Skip to main content
CVE-2025-13974 MEDIUM This Month

Email Customizer for WooCommerce (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-14057 MEDIUM This Month

The Multi-column Tag Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 17.0.39 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-14370 MEDIUM This Month

Quote Comments (WordPress plugin) versions up to 3.0.0. is affected by missing authorization (CVSS 5.3).

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-69344 MEDIUM This Month

Missing Authorization vulnerability in ThemeHunk Oneline Lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Oneline Lite: from n/a through 6.6. [CVSS 4.3 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-69333 MEDIUM This Month

Missing Authorization vulnerability in Crocoblock JetEngine allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetEngine: from n/a through 3.8.1.1. [CVSS 4.3 MEDIUM]

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14468 MEDIUM This Month

The AMP for WP - Accelerated Mobile Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12030 MEDIUM This Month

The ACF to REST API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.4. This is due to insufficient capability checks in the update_item_permissions_check() method, which only verifies that the current user has the edit_posts capability without checking object-specific permissions (e.g., edit_post($id), edit_user($id), manage_options). This makes it possible for authenticated attackers, with Contributor-level access and above, to...

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13990 MEDIUM This Month

The Mamurjor Employee Info plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on multiple administrative functions. This makes it possible for unauthenticated attackers to create, update, or delete employee records, departments, designations, salary grades, education records, and salary payments via a forged request granted they can trick a site administrator into performing an action such as cl...

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14845 MEDIUM This Month

NS IE Compatibility Fixer (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14999 MEDIUM This Month

The Latest Tabs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the settings update handler in admin-page.php. [CVSS 4.3 MEDIUM]

WordPress PHP CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14904 MEDIUM This Month

Newsletter Email Subscribe (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14465 MEDIUM This Month

Sticky Action Buttons (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14077 MEDIUM This Month

The Simcast plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the settingsPage function. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13657 MEDIUM This Month

HelpDesk contact form (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13527 MEDIUM This Month

The xShare plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'xshare_plugin_reset()' function. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13521 MEDIUM This Month

The WP Status Notifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings update functionality. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13520 MEDIUM This Month

The MTCaptcha WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2. This is due to missing or incorrect nonce validation on the settings update functionality. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-11235 LOW Monitor

Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules).This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, from 2022.0.0 before 2022.0.10. [CVSS 3.7 LOW]

Windows
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-31963 LOW Monitor

Bigfix Insights For Vulnerability Remediation versions up to 4.2 is affected by missing authentication for critical function (CVSS 2.9).

CSRF Bigfix Insights For Vulnerability Remediation
NVD
CVSS 3.1
2.9
EPSS
0.0%
CVE-2025-12958 LOW Monitor

Rankology SEO and Analytics Tool (WordPress plugin) is affected by improper authorization (CVSS 2.7).

WordPress Authentication Bypass
NVD
CVSS 3.1
2.7
EPSS
0.0%
CVE-2025-31964 LOW Monitor

Bigfix Insights For Vulnerability Remediation versions up to 4.2 is affected by information exposure (CVSS 2.2).

Information Disclosure Bigfix Insights For Vulnerability Remediation
NVD
CVSS 3.1
2.2
EPSS
0.0%
CVE-2026-0649 LOW Monitor

Server-side request forgery in InvoiceNinja up to version 5.12.38 allows remote attackers with high privileges to manipulate the company_logo parameter during migration imports, enabling them to make arbitrary outbound requests from the affected server. Public exploit code is available and the vendor has not provided a patch or response to this disclosure. The vulnerability affects PHP and Golang environments with a CVSS score of 4.7.

PHP SSRF
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-31962 LOW Monitor

Bigfix Insights For Vulnerability Remediation versions up to 4.2 is affected by insufficient session expiration (CVSS 2.0).

Authentication Bypass Bigfix Insights For Vulnerability Remediation
NVD
CVSS 3.1
2.0
EPSS
0.0%
CVE-2025-6225 This Week

Kieback&Peter Neutrino-GLT product is used for building management. It's web component "SM70 PHWEB" is vulnerable to shell command injection via login form.

Command Injection
NVD
EPSS
1.5%
CVE-2026-22541 Monitor

The massive sending of ICMP requests causes a denial of service on one of the boards from the EVCharger that allows control the EV interfaces. Since the board must be operating correctly for the charger to also function correctly.

Denial Of Service
NVD
EPSS
0.1%
CVE-2026-22540 Monitor

The massive sending of ARP requests causes a denial of service on one board of the charger that allows control of the EV interfaces. Since the board must be operating correctly for the charger to also function correctly.

Denial Of Service
NVD
EPSS
0.1%
CVE-2026-22535 Monitor

An attacker with the ability to interact through the network and with access credentials, could, thanks to the unsecured (unencrypted) MQTT communications protocol, write on the server topics of the board that controls the MQTT communications

Industrial
NVD
EPSS
0.0%
CVE-2025-15474 Monitor

AuntyFey Smart Combination Lock firmware versions as of 2025-12-24 contain a vulnerability that allows an unauthenticated attacker within Bluetooth Low Energy (BLE) range to cause a denial of service by repeatedly initiating BLE connections.

Denial Of Service
NVD GitHub
EPSS
0.0%
CVE-2026-22539 Monitor

As the service interaction is performed without authentication, an attacker with some knowledge of the protocol could obtain information about the charger via OCPP v1.6.

Information Disclosure
NVD
EPSS
0.0%
CVE-2026-22544 Monitor

An attacker with a network connection could detect credentials in clear text.

Information Disclosure
NVD
EPSS
0.0%
CVE-2026-22185 This Week

OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load.

LDAP Denial Of Service
NVD
EPSS
0.0%
CVE-2026-22536 This Week

The absence of permissions control for the user XXX allows the current configuration in the sudoers file to escalate privileges without any restrictions

Privilege Escalation
NVD
EPSS
0.0%
CVE-2026-22542 Monitor

An attacker with access to the system's internal network can cause a denial of service on the system by making two concurrent connections through the Telnet service.

Denial Of Service
NVD
EPSS
0.0%
CVE-2026-22537 Monitor

The lack of hardening of the system allows the user used to manage and maintain the charger to consult different files containing clear-text credentials or valuable information for an attacker.

Information Disclosure
NVD
EPSS
0.0%
CVE-2026-22543 Monitor

The credentials required to access the device's web server are sent in base64 within the HTTP headers. Since base64 is not considered a strong cipher, an attacker could intercept the web request handling the login and obtain the credentials

Information Disclosure
NVD
EPSS
0.0%
Prev Page 5 of 5

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy