5.4
CVE-2025-12191 - PDF Catalog for WooCommerce <= 1.1.18 - Authenticated (Subscriber+) Stored Cross-Site Scripting
The PDF Catalog for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pdfcatalog' AJAX action in all versions up to, and including, 1.1.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscrβ¦
4.3
CVE-2025-12189 - Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents <=β¦
The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.11.1374. This is due to missing or incorrect nonce validation on the uploadImage() function. β¦
4.3
CVE-2025-12128 - Hide Categories Or Products On Shop Page <= 1.0.7 - Cross-Site Request Forgery to Settings Update
The Hide Categories Or Products On Shop Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.7. This is due to missing or incorrect nonce validation on the save_data_hcps() function. This makes it possible for unauthenticated attackers to uβ¦
4.3
CVE-2025-12133 - EPROLO Dropshipping <= 2.3.1 - Missing Authorization to Authenticated (Subscriber+) Tracking Data Mβ¦
The EPROLO Dropshipping plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wp_ajax_eprolo_delete_tracking and wp_ajax_eprolo_save_tracking_data AJAX endpoints in all versions up to, and including, 2.3.1. This makes it possible for authenβ¦
4.3
CVE-2025-12370 - Takeads <= 1.0.13 - Missing Authorization to Plugin Settings Deletion
The Takeads plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.13. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and β¦
8.8
CVE-2025-12153 - Featured Image via URL <= 0.1 - Authenticated (Contributor+) Arbitrary FIle Upload
The Featured Image via URL plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation function in all versions up to, and including, 0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on tβ¦
6.1
CVE-2025-13623 - Twitscription <= 0.1.1 - Reflected Cross-Site Scripting via admin.php PATH_INFO
The Twitscription plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the admin.php PATH_INFO in all versions up to, and including, 0.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scrβ¦
6.1
CVE-2025-13622 - Jabbernotification <= 0.99-RC2 - Reflected Cross-Site Scripting via admin.php PATH_INFO
The Jabbernotification plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the admin.php PATH_INFO in all versions up to, and including, 0.99-RC2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitraryβ¦
4.3
CVE-2025-10055 - Time Sheets <= 2.1.3 - Cross-Site Request Forgery
The Time Sheets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.3. This is due to missing or incorrect nonce validation on several endpoints. This makes it possible for unauthenticated attackers to perform a variety of actions via a forged β¦
8.8
CVE-2025-12181 - ContentStudio <= 1.3.7 - Authenticated (Author+) Arbitrary File Upload
The ContentStudio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the cstu_update_post() function in all versions up to, and including, 1.3.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrβ¦