6.5
CVE-2025-39555 - WordPress Church Admin plugin <= 5.0.23 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in andy_moyle Church Admin allows Stored XSS. This issue affects Church Admin: from n/a through 5.0.23.
5.3
CVE-2025-39556 - WordPress Mediavine Control Panel plugin <= 2.10.6 - Sensitive Data Exposure vulnerability
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in mediavine Mediavine Control Panel allows Retrieve Embedded Sensitive Data. This issue affects Mediavine Control Panel: from n/a through 2.10.6.
9.1
CVE-2025-39557 - WordPress Kadence WooCommerce Email Designer plugin <= 1.5.14 - Arbitrary File Upload vulnerability
Unrestricted Upload of File with Dangerous Type vulnerability in Ben Ritner - Kadence WP Kadence WooCommerce Email Designer allows Upload a Web Shell to a Web Server. This issue affects Kadence WooCommerce Email Designer: from n/a through 1.5.14.
5.4
CVE-2025-39560 - WordPress Live Forms plugin <= 4.8.4 - Broken Access Control vulnerability
Missing Authorization vulnerability in Shahjada Live Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Live Forms: from n/a through 4.8.4.
6.5
CVE-2025-39563 - WordPress Conditional Payments for WooCommerce <= 3.3.0 - Cross Site Request Forgery (CSRF) Vulneraβ¦
Cross-Site Request Forgery (CSRF) vulnerability in WP Trio Conditional Payments for WooCommerce allows Cross Site Request Forgery. This issue affects Conditional Payments for WooCommerce: from n/a through 3.3.0.
6.5
CVE-2025-39564 - WordPress Conditional Shipping for WooCommerce <= 3.4.0 - Cross Site Request Forgery (CSRF) Vulneraβ¦
Cross-Site Request Forgery (CSRF) vulnerability in WP Trio Conditional Shipping for WooCommerce allows Cross Site Request Forgery. This issue affects Conditional Shipping for WooCommerce: from n/a through 3.4.0.
6.6
CVE-2025-39565 - WordPress MelaPress Login Security <= 2.1.0 - PHP Object Injection Vulnerability
Deserialization of Untrusted Data vulnerability in Melapress MelaPress Login Security allows Object Injection. This issue affects MelaPress Login Security: from n/a through 2.1.0.
7.6
CVE-2025-39566 - WordPress Hostel <= 1.1.5.6 - SQL Injection Vulnerability
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bob Hostel allows Blind SQL Injection. This issue affects Hostel: from n/a through 1.1.5.6.
8.8
CVE-2025-39570 - WordPress WPCOM Member <= 1.7.7 - Local File Inclusion Vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Lomu WPCOM Member allows PHP Local File Inclusion. This issue affects WPCOM Member: from n/a through 1.7.7.
4.3
CVE-2025-39571 - WordPress WowStore <= 4.2.4 - Broken Access Control Vulnerability
Missing Authorization vulnerability in WPXPO WowStore allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WowStore: from n/a through 4.2.4.