A vulnerability classified as problematic was found in Drivin Soluções up to 20250226. This vulnerability affects unknown code of the file /api/school/registerSchool of the component API Handler. The manipulation of the argument message leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

In X.Org X server 20.11 through 21.1.16, when a client application uses easystroke for mouse gestures, the main thread modifies various data structures used by the input thread without acquiring a lock, aka a race condition. In particular, AttachDevice in dix/devices.c does not acquire an input lock.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in cookforweb All In Menu all-in-menu allows Blind SQL Injection.This issue affects All In Menu: from n/a through <= 1.1.5.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in fs-code FS Poster fs-poster.This issue affects FS Poster: from n/a through <= 6.5.8.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aldo Latino PrivateContent private-content.This issue affects PrivateContent: from n/a through <= 8.11.4.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound PrivateContent private-content.This issue affects PrivateContent: from n/a through <= 8.11.5.

Missing Authorization vulnerability in Aldo Latino PrivateContent private-content.This issue affects PrivateContent: from n/a through <= 8.11.5.

Missing Authorization vulnerability in FRESHFACE Fresh Framework fresh-framework allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Fresh Framework: from n/a through <= 1.70.0.

Path Traversal: '.../...//' vulnerability in NotFound Pie Register Premium pie-register-premium.This issue affects Pie Register Premium: from n/a through <= 3.8.3.2.

Improper Control of Generation of Code ('Code Injection') vulnerability in colabrio Ohio Extra ohio-extra allows Code Injection.This issue affects Ohio Extra: from n/a through <= 3.4.7.

Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Object Injection.This issue affects Booking and Rental Manager: from n/a through <= 2.2.6.

Cross-Site Request Forgery (CSRF) vulnerability in Recapture Cart Recovery and Email Marketing Recapture for WooCommerce recapture-for-woocommerce allows Cross Site Request Forgery.This issue affects Recapture for WooCommerce: from n/a through <= 1.0.43.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in maennchen1.de m1.DownloadList m1downloadlist allows DOM-Based XSS.This issue affects m1.DownloadList: from n/a through <= 0.19.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PublishPress PublishPress Authors publishpress-authors allows SQL Injection.This issue affects PublishPress Authors: from n/a through <= 4.7.3.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce different-shipping-and-billing-address-for-woocommerce allows SQL Injection.This issue affects Multiple Shipping And Billing Address For Woocommerce: from n/a through <= 1.3.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zzmaster WP AntiDDOS wpantiddos allows Reflected XSS.This issue affects WP AntiDDOS: from n/a through <= 2.0.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Thorsten Ott Debug-Bar-Extender debug-bar-extender allows Reflected XSS.This issue affects Debug-Bar-Extender: from n/a through <= 0.5.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nicola Mustone WP Discord Post wp-discord-post allows Reflected XSS.This issue affects WP Discord Post: from n/a through <= 2.1.0.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spring Devs Pre Order Addon for WooCommerce – Advance Order/Backorder Plugin wc-pre-order allows Reflected XSS.This issue affects Pre Order Addon for WooCommerce – Advance Order/Backorder Plugin: from n/a through <= 2.2.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kdmurray Random Image Selector random-image-selector allows Reflected XSS.This issue affects Random Image Selector: from n/a through <= 2.4.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dvs11 Random Posts, Mp3 Player + ShareButton random-posts-mp3-player-sharebutton allows Reflected XSS.This issue affects Random Posts, Mp3 Player + ShareButton: from n/a through <= 1.4.1.

A flaw was found in Keylime, a remote attestation solution, where strict type checking introduced in version 7.12.0 prevents the registrar from reading database entries created by previous versions, for example, 7.11.0. Specifically, older versions store agent registration data as bytes, whereas the updated registrar expects str. This issue leads to an exception when processing agent registration requests, causing the agent to fail.

A flaw was found in Foreman/Red Hat Satellite. Improper file permissions allow low-privileged OS users to monitor and access temporary files under /var/tmp, exposing sensitive command outputs, such as /etc/shadow. This issue can lead to information disclosure and privilege escalation if exploited effectively.

The WP01 plugin for WordPress is vulnerable to Arbitrary File Download in all versions up to, and including, 2.6.2 due to a missing capability check and insufficient restrictions on the make_archive() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download and read the contents of arbitrary files on the server, which can contain sensitive information. CVE-2025-30567 is a duplicate of this issue.

The School Management System – WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'cid' parameter in all versions up to, and including, 2.2.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.