5093 matches found

Patchstack
added 2025/06/03 9:40 a.m. | 6 views

WordPress Category Icon plugin <= 1.0.3 - XML External Entity (XXE) vulnerability

XML External Entity (XXE) vulnerability discovered by mcdruid in WordPress Plugin Category Icon versions <= 1.0.3...

CVSS 9.1 | AI score 6.9 | EPSS 0.00228
Exploits: 0 | Affected Software: 1

Patchstack
added 2025/06/03 8:45 a.m. | 7 views

WordPress WC MyParcel Belgium plugin <= 4.5.5-beta - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting (XSS) vulnerability discovered by Ryan Novotny in WordPress Plugin WC MyParcel Belgium versions <= 4.5.5-beta...

CVSS 7.1 | AI score 5.9 | EPSS 0.00185
Exploits: 0 | Affected Software: 1

Patchstack
added 2025/06/03 12:0 a.m. | 5 views

WordPress Arlo Theme <= 6.0.3 is vulnerable to Local File Inclusion

Software: Arlo | Type: Theme | Vulnerable versions: <= 6.0.3 | Fixed in: N/A | OWASP Top 10: A3: Injection | Classification: Local File Inclusion | CVE: CVE-2025-39475 | Patch priority: High | CVSS severity: High 8.1 | Developer: Claim ownership | PSID: eaea2827ac9d | Credits: Bonds | Required privilege: Unauthenticated | Published: 3...

CVSS 8.1 | AI score 6.8 | EPSS 0.00257
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/06/03 12:0 a.m. | 6 views

WordPress FlatNews Theme <= 5.8 is vulnerable to Cross Site Scripting (XSS)

Software: FlatNews | Type: Theme | Vulnerable versions: <= 5.8 | Fixed in: N/A | OWASP Top 10: A3: Injection | Classification: Cross Site Scripting (XSS) | CVE: CVE-2025-32305 | Patch priority: Medium | CVSS severity: Medium 7.1 | Developer: Claim ownership | PSID: ff5e3bb37606 | Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber...

CVSS 7.1 | AI score 6.5 | EPSS 0.00185
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/06/03 12:0 a.m. | 3 views

WordPress Minterio Theme <= 1.4.0 is vulnerable to Local File Inclusion

Software: Minterio | Type: Theme | Vulnerable versions: <= 1.4.0 | Fixed in: 1.4.1 | OWASP Top 10: A3: Injection | Classification: Local File Inclusion | CVE: CVE-2025-48290 | Patch priority: High | CVSS severity: High 8.1 | Developer: Claim ownership | PSID: 004a498a9b2a | Credits: Bonds | Required privilege: Unauthenticated | Publish...

AI score 6.3 | EPSS 0.00118
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/06/03 12:0 a.m. | 4 views

WordPress Lesya Theme <= 1.7.2 is vulnerable to Local File Inclusion

Software: Lesya | Type: Theme | Vulnerable versions: <= 1.7.2 | Fixed in: 1.7.3 | OWASP Top 10: A3: Injection | Classification: Local File Inclusion | CVE: CVE-2025-48290 | Patch priority: High | CVSS severity: High 8.1 | Developer: Claim ownership | PSID: b9712c5f2cb9 | Credits: Bonds | Required privilege: Unauthenticated | Published: ...

AI score 6.3 | EPSS 0.00118
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/06/02 12:0 a.m. | 5 views

WordPress Mr. Murphy Theme < 1.2.12.1 is vulnerable to PHP Object Injection

Software: Mr. Murphy | Type: Theme | Vulnerable versions: < 1.2.12.1 | Fixed in: 1.2.12.1 | OWASP Top 10: A3: Injection | Classification: PHP Object Injection | CVE: CVE-2025-49072 | Patch priority: High | CVSS severity: High 9.8 | Developer: Claim ownership | PSID: 743adbe763dd | Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber...

CVSS 9.8 | AI score 6.8 | EPSS 0.00369
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/05/30 9:47 p.m. | 7 views

WordPress Borderless – Elementor Addons and Templates plugin <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Robert DeVore in WordPress Plugin Borderless versions <= 1.7.1...

CVSS 6.4 | AI score 5.5 | EPSS 0.00298
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/05/30 9:44 p.m. | 8 views

WordPress PowerPress Podcasting plugin <= 11.9.17 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability

Authenticated (Author+) Stored Cross-Site Scripting vulnerability discovered by Krugov Artyom in WordPress Plugin PowerPress Podcasting versions <= 11.9.17...

CVSS 4.8 | AI score 5.7 | EPSS 0.00166
Exploits: 1 | References: 1 | Affected Software: 1

Patchstack
added 2025/05/30 10:3 a.m. | 8 views

WordPress Real Time Validation for Gravity Forms plugin <= 1.7.0 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting (XSS) vulnerability discovered by Nguyen Xuan Chien Patchstack Alliance in WordPress Plugin Real Time Validation for Gravity Forms versions <= 1.7.0...

CVSS 7.1 | AI score 5.9 | EPSS 0.00185
Exploits: 0 | Affected Software: 1

Patchstack
added 2025/05/30 7:46 a.m. | 9 views

WordPress History Log by click5 plugin <= 1.0.13 - Cross Site Scripting (XSS) Vulnerability

Cross Site Scripting (XSS) Vulnerability discovered by SashaRyba in WordPress Plugin History Log by click5 versions <= 1.0.13...

CVSS 6.5 | AI score 5.9 | EPSS 0.00143
Exploits: 0 | Affected Software: 1

Patchstack
added 2025/05/30 6:57 a.m. | 6 views

WordPress LA-Studio Element Kit for Elementor plugin <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Compare and Google Maps Widgets vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via Image Compare and Google Maps Widgets vulnerability discovered by Robert DeVore in WordPress Plugin LA-Studio Element Kit for Elementor versions <= 1.5.2...

CVSS 6.4 | AI score 5.5 | EPSS 0.00163
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/05/30 6:54 a.m. | 9 views

WordPress LA-Studio Element Kit for Elementor plugin <= 1.5.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via data-lakit-element-link Parameter vulnerability

Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via data-lakit-element-link Parameter vulnerability discovered by Webbernaut in WordPress Plugin LA-Studio Element Kit for Elementor versions <= 1.5.2...

CVSS 6.4 | AI score 5.5 | EPSS 0.00152
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/05/30 6:42 a.m. | 6 views

WordPress WP Pipes plugin <= 1.4.2 - Arbitrary File Deletion Vulnerability

Arbitrary File Deletion Vulnerability discovered by timomangcut in WordPress Plugin WP Pipes versions <= 1.4.2...

CVSS 9.1 | AI score 6.7 | EPSS 0.00375
Exploits: 0 | Affected Software: 1

Patchstack
added 2025/05/30 6:42 a.m. | 5 views

WordPress Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light plugin <= 2.4.37 - Arbitrary File Download Vulnerability

Arbitrary File Download Vulnerability discovered by ch4r0n in WordPress Plugin Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light versions <= 2.4.37...

CVSS 7.5 | AI score 6.7 | EPSS 0.00498
Exploits: 0 | Affected Software: 1

Patchstack
added 2025/05/30 12:0 a.m. | 8 views

WordPress Solar Energy Theme <= 3.5 is vulnerable to PHP Object Injection

Software: Solar Energy | Type: Theme | Vulnerable versions: <= 3.5 | Fixed in: N/A | OWASP Top 10: A3: Injection | Classification: PHP Object Injection | CVE: CVE-2025-32283 | Patch priority: High | CVSS severity: High 8.8 | Developer: Claim ownership | PSID: 835d026bbefc | Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity...

AI score 6.8 | EPSS 0.00113
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/05/29 7:57 p.m. | 11 views

WordPress Featured Image Plus plugin <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Featured Image Update vulnerability

Missing Authorization to Authenticated (Subscriber+) Featured Image Update vulnerability discovered by Kishan Vyas in WordPress Plugin Featured Image Plus versions <= 1.6.4...

CVSS 4.3 | AI score 6.7 | EPSS 0.00198
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2025/05/29 3:28 p.m. | 8 views

WordPress Verge3D plugin <= 4.9.3 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting (XSS) vulnerability discovered by Hiro Code016Hiro in WordPress Plugin Verge3D versions <= 4.9.3...

CVSS 7.1 | AI score 5.9 | EPSS 0.00185
Exploits: 0 | Affected Software: 1

Patchstack
added 2025/05/29 12:34 p.m. | 8 views

WordPress Infility Global plugin <= 2.14.51 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Martino Spagnuolo r3verii in WordPress Plugin Infility Global versions <= 2.14.51...

CVSS 8.5 | AI score 5.9 | EPSS 0.00179
Exploits: 0 | Affected Software: 1

OSV
added 2025/05/29 9:4 a.m. | 2 views

SUSE-SU-2025:01537-1 Security update for tomcat10

This update for tomcat10 fixes the following issues: Update to Tomcat 10.1.40 - CVE-2025-31650: invalid priority field values should be ignored bsc1242008 - CVE-2025-31651: Better handling of URLs with literal ';' and '?' bsc1242009 Full changelog:...

CVSS 9.8 | AI score 6.8 | EPSS 0.20251
Exploits: 6 | References: 5