215 matches found
CVE-2025-9378 Vayu Blocks <= 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Block Attributes
The Vayu Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple attributes in the Lottie block in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping. This makes it possible for...
PT-2025-35696
Name of the Vulnerable Software and Affected Versions: Vayu Blocks – Website Builder for the Block Editor plugin for WordPress versions up to and including 1.3.9 Description: The Vayu Blocks – Website Builder for the Block Editor plugin for WordPress is susceptible to Stored Cross-Site Scripting...
CVE-2025-58218
Deserialization of Untrusted Data vulnerability in enituretechnology Small Package Quotes – USPS Edition small-package-quotes-usps-edition allows Object Injection. This issue affects Small Package Quotes – USPS Edition: from n/a through <= 1.3.9...
WordPress Small Package Quotes – USPS Edition Plugin <= 1.3.9 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by Drew / mcdruid in WordPress Plugin Small Package Quotes – USPS Edition versions <= 1.3.9...
CVE-2025-58218
CVE-2025-58218 describes a Deserialization of Untrusted Data vulnerability in the WordPress plugin Small Package Quotes – USPS Edition (enituretechnology) affecting versions n/a through 1.3.9. The issue is described as PHP Object Injection via untrusted data deserialization, leading to potential ...
CVE-2025-58218 WordPress Small Package Quotes – USPS Edition Plugin <= 1.3.9 - PHP Object Injection Vulnerability
Deserialization of Untrusted Data vulnerability in enituretechnology Small Package Quotes – USPS Edition small-package-quotes-usps-edition allows Object Injection. This issue affects Small Package Quotes – USPS Edition: from n/a through <= 1.3.9...
PT-2025-34927 · Enituretechnology · The Small Package Quotes – Ups Edition
Name of the Vulnerable Software and Affected Versions: enituretechnology Small Package Quotes – USPS Edition versions n/a through 1.3.9 Description: The software contains a deserialization of untrusted data flaw that allows object injection. Recommendations: Update to a version later than 1.3.9...
CVE-2025-54130 Cursor Agent is vulnerable to prompt injection via Editor Special Files
Cursor is a code editor built for programming with AI. Cursor allows writing in-workspace files with no user approval in versions less than 1.3.9. If the file is a dotfile, editing it requires approval but creating a new one doesn't. Hence, if sensitive editor files, such as the...
CVE-2025-54130
CVE-2025-54130 (Cursor) affects Cursor, a code editor with AI features. In versions
CVE-2025-54135 Cursor Agent is vulnerable to prompt injection via MCP Special Files
Cursor is a code editor built for programming with AI. Cursor allows writing in-workspace files with no user approval in versions below 1.3.9. If the file is a dotfile, editing it requires approval but creating a new one doesn't. Hence, if sensitive MCP files, such as the .cursor/mcp.json file...
CVE-2025-54135
Cursor before v1.3.9 allows prompt injection via MCP server data to auto-run and write to ~/.cursor/mcp.json, enabling RCE when processing external content. Affected: Cursor AI code editor (Cursor) in-workspace file writes without user approval; dotfiles require approval but new dotfiles do n...
CVE-2025-7078
A vulnerability classified as problematic was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.3.9. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used...
CVE-2025-52729
CVE-2025-52729 is a Local File Inclusion vulnerability in the Diza WordPress theme (thembay) via improper control of filenames for PHP include/require. Affected versions are Diza
WordPress plugin Diza security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...
CVE-2025-49260
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Aora aora allows PHP Local File Inclusion. This issue affects Aora: from n/a through <= 1.3.9...
WordPress Aora theme <= 1.3.9 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Phat RiO - BlueRock in WordPress Theme Aora versions <= 1.3.9...
CVE-2024-34754
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in A WP Life Contact Form Widget. This issue affects Contact Form Widget: from n/a through 1.3.9...