558 matches found

NVD
added 2025/11/08 4:15 a.m. | 4 views

CVE-2025-12161

The Smart Auto Upload Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the auto-image creation functionality in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Contributor-level access and...

CVSS 8.8 | EPSS 0.00278
Exploits 0 | References 2

CVE
added 2025/11/08 3:27 a.m. | 21 views

CVE-2025-12161

The CVE concerns the WordPress plugin Smart Auto Upload Images. Affected versions:

CVSS 8.8 | AI score 7 | EPSS 0.00278
Exploits 0 | References 2

CNNVD
added 2025/11/08 12:0 a.m. | 2 views

WordPress plugin Groups security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security vulnerabili...

CVSS 4.3 | AI score 6.5 | EPSS 0.00036
Exploits 0 | References 4

RedhatCVE
added 2025/11/06 4:3 a.m. | 4 views

CVE-2025-11835

The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability and validation check on the PMS_AJAX_Checkout_Handler::process_payment function in all versions up t...

CVSS 5.3 | AI score 5.3 | EPSS 0.00067
Exploits 0 | References 1

RedhatCVE
added 2025/11/05 2:11 p.m. | 2 views

CVE-2025-12682

The Easy Upload Files During Checkout plugin for WordPress is vulnerable to arbitrary JavaScript file uploads due to missing file type validation in the 'fileduringcheckout' function in all versions up to, and including, 2.9.8. This makes it possible for unauthenticated attackers to upload...

CVSS 9.8 | AI score 7.5 | EPSS 0.00789
Exploits 0 | References 1

Vulnrichment
added 2025/11/05 7:27 a.m. | 2 views

CVE-2025-12674 KiotViet Sync <= 1.8.5 - Unauthenticated Arbitrary File Upload

The KiotViet Sync plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the createmedia function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server...

CVSS 9.8 | AI score 7.2 | EPSS 0.00974
Exploits 2 | References 2

CVE
added 2025/11/05 3:27 a.m. | 13 views

CVE-2025-11835

CVE-2025-11835 affects the WordPress plugin “Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction.” The issue arises from a missing capability check and validation in PMS_AJAX_Checkout_Handler::process_payment(), leading to unauthorized data modificatio...

CVSS 5.3 | AI score 5 | EPSS 0.00067
Exploits 0 | References 2

NVD
added 2025/11/04 5:15 a.m. | 1 views

CVE-2025-11724

The EM Beer Manager plugin for WordPress is vulnerable to arbitrary file upload leading to remote code execution in all versions up to, and including, 3.2.3. This is due to missing file type validation in the EMBMAdminUntappdImportimage function and missing authorization checks on the...

CVSS 8.8 | EPSS 0.00426
Exploits 0 | References 5

Vulnrichment
added 2025/11/04 12:0 a.m. | 1 views

CVE-2025-56230

Tencent Docs Desktop 3.9.20 and earlier suffers from Missing SSL Certificate Validation in the update component...

AI score 6.6 | EPSS 0.00042
Exploits 1 | References 1

Cvelist
added 2025/11/04 12:0 a.m. | 4 views

CVE-2025-56230

Tencent Docs Desktop 3.9.20 and earlier suffers from Missing SSL Certificate Validation in the update component...

EPSS 0.00042
Exploits 1 | References 1

Cvelist
added 2025/11/01 6:40 a.m. | 8 views

CVE-2025-11499 Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent <= 1.1.32 - Unauthenticated Arbitrary File Upload

The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image_from_external_url function in all versions up to, and including, 1.1.32. This makes it possible f...

CVSS 9.8 | EPSS 0.0057
Exploits 0 | References 3

CVE
added 2025/11/01 6:40 a.m. | 37 views

CVE-2025-11499

The CVE-2025-11499 entry concerns the Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent WordPress plugin. Affected component: set_featured_image_from_external_url(), with missing file type validation across all versions up to and including 1.1.32. Consequence: unauthen...

CVSS 9.8 | AI score 7.1 | EPSS 0.0057
Exploits 0 | References 3

CNVD
added 2025/10/31 12:0 a.m. | 2 views

Online Event Judging System edit_contestant.php File SQL Injection Vulnerability

Online Event Judging System is an online event judging system. Online Event Judging System suffers from a SQL injection vulnerability that originates from the lack of validation of externally entered SQL statements in the parameter contestantid in the file /edit_contestant.php. An attacker can...

CVSS 8.8 | AI score 7.1 | EPSS 0.00031
Exploits 1 | References 1

Positive Technologies
added 2025/10/30 12:0 a.m. | 3 views

PT-2025-44458

Name of the Vulnerable Software and Affected Versions: librechat version 0.7.9. Description: The software has an insecure API design in the 2-Factor Authentication (2FA) flow. The system permits users to disable 2FA without a valid One-Time Password (OTP) or backup code, circumventing the verification...

CVSS 8.8 | AI score 4.3 | EPSS 0.00058
Exploits 1 | References 7

NVD
added 2025/10/24 8:15 a.m. | 11 views

CVE-2025-6440

The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'wcdpsavecanvasdesignajax' function in all versions up to, and including, 1.9.26. This mak...

CVSS 9.8 | EPSS 0.00578
Exploits 12 | References 2

GitHub Security Blog
added 2025/10/16 7:56 p.m. | 10 views

PrestaShop Checkout allows customer account takeover via email

Impact: Missing validation on Express Checkout feature allows silent log-in. Affected versions: The issue was introduced in PrestaShop Checkout 1.3.0. All versions above 1.3.0 are vulnerable except of course the patch versions published on 16/10/2025: 7.4.4.1, 8.4.4.1, 7.5.0.5, 8.5.0.5, 9.5.0.5...

CVSS 9.1 | AI score 6.9 | EPSS 0.00019
Exploits 1 | References 3 | Affected Software 1

OSV
added 2025/10/16 5:26 p.m. | 5 views

CVE-2025-61922 PrestaShop Checkout allows customer account takeover via email

PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to versions 4.4.1 and 5.0.5, missing validation on the Express Checkout feature allows silent login, enabling account takeover via email. The vulnerability is fixed in...

CVSS 9.1 | AI score 6.7 | EPSS 0.00019
Exploits 1 | References 3

Cvelist
added 2025/10/16 5:26 p.m. | 8 views

CVE-2025-61922 PrestaShop Checkout allows customer account takeover via email

PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to versions 4.4.1 and 5.0.5, missing validation on the Express Checkout feature allows silent login, enabling account takeover via email. The vulnerability is fixed in...

CVSS 9.1 | EPSS 0.00019
Exploits 1 | References 1

Vulnrichment
added 2025/10/16 5:26 p.m. | 4 views

CVE-2025-61922 PrestaShop Checkout allows customer account takeover via email

PrestaShop Checkout is the PrestaShop official payment module in partnership with PayPal. Starting in version 1.3.0 and prior to versions 4.4.1 and 5.0.5, missing validation on the Express Checkout feature allows silent login, enabling account takeover via email. The vulnerability is fixed in...

CVSS 9.1 | AI score 6.4 | EPSS 0.00019
Exploits 1 | References 1

NVD
added 2025/10/15 9:15 a.m. | 2 views

CVE-2025-10051

The Demo Import Kit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.1.0 via the import functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload...

CVSS 7.2 | EPSS 0.00384
Exploits 0 | References 2