CVE Database

Search and browse vulnerability records from NVD

Showing 50 of 115527 CVEs

CVE ID | Severity | Description | EPSS | Published
-----------------------------------------------------------------------------
- | 5.3 MEDIUM | An attacker can get information about the groups of smart home devices (i.e., "rooms") of arbitrary users. | 0.2% | 2025-04-15
- | 6.5 MEDIUM | Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users. | 0.5% | 2025-04-15
- | 5.3 MEDIUM | Unauthenticated attackers can query information about the total energy consumed by the EV chargers of arbitrary users. | 0.3% | 2025-04-15
- | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dzynit SEO Tools seo-automatic-seo-tools allows Reflected XSS. This issue affects SEO Tools: from n/a through <= 4.0.7. | 0.2% | 2025-04-15
- | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookProgress by Stormhill Media mybookprogress allows Stored XSS. This issue affects MyBookProgress by Stormhill Media: from n/a through <= 1.0.8. | 0.1% | 2025-04-15
- | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scottwallick Easy Contact easy-contact allows Reflected XSS. This issue affects Easy Contact: from n/a through <= 0.1.2. | 0.2% | 2025-04-15
- | 9.6 CRITICAL | Cross-Site Request Forgery (CSRF) vulnerability in NotFound WPJobBoard wpjobboard allows Upload a Web Shell to a Web Server. This issue affects WPJobBoard: from n/a through < 5.11.1. | 0.1% | 2025-04-15
- | 5.4 MEDIUM | Path Traversal: '.../...//' vulnerability in NotFound WPJobBoard wpjobboard allows Path Traversal. This issue affects WPJobBoard: from n/a through < 5.11.1. | 0.4% | 2025-04-15
- | 6.5 MEDIUM | Unauthenticated attackers can send configuration settings to a device and possibly perform physical actions remotely (e.g., on/off). | 0.6% | 2025-04-15
- | 9.8 CRITICAL | An attacker can upload an arbitrary file instead of a plant image. | 0.1% | 2025-04-15
- | 5.3 MEDIUM | Unauthenticated attackers can retrieve the serial numbers of smart meters associated with a specific user account. | 0.3% | 2025-04-15
- | 5.3 MEDIUM | Unauthenticated attackers can retrieve the full list of users associated with arbitrary accounts. | 0.3% | 2025-04-15
- | 5.3 MEDIUM | An unauthenticated attacker can obtain a list of smart devices by knowing a valid username, through an unprotected API. | 0.3% | 2025-04-15
- | 5.3 MEDIUM | Unauthenticated attackers can query an API endpoint and get device details. | 0.3% | 2025-04-15
- | 5.3 MEDIUM | An unauthenticated attacker can obtain the EV charger version and firmware upgrade history by knowing the charger ID. | 0.3% | 2025-04-15
- | 5.3 MEDIUM | An unauthenticated attacker can delete any user's "rooms" by knowing the user ID and the room ID. | 0.5% | 2025-04-15
- | 5.3 MEDIUM | Unauthenticated attackers can rename "rooms" of arbitrary users. | 0.5% | 2025-04-15
- | 7.5 HIGH | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows PHP Local File Inclusion. This issue affects Booking and Rental Manager: from n/a through <= 2.2.8. | 0.4% | 2025-04-15
- | N/A | Missing Authorization vulnerability in NotFound Unlimited Timeline unlimited-timeline allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Unlimited Timeline: from n/a through < 1.6.1. | 0.1% | 2025-04-15
- | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks skt-blocks allows Stored XSS. This issue affects SKT Blocks: from n/a through <= 1.8. | 0.1% | 2025-04-15
- | 6.5 MEDIUM | Improper Control of Generation of Code ('Code Injection') vulnerability in Fetch Designs Sign-up Sheets sign-up-sheets allows Code Injection. This issue affects Sign-up Sheets: from n/a through <= 2.3.0.1. | 0.2% | 2025-04-15
- | N/A | Missing Authorization vulnerability in Crocoblock JetMenu jet-menu allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JetMenu: from n/a through <= 2.4.9. | 0.1% | 2025-04-15
- | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in covertnine C9 Blocks c9-blocks allows DOM-Based XSS. This issue affects C9 Blocks: from n/a through <= 1.7.7. | 0.1% | 2025-04-15
- | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AddonsPress Nepali Date Converter nepali-date-converter allows Stored XSS. This issue affects Nepali Date Converter: from n/a through <= 2.0.8. | 0.1% | 2025-04-15
- | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in graphthemes Glossy Blog glossy-blog allows Stored XSS. This issue affects Glossy Blog: from n/a through <= 1.0.3. | 0.1% | 2025-04-15
- | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in alleythemes Home Services home-services allows DOM-Based XSS. This issue affects Home Services: from n/a through <= 1.2.6. | 0.1% | 2025-04-15
- | 10.0 CRITICAL | Unrestricted Upload of File with Dangerous Type vulnerability in LiquidThemes AI Hub aihub allows Upload a Web Shell to a Web Server. This issue affects AI Hub: from n/a through <= 1.3.7. | 0.4% | 2025-04-15
- | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tainacan Tainá taina allows Stored XSS. This issue affects Tainá: from n/a through < 0.2.5. | 0.1% | 2025-04-15
- | 7.6 HIGH | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Gurmehub Kargo Entegratör kargo-entegrator allows SQL Injection. This issue affects Kargo Entegratör: from n/a through <= 1.1.14. | 0.2% | 2025-04-15
- | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ren Ventura WP Delete User Accounts wp-delete-user-accounts allows DOM-Based XSS. This issue affects WP Delete User Accounts: from n/a through <= 1.2.3. | 0.1% | 2025-04-15
- | 4.3 MEDIUM | Cross-Site Request Forgery (CSRF) vulnerability in RealMag777 InPost Gallery inpost-gallery allows Cross Site Request Forgery. This issue affects InPost Gallery: from n/a through <= 2.1.4.3. | 0.1% | 2025-04-15
- | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Skill Bar skt-skill-bar allows Stored XSS. This issue affects SKT Skill Bar: from n/a through <= 2.3. | 0.1% | 2025-04-15
- | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows DOM-Based XSS. This issue affects JetEngine: from n/a through <= 3.6.4.1. | 0.1% | 2025-04-15
- | 5.3 MEDIUM | Unauthenticated attackers can rename arbitrary devices (i.e., EV chargers) of arbitrary users. | 0.3% | 2025-04-15
- | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Product Tabs for WooCommerce product-tabs-for-woocommerce allows Stored XSS. This issue affects Additional Custom Product Tabs for WooCommerce: from n/a through <= 1.7.0. | 0.1% | 2025-04-15
- | 8.1 HIGH | Cross-Site Request Forgery (CSRF) vulnerability in looswebstudio Arkhe arkhe allows PHP Local File Inclusion. This issue affects Arkhe: from n/a through <= 3.12.0. | 0.1% | 2025-04-15
- | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in caalami Advanced Custom Fields: Link Picker Field acf-link-picker-field allows Reflected XSS. This issue affects Advanced Custom Fields: Link Picker Field: from n/a through <= 1.2.8. | 0.2% | 2025-04-15
- | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in burgersoftware SpaBiz spabiz allows DOM-Based XSS. This issue affects SpaBiz: from n/a through <= 1.0.18. | 0.1% | 2025-04-15
- | 7.5 HIGH | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in NotFound Macro Calculator with Admin Email Optin & Data macro-admin-email-data-optin-calculator. This issue affects Macro Calculator with Admin Email Optin & Data: from n/a through <= 1.0. | 0.3% | 2025-04-15
- | 5.3 MEDIUM | An unauthenticated attacker can hijack other users' devices and potentially control them. | 0.5% | 2025-04-15
- | 5.3 MEDIUM | An attacker can export other users' plant information. | 0.2% | 2025-04-15
- | 5.3 MEDIUM | Unauthenticated attackers can add devices of other users to their own scenes (or to arbitrary scenes of other arbitrary users). | 0.5% | 2025-04-15
- | 9.8 CRITICAL | Due to a lack of server-side input validation, attackers can inject malicious JavaScript code into users' personal spaces of the web portal. | 0.4% | 2025-04-15
- | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ShapedPlugin LLC Real Testimonials testimonial-free allows Stored XSS. This issue affects Real Testimonials: from n/a through <= 3.1.6. | 0.1% | 2025-04-15
- | 6.5 MEDIUM | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uncanny Owl Uncanny Toolkit for LearnDash uncanny-learndash-toolkit allows Stored XSS. This issue affects Uncanny Toolkit for LearnDash: from n/a through <= 3.7.0.1. | 0.1% | 2025-04-15
- | 7.1 HIGH | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Global Gallery global-gallery allows Reflected XSS. This issue affects Global Gallery: from n/a through <= 8.8.0. | 0.2% | 2025-04-15
- | N/A | Web-Check is an all-in-one OSINT tool for analyzing any website. A command injection vulnerability exists in the screenshot API of the Web Check project (Lissy93/web-check). The issue stems from user-controlled input (the url parameter) being passed unsanitized into a shell command using exec(), allowing attackers to execute arbitrary system commands on the underlying host. This could be exploited by sending crafted url parameters to extract files or even establish remote access. The vulnerability has been patched by replacing exec() with execFile(), which avoids using a shell and properly isolates arguments. | 32.4% | 2025-04-15
- | 5.3 MEDIUM | An authenticated attacker can obtain any plant name by knowing the plant ID. | 0.2% | 2025-04-15
- | 5.3 MEDIUM | An unauthenticated attacker can obtain a list of smart devices by knowing a valid username. | 0.3% | 2025-04-15
- | 5.3 MEDIUM | An unauthenticated attacker can check the existence of usernames in the system by querying an API. | 0.3% | 2025-04-15