4.3
CVE-2025-11887 - Supervisor <= 1.3.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update
The Supervisor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX functions in all versions up to, and including, 1.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update varioβ¦
6.3
CVE-2025-10740 - URL Shortener Plugin For WordPress <= 3.0.7 - Missing Authorization to Authenticated (Subscriber+) β¦
The URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to unauthorized access to functionality provided by the API due to a missing capability check on the verifyRequest function in all versions up to, and including, 3.0.7. This makes it possible for authenticated attackers, withβ¦
4.3
CVE-2025-12072 - Disable Content Editor For Specific Template <= 2.0 - Cross-Site Request Forgery to Template Configβ¦
The Disable Content Editor For Specific Template plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing nonce validation on template configuration updates. This makes it possible for unauthenticated attackers to add or deleβ¦
6.1
CVE-2025-11992 - Multi Item Responsive Slider <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
The Multi Item Responsive Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'mioptions.php' page. This makes it possible for unauthenticated attackers to update settings and β¦
4.4
CVE-2025-12016 - qnotsquiz <= 1.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting
The qnotsquiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'qnotsquiz_custom_start_text' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administraβ¦
8.1
CVE-2025-62868 - WordPress Edge CPT plugin <= 1.4 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Edge CPT allows PHP Local File Inclusion.This issue affects Edge CPT: from n/a through 1.4.
9.8
CVE-2025-6440 - WooCommerce Designer Pro <= 1.9.26 - Unauthenticated Arbitrary File Upload
The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This mβ¦
5.3
CVE-2025-9158 - Stored XSS in Request Tracker
The Request Tracker software is vulnerable to a Stored XSS vulnerability in calendar invitation parsing feature, which displays invitation data without HTML sanitization.Β XSS vulnerability allows an attacker to send a specifically crafted e-mail enabling JavaScript code execution by displaying the β¦
6.8
CVE-2025-9978 - Jeg Elementor Kit < 2.7.0 - Author+ Stored XSS
The Jeg Kit for Elementor WordPress plugin before 2.7.0 does not sanitize SVG file contents when uploaded via xmlrpc.php, leading to a cross site scripting vulnerability.
5.5
CVE-2025-10874 - Orbit Fox < 3.0.2 - Author+ Server-Side Request Forgery
The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More WordPress plugin before 3.0.2 does not limit URLs which may be used for the stock photo import feature, allowing the user to specify arbitrary URLs. This leads to a server-side request forgery as the user mayβ¦