CVE-2025-63056 WordPress Contact Form by BestWebSoft plugin <= 4.3.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in bestwebsoft Contact Form by BestWebSoft contact-form-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form by BestWebSoft: from n/a through = 4.3.6...

CVE-2025-63052 WordPress SimpLy Gallery plugin <= 3.3.2.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Stored XSS.This issue affects SimpLy Gallery: from n/a through = 3.3.2.1...

CVE-2025-63033 WordPress Make Section & Column Clickable For Elementor plugin <= 2.4 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Riyadh Ahmed Make Section & Column Clickable For Elementor make-section-column-clickable-elementor allows Stored XSS.This issue affects Make Section & Column Clickable For Elementor: from n/a throu...

CVE-2025-62869 WordPress Gravitec.net – Web Push Notifications plugin <= 2.9.17 - Broken Access Control vulnerability

Missing Authorization vulnerability in Gravitec.net - Web Push Notifications Gravitec.net – Web Push Notifications gravitec-net-web-push-notifications allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gravitec.net – Web Push Notifications: from n/a through...

CVE-2025-62085 WordPress BERTHA AI plugin <= 1.13 - Broken Access Control vulnerability

Missing Authorization vulnerability in Bertha AI – Andrew Palmer BERTHA AI bertha-ai-free allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BERTHA AI: from n/a through = 1.13...

CVE-2025-67596 WordPress Business Directory plugin <= 6.4.19 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery CSRF vulnerability in Strategy11 Team Business Directory business-directory-plugin allows Cross Site Request Forgery.This issue affects Business Directory: from n/a through = 6.4.19...

CVE-2025-67582

CVE-2025-67582 affects Wbcom Designs – Private Community for BuddyPress (Wbcom Designs) and is caused by Missing Authorization in lock-my-bp. The Wordfence vulnerability listing confirms the affected range up to version 2.1.1 and notes a Patched status, indicating a fix has been released. The CVS...

CVE-2025-67579 WordPress User Extra Fields plugin <= 16.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Extra Fields: from n/a through = 16.8...

CVE-2025-67556

CVE-2025-67556 refers to a stored cross-site scripting (XSS) vulnerability in the WordPress plugin Advanced FAQ Manager (ThemeHigh) affecting versions

WordPress plugin WPFunnels 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A security...

CVE-2025-12715 Canadian Nutrition Facts Label <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Nutrition Label Custom Post Type

The Canadian Nutrition Facts Label plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'percentage' field in the Nutrition Label custom post type in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for...

📄 WordPress AI Buddy 1.8.5 Shell Upload

WordPress AI Buddy plugin versions 1.8.5 and below remote shell upload exploit that leverages the REST API attachment functionality. ============================================================================================================================================= | Title : AI Buddy...

WordPress Contact Form Email plugin <= 1.3.60 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References IDOR vulnerability discovered by Rooting in WordPress Plugin Contact Form Email versions = 1.3.60...

CVE-2025-12578

The Reuters Direct WordPress plugin (

WordPress WP Webhooks plugin <= 3.3.8 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin WP Webhooks versions = 3.3.8...

CVE-2025-13597 AI Feeds <= 1.0.11 - Unauthenticated Arbitrary File Upload

The AI Feeds plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check in the 'actualizadorgit.php' file in all versions up to, and including, 1.0.11. This makes it possible for unauthenticated attackers to download arbitrary GitHub repositories and overwrite...

WordPress ANAC XML Bandi di Gara plugin <= 7.7 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Skalucy in WordPress Plugin ANAC XML Bandi di Gara versions = 7.7...

WordPress UiPress lite plugin <= 3.5.08 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure vulnerability

Missing Authorization to Authenticated Subscriber+ Sensitive Information Exposure vulnerability discovered by abrahack in WordPress Plugin UiPress lite versions = 3.5.08...

WordPress Accordion Slider plugin <= 1.9.13 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Accordion Slider versions = 1.9.13...

PT-2025-47835

Name of the Vulnerable Software and Affected Versions OneClick Chat to Order plugin for WordPress versions up to and including 1.0.8 Description The OneClick Chat to Order plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This is due to a lack of validation on a...