Skip to main content
CVE-2025-67811 MEDIUM This Month

Area9 Rhapsode 1.47.3 allows SQL Injection via multiple API endpoints accessible to authenticated users. Insufficient input validation allows remote attackers to inject arbitrary SQL commands, resulting in unauthorized database access and potential compromise of sensitive data. [CVSS 6.5 MEDIUM]

SQLi Rhapsode
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-14172 MEDIUM This Month

WP Page Permalink Extension (WordPress plugin) versions up to 1.5.4. is affected by missing authorization (CVSS 6.5).

WordPress PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-10569 MEDIUM This Month

Gitlab versions up to 18.5.5 is affected by allocation of resources without limits or throttling (CVSS 6.5).

Gitlab Denial Of Service
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-67810 MEDIUM This Month

In Area9 Rhapsode 1.47.3, an authenticated attacker can exploit the operation, url, and filename parameters via POST request to read arbitrary files from the server filesystem. Fixed in 1.47.4 (#7254) and further versions. [CVSS 6.5 MEDIUM]

Buffer Overflow Information Disclosure Rhapsode
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-67278 MEDIUM This Month

An issue in TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 allows a remote attacker to escalate privileges via a crafted HTTP request [CVSS 6.5 MEDIUM]

Privilege Escalation Tim Flow
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-14980 MEDIUM This Month

The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. [CVSS 6.5 MEDIUM]

WordPress Information Disclosure AI / ML PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-51626 MEDIUM This Month

SQL injection vulnerability in pss.sale.com 1.0 via the id parameter to the userfiles/php/cancel_order.php endpoint. [CVSS 6.5 MEDIUM]

PHP SQLi Pss.Sale.Com
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-13781 MEDIUM This Month

GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to modify instance-wide AI feature provider settings by exploiting missing authorization checks in GraphQL mutations. [CVSS 6.5 MEDIUM]

Gitlab AI / ML
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-13967 MEDIUM This Month

The Woodpecker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_name' parameter of the [woodpecker-connector] shortcode in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13729 MEDIUM This Month

The Entry Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'entry-views' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0627 MEDIUM This Month

Stored XSS in the AMP for WP WordPress plugin (versions up to 1.1.10) allows authenticated users with Author privileges or higher to execute arbitrary JavaScript by uploading malicious SVG files with event handlers and animation attributes that bypass incomplete script tag filtering. The injected payload executes in the browsers of any user viewing the uploaded file, enabling session hijacking, credential theft, or malware distribution. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13852 MEDIUM This Month

The Debt.com Business in a Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'configuration' parameter of the lead_form shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13900 MEDIUM This Month

The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the [wppum_end] shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13853 MEDIUM This Month

The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data_tech' parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13704 MEDIUM This Month

The Autogen Headers Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head_class' parameter of the 'autogen_menu' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13908 MEDIUM This Month

The The Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'the_tooltip' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13903 MEDIUM This Month

The PullQuote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pullquote' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13897 MEDIUM This Month

The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aft_testimonial_meta_name' custom field in the Client Information metabox in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user-supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13862 MEDIUM This Month

The Menu Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `category` parameter in all versions up to, and including, 0.8.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13854 MEDIUM This Month

The Curved Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'radius' parameter of the arctext shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-11453 MEDIUM This Month

The Header and Footer Scripts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _inpost_head_script parameter in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0563 MEDIUM This Month

Stored cross-site scripting in the WP Google Street View & Google Maps plugin for WordPress versions up to 1.1.8 allows authenticated contributors and higher-privileged users to inject malicious scripts via the 'wpgsv_map' shortcode due to inadequate input sanitization, enabling arbitrary code execution when visitors access affected pages. The vulnerability requires authenticated access and has no available patch as of this report.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-15019 MEDIUM This Month

The BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bialty_cs_alt' post meta in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14893 MEDIUM This Month

The IndieWeb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Telephone' parameter in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0732 LOW POC Monitor

Command injection in D-Link DI-8200G firmware version 17.12.20A1 via the /upgrade_filter.asp path parameter allows authenticated remote attackers to execute arbitrary commands. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires network access and valid credentials but no user interaction.

D-Link Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2025-13893 MEDIUM This Month

The Lesson Plan Book plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-13895 MEDIUM This Month

The Top Position Google Finance plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.1.0 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-22198 MEDIUM This Month

GestSup before version 3.2.60 contains a pre-authentication stored XSS vulnerability in API error logging that allows unauthenticated attackers to inject malicious scripts into log files via crafted API requests. When administrators view these logs in the web interface, the injected scripts execute in their browser with administrative privileges due to insufficient output encoding. This impacts both GestSup and PHP-based installations, enabling attackers to compromise administrator accounts without prior authentication.

