4.3
CVE-2025-11726 - Beaver Builder – WordPress Page Builder <= 2.9.4 - Missing Authorization to Authenticated (Contribu…
The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.9.4. This is due to insufficient capability checks in the REST API endpoints under the 'fl-controls/v1' namespace that control site-wide Global Presets. Th…
5.3
CVE-2025-13696 - Zigaform <= 7.6.5 - Unauthenticated Form Submission Data Disclosure in rocket_front_payment_seesumm…
The Zigaform plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.6.5. This is due to the plugin exposing a public AJAX endpoint that retrieves form submission data without performing authorization checks to verify ownership or access rights. This…
9
CVE-2025-12548 - Github.com/che-incubator/che-code: eclipse che — unauthenticated rce and secret exfiltration via tc…
A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration (SSH keys, tokens, etc.) from other users' Developer Workspace containers, via an unauthenticated JSON-RPC / websocket API exposed on TCP port 3333.
6.5
CVE-2025-12483 - Visualizer: Tables and Charts Manager for WordPress <= 3.11.12 - Authenticated (Contributor+) SQL I…
The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'query' parameter in all versions up to, and including, 3.11.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL quer…
4.3
CVE-2025-13140 - SurveyJS: Drag & Drop WordPress Form Builder <= 1.12.20 - Cross-Site Request Forgery to Survey Dele…
The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_DeleteSurvey AJAX action. This makes it possible for unauthenticated attackers to …
4.3
CVE-2025-13685 - Photo Gallery by Ays <= 6.4.8 - Cross-Site Request Forgery to Bulk Actions
The Photo Gallery by Ays plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.4.8. This is due to missing nonce verification on the bulk action functionality in the 'process_bulk_action()' function. This makes it possible for unauthenticated attac…
6.1
CVE-2025-13007 - WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed,…
The WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping on externally-sourced content. This makes it possible fo…
4.1
CVE-2025-13001 - Donation <= 1.0 - Admin+ SQLi
The donation WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing high privilege users, such as admin to perform SQL injection attacks
7.7
CVE-2025-13000 - DB Access <= 0.8.7 - Subscriber+ SQLi
The db-access WordPress plugin through 0.8.7 does not have authorization in an AJAX action, allowing any authenticated users, such as subscriber to perform SQLI attacks
6.5
CVE-2025-13606 - Export All Posts, Products, Orders, Refunds & Users <= 2.19 - Cross-Site Request Forgery to Sensiti…
The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrect nonce validation on the `parseData` function. This makes it possible for unauthenticated attackers…