15745 matches found
CVE-2025-64235 WordPress Tuturn plugin < 3.6 - Arbitrary File Download vulnerability
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in AmentoTech Tuturn allows Path Traversal. This issue affects Tuturn: from n/a before 3.6...
CVE-2025-64236 WordPress Tuturn plugin < 3.6 - Broken Authentication vulnerability
Authentication Bypass Using an Alternate Path or Channel vulnerability in AmentoTech Tuturn allows Authentication Abuse. This issue affects Tuturn: from n/a before 3.6...
CVE-2025-13110 HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.3 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_subscr'
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.3 via the "woof_add_subscr" function due to missing validation on a user controlled key. This makes it possible for authenticat...
EUVD-2025-204090
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in 8theme XStore Core et-core-plugin allows Reflected XSS. This issue affects XStore Core: from n/a through 5.6...
CVE-2025-66116 WordPress Ultimate Member Widgets for Elementor plugin <= 2.3 - Sensitive Data Exposure vulnerability
Insertion of Sensitive Information Into Sent Data vulnerability in UserElements Ultimate Member Widgets for Elementor ultimate-member-widgets-for-elementor allows Retrieve Embedded Sensitive Data. This issue affects Ultimate Member Widgets for Elementor: from n/a through <= 2.3...
CVE-2025-66078 WordPress Hotel Booking Lite plugin <= 5.2.3 - Remote Code Execution (RCE) vulnerability
Improper Control of Generation of Code 'Code Injection' vulnerability in jetmonsters Hotel Booking Lite motopress-hotel-booking-lite allows Remote Code Inclusion. This issue affects Hotel Booking Lite: from n/a through <= 5.2.3...
CVE-2025-66074 WordPress WP Webhooks plugin <= 3.3.8 - Arbitrary File Upload vulnerability
Unrestricted Upload of File with Dangerous Type vulnerability in Cozmoslabs WP Webhooks wp-webhooks allows Path Traversal. This issue affects WP Webhooks: from n/a through <= 3.3.8...
CVE-2025-66054
CVE-2025-66054 describes a missing authorization vulnerability in the WordPress LearnPress plugin (LearnPress
CVE-2025-64266
The CVE pertains to WordPress Plugin Booking and Rental Manager for WooCommerce (versions up to 2.5.4). The issue is a Deserialization of Untrusted Data vulnerability that enables Object Injection via the plugin’s handling of data, as described across CVE records from NVD/Red Hat/ENISA and third-...
CVE-2025-64218
CVE-2025-64218 affects the WordPress plugin Passster (Passster content-protector) version up to 4.2.19. The issue is described as an Insertion of Sensitive Information Into Sent Data vulnerability that allows Retrieve Embedded Sensitive Data. Root cause and impact are documented similarly across ...
CVE-2025-64189
CVE-2025-64189 affects the WordPress XStore Core et-core-plugin. It is a Cross-Site Scripting (Reflected XSS) vulnerability caused by improper input neutralization during web page generation. The issue affects XStore Core versions from n/a up to and including
CVE-2025-60180 WordPress WP Gravity Forms Salesforce plugin <= 1.5.1 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Salesforce gf-salesforce-crmperks allows Object Injection. This issue affects WP Gravity Forms Salesforce: from n/a through <= 1.5.1...
CVE-2025-6324 WordPress Easy Invoice plugin <= 2.0.9 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in MatrixAddons Easy Invoice easy-invoice allows DOM-Based XSS. This issue affects Easy Invoice: from n/a through <= 2.0.9...
CVE-2025-60174
CVE-2025-60174 affects the WordPress plugin WP Gravity Forms Constant Contact Plugin gf-constant-contact (versions from unspecified n/a up to and including 1.1.2). The vulnerability is described as a Deserialization of Untrusted Data issue that allows Object Injection. Core details provided acros...
CVE-2025-60174 WordPress WP Gravity Forms Constant Contact plugin plugin <= 1.1.2 - Deserialization of untrusted data vulnerability
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Constant Contact Plugin gf-constant-contact allows Object Injection. This issue affects WP Gravity Forms Constant Contact Plugin: from n/a through <= 1.1.2...
CVE-2025-60078
The CVE-2025-60078 issue affects the WordPress Task Manager plugin for WordPress (versions
CVE-2025-60068 WordPress Javo Core plugin <= 3.0.0.266 - Arbitrary Code Execution vulnerability
Improper Control of Generation of Code 'Code Injection' vulnerability in javothemes Javo Core javo-core allows Code Injection. This issue affects Javo Core: from n/a through <= 3.0.0.266...
CVE-2025-58710
CVE-2025-58710 affects the WordPress e-plugins Hotel Listing plugin (hotel-listing component) up to version 1.4.0. Root cause: incorrect privilege assignment that allows privilege escalation. CVSS 3.1 base score 8.6 (HIGH), with confidentiality impact HIGH and other partial impacts. Remediation: ...
CVE-2025-54743
CVE-2025-54743 describes a Missing Authorization vulnerability in the WordPress plugin Download After Email (versions 2.1.5–2.1.6). Exploitation would allow bypassing access controls to download content due to misconfigured authorization. Affected product: Download After Email – Subscribe & Downl...