CVE-2025-15368 SportsPress <= 2.7.26 - Authenticated (Contributor+) Local File Inclusion via Shortcode

The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via shortcodes 'templatename' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files...

GHSA-V756-4WHV-48VC Code Injection in cd-messenger

cd-messenger through 2.7.26 is vulnerable to Arbitrary Code Execution. User input provided to the color argument executed by the eval function resulting in code execution...