
1305 matches found

Cvelist
added 2025/12/05 6:07 a.m. | 21 views

CVE-2025-12186 Weekly Planner <= 1.0 - Authenticated (Admin+) Stored Cross-Site Scripting

The Weekly Planner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions an...

CVSS 4.4 | EPSS 0.00166
Exploits 0 | References 2
RedhatCVE
added 2025/12/02 10:31 p.m. | 6 views

CVE-2025-66302

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a path traversal vulnerability has been identified in Grav CMS, allowing authenticated attackers with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due to insufficient inp...

CVSS 6.8 | AI score 6.6 | EPSS 0.00412
Exploits 1 | References 1
NVD
added 2025/12/02 1:15 p.m. | 8 views

CVE-2025-13879

Directory traversal vulnerability in SOLIDserver IPAM v8.2.3. This vulnerability allows an authenticated user with administrator privileges to list directories other than those to which they have authorized access, using the 'directory' parameter in '/mod/ajax.php?action=sections/list/list'. For...

CVSS 5.1 | EPSS 0.00453
Exploits 0 | References 2
CVE
added 2025/12/02 12:23 p.m. | 7 views

CVE-2025-13879

SOLIDserver IPAM 8.2.3 is affected by a directory traversal in the /mod/ajax.php?action=sections/list/list endpoint. An authenticated administrator can manipulate the directory parameter (e.g., directory set to '/') to access files outside the LOCAL:/// folder, revealing directories not authorize...

CVSS 5.1 | AI score 6.4 | EPSS 0.00453
Exploits 0 | References 2 | Affected Software 1
Vulnrichment
added 2025/12/02 11:20 a.m. | 3 views

CVE-2025-13090 WP Directory Kit <= 1.4.6 - Authenticated (Admin+) SQL Injection

The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'search' parameter in all versions up to, and including, 1.4.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

CVSS 4.9 | AI score 6.2 | EPSS 0.00258
Exploits 0 | References 3
Positive Technologies
added 2025/12/02 12:00 a.m. | 5 views

PT-2025-48656

The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'month' parameter in all versions up to, and including, 1.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...

CVSS 7.5 | AI score 6.6 | EPSS 0.00279
Exploits 0 | References 5
Patchstack
added 2025/12/01 11:30 p.m. | 9 views

WordPress WP Directory Kit plugin <= 1.4.6 - Authenticated (Admin+) SQL Injection vulnerability

Authenticated Admin+ SQL Injection vulnerability discovered by tmrswrr in WordPress Plugin WP Directory Kit versions <= 1.4.6...

CVSS 4.9 | AI score 7.8 | EPSS 0.00258
Exploits 0 | References 1 | Affected Software 1
Snyk
added 2025/12/01 11:02 p.m. | 1 view

Directory Traversal

Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Directory Traversal. Due to insufficient input sanitization in the backup tool, user-supplied paths are not properly restricted, allowing acce...

CVSS 6.8 | AI score 7.4 | EPSS 0.00412
Exploits 1 | References 2
Cvelist
added 2025/12/01 9:33 p.m. | 5 views

CVE-2025-66302 Grav vulnerable to Path Traversal allowing server files backup

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a path traversal vulnerability has been identified in Grav CMS, allowing authenticated attackers with administrative privileges to read arbitrary files on the underlying server filesystem. This vulnerability arises due to insufficient inp...

CVSS 6.8 | EPSS 0.00412
Exploits 1 | References 2
AlpineLinux
added 2025/12/01 12:55 p.m. | 3 views

CVE-2025-27232

An authenticated Zabbix Super Admin can exploit the oauth.authorize action to read arbitrary files from the webserver leading to potential confidentiality loss...

CVSS 6.8 | AI score 6.8 | EPSS 0.00297
Exploits 0
Snyk
added 2025/11/25 4:41 p.m. | 6 views

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the URL references when following referrals. An attacker can manipulate application behavior by configuring a malicious LDAP server and triggering deserialization of untrusted Java objects as an...

CVSS 5.5 | AI score 6.9 | EPSS 0.00399
Exploits 0 | References 4
Cvelist
added 2025/11/25 7:28 a.m. | 8 views

CVE-2025-13385 Bookme <= 4.2 - Authenticated (Admin+) SQL Injection via 'filter[status]' Parameter

The Bookme – Free Online Appointment Booking and Scheduling Plugin for WordPress is vulnerable to time-based SQL Injection via the 'filter[status]' parameter in all versions up to, and including, 4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVSS 4.9 | EPSS 0.0026
Exploits 0 | References 3
CVE
added 2025/11/25 7:28 a.m. | 19 views

CVE-2025-12032

CVE-2025-12032 (ZWeb – Social Mobile for WordPress) is a stored cross-site scripting vulnerability affecting the Zweb Social Mobile – Ứng Dụng Nút Gọi Mobile plugin for WordPress (versions ≤ 1.0.0). The issue arises from insufficient input sanitization and output escaping in the parameters vithan...

CVSS 4.4 | AI score 4.7 | EPSS 0.00155
Exploits 0 | References 2
Patchstack
added 2025/11/25 12:07 a.m. | 5 views

WordPress YouTube Subscribe plugin <= 3.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting via Title and Channel ID vulnerability

Authenticated Admin+ Stored Cross-Site Scripting via Title and Channel ID vulnerability discovered by ZAST.AI - ZAST.AI in WordPress Plugin YouTube Subscribe versions <= 3.0.0...

CVSS 4.4 | AI score 5.8 | EPSS 0.00197
Exploits 0 | References 1 | Affected Software 1
Patchstack
added 2025/11/24 11:55 p.m. | 5 views

WordPress ZWeb - Social Mobile plugin <= 1.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability

WordPress ZWeb - Social Mobile plugin <= 1.0.0 - Authenticated Admin+ Stored Cross-Site Scripting vulnerability discovered by dayea song - Ahnlab in WordPress Plugin Zweb Social Mobile versions <= 1.0.0...

CVSS 4.4 | AI score 5.8 | EPSS 0.00155
Exploits 0 | References 1 | Affected Software 1
RedhatCVE
added 2025/11/22 9:45 a.m. | 17 views

CVE-2025-12750

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to SQL Injection via the 'term' parameter in all versions up to, and including, 4.2.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...

CVSS 4.9 | AI score 6.6 | EPSS 0.00268
Exploits 0 | References 1
RedhatCVE
added 2025/11/21 12:18 a.m. | 9 views

CVE-2025-64027

Snipe-IT v8.3.4 build 20218 contains a reflected cross-site scripting XSS vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progressmessage value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the...

CVSS 6.1 | AI score 5.4 | EPSS 0.00215
Exploits 2 | References 1
Patchstack
added 2025/11/20 11:15 p.m. | 6 views

WordPress 简数采集器 plugin <= 2.6.3 - Authenticated (Admin+) Arbitrary File Read vulnerability

Authenticated Admin+ Arbitrary File Read vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Keydatas versions <= 2.6.3...

CVSS 4.9 | AI score 7 | EPSS 0.0028
Exploits 0 | References 1 | Affected Software 1
RedhatCVE
added 2025/11/20 9:36 p.m. | 5 views

CVE-2025-13145

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.33.1. This is due to deserialization of untrusted data supplied via CSV file imports in the importsinglepostascsv function within...

CVSS 7.2 | AI score 6.6 | EPSS 0.00438
Exploits 0 | References 1
OSV
added 2025/11/20 6:31 p.m. | 4 views

GHSA-8X9V-8QGJ-945X Snipe-IT has Cross-site Scripting vulnerability in CSV import workflow

Snipe-IT v8.3.4 build 20218 contains a reflected cross-site scripting XSS vulnerability in the CSV Import workflow. When an invalid CSV file is uploaded, the application returns a progressmessage value that is rendered as raw HTML in the admin interface. An attacker can intercept and modify the...

CVSS 6.2 | AI score 5.6 | EPSS 0.00215
Exploits 2 | References 3