7.5

CVSS3.1

CVE-2025-11517 - Event Tickets and Registration <= 5.26.5 - Unauthenticated Ticket Payment Bypass

The Event Tickets and Registration plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 5.26.5. This is due to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint not verifying that a ticket type should be free, allowing the user to bypass the payment. Th…

📅 Published: Oct. 18, 2025, 6:42 a.m. 🔄 Last Modified: April 8, 2026, 4:41 p.m.

4.3

CVSS3.1

CVE-2025-11742 - WPC Smart Wishlist for WooCommerce <= 5.0.4 - Missing Authorization to Authenticated (Subscriber+) …

The WPC Smart Wishlist for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wishlist_quickview' AJAX action in all versions up to, and including, 5.0.4. This makes it possible for authenticated attackers, with Subscriber-level a…

📅 Published: Oct. 18, 2025, 5:41 a.m. 🔄 Last Modified: April 8, 2026, 4:56 p.m.

6.4

CVSS3.1

CVE-2025-11857 - XX2WP Integration Tools <= 1.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

The XX2WP Integration Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mxp_fb2wp_display_embed' shortcode in all versions up to, and including, 1.9.9. This is due to the plugin not properly sanitizing user input and output of the 'post_id' parameter. This makes it po…

📅 Published: Oct. 18, 2025, 5:41 a.m. 🔄 Last Modified: April 8, 2026, 4:55 p.m.

5.3

CVSS3.1

CVE-2025-11738 - Media Library Assistant <= 3.29 - Unauthenticated Limited File Read

The Media Library Assistant plugin for WordPress is vulnerable to limited file reading in all versions up to, and including, 3.29 via the mla-stream-image.php file. This makes it possible for unauthenticated attackers to read the contents of arbitrary ai/eps/pdf/ps files on the server, which can co…

📅 Published: Oct. 18, 2025, 5:41 a.m. 🔄 Last Modified: April 8, 2026, 4:49 p.m.

6.9

CVSS4.0

CVE-2025-11937 - Stored XSS through a system message in SecurePoll

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - SecurePoll Extension allows Stored XSS. This issue affects Mediawiki - SecurePoll Extension: master.

📅 Published: Oct. 18, 2025, 5:14 a.m. 🔄 Last Modified: Oct. 21, 2025, 7:31 p.m.

6.9

CVSS4.0

CVE-2025-62666 - DoS vector through the cirrusbuilddoc query API

Allocation of Resources Without Limits or Throttling vulnerability in The Wikimedia Foundation Mediawiki - CirrusSearch Extension allows HTTP DoS. This issue affects Mediawiki - CirrusSearch Extension: from master before 1.43.

📅 Published: Oct. 18, 2025, 4:47 a.m. 🔄 Last Modified: Oct. 21, 2025, 7:31 p.m.

6.9

CVSS4.0

CVE-2025-62667 - Stored XSS through article extracts in GrowthExperiments

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Stored XSS. This issue affects Mediawiki - GrowthExperiments Extension: from master before 1.39.

📅 Published: Oct. 18, 2025, 4:42 a.m. 🔄 Last Modified: Oct. 21, 2025, 7:31 p.m.

6.9

CVSS4.0

CVE-2025-62668 - Insufficient permission checks in action=growthsetmentor

Incorrect Default Permissions vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments Extension allows Resource Leak Exposure. This issue affects Mediawiki - GrowthExperiments Extension: from master before 1.39.

📅 Published: Oct. 18, 2025, 4:39 a.m. 🔄 Last Modified: Oct. 21, 2025, 7:31 p.m.

6.9

CVSS4.0

CVE-2025-62669 - UserInfoCard: activeLocalBlocksAllWikis does not do permissions checks

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure. This issue affects Mediawiki - CentralAuth Extension: from master before 1.39.

📅 Published: Oct. 18, 2025, 4:34 a.m. 🔄 Last Modified: Oct. 21, 2025, 7:31 p.m.

6.9

CVSS4.0

CVE-2025-62670 - Stored XSS through a system message in FlexDiagrams

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - FlexDiagrams Extension allows Stored XSS. This issue affects Mediawiki - FlexDiagrams Extension: master.

📅 Published: Oct. 18, 2025, 4:29 a.m. 🔄 Last Modified: Oct. 21, 2025, 7:31 p.m.