Abuse of remote unlock in Find My Mobile prior to version 7.3.13.4 allows physical attacker to unlock the device remotely by resetting the Samsung Account password with SMS verification when user lost the device.

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Scribit Shortcodes Finder plugin <= 1.5.3 versions.

Super Store Finder 3.7 and below is vulnerable to authenticated Arbitrary PHP Code Injection that could lead to Remote Code Execution when settings overwrite config.inc.php content.

Super Store Finder v3.6 and below was discovered to contain a SQL injection vulnerability via the Search parameter at /admin/stores.php.

The Super Store Finder plugin for WordPress is vulnerable to unauthenticated arbitrary email creation and relay in versions up to, and including, 6.9.3. This is due to insufficient restrictions on the sendMail.php file that allows direct access. This makes it possible for unauthenticated attackers to send emails utilizing the vulnerable site's server, with arbitrary content. Please note that this vulnerability has already been publicly disclosed with an exploit which is why we are publishing the details without a patch available, we are attempting to initiate contact with the developer.

Super Store Finder v3.6 was discovered to contain multiple SQL injection vulnerabilities in the store locator component via the products, distance, lat, and lng parameters.

A hard coded password in Super Store Finder v3.6 allows attackers to access the administration panel.

find-exec is a utility to discover available shell commands. Versions prior to 1.0.3 did not properly escape user input and are vulnerable to Command Injection via an attacker controlled parameter. As a result, attackers may run malicious shell commands in the context of the running process. This issue has been addressed in version 1.0.3. users are advised to upgrade. Users unable to upgrade should ensure that all input passed to find-exec comes from a trusted source.

A vulnerability was found in Super Store Finder 3.6. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /index.php of the component POST Parameter Handler. The manipulation of the argument products leads to sql injection. The attack can be launched remotely. The identifier VDB-234421 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

_joinPath in elFinderVolumeLocalFileSystem.class.php in elFinder before 2.1.62 allows path traversal in the PHP LocalVolumeDriver connector.