4.3
CVE-2023-25068 - WordPress Magazine Edge theme <= 1.13 - Authenticated Arbitrary Plugin Activation
Missing Authorization vulnerability in Mapro Collins Magazine Edge magazine-edge allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Magazine Edge: from n/a through <= 1.13.
6.9
CVE-2025-14989 - Campcodes Complete Online Beauty Parlor Management System search-invoices.php SQL injection
A vulnerability was identified in Campcodes Complete Online Beauty Parlor Management System 1.0. This issue affects some unknown processing of the file /admin/search-invoices.php. Such manipulation leads to SQL injection. The attack can be launched remotely. The exploit is publicly available and mi…
8.5
CVE-2025-34290 - Versa SASE Client for Windows < 7.9.5 Arbitrary Folder Deletion Leading to Local Privilege Escalati…
Versa SASE Client for Windows versions released between 7.8.7 and 7.9.4 contain a local privilege escalation vulnerability in the audit log export functionality. The client communicates user-controlled file paths to a privileged service, which performs file system operations without impersonating t…
7.6
CVE-2025-7782 - WP JobHunt <= 7.7 - Missing Authorization to Authenticated (Candidate+) Stored Cross-Site Scripting…
The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to unauthorized modification of data due to a missing capability check on the 'cs_update_application_status_callback' function in all versions up to, and including, 7.7. This makes it possible for authenticated attacker…
4.3
CVE-2025-7733 - WP JobHunt <= 7.7 - Authenticated (Candidate+) Insecure Direct Object Reference
The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'cs_update_application_status_callback' due to missing validation on a user controlled key. This makes it possible for authenticated …
5.4
CVE-2025-14298 - FiboSearch – Ajax Search for WooCommerce <= 1.32.0 - Authenticated (Contributor+) Stored Cross-Site…
The FiboSearch – Ajax Search for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `thegem_te_search` shortcode in all versions up to, and including, 1.32.0 due to insufficient input sanitization and output escaping on user supplied attributes. This make…
5.3
CVE-2025-12492 - Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Member…
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.0 via the ajax_get_members function. This is due to the use of a predict…
9.8
CVE-2025-13619 - Flex Store Users <= 1.1.0 - Unauthenticated Privilege Escalation
The Flex Store Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.0. This is due to the 'fsUserHandle::signup' and the 'fsSellerRole::add_role_seller' functions not restricting what user roles a user can register with. This makes it possible f…
5.3
CVE-2025-12820 - Pure WC Variation Swatches <= 1.1.7 - Unauthenticated Settings Update
The Pure WC Variation Swatches WordPress plugin through 1.1.7 does not have an authorization check when updating its settings, which could allow any authenticated users to update them.
6.1
CVE-2025-13365 - WP Hallo Welt <= 1.4. - Cross-Site Request Forgery to Stored Cross-Site Scripting
The WP Hallo Welt plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the 'hallo_welt_seite' function. This makes it possible for unauthenticated attackers to update plugin settings and i…