CVE-2025-11723 Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.5 - Unauthenticated Sensitive Information Exposure

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.5 via the hash function due to use of a hardcoded fall-back salt. This makes it possible for...

CVE-2023-51513 WordPress Geo Controller plugin <= 8.5.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in INTINITUM FORM Geo Controller allows DOM-Based XSS.This issue affects Geo Controller: from n/a through 8.5.2...

CVE-2025-68014 WordPress AweBooking plugin <= 3.2.26 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in awethemes AweBooking awebooking allows Retrieve Embedded Sensitive Data.This issue affects AweBooking: from n/a through = 3.2.26...

WordPress Owl Carousel WP plugin <= 2.2.2 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by NumeX in WordPress Plugin Owl Carousel WP versions = 2.2.2...

CVE-2025-23707 WordPress En Masse plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Matamko En Masse en-masse-wp allows Reflected XSS.This issue affects En Masse: from n/a through = 1.0...

WordPress Behance Portfolio Manager plugin <= 1.7.5 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Nguyen Tran Tuan Dung domiee13 in WordPress Plugin Behance Portfolio Manager versions = 1.7.5...

CVE-2025-62088 WordPress WordPress & WooCommerce Scraper plugin, Import Data from Any Site plugin <= 1.0.7 - Server Side Request Forgery (SSRF) vulnerability

Server-Side Request Forgery SSRF vulnerability in extendons WordPress & WooCommerce Scraper Plugin, Import Data from Any Site allows Server Side Request Forgery.This issue affects WordPress & WooCommerce Scraper Plugin, Import Data from Any Site: from n/a through 1.0.7...

CVE-2025-62874 WordPress AnyComment plugin <= 0.3.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in Alexander AnyComment allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AnyComment: from n/a through 0.3.6...

CVE-2025-62143 WordPress Post Video Players plugin <= 1.163 - Sensitive Data Exposure vulnerability

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in nicashmu Post Video Players video-playlist-and-gallery-plugin allows Retrieve Embedded Sensitive Data.This issue affects Post Video Players: from n/a through = 1.163...

CVE-2025-62116

CVE-2025-62116 is described in the initial document as a Missing Authorization vulnerability in the QuadLayers AI Copilot (WordPress plugin), affecting versions from unknown up to and including 1.4.7. The connected Wordfence document substantively corroborates that AI Copilot is affected by a Mis...

CVE-2025-62116 WordPress AI Copilot plugin <= 1.5.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in quadlayers AI Copilot ai-copilot allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Copilot: from n/a through = 1.5.2...

CVE-2025-62126 WordPress Varnish/Nginx Proxy Caching plugin <= 1.8.3 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in Razvan Stanga Varnish/Nginx Proxy Caching vcaching allows Retrieve Embedded Sensitive Data.This issue affects Varnish/Nginx Proxy Caching: from n/a through = 1.8.3...

CVE-2025-62747

CVE-2025-62747: Missing Authorization in Featured Image Generator (WordPress plugin) enables access control bypass in versions up to 1.3.3. CVSS 3.1/5.3 (base). Exploitation status and specific fix are not provided in the documents; monitor for official patch/media advisories for remediation guid...

CVE-2025-63001

CVE-2025-63001 corresponds to a Missing Authorization issue in the Hotel Booking plugin (nicdark). Public details in the Wordfence vulnerability feed describe an unauthenticated access control weakness for Hotel Booking

CVE-2025-62098 WordPress Portfolio Gallery plugin <= 1.4.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in totalsoft Portfolio Gallery gallery-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Portfolio Gallery: from n/a through = 1.4.8...

WordPress Add Custom Codes plugin <= 4.80 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Certus Cybersecurity in WordPress Plugin Add Custom Codes versions = 4.80...

CVE-2025-62742 WordPress Curator.io plugin <= 1.9.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Curator.io Curator.io curatorio allows Stored XSS.This issue affects Curator.io: from n/a through = 1.9.5...

CVE-2025-62118

CVE-2025-62118 affects the WordPress AdWords Conversion Tracking Code plugin (versions up to 1.0). The issue is a stored XSS caused by improper input neutralization during web page generation, exploitable when data is stored and later rendered. The Wordfence vulnerability report lists this entry ...

CVE-2025-49358 WordPress Content Fetcher plugin <= 1.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Ruhul Amin Content Fetcher content-fetcher allows DOM-Based XSS.This issue affects Content Fetcher: from n/a through = 1.1...

CVE-2025-62752 WordPress Calendar.online / Kalender.digital plugin <= 1.0.11 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in kalender.Digital Calendar.Online / Kalender.Digital allows DOM-Based XSS.This issue affects Calendar.Online / Kalender.Digital: from n/a through 1.0.11...