CVE-2025-62747
CVE-2025-62747: Missing Authorization in Featured Image Generator (WordPress plugin) enables access control bypass in versions up to 1.3.3. CVSS 3.1/5.3 (base). Exploitation status and specific fix are not provided in the documents; monitor for official patch/media advisories for remediation guid...
CVE-2025-63001
CVE-2025-63001 corresponds to a Missing Authorization issue in the Hotel Booking plugin (nicdark). Public details in the Wordfence vulnerability feed describe an unauthenticated access control weakness for Hotel Booking
CVE-2025-62098 WordPress Portfolio Gallery plugin <= 1.4.8 - Broken Access Control vulnerability
Missing Authorization vulnerability in totalsoft Portfolio Gallery gallery-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Portfolio Gallery: from n/a through <= 1.4.8...
WordPress Add Custom Codes plugin <= 4.80 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Certus Cybersecurity in WordPress Plugin Add Custom Codes versions <= 4.80...
CVE-2025-62742 WordPress Curator.io plugin <= 1.9.5 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Curator.io Curator.io curatorio allows Stored XSS. This issue affects Curator.io: from n/a through <= 1.9.5...
CVE-2025-62118
CVE-2025-62118 affects the WordPress AdWords Conversion Tracking Code plugin (versions up to 1.0). The issue is a stored XSS caused by improper input neutralization during web page generation, exploitable when data is stored and later rendered. The Wordfence vulnerability report lists this entry ...
CVE-2025-49358 WordPress Content Fetcher plugin <= 1.1 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ruhul Amin Content Fetcher content-fetcher allows DOM-Based XSS. This issue affects Content Fetcher: from n/a through <= 1.1...
CVE-2025-62752 WordPress Calendar.online / Kalender.digital plugin <= 1.0.11 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kalender.Digital Calendar.Online / Kalender.Digital allows DOM-Based XSS. This issue affects Calendar.Online / Kalender.Digital: from n/a through 1.0.11...
CVE-2025-63005 WordPress WordPress Tooltips plugin <= 10.7.9 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tomas WordPress Tooltips allows Stored XSS. This issue affects WordPress Tooltips: from n/a through 10.7.9...
WordPress Lexicata plugin <= 1.0.16 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by 0xd4rk5id3 - EnvoraSec in WordPress Plugin Lexicata versions <= 1.0.16...
WordPress ELEX WordPress HelpDesk & Customer Ticketing System plugin <= 3.3.4 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin ELEX WordPress HelpDesk & Customer Ticketing System versions <= 3.3.4...
WordPress Pagelayer plugin < 1.8.8 - Admin+ Stored XSS vulnerability
Admin+ Stored XSS vulnerability discovered by Jeewan Kumar Bhatta in WordPress Plugin PageLayer versions < 1.8.8...
WordPress Solidres plugin <= 0.9.4 - Reflected XSS vulnerability
Reflected XSS vulnerability discovered by Hassan Khan Yusufzai - Splint3r7 in WordPress Plugin Solidres – Hotel booking plugin versions <= 0.9.4...
WordPress Widget4call plugin <= 1.0.7 - Reflected XSS vulnerability
Reflected XSS vulnerability discovered by Hassan Khan Yusufzai - Splint3r7 in WordPress Plugin Widget4Call versions <= 1.0.7...
WordPress WP Job Portal plugin <= 2.2.6 - Insecure Direct Object Reference to Authenticated (Employer+) Arbitrary Job Deletion vulnerability
Insecure Direct Object Reference to Authenticated (Employer+) Arbitrary Job Deletion vulnerability discovered by thevietronin - GalaxyOne in WordPress Plugin WP Job Portal versions <= 2.2.6...
WordPress plugin Locatoraid Store Locator cross-site scripting vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin.... A cross-site...
CVE-2025-62128
Technical details for CVE-2025-62128 are not provided in the supplied documents. No confirmed affected versions, impact, or mitigations are stated here. Monitor for updates from SiteLock, WordPress security advisories, or CVE databases for precise remediation guidance.
CVE-2025-69089
CVE-2025-69089 is a Stored XSS vulnerability affecting the WordPress plugin Auto Listings (Car Listings & Car Dealership Plugin). The Wordfence entry confirms authenticated attackers can exploit improper input handling in web page generation to trigger Stored Cross-Site Scripting, impacting Auto ...
CVE-2025-68998 WordPress Heateor Social Login plugin <= 1.1.39 - Cross Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in Heateor Support Heateor Social Login heateor-social-login allows Cross Site Request Forgery. This issue affects Heateor Social Login: from n/a through <= 1.1.39...