1398 matches found

Cvelist · added 2025/07/09 3:39 p.m. · 4 views

CVE-2025-53662

Jenkins IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...

0.00216 EPSS
Exploits 0 · References 1
CVE · added 2025/07/09 3:39 p.m. · 14 views

CVE-2025-53655

CVE-2025-53655 affects Jenkins Statistics Gatherer Plugin versions 2.0.3 and earlier. The root issue is that the AWS Secret Key is stored unencrypted in the global configuration file org.jenkins.plugins.statistics.gatherer.StatisticsConfiguration.xml on the Jenkins controller and is not masked in...

5.3 CVSS · 6.5 AI score · 0.00102 EPSS
Exploits 0 · References 2 · Affected Software 1
Positive Technologies · added 2025/07/09 12:00 a.m. · 2 views

PT-2025-28839 · WordPress · Simple Featured Image

Name of the Vulnerable Software and Affected Versions: Simple Featured Image plugin for WordPress versions up to, and including, 1.3.1
Description: The issue is related to Stored Cross-Site Scripting via the slideshow parameter due to insufficient input sanitization and output escaping. This allo...

6.4 CVSS · 5.8 AI score · 0.00163 EPSS
Exploits 0 · References 7
Patchstack · added 2025/07/08 5:41 p.m. · 6 views

WordPress SureForms plugin <= 1.7.3 - Unauthenticated PHP Object Injection (PHAR) vulnerability

Unauthenticated PHP Object Injection (PHAR) vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin SureForms versions <= 1.7.3...

7.5 CVSS · 7.1 AI score · 0.01441 EPSS
Exploits 0 · References 1 · Affected Software 1
Patchstack · added 2025/07/04 10:24 a.m. · 4 views

WordPress iFrame Images Gallery plugin <= 9.0 - SQL Injection Vulnerability

SQL Injection Vulnerability discovered by Peter Thaleikis in WordPress Plugin iFrame Images Gallery versions <= 9.0...

8.5 CVSS · 7.7 AI score · 0.00179 EPSS
Exploits 0 · Affected Software 1
Patchstack · added 2025/07/04 10:23 a.m. · 3 views

WordPress fluXtore plugin <= 1.6.0 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Martino Spagnuolo r3verii in WordPress Plugin fluXtore versions <= 1.6.0...

5.3 CVSS · 6.8 AI score · 0.00229 EPSS
Exploits 0 · Affected Software 1
Patchstack · added 2025/07/04 10:12 a.m. · 4 views

WordPress Chatra Live Chat + ChatBot + Cart Saver plugin <= 1.0.11 - Cross Site Scripting (XSS) Vulnerability

Cross Site Scripting (XSS) Vulnerability discovered by haudayroi - BlueRock in WordPress Plugin Chatra Live Chat + ChatBot + Cart Saver versions <= 1.0.11...

5.9 CVSS · 6 AI score · 0.00258 EPSS
Exploits 0 · Affected Software 1
NVD · added 2025/07/04 3:15 a.m. · 2 views

CVE-2025-6786

The DocCheck Login plugin for WordPress is vulnerable to unauthorized post access in all versions up to, and including, 1.1.5. This is due to plugin redirecting a user to login on a password protected post after the page has loaded. This makes it possible for unauthenticated attackers to read pos...

5.3 CVSS · 0.00213 EPSS
Exploits 0 · References 3
CVE · added 2025/07/03 12:14 p.m. · 15 views

CVE-2025-3702

CVE-2025-3702 describes a Missing Authorization (broken access control) vulnerability in the WordPress Melapress File Monitor plugin, affecting versions prior to 2.2.0. Multiple sources consolidate the same issue. The root cause is improperly configured access control levels that can be exploited...

5.4 CVSS · 5.9 AI score · 0.00218 EPSS
Exploits 0 · References 1 · Affected Software 1
Cvelist · added 2025/07/02 3:47 a.m. · 3 views

CVE-2024-11405 WP Front-end login and register <= 2.1.0 - Reflected Cross-Site Scripting

The WP Front-end login and register plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the email and wpmpresetpasswordtoken parameters in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for...

6.1 CVSS · 0.00476 EPSS
Exploits 0 · References 2
Patchstack · added 2025/07/01 10:41 p.m. · 6 views

WordPress Magic Buttons for Elementor plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via magic-button Shortcode vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via magic-button Shortcode vulnerability discovered by muhammad yudha in WordPress Plugin Magic Buttons for Elementor versions <= 1.0...

6.4 CVSS · 5.5 AI score · 0.00157 EPSS
Exploits 0 · References 1 · Affected Software 1
Patchstack · added 2025/07/01 12:00 a.m. · 3 views

WordPress Everest Forms Plugin <= 3.2.2 is vulnerable to PHP Object Injection

Software: Everest Forms; Type: Plugin; Vulnerable versions: <= 3.2.2; Fixed in: 3.2.3; OWASP Top 10: A3: Injection; Classification: PHP Object Injection; CVE: CVE-2025-52709; Patch priority: High; CVSS severity: High 9.8; Developer: Everest Forms; PSID: ed6f018dd59f; Credits: Phat RiO - BlueRock; Required privilege...

9.8 CVSS · 6.4 AI score
Exploits 0 · References 1 · Affected Software 1
Patchstack · added 2025/06/30 9:31 p.m. · 6 views

WordPress Ultra Addons for Contact Form 7 plugin <= 3.5.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via UACF7_CUSTOM_FIELDS Shortcode vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via UACF7_CUSTOM_FIELDS Shortcode vulnerability discovered by muhammad yudha in WordPress Plugin Ultimate Addons for Contact Form 7 versions <= 3.5.21...

6.4 CVSS · 5.5 AI score · 0.00157 EPSS
Exploits 0 · References 1 · Affected Software 1
Patchstack · added 2025/06/30 9:30 p.m. · 11 views

WordPress Opal Estate Pro plugin <= 1.7.5 - Unauthenticated Privilege Escalation via 'on_regiser_user' vulnerability

Unauthenticated Privilege Escalation via 'on_regiser_user' vulnerability discovered by Alyudin Nafiie in WordPress Plugin Opal Estate Pro versions <= 1.7.5...

9.8 CVSS · 6.7 AI score · 0.26374 EPSS
Exploits 12 · References 1 · Affected Software 1
Patchstack · added 2025/06/30 12:49 p.m. · 3 views

WordPress Email Address Security by WebEmailProtector plugin <= 3.3.6 - Cross Site Scripting (XSS) Vulnerability

Cross Site Scripting (XSS) Vulnerability discovered by chuck in WordPress Plugin Email Address Security by WebEmailProtector versions <= 3.3.6...

6.5 CVSS · 6 AI score · 0.00143 EPSS
Exploits 0 · Affected Software 1
RedhatCVE · added 2025/06/30 6:28 a.m. · 7 views

CVE-2025-5304

The PT Project Notebooks plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the wpnbptonewusersadd function in versions 1.0.0 through 1.1.3. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator...

9.8 CVSS · 6.5 AI score · 0.01278 EPSS
Exploits 2 · References 1
Vulnrichment · added 2025/06/28 5:29 a.m. · 3 views

CVE-2025-6755 Game Users Share Buttons <= 1.3.0 - Authenticated (Subscriber+) Arbitrary File Deletion via themeNameId Parameter

The Game Users Share Buttons plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaxDeleteTheme function in all versions up to, and including, 1.3.0. This makes it possible for Subscriber-level attackers to add arbitrary file paths such a...

8.8 CVSS · 7.3 AI score · 0.03176 EPSS
Exploits 0 · References 3
RedhatCVE · added 2025/06/28 3:21 a.m. · 4 views

CVE-2025-3863

The Post Carousel Slider for Elementor plugin for WordPress is vulnerable to improper authorization due to a missing capability check on the processwbelpspromoform function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Subscriber-level acces...

4.3 CVSS · 7 AI score · 0.00205 EPSS
Exploits 0 · References 1
RedhatCVE · added 2025/06/28 3:21 a.m. · 3 views

CVE-2025-6538

The Post Rating and Review plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class’ parameter in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level...

6.4 CVSS · 6 AI score · 0.00123 EPSS
Exploits 0 · References 1
Patchstack · added 2025/06/27 11:09 p.m. · 9 views

WordPress PT Project Notebooks plugin 1.0.0-1.1.3 - Missing Authorization to Unauthenticated Privilege Escalation vulnerability

Missing Authorization to Unauthenticated Privilege Escalation vulnerability discovered by kr0d in WordPress Plugin PT Project Notebooks versions 1.0.0-1.1.3...

9.8 CVSS · 6.7 AI score · 0.01278 EPSS
Exploits 2 · References 1 · Affected Software 1