7.5
CVE-2025-10862 - Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers …
The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.1.3. This is due to insufficient escaping on the 'id' parameter and lack of sufficient preparation on th…
9.8
CVE-2025-11522 - Search & Go - Directory WordPress Theme <= 2.7 - Authentication Bypass to Privilege Escalation via …
The Search & Go - Directory WordPress Theme theme for WordPress is vulnerable to Authentication Bypass via account takeover in all versions up to, and including, 2.7. This is due to insufficient user validation in the search_and_go_elated_check_facebook_user() function This makes it possible for un…
9.9
CVE-2025-11539 - Arbitrary Code Execution in Grafana Image Renderer Plugin
Grafana Image Renderer is vulnerable to remote code execution due to an arbitrary file write vulnerability. This is due to the fact that the /render/csv endpoint lacked validation of the filePath parameter that allowed an attacker to save a shared object to an arbitrary location that is then loaded…
9.8
CVE-2025-7634 - WP Travel Engine – Tour Booking Plugin – Tour Operator Software <= 6.6.7 - Unauthenticated Local Fi…
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.6.7 via the mode parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the …
9.8
CVE-2025-7526 - WP Travel Engine – Tour Booking Plugin – Tour Operator Software <= 6.6.7 - Authenticated (Subscribe…
The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to arbitrary file deletion (via renaming) due to insufficient file path validation in the set_user_profile_image function in all versions up to, and including, 6.6.7. This makes it possible for un…
5.3
CVE-2025-11530 - code-projects Online Complaint Site state.php sql injection
A weakness has been identified in code-projects Online Complaint Site 1.0. Affected is an unknown function of the file /cms/admin/state.php. This manipulation of the argument state causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the pu…
8.8
CVE-2025-6038 - Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme <= 1.4.0 - Authent…
The Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme plugin for WordPress is vulnerable to privilege escalation via password update in all versions up to, and including, 1.4.0. This is due to the plugin not properly validating a user's identity prior to updating thei…
7.8
CVE-2025-47355 - Out-of-bounds Write in DSP Service
Memory corruption while invoking remote procedure IOCTL calls.
7.8
CVE-2025-47354 - Use After Free in DSP Service
Memory corruption while allocating buffers in DSP service.
7.8
CVE-2025-47351 - Integer Overflow or Wraparound in DSP Service
Memory corruption while processing user buffers.