CVE-2025-8487
CVE-2025-8487 affects Kubio AI Page Builder for WordPress up to version 2.6.3. The vulnerability is caused by a missing capability check on the kubio-image-hub-install-plugin AJAX action, enabling authenticated users with Subscriber-level access and above to install the Image Hub plugin. Exploita...
CVE-2025-0763 Ultimate Classified Listings <= 1.6 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update
The Ultimate Classified Listings plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the savecustomfields function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access a...
CVE-2025-9219 Post SMTP <= 3.4.1 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Option Update
The Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'updatepostsmtpprooptioncallback'...
CVE-2025-0951
Multiple plugins and/or themes for WordPress by LiquidThemes are vulnerable to unauthorized access due to a missing capability check on the liquidresetwordpressbefore AJAX in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivat...
CVE-2025-7827 Ni WooCommerce Customer Product Report <= 1.2.4 - Missing Authorization to Authenticated (Subscriber+) Settings Update
The Ni WooCommerce Customer Product Report plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the niwoocpraction function in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-leve...
CVE-2025-9202
CVE-2025-9202 affects ColorMag for WordPress (versions ≤ 4.0.19). The vulnerability arises from a missing capability check in the welcome_notice_import_handler(), allowing authenticated users with Subscriber-level access and above to install the ThemeGrill Demo Importer plugin and modify data. Th...
CVE-2025-8896
The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gdprcommunicationpreferences' parameter in all versions up to, and including, 3.14.3 due to insufficient input sanitization and...
CVE-2025-8676
The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Sensitive Information Exposure in versions less than, or equal to, 2.0.0 via the getactiveplugins function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract...
CVE-2025-6754 SEO Metrics <= 1.0.15 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
The SEO Metrics plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks in both the seometricshandleconnectbuttonclick AJAX handler and the seometricshandlecustomendpoint function in all versions up to, and including, 1.0.15. Because the AJAX action only...
CVE-2025-6726
The Block Editor Gallery Slider plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the classicgalleryslideroptions function in all versions up to, and including, 1.1.1. This makes it possible for authenticated attackers, with...
CVE-2025-6729 PayMaster for WooCommerce <= 0.4.31 - Authenticated (Subscriber+) Server-Side Request Forgery
The PayMaster for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 0.4.31 via the 'wpajaxpaymstatus' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to...
CVE-2025-5812
The VG WORT METIS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the gutenbergsavepost function in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...
CVE-2025-5018
The Hive Support plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the hsupdateaichatsettings and hivelitesupportgetallbinbox functions in all versions up to, and including, 1.2.5. This makes it possible for authenticated...
CVE-2025-3054
The WP User Frontend Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadfiles function in all versions up to, and including, 4.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload...
CVE-2025-4047
The Broken Link Checker plugin for WordPress is vulnerable to unauthorized data access due to a missing capability check on the ajaxfullstatus and ajaxdashboardstatus functions in all versions up to, and including, 2.4.4. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2025-4420
CVE-2025-4420 affects the WordPress plugin “Vayu Blocks – Website Builder for the Block Editor” (Vayu Blocks) up to version 1.3.1. It enables a stored XSS via the containerWidth parameter due to a missing capability check in vayu_blocks_option_panel_callback() and insufficient input sanitization/...
CVE-2025-4047 Broken Link Checker <= 2.4.4 - Missing Authorization to Authenticated (Subscriber+) Plugin Status Dashboard View
CVE-2025-4047
CVE-2025-4047 affects the WordPress Broken Link Checker plugin (versions up to 2.4.4). The root cause is a missing capability check on the ajax_full_status and ajax_dashboard_status functions, allowing authenticated users with Subscriber-level access and above to view the plugin’s status and data...
CVE-2025-4431
The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fipsaveattachfeatured function in all versions up to, and including, 1.6.4. This makes it possible for authenticated attackers...
CVE-2025-4431
CVE-2025-4431 affects the WordPress plugin Featured Image Plus – Quick & Bulk Edit with Unsplash. The root cause is a missing capability check in the function fip_save_attach_featured, enabling unauthorised modification of post featured images by authenticated users with Subscriber-level access ...