7.3
CVE-2025-11446 -
Insertion of Sensitive Information into Log File vulnerability in upKeeper Solutions upKeeper Manager allows Use of Known Domain Credentials. This issue affects upKeeper Manager: from 5.2.0 before 5.2.12.
8
CVE-2025-13035 - Code Snippets <= 3.9.1 - Authenticated (Contributor+) PHP Code Injection via extract() and PHP Filt…
The Code Snippets plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.9.1. This is due to the plugin's use of extract() on attacker-controlled shortcode attributes within the `evaluate_shortcode_from_flat_file` method, which can be used to overwrite the …
7.2
CVE-2025-13206 - GiveWP - Donation Plugin and Fundraising Platform <= 4.13.0 - Unauthenticated Stored Cross-Site Scr…
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter in all versions up to, and including, 4.13.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attack…
7.2
CVE-2025-12484 - Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Fol…
The Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple social media username parameters in all versions up to, and including, 1.12.19 due to insufficient input sanit…
8.3
CVE-2025-11243 - Allocation of Resources Without Limits or Throttling in Shelly Pro 4PM
Allocation of Resources Without Limits or Throttling vulnerability in Shelly Pro 4PM (before v1.6) allows Excessive Allocation via network.
8.3
CVE-2025-12056 - Out-of-bounds Read in Shelly Pro 3EM
Out-of-bounds Read in Shelly Pro 3EM (before v1.4.4) allows Overread Buffers.
5.3
CVE-2025-12535 - SureForms <= 1.13.1 - Cross-Site Request Forgery Protection Bypass via Improper Nonce Distribution
The SureForms plugin for WordPress is vulnerable to Cross-Site Request Forgery Bypass in all versions up to, and including, 1.13.1. This is due to the plugin distributing generic WordPress REST API nonces (wp_rest) to unauthenticated users via the 'wp_ajax_nopriv_rest-nonce' action. While the plugi…
4.3
CVE-2025-13085 - SiteSEO – SEO Simplified <= 1.3.2 - Insecure Direct Object Reference to Sensitive Post Meta Disclos…
The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Improper Authorization leading to Sensitive Post Meta Disclosure in versions up to and including 1.3.2. This is due to missing object-level authorization checks in the resolve_variables() AJAX handler. This makes it possible for aut…
9.8
CVE-2025-12057 - WavePlayer < 3.8.0 - Unauthenticated Arbitrary File Upload
The WavePlayer WordPress plugin before 3.8.0 does not have an authorization check in an AJAX action and does not validate the file to be copied locally, allowing unauthenticated users to upload arbitrary files to the server, leading to RCE.
5.3
CVE-2025-12814 - SiteSEO – SEO Simplified <= 1.3.2 - Improper Authorization to Authenticated Settings Reset
The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect capability check on the siteseo_reset_settings function in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, who have been granted acce…