4.4
CVE-2025-12185 - StaffList <= 3.2.6 - Authenticated (Admin+) Stored Cross-Site Scripting
The StaffList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and aboβ¦
8.7
CVE-2025-12758 -
Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length β¦
9.8
CVE-2025-13539 - FindAll Membership <= 1.0.4 - Authentication Bypass via Social Login
The FindAll Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.4. This is due to the plugin not properly logging in a user with the data that was previously verified through the 'findall_membership_check_facebook_user' and the 'findall_mβ¦
9.8
CVE-2025-13540 - Tiare Membership <= 1.2 - Unauthenticated Privilege Escalation
The Tiare Membership plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2. This is due to the 'tiare_membership_init_rest_api_register' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attacβ¦
8.8
CVE-2025-13680 - Tiger <= 101.2.1 - Authenticated (Subscriber+) Privilege Escalation
The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the plugin allowing a user to update the user role through the $user->set_role() function. This makes it possible for authenticated attackers, with Subscriber-level acceβ¦
6.4
CVE-2025-12151 - Simple Folio <= 1.1.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting
The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'portfolio_name' parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level accβ¦
9.8
CVE-2025-13675 - Tiger <= 101.2.1 - Unauthenticated Privilege Escalation
The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the 'paypal-submit.php' file not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator'β¦
7.5
CVE-2025-7820 - SKT PayPal for WooCommerce <= 1.4 - Unauthenticated Payment Bypass
The SKT PayPal for WooCommerce plugin for WordPress is vulnerable to Payment Bypass in all versions up to, and including, 1.4. This is due to the plugin only enforcing client side controls instead of server-side controls when processing payments. This makes it possible for unauthenticated attackersβ¦
9.8
CVE-2025-13538 - FindAll Listing <= 1.0.5 - Unauthenticated Privilege Escalation
The FindAll Listing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.5. This is due to the 'findall_listing_user_registration_additional_params' function not restricting what user roles a user can register with. This makes it possible for unauthenβ¦
5.5
CVE-2025-3784 - Information Disclosure Vulnerability in GX Works2
Cleartext Storage of Sensitive Information Vulnerability in GX Works2 all versions allows an attacker to disclose credential information stored in plaintext from project files. As a result, the attacker may be able to open project files protected by user authentication using disclosed credential inβ¦