5.5
CVE-2025-13993 - MailerLite – Signup forms (official) <= 1.7.16 - Authenticated (Administrator+) Stored Cross-Site S…
The MailerLite – Signup forms (official) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_description' and 'success_message' parameters in versions up to, and including, 1.7.16 due to insufficient input sanitization and output escaping. This makes it possible for auth…
4.3
CVE-2025-14074 - PDF for Contact Form 7 + Drag and Drop Template Builder <= 6.3.3 - Missing Authorization to Authent…
The PDF for Contact Form 7 + Drag and Drop Template Builder plugin for WordPress is vulnerable to unauthorized post duplication due to a missing capability check on the 'rednumber_duplicate' function in all versions up to, and including, 6.3.3. This makes it possible for authenticated attackers, wi…
9.1
CVE-2025-58130 - Apache Fineract: Server Key not masked
Insufficiently Protected Credentials vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release.
8.5
CVE-2025-23408 - Apache Fineract: weak password policy
Weak Password Requirements vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.10.1. The issue is fixed in version 1.11.0. Users are encouraged to upgrade to version 1.13.0, the latest release.
7.3
CVE-2025-40829 -
A vulnerability has been identified in Simcenter Femap (All versions < V2512). The affected application contains an uninitialized memory vulnerability while parsing specially crafted SLDPRT files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-27146)
6.5
CVE-2025-12960 - Simple CSV Table <= 1.0.1 - Directory Traversal to Authenticated (Contributor+) Arbitrary File Read
The Simple CSV Table plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.1 via the `href` parameter in the `[csv]` shortcode. This is due to insufficient path validation before concatenating user-supplied input to a base directory path. This makes it …
8.7
CVE-2025-67731 - Servify Express does not enforce rate limiting when parsing JSON
Servify Express is a Node.js package to start an Express server and log the port it's running on. Prior to 1.2, the Express server used express.json() without a size limit, which could allow attackers to send extremely large request bodies. This can cause excessive memory usage, degraded performanc…
5.1
CVE-2025-67730 - Frappe authenticated users can execute XSS through form description fields
Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in version 2.42.0.
7.5
CVE-2025-14169 - FunnelKit – Funnel Builder for WooCommerce Checkout <= 3.13.1.5 - Unauthenticated SQL Injection
The FunnelKit – Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'opid' parameter in all versions up to, and including, 3.13.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the …
3.5
CVE-2025-10583 - WP Fastest Cache Premium <= 1.7.4 - Missing Authorization to Authenticated (Subscriber+) Blind Serv…
The WP Fastest Cache Premium plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.7.4 via the 'get_server_time_ajax_request' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requ…