3.5

CVSS3.1

CVE-2025-10636 - NS Maintenance Mode for WP <= 1.3.1 - Admin+ Stored XSS

The NS Maintenance Mode for WP WordPress plugin through 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup…

📅 Published: Oct. 30, 2025, 6 a.m. 🔄 Last Modified: Oct. 30, 2025, 3:03 p.m.

5.3

CVSS3.1

CVE-2025-10008 - Translate WordPress and go Multilingual – Weglot <= 5.1 - Missing Authorization to Unauthenticated …

The Translate WordPress and go Multilingual – Weglot plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'clean_options' function in all versions up to, and including, 5.1. This makes it possible for unauthenticated attackers to delete limited tr…

📅 Published: Oct. 30, 2025, 5:28 a.m. 🔄 Last Modified: Oct. 30, 2025, 3:03 p.m.

6.5

CVSS3.1

CVE-2025-11627 - Site Checkup AI Troubleshooting with Wizard and Tips for Each Issue <= 1.47 - Unauthenticated Log F…

The Site Checkup Debug AI Troubleshooting with Wizard and Tips for Each Issue plugin for WordPress is vulnerable to log file poisoning in all versions up to, and including, 1.47. This makes it possible for unauthenticated attackers to insert arbitrary content into log files, and potentially cause d…

📅 Published: Oct. 30, 2025, 5:28 a.m. 🔄 Last Modified: Oct. 30, 2025, 3:03 p.m.

6.4

CVSS3.1

CVE-2025-12475 - Blocksy Companion <= 2.1.14 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blocksy_newsletter_subscribe' shortcode in all versions up to, and including, 2.1.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possib…

📅 Published: Oct. 30, 2025, 4:26 a.m. 🔄 Last Modified: Oct. 30, 2025, 3:03 p.m.

6.1

CVSS3.1

CVE-2025-52180 -

Cross-site scripting (XSS) vulnerability in Zucchetti Ad Hoc Infinity 4.2 and earlier allows remote unauthenticated attackers to inject arbitrary JavaScript via the pHtmlSource parameter of the /ahi/jsp/gsfr_feditorHTML.jsp?pHtmlSource endpoint.

📅 Published: Oct. 30, 2025, midnight 🔄 Last Modified: Nov. 4, 2025, 3:41 p.m.

5.5

CVSS3.1

CVE-2025-40093 - usb: gadget: f_ecm: Refactor bind path to use __free()

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_ecm: Refactor bind path to use __free() After a bind/unbind cycle, the ecm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL poin…

📅 Published: Oct. 30, 2025, midnight 🔄 Last Modified: Oct. 30, 2025, 3:03 p.m.

5.5

CVSS3.1

CVE-2025-40088 - hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp()

In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix slab-out-of-bounds read in hfsplus_strcasecmp() The hfsplus_strcasecmp() logic can trigger the issue: [ 117.317703][ T9855] ================================================================== [ 117.318353][ T9855] …

📅 Published: Oct. 30, 2025, midnight 🔄 Last Modified: Oct. 30, 2025, 3:03 p.m.

8.2

CVSS3.1

CVE-2025-63298 -

A path traversal vulnerability was identified in SourceCodester Pet Grooming Management System 1.0, affecting the admin/manage_website.php component. An authenticated user with administrative privileges can leverage this flaw by submitting a specially crafted POST request, enabling the deletion of …

📅 Published: Oct. 30, 2025, midnight 🔄 Last Modified: Nov. 6, 2025, 1:47 p.m.

7.5

CVSS3.1

CVE-2025-61116 -

AdForest - Classified Android App version 4.0.12 (package name scriptsbundle.adforest), developed by Muhammad Jawad Arshad, contains an improper access control vulnerability in its authentication mechanism. The app uses a Base64-encoded email address as the authorization credential, which can be ma…

📅 Published: Oct. 30, 2025, midnight 🔄 Last Modified: Nov. 4, 2025, 3:41 p.m.

7.5

CVSS3.1

CVE-2025-61118 -

mCarFix Motorists App version 2.3 (package name com.skytop.mcarfix), developed by Paniel Mwaura, contains improper access control vulnerabilities. Attackers may bypass verification to arbitrarily register accounts, and by tampering with sequential numeric IDs, gain unauthorized access to user data …

📅 Published: Oct. 30, 2025, midnight 🔄 Last Modified: Nov. 4, 2025, 3:41 p.m.