4.3

CVSS3.1

CVE-2025-12030 - ACF to REST API <= 3.3.4 - Insecure Direct Object Reference to Authenticated (Contributor+) ACF Fie…

The ACF to REST API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.4. This is due to insufficient capability checks in the update_item_permissions_check() method, which only verifies that the current user has the edit_posts capabilit…

📅 Published: Jan. 7, 2026, 8:21 a.m. 🔄 Last Modified: April 22, 2026, noon

6.1

CVSS3.1

CVE-2025-13519 - SVG Map Plugin <= 1.0.0 - Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scrip…

The SVG Map Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on multiple AJAX actions including 'save_data', 'delete_data', and 'add_popup'. This makes it possible for unauthenti…

📅 Published: Jan. 7, 2026, 8:21 a.m. 🔄 Last Modified: April 21, 2026, 5 p.m.

6.4

CVSS3.1

CVE-2025-13531 - Stylish Order Form Builder <= 1.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'pr…

The Stylish Order Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'product_name' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber…

📅 Published: Jan. 7, 2026, 8:21 a.m. 🔄 Last Modified: April 22, 2026, 8:30 p.m.

4.4

CVSS3.1

CVE-2025-15000 - Page Keys <= 1.3.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'page_key' Para…

The Page Keys plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘page_key’ parameter in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, t…

📅 Published: Jan. 7, 2026, 8:21 a.m. 🔄 Last Modified: April 22, 2026, 4 p.m.

7.5

CVSS3.1

CVE-2025-11877 - User Activity Log <= 2.2 - Unauthenticated Limited Options Update via Failed Login

The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for unauthenticated att…

📅 Published: Jan. 7, 2026, 8:21 a.m. 🔄 Last Modified: April 22, 2026, 8:30 p.m.

6.4

CVSS3.1

CVE-2025-0980 - JSON RPC authentication bypass in Nokia SR Linux

Nokia SR Linux is vulnerable to an authentication vulnerability allowing unauthorized access to the JSON-RPC service. When exploited, an invalid validation allows JSON RPC access without providing valid authentication credentials.

📅 Published: Jan. 7, 2026, 7:24 a.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

2.2

CVSS3.1

CVE-2025-31964 - HCL BigFix IVR is impacted by an improper service binding configuration

Improper service binding configuration in internal service components in HCL BigFix IVR version 4.2 allows a privileged attacker to impact service availability via exposure of administrative services bound to external network interfaces instead of the local authentication interface.

📅 Published: Jan. 7, 2026, 7:18 a.m. 🔄 Last Modified: Jan. 21, 2026, 9:58 p.m.

4.4

CVSS3.1

CVE-2025-14792 - Key Figures <= 1.1 - Authenticated (Admin+) Stored Cross-Site Scripting via kf_field_figure_default…

The Key Figures plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kf_field_figure_default_color_render function in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with admi…

📅 Published: Jan. 7, 2026, 7:17 a.m. 🔄 Last Modified: April 20, 2026, 9:30 p.m.

5.4

CVSS3.1

CVE-2025-12449 - aBlocks – WordPress Gutenberg Blocks <= 2.4.0 - Missing Authorization to Authenticated (Subscriber+…

The aBlocks – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJAX actions in all versions up to, and including, 2.4.0. This makes it possible for authenticated at…

📅 Published: Jan. 7, 2026, 7:17 a.m. 🔄 Last Modified: April 21, 2026, 5 p.m.

6.1

CVSS3.1

CVE-2025-13369 - Premmerce WooCommerce Customers Manager <= 1.1.14 - Reflected Cross-Site Scripting

The Premmerce WooCommerce Customers Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'money_spent_from', 'money_spent_to', 'registered_from', and 'registered_to' parameters in all versions up to, and including, 1.1.14 due to insufficient input sanitization and ou…

📅 Published: Jan. 7, 2026, 7:17 a.m. 🔄 Last Modified: April 21, 2026, 5 p.m.