WordPress WP Post Hide plugin <= 1.0.9 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Nguyen Xuan Chien in WordPress plugin WP Post Hide versions <= 1.0.9...
CVE-2025-30973 WordPress CoSchool LMS plugin <= 1.4.3 - PHP Object Injection Vulnerability
Deserialization of Untrusted Data vulnerability in Codexpert, Inc CoSchool LMS (coschool) allows Object Injection. This issue affects CoSchool LMS: from n/a through 1.4.3...
CVE-2025-47645 WordPress ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes plugin <= 1.4.9 - Subscriber+ SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes allows SQL Injection. This issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes: from n/a...
CVE-2025-54037
CVE-2025-54037 describes a Missing Authorization vulnerability in the Blazethemes News Kit Elementor Addons WordPress plugin. Affected software: News Kit Elementor Addons (versions up to 1.3.4). Root cause: improperly configured access control security levels that permit unauthorized actions. Imp...
CVE-2025-53990 WordPress JetFormBuilder plugin <= 3.5.1.2 - PHP Object Injection Vulnerability
Deserialization of Untrusted Data vulnerability in jetmonsters JetFormBuilder (jetformbuilder) allows Object Injection. This issue affects JetFormBuilder: from n/a through 3.5.1.2...
CVE-2025-6747
The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fusionmap' shortcode in all versions up to, and including, 3.12.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-7442
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to SQL Injection via several parameters in the MJgmgtdeleteclasslimitformember, MJgmgtgetyearlyincomeexpense, MJgmgtgetmonthlyincomeexpense, MJgmgtaddclasslimit, MJgmgtviewmeetingdetail, and MJgmgtcreatemeeting functio...
CVE-2025-6236
The Hostel WordPress plugin before 1.1.5.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup)...
WordPress RSFirewall! plugin <= 1.1.42 - Authenticated (Admin+) Arbitrary File Read vulnerability
Authenticated (Admin+) Arbitrary File Read vulnerability discovered by WordFence in WordPress plugin RSFirewall! versions <= 1.1.42...
CVE-2025-7387
The Lana Downloads Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the endpoint parameters in versions up to, and including, 1.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
WordPress SureForms plugin <= 1.7.3 - Unauthenticated PHP Object Injection (PHAR) vulnerability
Unauthenticated PHP Object Injection (PHAR) vulnerability discovered by Phat RiO - BlueRock in WordPress plugin SureForms versions <= 1.7.3...
WordPress iFrame Images Gallery plugin <= 9.0 - SQL Injection Vulnerability
SQL Injection vulnerability discovered by Peter Thaleikis in WordPress plugin iFrame Images Gallery versions <= 9.0...
WordPress fluXtore plugin <= 1.6.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Martino Spagnuolo (r3verii) in WordPress plugin fluXtore versions <= 1.6.0...
WordPress Magic Buttons for Elementor plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via magic-button Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via magic-button Shortcode vulnerability discovered by muhammad yudha in WordPress plugin Magic Buttons for Elementor versions <= 1.0...
WordPress Everest Forms Plugin <= 3.2.2 is vulnerable to PHP Object Injection
Software: Everest Forms; Type: Plugin; Vulnerable versions: <= 3.2.2; Fixed in: 3.2.3; OWASP Top 10: A3: Injection; Classification: PHP Object Injection; CVE: CVE-2025-52709; Patch priority: High; CVSS severity: High (9.8); Developer: Everest Forms; PSID: ed6f018dd59f; Credits: Phat RiO - BlueRock; Required privilege...
WordPress Ultra Addons for Contact Form 7 plugin <= 3.5.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via UACF7_CUSTOM_FIELDS Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via UACF7_CUSTOM_FIELDS Shortcode vulnerability discovered by muhammad yudha in WordPress plugin Ultimate Addons for Contact Form 7 versions <= 3.5.21...
WordPress Opal Estate Pro plugin <= 1.7.5 - Unauthenticated Privilege Escalation via 'on_regiser_user' vulnerability
Unauthenticated Privilege Escalation via 'on_regiser_user' vulnerability discovered by Alyudin Nafiie in WordPress plugin Opal Estate Pro versions <= 1.7.5...
WordPress Email Address Security by WebEmailProtector plugin <= 3.3.6 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) vulnerability discovered by chuck in WordPress plugin Email Address Security by WebEmailProtector versions <= 3.3.6...
CVE-2025-6755 Game Users Share Buttons <= 1.3.0 - Authenticated (Subscriber+) Arbitrary File Deletion via themeNameId Parameter
The Game Users Share Buttons plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaxDeleteTheme function in all versions up to, and including, 1.3.0. This makes it possible for Subscriber-level attackers to add arbitrary file paths such a...