Skip to main content
CVE-2025-13848 MEDIUM This Month

The STM Gallery 1.9 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'composicion' parameter in all versions up to, and including, 0.9 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13847 MEDIUM This Month

The PhotoFade plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'time' parameter in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13667 MEDIUM This Month

The WP Recipe Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Skill Level' input field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user-supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-0980 MEDIUM This Month

Nokia SR Linux is vulnerable to an authentication vulnerability allowing unauthorized access to the JSON-RPC service. When exploited, an invalid validation allows JSON RPC access without providing valid authentication credentials. [CVSS 6.4 MEDIUM]

Linux
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14131 MEDIUM This Month

The WP Widget Changer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-14130 MEDIUM This Month

The Post Like Dislike plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-14875 MEDIUM This Month

HBLPAY Payment Gateway for WooCommerce (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.1).

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-14842 MEDIUM This Month

The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. This is due to the plugin not blocking .phar and .svg files. This makes it possible for unauthenticated attackers to upload arbitrary .phar or .svg files containing malicious PHP or JavaScript code. Malicious PHP code can be used to achieve remote code execution on the server via direct file access, if the se...

WordPress PHP RCE XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-13369 MEDIUM This Month

Premmerce WooCommerce Customers Manager (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.1).

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-0618 MEDIUM This Month

PowerShell Universal versions before 4.5.6 and 5.6.13 contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the network interface, affecting confidentiality and integrity of user sessions. An attacker can exploit this with user interaction to steal sensitive information or perform actions on behalf of affected users. No patch is currently available for this vulnerability.

XSS Powershell Universal
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-14128 MEDIUM This Month

The Stumble! for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-14127 MEDIUM This Month

The Testimonial Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-14118 MEDIUM This Month

The Starred Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the PHP_SELF variable in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-13519 MEDIUM This Month

The SVG Map Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on multiple AJAX actions including 'save_data', 'delete_data', and 'add_popup'. [CVSS 6.1 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-47331 MEDIUM PATCH This Month

Information disclosure while processing a firmware event. [CVSS 6.1 MEDIUM]

Information Disclosure Ipq9048 Firmware Wsa8840 Firmware Qcm8550 Firmware Qca9888 Firmware +278
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-0642 LOW POC Monitor

House Rental And Property Listing Project versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 2.4).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-66560 MEDIUM PATCH This Month

Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and 3.20.5, a vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits for previously written response chunks to be fully transmitted before proceeding. If the client connection is dropped during this waiting period, the associated worker thread is never released and becomes permanently b...

Linux Java Quarkus Red Hat
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-20026 MEDIUM This Month

processing of DCE/RPC requests contains a vulnerability that allows attackers to unexpectedly restart the Snort 3 Detection Engine, which could cause a denial of (CVSS 5.8).

Cisco Use After Free Denial Of Service
NVD
CVSS 3.1
5.8
EPSS
0.1%
CVE-2025-62224 MEDIUM This Month

User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an authorized attacker to perform spoofing over a network. [CVSS 5.5 MEDIUM]

Microsoft Android Edge
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-21495 MEDIUM PATCH This Month

iccDEV versions prior to 2.3.1.2 are susceptible to a division by zero error in the TIFF Image Reader component, which can be triggered by a local user with minimal privileges through interaction with a malicious TIFF file. Successful exploitation results in denial of service by crashing the application. A patch is available in version 2.3.1.2 and later.

Code Injection Iccdev
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-47330 MEDIUM PATCH This Month

Transient DOS while parsing video packets received from the video firmware. [CVSS 5.5 MEDIUM]

Denial Of Service Fastconnect 6700 Firmware Qca6574a Firmware Qca9377 Firmware Snapdragon X72 5g Modem Rf System Firmware +202
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-47369 MEDIUM PATCH This Month

Information disclosure when a weak hashed value is returned to userland code in response to a IOCTL call to obtain a session ID. [CVSS 5.5 MEDIUM]

Information Disclosure Snapdragon 660 Mobile Platform Firmware Snapdragon Xr2 5g Platform Firmware Sa6145p Firmware Snapdragon X55 5g Modem Rf System Firmware +154
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-61782 MEDIUM PATCH This Month

Opencti versions up to 6.8.3 is affected by url redirection to untrusted site (open redirect) (CVSS 5.4).

Open Redirect Opencti
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-15479 MEDIUM This Month

Stored cross-site scripting (XSS, CWE-79) in the survey content and administration functionality in Data Illusion Zumbrunn NGSurvey Enterprise Edition 3.6.4 on all supported platforms ( on Windows and Linux servers ) allows authenticated remote users with survey creation or edit privileges to execute arbitrary JavaScript in other users’ browsers, steal session information and perform unauthorized actions on their behalf via crafted survey content that is rendered without proper output encoding. [CVSS 5.4 MEDIUM]

Linux Windows XSS Ngsurvey
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-12776 MEDIUM This Month

The Report Builder component of the application stores user input directly in a web page and displays it to other users, which raised concerns about a possible Cross-Site Scripting (XSS) attack. Proper management of this functionality helps ensure a secure and seamless user experience. [CVSS 5.4 MEDIUM]

XSS Commvault
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14802 MEDIUM This Month

The LearnPress - WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the endpoint uses file_id from the URL path but the permission callback validates item_id from the request body. This makes it possible for authenticated attackers, with teacher-level access, to delete ...

WordPress PHP
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-12449 MEDIUM This Month

The aBlocks - WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJAX actions in all versions up to, and including, 2.4.0. [CVSS 5.4 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-13529 MEDIUM This Month

The Unify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'init' action in all versions up to, and including, 3.4.9. [CVSS 5.3 MEDIUM]

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-13419 MEDIUM This Month

The Guest posting / Frontend Posting / Front Editor - WP Front User Submit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bfe/v1/revert' REST API endpoint in all versions up to, and including, 5.0.0. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-12648 MEDIUM This Month

The WP-Members Membership Plugin for WordPress is vulnerable to unauthorized file access in versions up to, and including, 3.5.4.4. This is due to storing user-uploaded files in predictable directories (wp-content/uploads/wpmembers/user_files/<user_id>/) without implementing proper access controls beyond basic directory listing protection (.htaccess with Options -Indexes). This makes it possible for unauthenticated attackers to directly access and download sensitive documents uploaded by site...

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-20027 MEDIUM This Month

Snort 3 Detection Engine contains a buffer out-of-bounds read vulnerability in DCE/RPC request processing that allows unauthenticated remote attackers to leak sensitive information or trigger service restarts over an established connection. An attacker can exploit this by sending specially crafted DCE/RPC requests to extract data from the inspection stream or interrupt packet analysis operations. No patch is currently available for affected Cisco products.

Cisco
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13722 MEDIUM This Month

The Fluent Forms - Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.7. This is due to missing capability checks on the `fluentform_ai_create_form` AJAX action. [CVSS 5.3 MEDIUM]

WordPress AI / ML PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13496 MEDIUM This Month

Moosend Landing Pages (WordPress plugin) versions up to 1.1.6. is affected by missing authorization (CVSS 5.3).

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14460 MEDIUM This Month

The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the payment gateway. This makes it possible for unauthenticated attackers to change any order's status to 'failed' via the publicly accessible WooCommerce API endpoint by providing only the order ID (Merc...

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-31051 MEDIUM This Month

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in EngoTheme Plant - Gardening & Houseplants WordPress Theme allows Retrieve Embedded Sensitive Data.This issue affects Plant - Gardening & Houseplants WordPress Theme: from n/a through 1.0.0. [CVSS 5.3 MEDIUM]

WordPress Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14352 MEDIUM This Month

The Awesome Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to incorrect authorization in the room-single.php shortcode handler in all versions up to, and including, 1.0. [CVSS 5.3 MEDIUM]

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13694 MEDIUM This Month

AA Block Country (WordPress plugin) versions up to 1.0.1. contains a security vulnerability (CVSS 5.3).

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2023-7333 MEDIUM PATCH This Month

A weakness has been identified in bluelabsio records-mover versions up to 1.5.4. contains a security vulnerability (CVSS 5.3).

SQLi
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2024-14020 MEDIUM PATCH This Month

A weakness has been identified in carboneio carbone up to fbcd349077ad0e8748be73eab2a82ea92b6f8a7e. This impacts an unknown function of the file lib/input.js of the component Formatter Handler. [CVSS 5.0 MEDIUM]

Node.js
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-20029 MEDIUM This Month

Cisco ISE and ISE-PIC suffer from improper XML parsing in their web management interfaces that enables authenticated administrators to extract arbitrary files from the underlying operating system, potentially exposing sensitive data beyond normal access controls. An attacker must have valid administrative credentials and upload a malicious file to exploit this XML External Entity (XXE) vulnerability. No patch is currently available.

Cisco
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-62327 MEDIUM This Month

Hcl Devops Deploy versions up to 8.1.2.3 is affected by insufficiently protected credentials (CVSS 4.9).

Authentication Bypass AI / ML Hcl Devops Deploy
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-14719 MEDIUM This Month

The Relevanssi WordPress plugin before 4.26.0, Relevanssi Premium WordPress plugin before 2.29.0 do not sanitize and escape a parameter before using it in a SQL statement, allowing contributor and above roles to perform SQL injection attacks [CVSS 4.9 MEDIUM]

WordPress SQLi PHP
NVD WPScan
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-49335 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in minnur External Media allows Server Side Request Forgery.This issue affects External Media: from n/a through 1.0.36. [CVSS 4.9 MEDIUM]

SSRF
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-12540 MEDIUM This Month

The ShareThis Dashboard for Google Analytics plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.4. This is due to the Google Analytics client_ID and client_secret being stored in plaintext in the publicly visible plugin source. This can allow unauthenticated attackers to craft a link to the sharethis.com server, which will share an authorization token for Google Analytics with a malicious website, if the attacker can trick an adminis...

WordPress Industrial Information Disclosure PHP
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-22184 MEDIUM PATCH This Month

Local privilege escalation in zlib 1.3.1.2 and earlier allows authenticated users to achieve arbitrary code execution through a buffer overflow in the contrib/untgz utility when processing command-line arguments with excessively long archive names. The vulnerability affects only the standalone untgz demonstration tool and does not impact the core zlib library. No patch is currently available.

Buffer Overflow Memory Corruption Zlib
NVD GitHub VulDB
CVSS 4.0
4.6
EPSS
0.0%
CVE-2025-15000 MEDIUM This Month

The Page Keys plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘page_key’ parameter in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-14888 MEDIUM This Month

The Simple User Meta Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user meta value field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-14887 MEDIUM This Month

The twinklesmtp - Email Service Provider For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's sender settings in all versions up to, and including, 1.03 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-14028 MEDIUM This Month

The Contact Us Simple Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-14792 MEDIUM This Month

The Key Figures plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kf_field_figure_default_color_render function in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
Prev Page 4 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy