CVE-2025-13610 RegistrationMagic <= 6.0.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'RM_Forms' Shortcode

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'RMForms' shortcode in all versions up to, and including, 6.0.6.7 due to insufficient input sanitization and output...

CVE-2025-13610

CVE-2025-13610 affects the RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login WordPress plugin. The vulnerability is a stored Cross-Site Scripting via the RM_Forms shortcode due to insufficient input sanitization and output escaping of the theme attribute, e...

EUVD-2025-203367

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'RMForms' shortcode in all versions up to, and including, 6.0.6.7 due to insufficient input sanitization and output...

CVE-2025-13610 RegistrationMagic <= 6.0.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'RM_Forms' Shortcode

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'RMForms' shortcode in all versions up to, and including, 6.0.6.7 due to insufficient input sanitization and output...

PT-2025-51225

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'RM Forms' shortcode in all versions up to, and including, 6.0.6.7 due to insufficient input sanitization and output...

CVE-2025-67730

Frappe Learning Management System LMS is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in version 2.42.0...

Stored Cross-Site Scripting

Liferay Portal and Liferay DXP are vulnerable to Stored Cross-Site Scripting XSS. The vulnerability is due to insufficient sanitization of user-controlled input, where the name of a fieldset in Kaleo Forms Admin is stored without proper escaping, allowing an authenticated attacker to persistently...

CVE-2025-14344

The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'pluploadajaxdeletefile' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to delete arbitrar...

CVE-2025-13993

The MailerLite – Signup forms official plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'formdescription' and 'successmessage' parameters in versions up to, and including, 1.7.16 due to insufficient input sanitization and output escaping. This makes it possible for...

Following the digital trail: what happens to data stolen in a phishing attack

Introduction A typical phishing attack involves a user clicking a fraudulent link and entering their credentials on a scam website. However, the attack is far from over at that point. The moment the confidential information falls into the hands of cybercriminals, it immediately transforms into a...

CVE-2025-13993

CVE-2025-13993 - MailerLite – Signup forms (official) plugin for WordPress is affected up to version 1.7.16. The vulnerability is a Stored Cross-Site Scripting (Stored XSS) in the parameters form_description and success_message caused by insufficient input sanitization and output escaping. Exploi...

CVE-2025-13993 MailerLite – Signup forms (official) <= 1.7.16 - Authenticated (Administrator+) Stored Cross-Site Scripting

The MailerLite – Signup forms official plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'formdescription' and 'successmessage' parameters in versions up to, and including, 1.7.16 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2025-67730

CVE-2025-67730 affects Frappe Learning Management System (LMS). Details across sources show that versions prior to 2.42.0 allow authenticated users to inject malicious HTML and JavaScript via description fields in the Job, Course, and Batch forms, leading to cross-site scripting (XSS). The issue ...

CVE-2025-67730 Frappe authenticated users can execute XSS through form description fields

Frappe Learning Management System LMS is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in version 2.42.0...

WordPress Multi Uploader for Gravity Forms plugin <= 1.1.7 - Unauthenticated Arbitrary File Deletion vulnerability

Unauthenticated Arbitrary File Deletion vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Multi Uploader for Gravity Forms versions = 1.1.7...

EUVD-2025-203003

The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'pluploadajaxdeletefile' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to delete arbitrar...

Exploit for CVE-2025-66516

CVE-2025-66516: Critical XXE Vulnerability in Apache Tika...

CVE-2025-14344

The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'pluploadajaxdeletefile' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to delete arbitrar...

CVE-2025-14344

CVE-2025-14344 : WordPress plugin Multi Uploader for Gravity Forms is vulnerable in all versions up to 1.1.7 due to insufficient file path validation in plupload_ajax_delete_file, enabling unauthenticated arbitrary file deletion on the server. Connected sources confirm the issue and note a patch ...

CVE-2025-14344 Multi Uploader for Gravity Forms <= 1.1.7 - Unauthenticated Arbitrary File Deletion

The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'pluploadajaxdeletefile' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to delete arbitrar...