for WordPress, as used with EDD 1.8.x before 1.8.7, 1.9.x before 1.9.10, 2.0.x before 2.0.5, 2.1.x before 2.1.11, 2.2.x before 2.2.9, and 2.3.x before 2.3.7, has XSS because add_query_arg is misused.
Published Oct 23, 2019 · Updated Aug 6, 2024