
1726 matches found

Cvelist
added 2025/12/13 4:31 a.m., 25 views

CVE-2025-14395 Popover Windows <= 1.2 - Missing Authorization to Authenticated (Subscriber+) Popover Configuration Update via AJAX Actions

The Popover Windows plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple ajax actions e.g., popsubmit, popthemesubmit in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with subscriber-lev...

4.3 CVSS, 0.00158 EPSS
Exploits 0, References 2

Patchstack
added 2025/12/12 9:48 a.m., 5 views

WordPress Ultimate Auction plugin <= 4.3.2 - Sensitive Data Exposure vulnerability

Sensitive Data Exposure vulnerability discovered by daroo in WordPress Plugin Ultimate Auction versions <= 4.3.2...

5.3 CVSS, 7 AI score, 0.0024 EPSS
Exploits 0, Affected Software 1

CVE
added 2025/12/12 9:20 a.m., 14 views

CVE-2025-13993

CVE-2025-13993 - MailerLite – Signup forms (official) plugin for WordPress is affected up to version 1.7.16. The vulnerability is a Stored Cross-Site Scripting (Stored XSS) in the parameters form_description and success_message caused by insufficient input sanitization and output escaping. Exploi...

5.5 CVSS, 4.7 AI score, 0.00327 EPSS
Exploits 0, References 6

CVE
added 2025/12/10 4:50 p.m., 13 views

CVE-2025-67640

Jenkins Git client Plugin vulnerability CVE-2025-67640 affects versions 6.4.0 and earlier. The issue arises from improper escaping of the workspace directory path in a temporary shell script generated by the plugin, enabling an attacker who controls the workspace name to inject and execute arbitr...

5 CVSS, 6.6 AI score, 0.00179 EPSS
Exploits 0, References 1, Affected Software 1

Cvelist
added 2025/12/10 9:23 a.m., 28 views

CVE-2025-14390 Video Merchant <= 5.0.4 - Cross-Site Request Forgery to Arbitrary File Upload

The Video Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in version <= 5.0.4. This is due to missing or incorrect nonce validation on the videomerchantaddvideofile function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote...

8.8 CVSS, 0.00376 EPSS
Exploits 0, References 2

Tenable Nessus
added 2025/12/10 12:0 a.m., 2 views

Fedora 44 : containernetworking-plugins (2025-c67591d0a2)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-c67591d0a2 advisory. Automatic update for containernetworking-plugins-1.9.0-1.fc44. Changelog Tue Dec 9 2025 Bradley G Smith - 1.9.0-1 - Update to release v1.9.0 -...

7.5 CVSS, 7.2 AI score, 0.00586 EPSS
Exploits 0, References 6

CVE
added 2025/12/09 2:52 p.m., 13 views

CVE-2025-63070

CVE-2025-63070 corresponds to a WordPress Download Manager plugin vulnerability (versions up to 3.3.32) that causes information disclosure by exposing embedded sensitive data due to inadequate protection of sensitive information. The issue is described across multiple sources as an information di...

4.3 CVSS, 6.5 AI score, 0.00215 EPSS
Exploits 0, References 1

CVE
added 2025/12/09 2:52 p.m., 19 views

CVE-2025-63071

The CVE-2025-63071 entry describes an information-disclosure vulnerability in the WordPress plugin Shortcodes and extra features for Phlox theme (auxin-elements). The issue is an insertion of sensitive information into data sent by the plugin, allowing retrieval of embedded sensitive data. Affect...

5.3 CVSS, 5.9 AI score, 0.0024 EPSS
Exploits 0, References 1

Cvelist
added 2025/12/09 2:52 p.m., 18 views

CVE-2025-63052 WordPress SimpLy Gallery plugin <= 3.3.2.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Stored XSS. This issue affects SimpLy Gallery: from n/a through <= 3.3.2.1...

6.5 CVSS, 0.00161 EPSS
Exploits 0, References 1

Cvelist
added 2025/12/09 2:52 p.m., 20 views

CVE-2025-63056 WordPress Contact Form by BestWebSoft plugin <= 4.3.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in bestwebsoft Contact Form by BestWebSoft contact-form-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form by BestWebSoft: from n/a through <= 4.3.6...

