CVE-2025-31897 WordPress Arrow Custom Feed for Twitter plugin <= 1.5.3 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Arrow Plugins Arrow Custom Feed for Twitter arrow-twitter-feed allows Stored XSS. This issue affects Arrow Custom Feed for Twitter: from n/a through <= 1.5.3...
PT-2025-14205 · Wombat Plugins · Wp Optin Wheel
Name of the Vulnerable Software and Affected Versions: Wombat Plugins WP Optin Wheel versions 1.4.7 and earlier. Description: The issue is related to a Server-Side Request Forgery (SSRF) vulnerability, which allows for Server Side Request Forgery. This means an attacker can potentially force the...
ch.mobi.mobitor.plugins:mobitor-plugin-bitbucket (>=3.1.305 <=3.1.313), ch.mobi.mobitor.plugins:mobitor-plugin-dwh (>=3.1.305 <=3.1.313) +71 more potentially affected by CVE-2025-29908 via io.netty.incubator:netty-incubator-codec-quic (=0.0.20.Final)
io.netty.incubator:netty-incubator-codec-quic MAVEN version =0.0.20.Final is affected by a known vulnerability. The following packages have a transitive dependency on io.netty.incubator:netty-incubator-codec-quic and may be impacted: - ch.mobi.mobitor.plugins:mobitor-plugin-bitbucket =3.1.305,...
Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images
Threat actors are using the "mu-plugins" directory in WordPress sites to conceal malicious code with the goal of maintaining persistent remote access and redirecting site visitors to bogus sites. mu-plugins, short for must-use plugins, refers to plugins in a special directory...
CVE-2025-30820
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in HT Plugins WishSuite wishsuite allows PHP Local File Inclusion. This issue affects WishSuite: from n/a through <= 1.4.4...
WordPress Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.0.9 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms versions <= 1.0.9...
CVE-2025-30863 WordPress Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.0.9 - Cross Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms integration-for-contact-form-7-and-google-sheets allows Cross Site Request Forgery. This issue affects Integration for Google Sheets and Contact Form 7,...
CVE-2025-30820 WordPress WishSuite plugin <= 1.4.4 - Local File Inclusion Vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in HT Plugins WishSuite wishsuite allows PHP Local File Inclusion. This issue affects WishSuite: from n/a through <= 1.4.4...
CVE-2025-30820
CVE-2025-30820 (WishSuite): WordPress WishSuite vulnerability exists due to Improper Control of Filename for Include/Require in PHP (PHP Local File Inclusion). The Wordfence Vulnerability details show this affects WishSuite versions up to 1.4.4 and requires authentication with at least Contribut...
PT-2025-13095 · Ht Plugins · Ht Plugins Wishsuite
Name of the Vulnerable Software and Affected Versions: HT Plugins WishSuite versions 1.4.4 and earlier. Description: The issue is related to an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion', which allows PHP Local File Inclusio...
CVE-2025-28858
Arrow Maps (WordPress plugin Arrow Maps) is affected by CVE-2025-28858: Reflected XSS due to improper neutralization of input during web page generation. Affected versions are described as 'n/a through <= 1.0.9'. The CVSS 3.1 base score is 7.1 (High) with network attack vector, low to low for ...
CVE-2025-2228
The Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.8 via the 'registeruser' function. This makes it possible for authenticated attackers, with...
Improper Preservation of Consistency Between Independent Representations of Shared State
Overview: Affected versions of this package are vulnerable to Improper Preservation of Consistency Between Independent Representations of Shared State which can result in two different OpenFlowNodeIds being assigned to the same SFF by different plugins. An attacker can trigger such a name conflict...
GHSA-V63M-X9R9-8GQP AWS CDK CLI prints AWS credentials retrieved by custom credential plugins
Summary: The AWS Cloud Development Kit (AWS CDK) [1] is an open-source software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. The AWS CDK CLI [2] is a command line tool for interacting with CDK applications. Customers can use the CDK CLI ...
AWS CDK CLI prints AWS credentials retrieved by custom credential plugins
Summary: The AWS Cloud Development Kit (AWS CDK) [1] is an open-source software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. The AWS CDK CLI [2] is a command line tool for interacting with CDK applications. Customers can use the CDK CLI ...
Missing Authentication for Critical Function
Overview: Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to servePluginRequest failing to enforce multifactor authentication for plugins, even when MFA is meant to be enabled. Remediation: Upgrade...
Missing Authentication for Critical Function
Overview: github.com/mattermost/mattermost/server/channels/app is a private-cloud Slack alternative. Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to servePluginRequest failing to enforce multifactor authentication for plugins, even when MFA is...
CVE-2024-13410
The CozyStay and TinySalt plugins for WordPress are vulnerable to PHP Object Injection in all versions up to, and including, 1.7.0, and in all versions up to, and including 3.9.0, respectively, via deserialization of untrusted input in the 'ajaxhandler' function. This makes it possible for...