8.6
CVE-2025-65074 - OS Command Injection via Path Traversal in WaveStore Server
WaveView client allows users to execute restricted set of predefined commands and scripts on the connected WaveStore Server.ย A malicious attacker with high-privileges is able to execute arbitrary OS commands on the server using path traversal in theย showerr script. This issue was fixed in version โฆ
7.5
CVE-2025-13474 - IDOR in Menulux Software's Mobile App
Authorization Bypass Through User-Controlled Key vulnerability in Menulux Software Inc. Mobile App allows Exploitation of Trusted Identifiers.This issue affects Mobile App: before 9.5.8.
4.3
CVE-2025-13741 - Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Catโฆ
The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getAuthors function in all versions up to, and including, 4.9.2. This makes it poโฆ
6.4
CVE-2025-11220 - Elementor <= 3.33.3 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Text โฆ
The Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Text Path widget in all versions up to, and including, 3.33.3 due to insufficient neutralization of user-supplied input used to build SVG markup inside the widget. This makes it possible for authenticaโฆ
5.3
CVE-2025-0836 - XProtect MIP API Missing Authorization
Missing Authorization vulnerability in Milestone Systems XProtect VMS allows users with read-only access to Management Server to have full read/write access to MIP Webhooks API.
8.1
CVE-2025-14002 - WPCOM Member <= 1.7.16 - Authentication Bypass via Weak OTP
The WPCOM Member plugin for WordPress is vulnerable to authentication bypass via brute force in all versions up to, and including, 1.7.16. This is due to weak OTP (One-Time Password) generation using only 6 numeric digits combined with a 10-minute validity window and no rate limiting on verificatioโฆ
6.5
CVE-2025-13231 - Fancy Product Designer | WooCommerce WordPress <= 6.4.8 - Unauthenticated Server-Side Request Forgeโฆ
The Fancy Product Designer plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.4.8. This is due to a time-of-check/time-of-use (TOCTOU) race condition in the 'url' parameter of the fpd_custom_uplod_file AJAX action. The plugin validates the URL โฆ
5.4
CVE-2025-68088 - WordPress Huger for Elementor plugin <= 1.1.5 - Broken Access Control vulnerability
Missing Authorization vulnerability in merkulove Huger for Elementor huger-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Huger for Elementor: from n/a through <= 1.1.5.
5.4
CVE-2025-68087 - WordPress Modalier for Elementor plugin <= 1.0.6 - Broken Access Control vulnerability
Missing Authorization vulnerability in merkulove Modalier for Elementor modalier-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Modalier for Elementor: from n/a through <= 1.0.6.
5.4
CVE-2025-68086 - WordPress Reformer for Elementor plugin <= 1.0.6 - Broken Access Control vulnerability
Missing Authorization vulnerability in merkulove Reformer for Elementor reformer-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Reformer for Elementor: from n/a through <= 1.0.6.