PHP XSS Gestsup
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-13892 MEDIUM This Month

The MG AdvancedOptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-13701 MEDIUM This Month

The Shabat Keeper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 0.4.4 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-15496 LOW POC Monitor

A vulnerability was determined in guchengwuyue yshopmall up to 1.9.1. Affected is the function getPage of the file /api/jobs. [CVSS 6.3 MEDIUM]

SQLi Yshopmall
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-0733 LOW POC Monitor

SQL injection in PHPGurukul Online Course Registration System through 3.1 allows authenticated attackers to manipulate the id/cid parameters in the manage-students.php admin function, enabling unauthorized database access and potential data modification. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-15494 LOW POC Monitor

A vulnerability has been found in RainyGao DocSys up to 2.02.37. This affects an unknown function of the file com/DocSystem/mapping/UserMapper.xml. [CVSS 6.3 MEDIUM]

SQLi Docsys
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-15493 LOW POC Monitor

Docsys versions up to 2.02.36. contains a vulnerability that allows attackers to sql injection (CVSS 6.3).

SQLi Docsys
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-15492 LOW POC Monitor

A vulnerability was detected in RainyGao DocSys up to 2.02.36. The affected element is an unknown function of the file src/com/DocSystem/mapping/GroupMemberMapper.xml. [CVSS 6.3 MEDIUM]

SQLi Docsys
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-0803 LOW POC Monitor

PHPGurukul Online Course Registration System through version 3.1 contains a SQL injection vulnerability in /enroll.php that allows authenticated attackers to manipulate multiple parameters (studentregno, Pincode, session, department, level, course, sem) to execute arbitrary database queries over the network. Public exploit code exists for this vulnerability, and no patch is currently available, creating risk for deployments handling course enrollment data.

PHP SQLi
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-15495 LOW POC Monitor

A vulnerability was found in BiggiDroid Simple PHP CMS 1.0. This impacts an unknown function of the file /admin/editsite.php. [CVSS 4.7 MEDIUM]

PHP Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-46644 MEDIUM This Month

Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.4.0.0, LTS2025 release version 8.3.1.10, LTS2024 release versions 7.13.1.0 through 7.13.1.40, LTS2023 release versions 7.10.1.0 through 7.10.1.70, contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. [CVSS 6.0 MEDIUM]

Command Injection Data Domain Operating System
NVD
CVSS 3.1
6.0
EPSS
0.0%
CVE-2026-21409 MEDIUM This Month

Improper authorization vulnerability exists in RICOH Streamline NX 3.5.1 to 24R3. [CVSS 5.9 MEDIUM]

Authentication Bypass
NVD
CVSS 3.0
5.9
EPSS
0.0%
CVE-2026-20969 MEDIUM This Month

Android versions up to 13.0 contains a vulnerability that allows attackers to access file with system privilege (CVSS 5.5).

Information Disclosure Android
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-46297 MEDIUM This Month

A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.2. [CVSS 5.5 MEDIUM]

Apple macOS
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-20975 MEDIUM This Month

Cloud versions up to 5.6.11 contains a vulnerability that allows attackers to access specific files in arbitrary path (CVSS 5.5).

Samsung Cloud
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-9222 MEDIUM This Month

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown. [CVSS 8.7 HIGH]

Gitlab XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14718 MEDIUM This Month

The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Contributor-level access and above, to create, update, delete, and publish malicious workflows that may automatically delete any post upon publication or update, including posts created by...

WordPress PHP
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-67280 MEDIUM This Month

In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Hibernate Query Language injection vulnerabilities exist which allow a low privileged user to extract passwords of other users and access sensitive data of another user. [CVSS 5.4 MEDIUM]

Information Disclosure SQLi Tim Flow
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-67282 MEDIUM This Month

In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Authorization Bypass vulnerabilities exists which allow a low privileged user to download password hashes of other user, access work items of other user, modify restricted content in workflows, modify the applications logo and manipulate the profile of other user. [CVSS 5.4 MEDIUM]

Golang Tim Flow
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-67281 MEDIUM This Month

In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple SQL injection vulnerabilities exists which allow a low privileged and administrative user to access the database and its content. [CVSS 5.4 MEDIUM]

SQLi Tim Flow
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-11246 MEDIUM This Month

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating GraphQL runner associations. [CVSS 5.4 MEDIUM]

Gitlab
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14720 MEDIUM This Month

The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14886 MEDIUM This Month

The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `order` REST API endpoint in all versions up to, and including, 2.7.17. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy