
CVE-2025-3092 – MB connect line: Observable response discrepancy in mbCONNECT24/mymbCONNECT24
https://notcve.org/view.php?id=CVE-2025-3092
24 Jun 2025 — An unauthenticated remote attacker can enumerate valid user names from an unprotected endpoint. • https://certvde.com/en/advisories/VDE-2025-035 • CWE-204: Observable Response Discrepancy •

CVE-2025-3091 – MB connect line: Authorization bypass in mbCONNECT24/mymbCONNECT24
https://notcve.org/view.php?id=CVE-2025-3091
24 Jun 2025 — A low-privileged remote attacker in possession of the second factor for another user can log in as that user without knowledge of the other user's password. • https://certvde.com/en/advisories/VDE-2025-035 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2025-3090 – MB connect line: Missing Authentication in mbCONNECT24/mymbCONNECT24
https://notcve.org/view.php?id=CVE-2025-3090
24 Jun 2025 — An unauthenticated remote attacker can obtain limited sensitive information and/or DoS the device due to missing authentication for a critical function. • https://certvde.com/en/advisories/VDE-2025-034 • CWE-306: Missing Authentication for Critical Function •

CVE-2025-30972 – WordPress Woocommerce Line Notify plugin <= 1.1.7 - Cross Site Scripting (XSS) Vulnerability
https://notcve.org/view.php?id=CVE-2025-30972
18 Jun 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iamapinan Woocommerce Line Notify allows Stored XSS. This issue affects Woocommerce Line Notify: from n/a through 1.1.7. The Woocommerce Line Notify plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in ... • https://patchstack.com/database/wordpress/plugin/woo-line-notify/vulnerability/wordpress-woocommerce-line-notify-1-1-7-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-23943 – MB connect line: Cloud API access due to a lack of authentication for a critical function
https://notcve.org/view.php?id=CVE-2024-23943
18 Mar 2025 — An unauthenticated remote attacker can gain access to the cloud API due to a lack of authentication for a critical function in the affected devices. Availability is not affected. • https://cert.vde.com/en/advisories/VDE-2024-010 • CWE-306: Missing Authentication for Critical Function •

CVE-2024-23942 – MB connect line: Configuration File on the client workstation is not encrypted
https://notcve.org/view.php?id=CVE-2024-23942
18 Mar 2025 — A local user may find a configuration file on the client workstation with unencrypted sensitive data. This allows an attacker to impersonate the device or prevent the device from accessing the cloud portal which leads to a DoS. • https://cert.vde.com/en/advisories/VDE-2024-010 • CWE-311: Missing Encryption of Sensitive Data •

CVE-2025-26545 – WordPress Related Posts Line-up-Exactly by Milliard plugin <= 0.0.22 - CSRF to Stored XSS vulnerability
https://notcve.org/view.php?id=CVE-2025-26545
13 Feb 2025 — Cross-Site Request Forgery (CSRF) vulnerability in shisuh Related Posts Line-up-Exactly by Milliard allows Stored XSS. This issue affects Related Posts Line-up-Exactly by Milliard: from n/a through 0.0.22. The Related Posts Line-up-Exactly by Milliard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.22. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and injec... • https://patchstack.com/database/wordpress/plugin/related-posts-line-up-exactry-by-milliard/vulnerability/wordpress-related-posts-line-up-exactly-by-milliard-plugin-0-0-22-csrf-to-stored-xss-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-23791 – WordPress Horizontal Line Shortcode Plugin <= 1.0 - Stored Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-23791
16 Jan 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RocaPress Horizontal Line Shortcode allows Stored XSS. This issue affects Horizontal Line Shortcode: from n/a through 1.0. The Horizontal Line Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, t... • https://patchstack.com/database/wordpress/plugin/horizontal-line-shortcode/vulnerability/wordpress-horizontal-line-shortcode-plugin-1-0-stored-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-45276 – MB connect line/Helmholz: tmp directory exposed via webservice
https://notcve.org/view.php?id=CVE-2024-45276
15 Oct 2024 — An unauthenticated remote attacker can get read access to files in the "/tmp" directory due to missing authentication. • https://cert.vde.com/en/advisories/VDE-2024-056 • CWE-306: Missing Authentication for Critical Function • CWE-552: Files or Directories Accessible to External Parties •

CVE-2024-45275 – MB connect line/Helmholz: Hardcoded user accounts with hard-coded passwords
https://notcve.org/view.php?id=CVE-2024-45275
15 Oct 2024 — The devices contain two hard-coded user accounts with hard-coded passwords that allow an unauthenticated remote attacker full control of the affected devices. • https://cert.vde.com/en/advisories/VDE-2024-056 • CWE-798: Use of Hard-coded Credentials •