1184 matches found
CVE-2025-54140
pyLoad is a free and open-source Download Manager written in pure Python. In version 0.5.0b3.dev89, an authenticated path traversal vulnerability exists in the /json/upload endpoint of pyLoad. By manipulating the filename of an uploaded file, an attacker can traverse out of the intended upload...
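The traversal mechanism in the pyLoad entry above, shown as an added example that is not pyLoad's own code: a naive join that trusts the client-supplied filename, a containment check that flags what that join produces, and a hardened replacement that reduces the name to a single path component and re-verifies containment. The upload directory, the function names and the sample filenames are all constructed for illustration.

```python
import posixpath
from typing import Optional, Dict, Tuple

# Constructed upload directory for this example; not pyLoad's real layout.
UPLOAD_ROOT = "/srv/pyload/uploads"


def vulnerable_target(upload_root: str, filename: str) -> str:
    """Naive join that trusts the client-supplied filename as-is.
    '../../etc/cron.d/x' walks out of upload_root, and an absolute
    filename discards upload_root entirely (posixpath.join semantics)."""
    return posixpath.join(upload_root, filename)


def is_within(root: str, path: str) -> bool:
    """True if the normalised path lies under the normalised root.
    commonpath() also defeats the prefix trick '/srv/pyload/uploads2/...'.
    Both arguments are assumed to be absolute POSIX paths."""
    root = posixpath.normpath(root)
    path = posixpath.normpath(path)
    return posixpath.commonpath([root, path]) == root


def sanitize_filename(filename: str) -> Optional[str]:
    """Reduce a client-supplied name to one non-reserved path component.
    Returns None when nothing usable remains."""
    if "\x00" in filename:
        return None  # NUL can truncate the path in lower-level code
    # Treat backslashes as separators too: Windows clients send them, and
    # a POSIX server would otherwise store 'a\..\b' as a literal name.
    name = posixpath.basename(filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        return None
    return name


def safe_target(upload_root: str, filename: str) -> Optional[str]:
    """Hardened replacement for vulnerable_target(): sanitise the name,
    then verify containment anyway (defence in depth)."""
    name = sanitize_filename(filename)
    if name is None:
        return None
    target = posixpath.join(upload_root, name)
    if not is_within(upload_root, target):
        return None
    return target


# Constructed inputs: one benign name and several traversal attempts.
SAMPLES = [
    "report.txt",
    "../../../etc/cron.d/pyload",
    "/etc/passwd",
    "..\\..\\win.ini",
    "dir/../../x",
    "..",
]


def demo() -> Dict[str, Tuple[bool, Optional[str]]]:
    """For each sample: does the naive join stay inside UPLOAD_ROOT,
    and what does the hardened resolver return?"""
    return {
        f: (is_within(UPLOAD_ROOT, vulnerable_target(UPLOAD_ROOT, f)),
            safe_target(UPLOAD_ROOT, f))
        for f in SAMPLES
    }


if __name__ == "__main__":
    for f, (naive_ok, hardened) in demo().items():
        print(f"{f!r:32} naive-stays-in-root={str(naive_ok):5} hardened={hardened}")
```

Note the backslash case: on a POSIX server the naive join keeps `..\..\win.ini` inside the upload directory as one odd filename, but the same input on a Windows host would traverse, which is why the sanitiser normalises both separator styles before taking the basename.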
CVE-2025-7959 Station Pro <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via width and height Parameters
The Station Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' and 'height' parameters in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-lev...
CVE-2025-6539 Voltax Video Player <= 1.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
The Voltax Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level acces...
CVE-2025-6382 Taeggie Feed <= 0.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via name Attribute
The Taeggie Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's taeggie-feed shortcode in all versions up to, and including, 0.1.10. The plugin’s render method takes the user-supplied name attribute and injects it directly into a tag - both in the id attribute...
CVE-2025-6387
The WP Get The Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url parameter in versions up to 1.5. Authenticated attackers with Contributor-level access and above can inject scripts that execute when a user visits the affected page. The vulnerability details and r...
CVE-2025-3669 Supreme Addons for Beaver Builder <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via auto_qrcodesabb Shortcode
The Supreme Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's auto_qrcodesabb shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
CVE-2025-4968
The CVE-2025-4968 entry concerns the WPBakery Page Builder for WordPress plugin (affected: WPBakery Page Builder
CVE-2025-46099
In Pluck CMS 4.7.20-dev, an authenticated attacker can upload or create a crafted PHP file under the albums module directory and access it via the module routing logic in albums.site.php, resulting in arbitrary command execution through a GET parameter...
CVE-2025-7722 Social Streams <= 1.2.1 - Authenticated (Subscriber+) Privilege Escalation
The Social Streams plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.1. This is due to the plugin not properly validating a user's identity prior to updating their user meta information in the update_user_meta function. This makes it possible for...
CVE-2025-5818 Featured Image Plus – Quick & Bulk Edit with Unsplash <= 1.6.6 - Authenticated (Admin+) Server-Side Request Forgery
The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.6 via the fipgetimageoptions function. This makes it possible for authenticated attackers, with administrator-level access and abov...
CVE-2025-6261
CVE-2025-6261 describes a Stored Cross-Site Scripting flaw in the Fleetwire Fleet Management WordPress plugin (versions
CVE-2025-46099
CVE-2025-46099 affects Pluck CMS 4.7.20-dev. An authenticated attacker can upload or create a crafted PHP file in the albums module directory and access it via the albums.site.php routing logic, enabling arbitrary command execution through a GET parameter. Root cause: flaw in the module routing l...
CVE-2025-7354 WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin Shortcodes
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 7.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible f...
PT-2025-30348 · Unknown · Haxcms-Nodejs
Name of the Vulnerable Software and Affected Versions: HAX CMS NodeJs versions 11.0.8 and below Description: HAX CMS NodeJs, a system for managing microsite universes with a NodeJs backend, is susceptible to a crash issue. An authenticated attacker can trigger this issue by sending API requests t...
CVE-2025-46117
An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, and in Ruckus ZoneDirector prior to 10.5.1.0.279, where a hidden debug script .apdebug.sh invoked from the restricted CLI does not properly sanitize its input, allowing an authenticated attacker to...
CVE-2025-7653
CVE-2025-7653 describes a stored XSS in the WordPress EPay.bg Payments plugin (versions
CVE-2025-7661 Partnerský systém Martinus <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Partnerský systém Martinus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'martinus' shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
Azure Linux 3.0 Security Update: libssh (CVE-2025-5318)
The version of libssh installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-5318 advisory. - A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered i...
CVE-2025-5800 Testimonial Post type <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via auto_play Parameter
The Testimonial Post type plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'auto_play' parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-lev...