4.3 CVSS, 0.00255 EPSS
Exploits 0, References 1

Cvelist
added 2025/12/09 2:52 p.m., 30 views

CVE-2025-63033 WordPress Make Section & Column Clickable For Elementor plugin <= 2.4 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Riyadh Ahmed Make Section & Column Clickable For Elementor make-section-column-clickable-elementor allows Stored XSS. This issue affects Make Section & Column Clickable For Elementor: from n/a throu...

5.9 CVSS, 0.00172 EPSS
Exploits 0, References 1

Vulnrichment
added 2025/12/09 2:52 p.m., 2 views

CVE-2025-62869 WordPress Gravitec.net – Web Push Notifications plugin <= 2.9.17 - Broken Access Control vulnerability

Missing Authorization vulnerability in Gravitec.net - Web Push Notifications Gravitec.net – Web Push Notifications gravitec-net-web-push-notifications allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gravitec.net – Web Push Notifications: from n/a through...

4.3 CVSS, 5.1 AI score, 0.00201 EPSS
Exploits 0, References 1

Vulnrichment
added 2025/12/09 2:52 p.m., 1 views

CVE-2025-62085 WordPress BERTHA AI plugin <= 1.13 - Broken Access Control vulnerability

Missing Authorization vulnerability in Bertha AI – Andrew Palmer BERTHA AI bertha-ai-free allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BERTHA AI: from n/a through <= 1.13...

5.3 CVSS, 5.1 AI score, 0.00282 EPSS
Exploits 0, References 1

Vulnrichment
added 2025/12/09 2:14 p.m., 3 views

CVE-2025-67596 WordPress Business Directory plugin <= 6.4.19 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery CSRF vulnerability in Strategy11 Team Business Directory business-directory-plugin allows Cross Site Request Forgery. This issue affects Business Directory: from n/a through <= 6.4.19...

4.3 CVSS, 6.5 AI score, 0.00098 EPSS
Exploits 0, References 1

CVE
added 2025/12/09 2:14 p.m., 10 views

CVE-2025-67582

CVE-2025-67582 affects Wbcom Designs – Private Community for BuddyPress (Wbcom Designs) and is caused by Missing Authorization in lock-my-bp. The Wordfence vulnerability listing confirms the affected range up to version 2.1.1 and notes a Patched status, indicating a fix has been released. The CVS...

5.3 CVSS, 6.6 AI score, 0.00176 EPSS
Exploits 0, References 1

Cvelist
added 2025/12/09 2:14 p.m., 19 views

CVE-2025-67579 WordPress User Extra Fields plugin <= 16.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects User Extra Fields: from n/a through <= 16.8...

5.3 CVSS, 0.00187 EPSS
Exploits 0, References 1

CVE
added 2025/12/09 2:14 p.m., 10 views

CVE-2025-67556

CVE-2025-67556 refers to a stored cross-site scripting (XSS) vulnerability in the WordPress plugin Advanced FAQ Manager (ThemeHigh) affecting versions

5.9 CVSS, 5.6 AI score, 0.00172 EPSS
Exploits 0, References 1

CNNVD
added 2025/12/09 12:0 a.m., 1 views

WordPress plugin WPFunnels security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security...

5.3 CVSS, 6.6 AI score, 0.00208 EPSS
Exploits 0, References 1

Cvelist
added 2025/12/06 5:49 a.m., 17 views

CVE-2025-12715 Canadian Nutrition Facts Label <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Nutrition Label Custom Post Type

The Canadian Nutrition Facts Label plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'percentage' field in the Nutrition Label custom post type in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4 CVSS, 0.00156 EPSS
Exploits 0, References 2

Packet Storm
added 2025/12/05 12:0 a.m., 152 views

WordPress AI Buddy 1.8.5 Shell Upload

WordPress AI Buddy plugin versions 1.8.5 and below remote shell upload exploit that leverages the REST API attachment functionality. Title : AI Buddy...

9.1 CVSS, 7.2 AI score, 0.00413 EPSS
Exploits 5