2.2
CVE-2025-31964 - HCL BigFix IVR is impacted by an improper service binding configuration
Improper service binding configuration in internal service components in HCL BigFix IVR version 4.2 allows a privileged attacker to impact service availability via exposure of administrative services bound to external network interfaces instead of the local authentication interface.
4.4
CVE-2025-14792 - Key Figures <= 1.1 - Authenticated (Admin+) Stored Cross-Site Scripting via kf_field_figure_default…
The Key Figures plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kf_field_figure_default_color_render function in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with admi…
5.4
CVE-2025-12449 - aBlocks – WordPress Gutenberg Blocks <= 2.4.0 - Missing Authorization to Authenticated (Subscriber+…
The aBlocks – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJAX actions in all versions up to, and including, 2.4.0. This makes it possible for authenticated at…
6.1
CVE-2025-13369 - Premmerce WooCommerce Customers Manager <= 1.1.14 - Reflected Cross-Site Scripting
The Premmerce WooCommerce Customers Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'money_spent_from', 'money_spent_to', 'registered_from', and 'registered_to' parameters in all versions up to, and including, 1.1.14 due to insufficient input sanitization and ou…
5.4
CVE-2025-14802 - LearnPress – WordPress LMS Plugin <= 4.3.2.2 - Insecure Direct Object Reference to Authenticated (I…
The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. This is due to a parameter mismatch between the DELETE operation and authorization check, where the …
2.9
CVE-2025-31963 - HCL BigFix IVR is impacted by improper authentication and missing CSRF protection
Improper authentication and missing CSRF protection in the local setup interface component in HCL BigFix IVR version 4.2 allows a local attacker to perform unauthorized configuration changes via unauthenticated administrative configuration requests.
2
CVE-2025-31962 - HCL BigFix IVR is impacted by an insufficient session expiration vulnerability
Insufficient session expiration in the Web UI authentication component in HCL BigFix IVR version 4.2 allows an authenticated attacker to gain prolonged unauthorized access to protected API endpoints due to excessive expiration periods.
6.5
CVE-2025-14867 - Flashcard Plugin for WordPress <= 0.9 - Authenticated (Contributor+) Arbitrary File Read via Path T…
The Flashcard plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.9 via the 'source' attribute of the 'flashcard' shortcode. This makes it possible for authenticated attackers, with contributor level access and above, to read the contents of arbitrary files …
6.1
CVE-2025-14842 - Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.9.2 - Unauthenticated Limited Arbitrary …
The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. This is due to the plugin not blocking .phar and .svg files. This makes it possible for unauthenticated attacker…
8.2
CVE-2026-0656 - iPaymu Payment Gateway for WooCommerce <= 2.0.2 - Missing Authentication to Unauthenticated Payment…
The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origi…