7.5
CVE-2025-11877 - User Activity Log <= 2.2 - Unauthenticated Limited Options Update via Failed Login
The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for unauthenticated attβ¦
6.4
CVE-2025-0980 - JSON RPC authentication bypass in Nokia SR Linux
Nokia SR Linux is vulnerable to an authentication vulnerability allowing unauthorized access to the JSON-RPC service. When exploited, an invalid validation allows JSON RPC access without providing valid authentication credentials.
2.2
CVE-2025-31964 - HCL BigFix IVR is impacted by an improper service binding configuration
Improper service binding configuration in internal service components in HCL BigFix IVR version 4.2 allows a privileged attacker to impact service availability via exposure of administrative services bound to external network interfaces instead of the local authentication interface.
4.4
CVE-2025-14792 - Key Figures <= 1.1 - Authenticated (Admin+) Stored Cross-Site Scripting via kf_field_figure_defaultβ¦
The Key Figures plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kf_field_figure_default_color_render function in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with admiβ¦
5.4
CVE-2025-12449 - aBlocks β WordPress Gutenberg Blocks <= 2.4.0 - Missing Authorization to Authenticated (Subscriber+β¦
The aBlocks β WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJAX actions in all versions up to, and including, 2.4.0. This makes it possible for authenticated atβ¦
6.1
CVE-2025-13369 - Premmerce WooCommerce Customers Manager <= 1.1.14 - Reflected Cross-Site Scripting
The Premmerce WooCommerce Customers Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'money_spent_from', 'money_spent_to', 'registered_from', and 'registered_to' parameters in all versions up to, and including, 1.1.14 due to insufficient input sanitization and ouβ¦
5.4
CVE-2025-14802 - LearnPress β WordPress LMS Plugin <= 4.3.2.2 - Insecure Direct Object Reference to Authenticated (Iβ¦
The LearnPress β WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the β¦
2.9
CVE-2025-31963 - HCL BigFix IVR is impacted by improper authentication and missing CSRF protection
Improper authentication and missing CSRF protection in the local setup interface component in HCL BigFix IVR version 4.2 allows a local attacker to perform unauthorized configuration changes via unauthenticated administrative configuration requests.
2
CVE-2025-31962 - HCL BigFix IVR is impacted by an insufficient session expiration vulnerability
Insufficient session expiration in the Web UI authentication component in HCL BigFix IVR version 4.2 allows an authenticated attacker to gain prolonged unauthorized access to protected API endpoints due to excessive expiration periods.
6.5
CVE-2025-14867 - Flashcard Plugin for WordPress <= 0.9 - Authenticated (Contributor+) Arbitrary File Read via Path Tβ¦
The Flashcard plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.9 via the 'source' attribute of the 'flashcard' shortcode. This makes it possible for authenticated attackers, with contributor level access and above, to read the contents of arbitrary files β¦