Lucene search
+L

654 matches found

RedhatCVE
RedhatCVE
added 2026/01/07 9:12 a.m.6 views

CVE-2025-14997

The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'deletefield' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level...

7.2CVSS7.2AI score0.00615EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/07 9:11 a.m.7 views

CVE-2025-1295

The Templines Elementor Helper Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.7. This is due to allowing arbitrary user meta updates. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update thei...

8.8CVSS6.9AI score0.00466EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/07 9:9 a.m.11 views

CVE-2024-2025

The "BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages" plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.20 via deserialization of untrusted input in the getsimplerequest function. This makes it possible for...

8.8CVSS7.4AI score0.00821EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/01/06 6:26 a.m.8 views

WordPress BuddyPress Xprofile Custom Field Types plugin <= 1.2.8 - Authenticated (Subscriber+) Arbitrary File Deletion vulnerability

Authenticated Subscriber+ Arbitrary File Deletion vulnerability discovered by Sarawut Poolkhet MisterHelloz in WordPress Plugin BuddyPress Xprofile Custom Field Types versions = 1.2.8...

7.2CVSS6.8AI score0.00615EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/01/06 5:16 a.m.6 views

CVE-2025-14997

The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'deletefield' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level...

8.8CVSS0.00615EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/01/06 4:31 a.m.35 views

CVE-2025-14997 BuddyPress Xprofile Custom Field Types <= 1.2.8 - Authenticated (Subscriber+) Arbitrary File Deletion

The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'deletefield' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level...

8.8CVSS0.00615EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/01/06 4:31 a.m.2 views

CVE-2025-14997 BuddyPress Xprofile Custom Field Types <= 1.2.8 - Authenticated (Subscriber+) Arbitrary File Deletion

The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'deletefield' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level...

8.8CVSS7AI score0.00615EPSS
Exploits0References3
CVE
CVE
added 2026/01/06 4:31 a.m.24 views

CVE-2025-14997

CVE-2025-14997 affects the BuddyPress Xprofile Custom Field Types plugin for WordPress. The root cause is insufficient file-path validation in the delete_field function across versions up to 1.2.8, enabling an authenticated attacker (Subscriber+) to delete arbitrary server files (e.g., wp-config....

8.8CVSS7AI score0.00615EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/01/06 12:0 a.m.3 views

WordPress plugin BuddyPress Xprofile Custom Field Types 路径遍历漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A path traversal...

8.8CVSS7.7AI score0.00615EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/01/06 12:0 a.m.7 views

PT-2026-1414

Name of the Vulnerable Software and Affected Versions BuddyPress Xprofile Custom Field Types plugin versions through 1.2.8 Description The BuddyPress Xprofile Custom Field Types plugin for WordPress has a flaw that allows authenticated attackers with Subscriber-level access or higher to delete...

7.2CVSS7.2AI score0.00615EPSS
Exploits0References8
RedhatCVE
RedhatCVE
added 2026/01/01 9:12 a.m.9 views

CVE-2025-62760

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in BuddyDev BuddyPress Activity Shortcode bp-activity-shortcode allows Stored XSS.This issue affects BuddyPress Activity Shortcode: from n/a through = 1.1.8...

6.5CVSS5.9AI score0.00137EPSS
Exploits0References1
EUVD
EUVD
added 2025/12/31 8:52 a.m.4 views

EUVD-2025-205914

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in BuddyDev BuddyPress Activity Shortcode allows Stored XSS.This issue affects BuddyPress Activity Shortcode: from n/a through 1.1.8...

6.5CVSS5.5AI score0.00137EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2025/12/31 8:52 a.m.3 views

CVE-2025-62760 WordPress BuddyPress Activity Shortcode plugin <= 1.1.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in BuddyDev BuddyPress Activity Shortcode allows Stored XSS.This issue affects BuddyPress Activity Shortcode: from n/a through 1.1.8...

6.5CVSS5.6AI score0.00137EPSS
Exploits0References1
CVE
CVE
added 2025/12/31 8:52 a.m.14 views

CVE-2025-62760

CVE-2025-62760 refers to an authenticated Stored Cross-Site Scripting (XSS) vulnerability in the BuddyPress Activity Shortcode plugin. According to the Wordfence Vulnerability report, the affected component is the BuddyPress Activity Shortcode, with versions up to and including 1.1.8. It is categ...

6.5CVSS5.9AI score0.00137EPSS
Exploits0References1
Patchstack
Patchstack
added 2025/12/31 8:50 a.m.9 views

WordPress BuddyPress Activity Shortcode plugin <= 1.1.8 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin BuddyPress Activity Shortcode versions = 1.1.8...

6.5CVSS5.9AI score0.00137EPSS
Exploits0Affected Software1
CNNVD
CNNVD
added 2025/12/31 12:0 a.m.4 views

WordPress plugin BuddyPress Activity Shortcode 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin ... A cross-site scripting...

6.5CVSS5.8AI score0.00137EPSS
Exploits0References1
Patchstack
Patchstack
added 2025/12/31 12:0 a.m.6 views

WordPress Activity Plus Reloaded for BuddyPress plugin <= 1.1.1 - Authenticated (Subscriber+) Blind Server-Side Request Forgery vulnerability

Authenticated Subscriber+ Blind Server-Side Request Forgery vulnerability discovered by Francesco Carlucci in WordPress Plugin Activity Plus Reloaded for BuddyPress versions = 1.1.1...

5.4CVSS5.3AI score0.00231EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2025/12/31 12:0 a.m.7 views

WordPress Push Notification for Post and BuddyPress plugin <= 2.07 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by vgo0 in WordPress Plugin Push Notification for Post and BuddyPress versions = 2.07...

6.1CVSS5.5AI score0.00348EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2025/12/13 4:31 a.m.36 views

CVE-2025-9218 rtMedia for WordPress, BuddyPress and bbPress 4.7.0 - 4.7.3 - Missing Authorization to Unauthenticated Information Disclosure via handle_rest_pre_dispatch Function

The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to to Information Disclosure due to missing authorization in the handlerestpredispatch function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to...

3.7CVSS0.00234EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2025/12/13 3:59 a.m.10 views

CVE-2025-14064

The BuddyTask plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple AJAX endpoints in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...

6.5CVSS5.2AI score0.0019EPSS
Exploits0References1
Rows per page
Query Builder