6.4

CVSS3.1

CVE-2025-14053 - Travel Bucket List <= 0.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcod…

The Wish To Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Cont…

📅 Published: Jan. 7, 2026, 9:20 a.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

6.4

CVSS3.1

CVE-2025-13847 - PhotoFade <= 0.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribu…

The PhotoFade plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'time' parameter in all versions up to, and including, 0.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and abov…

📅 Published: Jan. 7, 2026, 9:20 a.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

9.8

CVSS3.1

CVE-2025-15018 - Optional Email <= 1.3.11 - Unauthenticated Privilege Escalation to Account Takeover

The Optional Email plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in all versions up to, and including, 1.3.11. This is due to the plugin not restricting its 'random_password' filter to registration contexts, allowing the filter to affect password reset key generati…

📅 Published: Jan. 7, 2026, 8:21 a.m. 🔄 Last Modified: April 21, 2026, 12:45 a.m.

4.3

CVSS3.1

CVE-2025-13521 - WP Status Notifier <= 1.0 - Cross-Site Request Forgery to Settings Update

The WP Status Notifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin set…

📅 Published: Jan. 7, 2026, 8:21 a.m. 🔄 Last Modified: April 21, 2026, 12:45 a.m.

8.8

CVSS3.1

CVE-2025-15158 - WP Enable WebP <= 1.0 - Authenticated (Author+) Arbitrary File Upload

The WP Enable WebP plugin for WordPress is vulnerable to arbitrary file uploads due to improper file type validation in the 'wpse_file_and_ext_webp' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload …

📅 Published: Jan. 7, 2026, 8:21 a.m. 🔄 Last Modified: April 20, 2026, 9:30 p.m.

6.4

CVSS3.1

CVE-2025-13497 - Recras WordPress plugin <= 6.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 're…

The Recras WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'recrasname' shortcode attribute in all versions up to, and including, 6.4.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with C…

📅 Published: Jan. 7, 2026, 8:21 a.m. 🔄 Last Modified: April 21, 2026, 4:45 p.m.

5.3

CVSS3.1

CVE-2025-13496 - Moosend Landing Pages <= 1.1.6 - Missing Authorization to Authenticated (Subscriber+) Option Deleti…

The Moosend Landing Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the moosend_landings_auth_get function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access…

📅 Published: Jan. 7, 2026, 8:21 a.m. 🔄 Last Modified: April 21, 2026, 12:45 a.m.

4.3

CVSS3.1

CVE-2025-13520 - MTCaptcha WordPress Plugin <= 2.7.2 - Cross-Site Request Forgery to Settings Update

The MTCaptcha WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.2. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin …

📅 Published: Jan. 7, 2026, 8:21 a.m. 🔄 Last Modified: April 21, 2026, 12:45 a.m.

7.5

CVSS3.1

CVE-2025-13493 - Latest Registered Users <= 1.4 - Missing Authorization to Unauthenticated Sensitive Information Exp…

The Latest Registered Users plugin for WordPress is vulnerable to unauthorized user data export in all versions up to, and including, 1.4. This is due to missing authorization and nonce validation in the rnd_handle_form_submit function hooked to both admin_post_my_simple_form and admin_post_nopriv_…

📅 Published: Jan. 7, 2026, 8:21 a.m. 🔄 Last Modified: April 21, 2026, 12:45 a.m.

4.3

CVSS3.1

CVE-2025-13527 - xShare <= 1.0.1 - Cross-Site Request Forgery to 'rs_plugin_reset' Parameter

The xShare plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'xshare_plugin_reset()' function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged …

📅 Published: Jan. 7, 2026, 8:21 a.m. 🔄 Last Modified: April 21, 2026, 4:45 p.m.
Total results: 349182