4.3
CVE-2025-13756 - Fluent Booking β The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution <= β¦
The Fluent Booking plugin for WordPress is vulnerable to unauthorized calendar import and management due to a missing capability check on the "importCalendar" function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with subscriber level access and β¦
6.4
CVE-2025-13401 - Autoptimize <= 3.1.13 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the LCP Image to preload metabox in all versions up to, and including, 3.1.13 due to insufficient input sanitization and output escaping on user-supplied image attributes in the "create_img_preload_tag" function. β¦
10
CVE-2025-13390 - WP Directory Kit <= 1.4.4 - Authentication Bypass to Privilege Escalation via Account Takeover
The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak tokeβ¦
4.3
CVE-2025-13354 - Tag, Category, and Taxonomy Manager β AI Autotagger with OpenAI <= 3.40.1 - Missing Authorization tβ¦
The Tag, Category, and Taxonomy Manager β AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.40.1. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "taxopress_merge_terms_β¦
4.3
CVE-2025-13109 - HUSKY β Products Filter Professional for WooCommerce <= 1.3.7.2 - Authenticated (Subscriber+) Insecβ¦
The HUSKY β Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.2 via the "woof_add_query" and "woof_remove_query" functions due to missing validation on a user controlled key. This makes it β¦
4.3
CVE-2025-12358 - ShopEngine <= 4.8.5 - Cross-Site Request Forgery to Wishlist Manipulation
The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.5. This is due to missing nonce validation on the "post_add_to_list" function as well as an incorrect permissions callback in the "Api/init" β¦
9.8
CVE-2025-13342 - Frontend Admin by DynamiApps <= 3.28.20 - Unauthenticated Arbitrary Options Update
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validation in the ActionOptions::run() save handler. This makes it pβ¦
5.4
CVE-2025-12887 - Post SMTP β Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App <= 3.6.1 - Missing Aβ¦
The Post SMTP plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.1. This is due to the plugin not properly verifying that a user is authorized to update OAuth tokens on the 'handle_gmail_oauth_redirect' function. This makes it possible for authenticβ¦
6.5
CVE-2025-64527 - Envoy crashes when JWT authentication is configured with the remote JWKS fetching
Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy crashes when JWT authentication is configured with the remote JWKS fetching, allow_missing_or_failed is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch fβ¦
6.9
CVE-2025-39665 - Livestatus Injection in dynmaps
User enumeration in Nagvis' Checkmk MultisiteAuth before version 1.9.48 allows an unauthenticated attacker to enumerate Checkmk usernames.