0.0
CVE-2025-66536 -
Not used
0.0
CVE-2025-66538 -
Not used
4.8
CVE-2025-12826 - Custom Post Type UI <= 1.18.0 - Missing Authorization to Unauthenticated (Previously Administrator+…
The Custom Post Type UI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.18.0. This is due to the plugin not verifying that a user has the required capability to perform actions in the "cptui_process_post_type" function. This makes it possible for a…
4.3
CVE-2025-12782 - Beaver Builder – WordPress Page Builder <= 2.9.4 - Missing Authorization to Authenticated (Contribu…
The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.9.4. This is due to the plugin not properly verifying a user's authorization in the disable() function. This makes it possible for authenticated attackers, …
6.1
CVE-2025-13513 - Clik stats <= 0.8 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
The Clik stats plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary…
7.2
CVE-2025-11727 - Omnichannel for WooCommerce: Google, Amazon, eBay & Walmart Integration - Powered by Codisto <= 1.3…
The Omnichannel for WooCommerce: Google, Amazon, eBay & Walmart Integration – Powered by Codisto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sync() function in all versions up to, and including, 1.3.65 due to insufficient input sanitization and output escaping. This ma…
5.3
CVE-2025-11379 - WebP Express <= 0.25.9 - Unauthenticated Information Exposure
The WebP Express plugin for WordPress is vulnerable to information exposure via config files in all versions up to, and including, 0.25.9. This is due to the plugin not properly randomizing the name of the config file to prevent direct access on NGINX. This makes it possible for unauthenticated att…
5.5
CVE-2025-40251 - devlink: rate: Unset parent pointer in devl_rate_nodes_destroy
In the Linux kernel, the following vulnerability has been resolved: devlink: rate: Unset parent pointer in devl_rate_nodes_destroy The function devl_rate_nodes_destroy is documented to "Unset parent for all rate objects". However, it was only calling the driver-specific `rate_leaf_parent_set` or …
5.5
CVE-2025-40255 - net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower()
In the Linux kernel, the following vulnerability has been resolved: net: core: prevent NULL deref in generic_hwtstamp_ioctl_lower() The ethtool tsconfig Netlink path can trigger a null pointer dereference. A call chain such as: tsconfig_prepare_data() -> dev_get_hwtstamp_phylib() -> vlan_h…
8.8
CVE-2025-66287 - Webkitgtk: processing maliciously crafted web content may lead to an unexpected process crash
A flaw was found in WebKitGTK. Processing malicious web content can cause an unexpected process crash due to improper memory handling.