6.9

CVSS4.0

CVE-2025-62663 - Stored XSS through a system message in UploadWizard

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - UploadWizard Extension allows Stored XSS. This issue affects Mediawiki - UploadWizard Extension: from master before 1.39.

📅 Published: Oct. 18, 2025, 4:16 a.m. 🔄 Last Modified: Oct. 21, 2025, 7:31 p.m.

6.9

CVSS4.0

CVE-2025-62664 - Stored XSS through a system message in ImageRating

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - ImageRating Extension allows Stored XSS. This issue affects Mediawiki - ImageRating Extension: from master before 1.39.

📅 Published: Oct. 18, 2025, 4:13 a.m. 🔄 Last Modified: Oct. 21, 2025, 7:31 p.m.

6.9

CVSS4.0

CVE-2025-62665 - Stored XSS through system messages in Skin:BlueSky

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - Skin:BlueSky allows Stored XSS. This issue affects Mediawiki - Skin:BlueSky: from master before 1.39.

📅 Published: Oct. 18, 2025, 4:10 a.m. 🔄 Last Modified: Oct. 21, 2025, 7:31 p.m.

9.8

CVSS3.1

CVE-2017-20208 - RegistrationMagic - Custom Registration Forms <= 3.7.9.2 - PHP Object Injection

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to PHP Object Injection in all versions up to 3.7.9.3 (exclusive) via deserialization of untrusted input from the is_expired_by_date() function. This makes it possible fo…

📅 Published: Oct. 18, 2025, 3:33 a.m. 🔄 Last Modified: April 8, 2026, 5:20 p.m.

9.8

CVSS3.1

CVE-2017-20207 - Flickr Gallery <= 1.5.2 - Unauthenticated PHP Object Injection

The Flickr Gallery plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.5.2 via deserialization of untrusted input from the `pager` parameter. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vulnerabili…

📅 Published: Oct. 18, 2025, 3:33 a.m. 🔄 Last Modified: April 8, 2026, 5:17 p.m.

6.4

CVSS3.1

CVE-2020-36854 - Async JavaScript <= 2.19.07.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting

The Async JavaScript plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.19.07.14. This is due to missing authorization checks on the aj_steps AJAX action along with a lack of sanitization on the settings saved via the function. This makes it possi…

📅 Published: Oct. 18, 2025, 3:33 a.m. 🔄 Last Modified: April 8, 2026, 5:16 p.m.

9.8

CVSS3.1

CVE-2017-20206 - Appointments <= 2.2.1 - Unauthenticated PHP Object Injection

The Appointments plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.2.1 via deserialization of untrusted input from the `wpmudev_appointments` cookie. This allows unauthenticated attackers to inject a PHP Object. Attackers were actively exploiting this vu…

📅 Published: Oct. 18, 2025, 3:33 a.m. 🔄 Last Modified: April 8, 2026, 5:03 p.m.

7.2

CVSS3.1

CVE-2020-36853 - 10WebMapBuilder <= 1.0.63 - Unauthenticated Stored Cross-Site Scripting via Plugin Settings Change

The 10WebMapBuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Plugin Settings Change in versions up to, and including, 1.0.63 due to insufficient input sanitization and output escaping and a lack of capability checks. This makes it possible for unauthenticated attackers …

📅 Published: Oct. 18, 2025, 3:33 a.m. 🔄 Last Modified: April 8, 2026, 5:02 p.m.

5.4

CVSS3.1

CVE-2025-11378 - ShortPixel Image Optimizer <= 6.3.4 - Authenticated (Contributor+) Settings Import/Export

The ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'shortpixel_ajaxRequest' AJAX action in all versions up to, and including, 6.3.4. This makes it possible for authent…

📅 Published: Oct. 18, 2025, 3:33 a.m. 🔄 Last Modified: April 8, 2026, 4:41 p.m.

4.4

CVSS3.1

CVE-2025-40001 - scsi: mvsas: Fix use-after-free bugs in mvs_work_queue

In the Linux kernel, the following vulnerability has been resolved: scsi: mvsas: Fix use-after-free bugs in mvs_work_queue During the detaching of Marvell's SAS/SATA controller, the original code calls cancel_delayed_work() in mvs_free() to cancel the delayed work item mwq->work_q. However, if mw…

📅 Published: Oct. 18, 2025, midnight 🔄 Last Modified: Dec. 1, 2025, 6:16 a.m.

Total results: 343975