EUVD-2025-203523

The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the runcallback function in all versions up to, and including, 3.5.3. This makes it possible for unauthenticated attackers to generate form...

SUSE CVE-2025-65105

Apptainer is an open source container platform. In Apptainer versions less than 1.4.5, a container can disable two of the forms of the little used --security option, in particular the forms --security=apparmor: and --security=selinux: which otherwise put restrictions on operations that containers...

WordPress RegistrationMagic plugin <= 6.0.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'RM_Forms' Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'RMForms' Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin RegistrationMagic versions = 6.0.6.7...

CVE-2025-13610

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'RMForms' shortcode in all versions up to, and including, 6.0.6.7 due to insufficient input sanitization and output...

CVE-2025-13610 RegistrationMagic <= 6.0.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'RM_Forms' Shortcode

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'RMForms' shortcode in all versions up to, and including, 6.0.6.7 due to insufficient input sanitization and output...

CVE-2025-13610

CVE-2025-13610 affects the RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login WordPress plugin. The vulnerability is a stored Cross-Site Scripting via the RM_Forms shortcode due to insufficient input sanitization and output escaping of the theme attribute, e...

CVE-2025-13610 RegistrationMagic <= 6.0.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'RM_Forms' Shortcode

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'RMForms' shortcode in all versions up to, and including, 6.0.6.7 due to insufficient input sanitization and output...

EUVD-2025-203367

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'RMForms' shortcode in all versions up to, and including, 6.0.6.7 due to insufficient input sanitization and output...

PT-2025-51225

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'RM Forms' shortcode in all versions up to, and including, 6.0.6.7 due to insufficient input sanitization and output...

CVE-2025-67730

Frappe Learning Management System LMS is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in version 2.42.0...

Stored Cross-Site Scripting

Liferay Portal and Liferay DXP are vulnerable to Stored Cross-Site Scripting XSS. The vulnerability is due to insufficient sanitization of user-controlled input, where the name of a fieldset in Kaleo Forms Admin is stored without proper escaping, allowing an authenticated attacker to persistently...

CVE-2025-14344

The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'pluploadajaxdeletefile' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to delete arbitrar...

CVE-2025-13993

The MailerLite – Signup forms official plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'formdescription' and 'successmessage' parameters in versions up to, and including, 1.7.16 due to insufficient input sanitization and output escaping. This makes it possible for...

Following the digital trail: what happens to data stolen in a phishing attack

Introduction A typical phishing attack involves a user clicking a fraudulent link and entering their credentials on a scam website. However, the attack is far from over at that point. The moment the confidential information falls into the hands of cybercriminals, it immediately transforms into a...

CVE-2025-13993 MailerLite – Signup forms (official) <= 1.7.16 - Authenticated (Administrator+) Stored Cross-Site Scripting

The MailerLite – Signup forms official plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'formdescription' and 'successmessage' parameters in versions up to, and including, 1.7.16 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2025-13993

CVE-2025-13993 - MailerLite – Signup forms (official) plugin for WordPress is affected up to version 1.7.16. The vulnerability is a Stored Cross-Site Scripting (Stored XSS) in the parameters form_description and success_message caused by insufficient input sanitization and output escaping. Exploi...

CVE-2025-67730 Frappe authenticated users can execute XSS through form description fields

Frappe Learning Management System LMS is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in version 2.42.0...

CVE-2025-67730

CVE-2025-67730 affects Frappe Learning Management System (LMS). Details across sources show that versions prior to 2.42.0 allow authenticated users to inject malicious HTML and JavaScript via description fields in the Job, Course, and Batch forms, leading to cross-site scripting (XSS). The issue ...

WordPress Multi Uploader for Gravity Forms plugin <= 1.1.7 - Unauthenticated Arbitrary File Deletion vulnerability

Unauthenticated Arbitrary File Deletion vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Multi Uploader for Gravity Forms versions = 1.1.7...

EUVD-2025-203003

The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'pluploadajaxdeletefile' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to delete arbitrar...