15840 matches found
PT-2025-39960
Name of the Vulnerable Software and Affected Versions: SmartCrawl SEO plugin for WordPress versions prior to 3.14.4. Description: The SmartCrawl SEO plugin for WordPress has an issue where data can be modified without authorization. This is due to a missing capability check within the update submodu...
WordPress plugin Postie security vulnerability
WordPress Postie Plugin is a plugin that is mainly used for publishing posts via email. WordPress Postie Plugin suffers from a cross-site scripting vulnerability that stems from the application's lack of effective filtering and escaping of user-supplied data, which can be exploited by an attacker...
mkdocs-include-markdown-plugin input validation error vulnerability
mkdocs-include-markdown-plugin is a Markdown file processor by the individual developer Álvaro Mondéjar Rubio. An input validation error vulnerability exists in mkdocs-include-markdown-plugin version 7.1.7 and earlier, which stems from unvalidated input that may conflict with substitution...
WordPress WordPress Image shrinker plugin <= 1.1.0 - Server Side Request Forgery (SSRF) vulnerability
Server Side Request Forgery (SSRF) vulnerability discovered by theviper17 in WordPress Plugin WordPress Image shrinker versions <= 1.1.0...
CVE-2025-9894 Sync Feedly <= 1.0.1 - Cross-Site Request Forgery to Sync Trigger
The Sync Feedly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the crsfcronjobfunc function. This makes it possible for unauthenticated attackers to trigger content synchronizati...
CVE-2025-9816 WP Statistics <= 14.5.4 - Unauthenticated Stored Cross-Site Scripting via User-Agent Header
The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent Header in all versions up to, and including, 14.5.4 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2025-10173
The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized access due to an incorrect capability check on the postsave function in all versions up to, and including, 4.8.3. This makes it possible for authenticated...
WordPress Everest Forms plugin <= 3.4.1 - Arbitrary Shortcode Execution vulnerability
Arbitrary Shortcode Execution vulnerability discovered by Najib Sinjari in WordPress Plugin Everest Forms versions <= 3.4.1...
WordPress GST for WooCommerce Plugin <= 2.0 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery (CSRF) Vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin GST for WooCommerce versions <= 2.0...
WordPress Job Board Manager Plugin <= 2.1.61 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by muhammad yudha in WordPress Plugin Job Board Manager versions <= 2.1.61...
WordPress Smart Related Products plugin <= 2.0.7 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nabil Irawan in WordPress Plugin Smart Related Products versions <= 2.0.7...
WordPress WP Gravity Forms HubSpot Plugin <= 1.2.5 - Open Redirection Vulnerability
Open Redirection Vulnerability discovered by Bonds in WordPress Plugin WP Gravity Forms HubSpot versions <= 1.2.5...
WordPress WEDOS Global Plugin <= 1.2.2 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by Nabil Irawan in WordPress Plugin WEDOS Global versions <= 1.2.2...
CVE-2025-60185 WordPress kontur Admin Style Plugin <= 1.0.4 - Cross Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kontur.us kontur Admin Style kontur-admin-style allows Stored XSS. This issue affects kontur Admin Style: from n/a through <= 1.0.4...
CVE-2025-60185
CVE-2025-60185 is a stored XSS in the kontur Admin Style WordPress plugin (vulnerable up to and including 1.0.4). The root cause is improper neutralization of input during web page generation, enabling an attacker with network access and high privileges to trigger XSS upon user interaction. The i...
CVE-2025-60184
CVE-2025-60184 is a stored XSS in the SEO Search Permalink WordPress plugin (SEO Search Permalink). The issue arises from improper input neutralization during web page generation (XSS). Affected product: SEO Search Permalink; vulnerable in versions up to 1.0.3 (n/a through 1.0.3). MITRE or exploi...
CVE-2025-60172 WordPress Flytedesk Digital Plugin <= 20181101 - Cross Site Request Forgery (CSRF) Vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in flytedesk Flytedesk Digital flytedesk-digital allows Stored XSS. This issue affects Flytedesk Digital: from n/a through <= 20181101...
CVE-2025-60163 WordPress bbp topic count plugin <= 3.2 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Robin W bbp topic count bbp-topic-count allows DOM-Based XSS. This issue affects bbp topic count: from n/a through <= 3.2...
CVE-2025-60161
CVE-2025-60161: ZoloBlocks (ZoloBlocks plugin)