
5093 matches found

Patchstack
added 2025/07/09 4:3 p.m. | 3 views

WordPress wpForo Forum plugin <= 2.4.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Avatar vulnerability

Authenticated Subscriber+ Stored Cross-Site Scripting via Profile Avatar vulnerability discovered by Muhan Luo in WordPress Plugin wpForo Forum versions <= 2.4.5...

CVSS 5.4 | AI score 5.5 | EPSS 0.00079
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/07/08 8:45 p.m. | 8 views

WordPress Support Board plugin <= 3.8.0 - Unauthenticated Authorization Bypass due to Use of Default Secret Key vulnerability

Unauthenticated Authorization Bypass due to Use of Default Secret Key vulnerability discovered by Foxyyy in WordPress Plugin Support Board versions <= 3.8.0...

CVSS 9.8 | AI score 6.6 | EPSS 0.00766
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/07/07 12:0 a.m. | 8 views

WordPress Invico - WordPress Consulting Business Theme Theme <= 1.9 is vulnerable to Cross Site Scripting (XSS)

Software: Invico - WordPress Consulting Business Theme; Type: Theme; Vulnerable versions: <= 1.9; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2025-31427; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: 9e4642f9ea67; Credits: Tran...

AI score 6.5 | EPSS 0.00185
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/07/04 10:12 a.m. | 4 views

WordPress All In One Slider Responsive plugin <= 3.7.9 - SQL Injection Vulnerability

SQL Injection Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Plugin All In One Slider Responsive versions <= 3.7.9...

CVSS 8.5 | AI score 9.1 | EPSS 0.00323
Exploits: 0 | Affected Software: 1

Patchstack
added 2025/07/03 6:12 p.m. | 4 views

WordPress Radio Station plugin <= 2.5.12 - Cross Site Request Forgery (CSRF) Vulnerability

Cross Site Request Forgery (CSRF) Vulnerability discovered by Nguyen Ngoc Quang Bach maysbachs in WordPress Plugin Radio Station versions <= 2.5.12...

CVSS 4.3 | AI score 6.6 | EPSS 0.00084
Exploits: 0 | Affected Software: 1

Patchstack
added 2025/07/03 12:6 p.m. | 4 views

WordPress EventON plugin <= 4.9.9 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Nguyễn Trung Kiên anhchangmutrang in WordPress Plugin EventON versions <= 4.9.9...

CVSS 6.3 | AI score 6.8 | EPSS 0.00208
Exploits: 0 | Affected Software: 1

Patchstack
added 2025/07/01 12:0 a.m. | 5 views

WordPress Home Villas Theme <= 2.8 is vulnerable to Arbitrary File Deletion

Software: Home Villas; Type: Theme; Vulnerable versions: <= 2.8; Fixed in: N/A; OWASP Top 10: A1: Injection; Classification: Arbitrary File Deletion; CVE: CVE-2025-5014; Patch priority: High; CVSS severity: High 7.7; PSID: cba250cec63a; Credits: Thái An; Required privilege: Subscriber; Published...

CVSS 8.8 | AI score 6.8 | EPSS 0.03343
Exploits: 0 | References: 2 | Affected Software: 1

Patchstack
added 2025/06/26 1:9 a.m. | 4 views

WordPress Post Rating and Review plugin <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via class Parameter vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via class Parameter vulnerability discovered by Gilang in WordPress Plugin Post Rating and Review versions <= 1.3.4...

CVSS 6.4 | AI score 5.5 | EPSS 0.00123
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/06/26 12:21 a.m. | 4 views

WordPress WP SoundSystem plugin <= 3.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpsstm-track Shortcode vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via wpsstm-track Shortcode vulnerability discovered by Gilang in WordPress Plugin WP SoundSystem versions <= 3.4.2...

CVSS 6.4 | AI score 5.5 | EPSS 0.00164
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/06/26 12:0 a.m. | 4 views

WordPress Homey Theme <= 2.4.5 is vulnerable to Cross Site Scripting (XSS)

Software: Homey; Type: Theme; Vulnerable versions: <= 2.4.5; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2025-31037; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: 23e723348628; Credits: Ayoub Nouri; Required privilege: Unauthenticate...

CVSS 7.1 | AI score 6.5 | EPSS 0.00185
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/06/26 12:0 a.m. | 7 views

WordPress Neom Blog Theme <= 0.0.9 is vulnerable to Cross Site Scripting (XSS)

Software: Neom Blog; Type: Theme; Vulnerable versions: <= 0.0.9; Fixed in: 0.1.0; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2025-49274; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: da522fea2d13; Credits: Le Ngoc Anh; Required privilege...

CVSS 7.1 | AI score 6.5 | EPSS 0.00185
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/06/25 12:0 a.m. | 4 views

WordPress Litho Theme <= 3.0 is vulnerable to Arbitrary File Deletion

Software: Litho; Type: Theme; Vulnerable versions: <= 3.0; Fixed in: 3.1; OWASP Top 10: A3: Injection; Classification: Arbitrary File Deletion; CVE: CVE-2025-49879; Patch priority: High; CVSS severity: High 8.6; PSID: b5c6a3b3bdf8; Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity...

CVSS 8.6 | AI score 6.4 | EPSS 0.00375
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/06/25 12:0 a.m. | 6 views

WordPress Blogvy Theme <= 1.0.7 is vulnerable to Local File Inclusion

Software: Blogvy; Type: Theme; Vulnerable versions: <= 1.0.7; Fixed in: 1.0.8; OWASP Top 10: A3: Injection; Classification: Local File Inclusion; CVE: CVE-2025-49279; Patch priority: High; CVSS severity: High 8.1; PSID: 32ad01b31638; Credits: Le Ngoc Anh; Required privilege: Unauthenticated...

CVSS 8.1 | AI score 6.4 | EPSS 0.00547
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/06/23 9:7 p.m. | 6 views

WordPress Aiomatic plugin <= 2.5.0 - Authenticated (Subscriber+) Arbitrary File Upload vulnerability

Authenticated Subscriber+ Arbitrary File Upload vulnerability discovered by khanhhnahk1 in WordPress Plugin Aiomatic versions <= 2.5.0...

CVSS 7.5 | AI score 6.8 | EPSS 0.00904
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/06/23 1:1 p.m. | 9 views

WordPress WP Front User Submit / Front Editor plugin <= 4.9.3 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting (XSS) vulnerability discovered by Nguyen Ngoc Quang Bach maysbachs in WordPress Plugin WP Front User Submit / Front Editor versions <= 4.9.3...

CVSS 7.1 | AI score 5.9 | EPSS 0.00185
Exploits: 0 | Affected Software: 1

Patchstack
added 2025/06/23 12:0 a.m. | 5 views

WordPress Seven Stars Theme <= 1.4.4 is vulnerable to Cross Site Scripting (XSS)

Software: Seven Stars; Type: Theme; Vulnerable versions: <= 1.4.4; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2025-31067; Patch priority: Medium; CVSS severity: Medium 7.1; PSID: 9c2cf87e3798; Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber...

AI score 6.8 | EPSS 0.00185
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/06/23 12:0 a.m. | 4 views

WordPress Amely Theme <= 3.1.4 is vulnerable to SQL Injection

Software: Amely; Type: Theme; Vulnerable versions: <= 3.1.4; Fixed in: 3.2.0; OWASP Top 10: A3: Injection; Classification: SQL Injection; CVE: CVE-2025-39474; Patch priority: High; CVSS severity: High 9.3; PSID: 14a3ee2aee2f; Credits: Bonds; Required privilege: Unauthenticated; Published: 23 June...

AI score 7.2 | EPSS 0.00241
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/06/23 12:0 a.m. | 7 views

WordPress Sofass Theme <= 1.3.4 is vulnerable to Local File Inclusion

Software: Sofass; Type: Theme; Vulnerable versions: <= 1.3.4; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Local File Inclusion; CVE: CVE-2025-24760; Patch priority: High; CVSS severity: High 8.1; PSID: 97dd93e076df; Credits: Phat RiO - BlueRock; Required privilege: Unauthenticat...

AI score 7.2 | EPSS 0.00547
Exploits: 0 | References: 1 | Affected Software: 1

RedhatCVE
added 2025/06/21 3:43 a.m. | 3 views

CVE-2022-50177

In the Linux kernel, the following vulnerability has been resolved: rcutorture: Fix ksoftirqd boosting timing and iteration The RCU priority boosting can fail in two situations: 1 If nrcpus= maxcpus=, which means if the total number of CPUs is higher than those brought online at boot, then...

CVSS 7 | AI score 7 | EPSS 0.00065
Exploits: 0 | References: 4

NVD
added 2025/06/20 12:15 p.m. | 9 views

CVE-2025-38083

In the Linux kernel, the following vulnerability has been resolved: netsched: prio: fix a race in priotune Gerrard Tai reported a race condition in PRIO, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 1: lock root 2: qdisctreeflushbacklog 3: unlock root | ...

CVSS 4.7 | EPSS 0.00088
Exploits: 0 | References: 11