4.3
CVE-2025-12133 - EPROLO Dropshipping <= 2.3.1 - Missing Authorization to Authenticated (Subscriber+) Tracking Data M…
The EPROLO Dropshipping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data AJAX endpoints in all versions up to, and including, 2.3.1. This makes it possible for authen…
4.3
CVE-2025-12370 - Takeads <= 1.0.13 - Missing Authorization to Plugin Settings Deletion
The Takeads plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.13. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and …
8.8
CVE-2025-12153 - Featured Image via URL <= 0.1 - Authenticated (Contributor+) Arbitrary FIle Upload
The Featured Image via URL plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on t…
6.1
CVE-2025-13623 - Twitscription <= 0.1.1 - Reflected Cross-Site Scripting via admin.php PATH_INFO
The Twitscription plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the admin.php PATH_INFO in all versions up to, and including, 0.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scr…
6.1
CVE-2025-13622 - Jabbernotification <= 0.99-RC2 - Reflected Cross-Site Scripting via admin.php PATH_INFO
The Jabbernotification plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the admin.php PATH_INFO in all versions up to, and including, 0.99-RC2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary…
4.3
CVE-2025-10055 - Time Sheets <= 2.1.3 - Cross-Site Request Forgery
The Time Sheets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.3. This is due to missing or incorrect nonce validation on several endpoints. This makes it possible for unauthenticated attackers to perform a variety of actions via a forged …
8.8
CVE-2025-12181 - ContentStudio <= 1.3.7 - Authenticated (Author+) Arbitrary File Upload
The ContentStudio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the cstu_update_post() function in all versions up to, and including, 1.3.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitr…
6.1
CVE-2025-13625 - WP-SOS-Donate Donation Sidebar Plugin <= 0.9.2 - Reflected Cross-Site Scripting via $_SERVER['PHP_S…
The WP-SOS-Donate Donation Sidebar Plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacke…
4.3
CVE-2025-13360 - Quantic Social Image Hover <= 1.0.8 - Cross-Site Request Forgery to Settings Update
The Quantic Social Image Hover plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's sett…
6.4
CVE-2025-12368 - Sermon Manager <= 2.30.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Sermon Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `sermon-views` shortcode in all versions up to, and including, 2.30.0. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticate…