CVE-2025-32202

Unrestricted Upload of File with Dangerous Type vulnerability in Brian Batt - elearningfreak.com Insert or Embed Articulate Content into WordPress insert-or-embed-articulate-content-into-wordpress allows Upload a Web Shell to a Web Server.This issue affects Insert or Embed Articulate Content into...

CVE-2025-32236 WordPress Woocommerce Products Reorder Drag Drop Multiple Sort plugin <= 1.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in Vagonic Woocommerce Products Reorder Drag Drop Multiple Sort – Sortable, Rearrange Products Vagonic. This issue affects Woocommerce Products Reorder Drag Drop Multiple Sort – Sortable, Rearrange Products Vagonic: from n/a through 1.9...

WordPress plugin Simple WP Events 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability...

CVE-2025-31431 WordPress WP Bookmarks plugin <= 1.1 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in conlabz GmbH WP Bookmarks wp-bookmarks allows Reflected XSS.This issue affects WP Bookmarks: from n/a through = 1.1...

CVE-2025-30520 WordPress Breezing Forms plugin <= 1.2.8.11 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in crosstec Breezing Forms allows Reflected XSS. This issue affects Breezing Forms: from n/a through 1.2.8.11...

CVE-2025-31572 WordPress Multi Days Events and Multi Events in One Day Calendar plugin <= 1.1.3 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery CSRF vulnerability in v20202020 Multi Days Events and Multi Events in One Day Calendar dragon-calendar-free-version allows Cross Site Request Forgery.This issue affects Multi Days Events and Multi Events in One Day Calendar: from n/a through = 1.1.3...

CVE-2025-30920 WordPress WP Posts Carousel plugin <= 1.3.7 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in teastudio.pl WP Posts Carousel wp-posts-carousel allows Stored XSS.This issue affects WP Posts Carousel: from n/a through = 1.3.7...

CVE-2025-1440 Advanced iFrame <= 2024.5 - Unauthenticated Settings Update

The Advanced iFrame plugin for WordPress is vulnerable to unauthorized excessive creation of options on the aipmapurlcallback function in all versions up to, and including, 2024.5 due to insufficient restrictions. This makes it possible for unauthenticated attackers to update the...

CVE-2025-1770 Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.24 - Authenticated (Contributor+) Local File Inclusion

The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.24 via the 'style' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to...

CVE-2025-1668 School Management System – WPSchoolPress <= 2.2.16 - Missing Authorization to Arbitrary User Deletion

The School Management System – WPSchoolPress plugin for WordPress is vulnerable to arbitrary user deletion due to a missing capability check on the wpspDeleteUser function in all versions up to, and including, 2.2.16. This makes it possible for authenticated attackers, with teacher-level access a...

ALPINE-CVE-2025-29768

Vim, a text editor, is vulnerable to potential data loss with zip.vim and special crafted zip files in versions prior to 9.1.1198. The impact is medium because a user must be made to view such an archive with Vim and then press 'x' on such a strange filename. The issue has been fixed as of Vim...

CVE-2025-1527 ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) <= 3.1.0 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Flash Sale Countdown Module

The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution formerly WooLentor plugin for WordPress is vulnerable to a Stored DOM-Based Cross-Site Scripting via the plugin's Flash Sale Countdown module in all versions up to, and including, 3.1.0 due to...

CVE-2024-12119

CVE-2024-12119 affects FooGallery – Responsive Photo Gallery (WordPress) up to version 2.4.29. It is a stored Cross‑Site Scripting vulnerability caused by insufficient input sanitization and output escaping for the gallery title/album title size parameter. Exploitation requires an authenticated a...

CVE-2024-13692

The Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.4.5 via several functions due to missing validation on a user...

CVE-2024-13554

The The Ultimate WordPress Toolkit – WP Extended plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reorderroute function in all versions up to, and including, 3.0.13. This makes it possible for unauthenticated attackers to reorder pos...

CVE-2024-13539 AForms Eats <= 1.3.1 - Unauthenticated Full Path Disclosure

The AForms Eats plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.3.1. This is due the /vendor/aura/payload-interface/phpunit.php file being publicly accessible and displaying error messages. This makes it possible for unauthenticated attackers to...

CVE-2024-7146

The JetTabs for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.3 via the 'switcherpreset' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files ...

CVE-2024-50427

Unrestricted Upload of File with Dangerous Type vulnerability in devsoftbaltic SurveyJS surveyjs.This issue affects SurveyJS: from n/a through = 1.9.136...

CVE-2024-1308

The WooCommerce Cloak Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'permalinksettingssave' function in all versions up to, and including, 1.0.33. This makes it possible for unauthenticated attackers to modify the...

CVE-2024-53994

Discourse is an open source platform for community discussion. In affected versions users who disable chat in preferences could still be reachable in some cases. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable...