8.6
CVE-2025-13371 - Money Space <= 2.13.9 - Unauthenticated Sensitive Information Exposure
The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then emβ¦
4.3
CVE-2025-14845 - NS IE Compatibility Fixer <= 2.1.5 - Cross-Site Request Forgery to Plugin Settings Update
The NS IE Compatibility Fixer plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 2.1.5. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin'β¦
4.4
CVE-2025-14888 - Simple User Meta Editor <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Uβ¦
The Simple User Meta Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user meta value field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-β¦
4.3
CVE-2025-13657 - HelpDesk contact form plugin <= 1.1.5 - Cross-Site Request Forgery to Settings Update via handle_quβ¦
The HelpDesk contact form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing or incorrect nonce validation on the handle_query_args() function. This makes it possible for unauthenticated attackers to update the pluginβ¦
4.4
CVE-2025-14887 - twinklesmtp β Email Service Provider For WordPress <= 1.03 - Authenticated (Administrator+) Stored β¦
The twinklesmtp β Email Service Provider For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's sender settings in all versions up to, and including, 1.03 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attacβ¦
4.3
CVE-2025-14370 - Quote Comments <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Setβ¦
The Quote Comments plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.0.0. This is due to missing authorization checks in the quotecomments_add_admin function. This makes it possible for authenticated attackers, with Subscriber-level access and aboveβ¦
6.1
CVE-2025-14875 - HBLPAY Payment Gateway for WooCommerce <= 5.0.0 - Reflected Cross-Site Scripting via 'cusdata' Paraβ¦
The HBLPAY Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the βcusdataβ parameter in all versions up to, and including, 5.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers toβ¦
6.5
CVE-2025-14901 - Bit Form β Contact Form Plugin <= 2.21.6 - Missing Authorization to Unauthenticated Workflow Replay
The Bit Form β Contact Form Plugin plugin for WordPress is vulnerable to unauthorized workflow execution due to missing authorization in the triggerWorkFlow function in all versions up to, and including, 2.21.6. This is due to a logic flaw in the nonce verification where the security check only bloβ¦
4.3
CVE-2025-14904 - Newsletter Email Subscribe <= 2.4 - Cross-Site Request Forgery to Plugin Settings Update
The Newsletter Email Subscribe plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4. This is due to incorrect nonce validation on the nels_settings_page function. This makes it possible for unauthenticated attackers to update plugin settings via a fβ¦
7.7
CVE-2025-14804 - Frontend File Manager < 23.5 - Subscriber+ Arbitrary File Deletion
The Frontend File Manager Plugin WordPress plugin before 23.5 did not validate a path parameter and ownership of the file, allowing any authenticated users, such as subscribers to delete arbitrary files on the server