Skip to main content
CVE-2026-0678 MEDIUM This Month

Flat Shipping Rate by City for WooCommerce (WordPress plugin) is affected by sql injection (CVSS 4.9).

WordPress SQLi
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-71111 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83791d) Convert macros to functions to avoid TOCTOU The macro FAN_FROM_REG evaluates its arguments multiple times.

Linux Information Disclosure Linux Kernel Red Hat Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.1%
CVE-2025-68965 MEDIUM This Month

Permission control vulnerability in the Notepad module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 4.7 MEDIUM]

Information Disclosure Harmonyos
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-67399 MEDIUM This Month

Smart Home Aqi Monitor Bootloader versions up to 1.005 is affected by information exposure (CVSS 4.6).

Information Disclosure Smart Home Aqi Monitor Bootloader
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2025-13627 MEDIUM This Month

The Makesweat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'makesweat_clubid' setting in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0741 MEDIUM This Month

Electric Studio Download Counter (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0813 MEDIUM This Month

Stored XSS in the WordPress Short Link plugin through versions 1.0 allows authenticated administrators to inject malicious scripts via the short_link_post_title and short_link_page_title parameters due to insufficient input sanitization. When users access pages containing the injected payload, the arbitrary JavaScript executes in their browsers, potentially compromising their sessions or data. No patch is currently available; mitigation requires disabling or removing the affected plugin.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0812 MEDIUM This Month

Stored cross-site scripting in the LinkedIn SC WordPress plugin through version 1.1.9 allows authenticated administrators to inject malicious scripts via insufficiently sanitized plugin settings that execute for all users visiting affected pages. The vulnerability requires high privilege administrator access to exploit and currently lacks an available patch. Attack complexity is high and impact is limited to confidentiality and integrity, with no availability impact.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0734 MEDIUM This Month

Stored XSS in WP Allowed Hosts plugin through 1.0.8 allows authenticated administrators to inject malicious scripts via the 'allowed-hosts' parameter on multi-site WordPress installations or those with disabled unfiltered_html. Affected administrators can execute arbitrary JavaScript that persists and runs for all users accessing injected pages. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0680 MEDIUM This Month

Stored XSS in Real Post Slider Lite WordPress plugin through version 2.4 allows authenticated administrators to inject malicious scripts into plugin settings that execute for other users viewing affected pages. The vulnerability requires high privileges and only impacts multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-15486 MEDIUM This Month

The Kunze Law plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's shortcode in all versions up to, and including, 2.1 due to the plugin fetching HTML content from a remote server and injecting it into pages without any sanitization or escaping. [CVSS 4.4 MEDIUM]

WordPress XSS Path Traversal PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-15021 MEDIUM This Month

The Gotham Block Extra Light plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-14725 MEDIUM This Month

The Internal Link Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0739 MEDIUM This Month

Stored XSS in WMF Mobile Redirector plugin for WordPress up to version 1.2 allows authenticated administrators to inject malicious scripts into plugin settings that execute for all site visitors. The vulnerability stems from inadequate input sanitization and output escaping, enabling privilege abuse by high-level account holders. A patch is not currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-14379 MEDIUM This Month

The Testimonials Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in version 1.6 due to insufficient input sanitization and output escaping. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-14482 MEDIUM This Month

Crush.pics Image Optimizer - Image Compression and Optimization (WordPress plugin) versions up to 1.8.7. is affected by missing authorization (CVSS 4.3).

WordPress Industrial PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-15376 MEDIUM This Month

Stopwords for comments (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14846 MEDIUM This Month

SocialChamp with WordPress (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14389 MEDIUM This Month

The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-0635 MEDIUM This Month

The Responsive Accordion Slider plugin for WordPress up to version 1.2.2 fails to validate user permissions on image metadata modification functions, allowing authenticated contributors and higher-privileged users to alter slider images, titles, descriptions, alt text, and associated links. This capability check bypass affects all installations using the vulnerable plugin versions and requires only valid WordPress login credentials to exploit.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-15377 MEDIUM This Month

The Sosh Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'admin_page_content' function. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-68492 MEDIUM PATCH This Month

Chainlit versions up to 2.8.5 is affected by authorization bypass through user-controlled key (CVSS 4.2).

Authentication Bypass AI / ML
NVD GitHub
CVSS 3.0
4.2
EPSS
0.0%
CVE-2025-14058 LOW Monitor

A potential missing authentication vulnerability was reported in some Lenovo Tablets that could allow an unauthorized user with physical access to modify Control Center settings if the device is locked when the "Allow Control Center access when locked" option is disabled. [CVSS 3.2 LOW]

Authentication Bypass
NVD
CVSS 3.1
3.2
EPSS
0.0%
CVE-2026-0601 This Week

A reflected cross-site scripting vulnerability exists in Nexus Repository 3 that allows unauthenticated attackers to execute arbitrary JavaScript in a victim's browser through a specially crafted request requiring user interaction.

XSS
NVD
EPSS
0.2%
CVE-2026-0600 This Week

Server-Side Request Forgery (SSRF) vulnerability in Sonatype Nexus Repository 3 versions 3.0.0 and later allows authenticated administrators to configure proxy repositories with URLs that can access unintended network destinations, potentially including cloud metadata services and internal network resources.

SSRF
NVD
EPSS
0.1%
CVE-2025-13175 Monitor

Y Soft SafeQ 6 renders the Workflow Connector password field in a way that allows an administrator with UI access to reveal the value using browser developer/inspection tools. The affected customers are only those with a password-protected scan workflow connector.

Information Disclosure
NVD
EPSS
0.0%
CVE-2025-14317 Monitor

In Crazy Bubble Tea mobile application authenticated attacker can obtain personal information about other users by enumerating a `loyaltyGuestId` parameter. Server does not verify the permissions required to obtain the data.

Android
NVD
EPSS
0.0%
CVE-2025-71140 PATCH Monitor

In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Use spinlock for context list protection lock Previously a mutex was added to protect the encoder and decoder context lists from unexpected changes originating from the SCP IP block, causing the context pointer to go invalid, resulting in a NULL pointer dereference in the IPI handler.

Linux Golang Null Pointer Dereference Linux Kernel
NVD
EPSS
0.0%
CVE-2025-66005 This Week

Lack of authorization of the InputManager D-Bus interface in InputPlumber versions before v0.63.0 can lead to local Denial-of-Service, information leak or even privilege escalation in the context of the currently active user session.

Privilege Escalation
NVD
EPSS
0.0%
CVE-2025-67859 This Week

A Improper Authentication vulnerability in TLP allows local users to arbitrarily control the power profile in use as well as the daemon’s log settings.This issue affects TLP: from 1.9 before 1.9.1.

Authentication Bypass
NVD
EPSS
0.0%
CVE-2025-14338 Monitor

Polkit authentication dis isabled by default and a race condition in the Polkit authorization check in versions before v0.69.0 can lead to the same issues as in CVE-2025-66005.

Authentication Bypass
NVD
EPSS
0.0%
CVE-2025-12533 Awaiting Data

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.

Information Disclosure
NVD
Prev Page 4 of 4

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy