CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 2025/10/18 6:42 a.m.•16 views

CVE-2025-9562

The CVE-2025-9562 entry covers the WordPress plugin Redirection for Contact Form 7 (wpcf7-redirect) with a Stored Cross-Site Scripting vulnerability in the qs_date shortcode. Affected versions: all up to and including 3.2.6. Root cause: insufficient input sanitization and output escaping on user-...

6.4CVSS4.7AI score0.00285EPSS

Vulnrichment•added 2025/10/18 6:42 a.m.•2 views

CVE-2025-9562 Redirection for Contact Form 7 <= 3.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via qs_date Shortcode

6.4CVSS4.7AI score0.00285EPSS

EUVD•added 2025/10/18 6:30 a.m.•2 views

EUVD-2025-34966

The XX2WP Integration Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mxpfb2wpdisplayembed' shortcode in all versions up to, and including, 1.9.9. This is due to the plugin not properly sanitizing user input and output of the 'postid' parameter. This makes it...

6.4CVSS4.7AI score0.00275EPSS

NVD•added 2025/10/18 6:15 a.m.•3 views

CVE-2025-11857

6.4CVSS0.00275EPSS

CVE•added 2025/10/18 5:41 a.m.•15 views

CVE-2025-11857

The CVE-2025-11857 entry pertains to the XX2WP Integration Tools WordPress plugin. Affected versions are all up to and including 1.9.9, with a Stored Cross-Site Scripting (Stored XSS) flaw in the mxp_fb2wp_display_embed shortcode caused by improper sanitization of the post_id parameter. This allo...

6.4CVSS4.8AI score0.00275EPSS

RedhatCVE•added 2025/10/16 8:33 a.m.•3 views

CVE-2025-10140

The Quick Social Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'quick-login' shortcode in all versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4CVSS5AI score0.00265EPSS

RedhatCVE•added 2025/10/16 8:33 a.m.•3 views

CVE-2025-10682

The TARIFFUXX plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4. This is due to insufficient neutralization of user-supplied input used directly in SQL queries. This makes it possible for authenticated attackers, with Contributor-level access and above, to...

6.5CVSS6.5AI score0.0028EPSS

6.4CVSS5AI score0.00214EPSS

CVE-2025-10135

The WP ViewSTL plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'viewstl' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...

6.4CVSS5AI score0.00214EPSS

CVE-2025-10132

The Dhivehi Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dhivehi' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.5CVSS6.6AI score0.00252EPSS

CVE-2025-10730

The Wp tabber widget plugin for WordPress is vulnerable to SQL Injection via the 'wp-tabber-widget' shortcode in all versions up to, and including, 4.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible...

6.4CVSS6.1AI score0.00274EPSS

CVE-2025-10141

The Digiseller plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ds' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, wi...

6.4CVSS5AI score0.00265EPSS

CVE-2025-10194

The Shortcode Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

NVD•added 2025/10/16 7:15 a.m.•4 views

CVE-2025-10742

The Truelysell Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.8.6. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for...

9.8CVSS0.00492EPSS

CVE•added 2025/10/16 6:47 a.m.•19 views

CVE-2025-10742

CVE-2025-10742 affects Truelysell Core (WordPress) up to version 1.8.6. The vulnerability allows unauthenticated attackers to change user passwords due to user-controlled access to objects, potentially taking over administrator accounts. Exploitation is possible without authentication only if the...

9.8CVSS5.7AI score0.00492EPSS

Cvelist•added 2025/10/16 6:47 a.m.•7 views

CVE-2025-10742 Truelysell Core <= 1.8.6 - Unauthenticated Arbitrary User Password Change

9.8CVSS0.00492EPSS

EUVD•added 2025/10/16 6:47 a.m.•5 views

EUVD-2025-34722

9.8CVSS5.7AI score0.00492EPSS

RedhatCVE•added 2025/10/16 6:33 a.m.•8 views

CVE-2025-10406

The BlindMatrix e-Commerce WordPress plugin before 3.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users, such as contributors, to perform LFI attacks...

5.5CVSS6.6AI score0.0024EPSS

NVD•added 2025/10/15 9:15 a.m.•5 views

CVE-2025-11722

The Woocommerce Category and Products Accordion Panel plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0 via the 'categoryaccordionpanel' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to...

7.5CVSS0.00584EPSS

NVD•added 2025/10/15 9:15 a.m.•2 views

CVE-2025-11365

The WP Google Map Plugin plugin for WordPress is vulnerable to blind SQL Injection via the 'id' parameter of the 'googlemap' shortcode in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query...

6.5CVSS0.00252EPSS