A vulnerability classified as problematic has been found in code-projects Public Chat Room 1.0. This affects an unknown part of the file /send_message.php. The manipulation of the argument chat_msg/your_name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

CVE Database V5

Detailed information about CVE-2025-7951: Cross Site Scripting in code-projects Public Chat Room affecting code-projects Public Chat Room. Get real-time updates

CVE-2025-7951: Cross Site Scripting in code-projects Public Chat Room - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7951: Cross Site Scripting in code-projects Public Chat Room

A vulnerability was found in Sanluan PublicCMS up to 5.202506.a. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file publiccms-parent/publiccms/src/main/resources/templates/admin/cmsDiy/preview.html. The manipulation of the argument url leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The patch is named c1e79f124e3f4c458315d908ed7dee06f9f12a76/f1af17af004ca9345c6fe4d5936d87d008d26e75. It is recommended to apply a patch to fix this issue.

CVE-2025-7949 is an open redirect vulnerability identified in Sanluan PublicCMS versions up to 5.202506.a. The vulnerability resides in the handling of the 'url' argument within the template file located at publiccms-parent/publiccms/src/main/resources/templates/admin/cmsDiy/preview.html. An attacker can manipulate this 'url' parameter to redirect users to arbitrary external websites. This type of vulnerability is classified as an open redirect, which can be exploited remotely without requiring authentication. The vulnerability has a CVSS 4.0 base score of 5.1, indicating a medium severity level. The vector details show that the attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:L, which actually means low privileges required), and user interaction is required (UI:P). The impact on confidentiality is none (VC:N), integrity is low (VI:L), and availability is none (VA:N). The vulnerability does not affect system confidentiality or availability but can impact integrity by redirecting users to malicious sites, potentially facilitating phishing, malware distribution, or social engineering attacks. A patch has been developed and is referenced by commit hashes c1e79f124e3f4c458315d908ed7dee06f9f12a76 and f1af17af004ca9345c6fe4d5936d87d008d26e75, and it is strongly recommended to apply this patch to remediate the issue. No known exploits are currently observed in the wild, but public disclosure of the exploit code increases the risk of exploitation.

Detailed information about CVE-2025-7949: Open Redirect in Sanluan PublicCMS affecting Sanluan PublicCMS. Get real-time updates, technical details, and mitigati

CVE-2025-7949: Open Redirect in Sanluan PublicCMS - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7949: Open Redirect in Sanluan PublicCMS

The User Registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's urcr_restrict shortcode in all versions up to, and including, 4.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-6831 is a medium-severity stored Cross-Site Scripting (XSS) vulnerability affecting the WordPress plugin 'User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin' developed by wpeverest. This vulnerability exists in all versions up to and including 4.2.4. The root cause is improper neutralization of user-supplied input during web page generation, specifically within the plugin's 'urcr_restrict' shortcode. Authenticated users with contributor-level privileges or higher can exploit this flaw by injecting malicious scripts into pages via insufficient input sanitization and output escaping of shortcode attributes. When other users access these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the context of the affected website. The vulnerability requires no user interaction beyond visiting the injected page and does not require higher privileges than contributor, making it a significant risk in environments where multiple users have content creation rights. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required at the contributor level, no user interaction, and a scope change due to impact on other users. Confidentiality and integrity are impacted, but availability is not affected. No known exploits are currently reported in the wild, and no official patches have been linked yet, indicating that mitigation may rely on plugin updates or manual code fixes.

Detailed information about CVE-2025-6831: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpeverest User Registra

CVE-2025-6831: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpeverest User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-6831: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpeverest User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin

The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘type’ parameter in all versions up to, and including, 2.7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-5240 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress plugin 'CRM and Lead Management by vcita' affecting all versions up to and including 2.7.5. The vulnerability arises from improper neutralization of input during web page generation, specifically in the handling of the 'type' parameter. Due to insufficient input sanitization and output escaping, authenticated users with Contributor-level access or higher can inject arbitrary malicious scripts into pages. These scripts are stored persistently and executed whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of users. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based with low attack complexity, requiring privileges equivalent to Contributor or above, and no user interaction is needed for exploitation once the malicious script is injected. The scope is changed, meaning the vulnerability affects resources beyond the initially compromised component, and the impact includes low confidentiality and integrity loss but no availability impact. No known exploits are currently reported in the wild, and no official patches have been linked yet. This vulnerability is classified under CWE-79, which covers improper neutralization of input leading to XSS attacks.

Detailed information about CVE-2025-5240: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in vcita CRM and Lead Mana

CVE-2025-5240: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in vcita CRM and Lead Management by vcita - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-5240: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in vcita CRM and Lead Management by vcita

A vulnerability was found in code-projects Public Chat Room 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /login.php. The manipulation of the argument Username leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Detailed information about CVE-2025-7950: SQL Injection in code-projects Public Chat Room affecting code-projects Public Chat Room. Get real-time updates, techn

CVE-2025-7950: SQL Injection in code-projects Public Chat Room

CVE-2025-7950: SQL Injection in code-projects Public Chat Room

Description

Technical Details

Related Threats

CVE-2025-7951: Cross Site Scripting in code-projects Public Chat Room

CVE-2025-7949: Open Redirect in Sanluan PublicCMS

CVE-2025-6831: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpeverest User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin

CVE-2025-5240: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in vcita CRM and Lead Management by vcita

CVE-2025-7948: Weak Password Recovery in jshERP

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility