Filtered by vendor Smartdatasoft Subscriptions
Total 7 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2025-6994 2 Smartdatasoft, Wordpress 2 Reveal Listing, Wordpress 2025-08-06 9.8 Critical
The Reveal Listing plugin by smartdatasoft for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.3. This is due to the plugin allowing users who are registering new accounts to set their own role or by supplying 'listing_user_role' field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.
CVE-2024-12725 1 Smartdatasoft 1 Clasify Classified Listing 2025-06-11 6.1 Medium
The Clasify Classified Listing WordPress plugin through 1.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVE-2024-13347 1 Smartdatasoft 1 Essential Wp Real Estate 2025-04-18 6.8 Medium
The Essential WP Real Estate WordPress plugin through 1.1.3 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting.
CVE-2025-23857 1 Smartdatasoft 1 Essential Wp Real Estate 2025-02-25 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Essential WP Real Estate allows Reflected XSS. This issue affects Essential WP Real Estate: from n/a through 1.1.3.
CVE-2024-13318 1 Smartdatasoft 1 Essential Wp Real Estate 2025-02-25 5.3 Medium
The Essential WP Real Estate plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the cl_delete_listing_func() function in all versions up to, and including, 1.1.3. This makes it possible for unauthenticated attackers to delete arbitrary pages and posts.
CVE-2021-37538 1 Smartdatasoft 1 Smartblog 2024-11-21 9.8 Critical
Multiple SQL injection vulnerabilities in SmartDataSoft SmartBlog for PrestaShop before 4.06 allow a remote unauthenticated attacker to execute arbitrary SQL commands via the day, month, or year parameter to the controllers/front/archive.php archive controller, or the id_category parameter to the controllers/front/category.php category controller.
CVE-2021-24335 1 Smartdatasoft 1 Car Repair Services \& Auto Mechanic 2024-11-21 6.1 Medium
The Car Repair Services & Auto Mechanic WordPress theme before 4.0 did not properly sanitise its serviceestimatekey search parameter before outputting it back in the page, leading to a reflected Cross-Site Scripting issue