6.4
CVE-2025-12163 - Omnipress <= 1.6.5 - Authenticated (Author+) Stored Cross-Site Scripting
The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to injโฆ
6.1
CVE-2025-13512 - CoSign Single Signon <= 0.3.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
The CoSign Single Signon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to injeโฆ
4.4
CVE-2025-12124 - FitVids for WordPress <= 4.0.1 - Authenticated (Admin+) Stored Cross-Site Scripting
The FitVids for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissโฆ
4.3
CVE-2025-13144 - ContentStudio <= 1.3.7 - Cross-Site Request Forgery to Settings Update
The ContentStudio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.7. This is due to missing or insufficient nonce validation on the add_cstu_settings function. This makes it possible for unauthenticated attackers to modify plugin settings vโฆ
5.3
CVE-2025-13312 - CRM Memberships <= 2.5 - Missing Authorization to Unauthenticated 'ntzcrm_add_new_tag' AJAX Action
The CRM Memberships plugin for WordPress is vulnerable to unauthorized membership tag creation due to a missing capability check on the 'ntzcrm_add_new_tag' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to create arbitrary membership tags aโฆ
5.3
CVE-2025-13006 - SurveyFunnel โ Survey Plugin for WordPress <= 1.1.5 - Unauthenticated Information Exposure
The SurveyFunnel โ Survey Plugin for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.5 via several unprotected /wp-json/surveyfunnel/v2/ REST API endpoints. This makes it possible for unauthenticated attackers to extract sensiโฆ
9.8
CVE-2025-13313 - CRM Memberships <= 2.6 - Missing Authorization to Privilege Escalation via Unauthenticated Passwordโฆ
The CRM Memberships plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 2.6. This is due to missing authorization and authentication checks on the `ntzcrm_changepassword` AJAX action. This makes it possible for unauthenticated attackerโฆ
4.3
CVE-2025-13362 - Norby AI <= 1.0.3 - Cross-Site Request Forgery to Settings Update
The Norby AI plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings and inject maโฆ
5.3
CVE-2025-13494 - SSP Debug <= 1.0.0 - Unauthenticated Sensitive Information Exposure
The SSP Debug plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0. This is due to the plugin storing PHP error logs in a predictable, web-accessible location (wp-content/uploads/ssp-debug/ssp-debug.log) without any access controls. This mโฆ
6.4
CVE-2025-12417 - SurveyFunnel โ Survey Plugin for WordPress <= 1.1.5 - Authenticated (Contributor+) Stored Cross-Sitโฆ
The SurveyFunnel โ Survey Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'surveyfunnel_lite_survey' shortcode in all versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makeโฆ