5.3

CVSS3.1

CVE-2025-12877 - IDonate – Blood Donation, Request And Donor Management System <= 2.1.15 - Missing Authorization to …

The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the panding_blood_request_action() function in all versions up to, and including, 2.1.15. This makes it possible for unauthe…

📅 Published: Nov. 22, 2025, 7:29 a.m. 🔄 Last Modified: April 21, 2026, 6:15 p.m.

5.3

CVSS3.1

CVE-2025-12752 - Subscriptions & Memberships for PayPal <= 1.1.7 - Unauthenticated Fake Payment Creation

The Subscriptions & Memberships for PayPal plugin for WordPress is vulnerable to fake payment creation in all versions up to, and including, 1.1.7. This is due to the plugin not properly verifying the authenticity of an IPN request. This makes it possible for unauthenticated attackers to create fak…

📅 Published: Nov. 22, 2025, 7:29 a.m. 🔄 Last Modified: April 22, 2026, 12:30 a.m.

7.5

CVSS3.1

CVE-2025-13384 - CP Contact Form with PayPal <= 1.3.56 - Missing Authorization to Unauthenticated Arbitrary Payment …

The CP Contact Form with PayPal plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.56. This is due to the plugin exposing an unauthenticated IPN-like endpoint (via the 'cp_contactformpp_ipncheck' query parameter) that processes payment confirmation…

📅 Published: Nov. 22, 2025, 7:29 a.m. 🔄 Last Modified: April 21, 2026, 6:15 p.m.

5.3

CVSS3.1

CVE-2025-13317 - Appointment Booking Calendar <= 1.3.96 - Missing Authorization to Arbitrary Booking Confirmation vi…

The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.96. This is due to the plugin exposing an unauthenticated booking processing endpoint (cpabc_appointments_check_IPN_verification) that trusts attacker-supplied paym…

📅 Published: Nov. 22, 2025, 7:29 a.m. 🔄 Last Modified: April 22, 2026, 12:30 a.m.

0.0

CVE-2025-13541 -

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.

📅 Published: Nov. 22, 2025, 7:22 a.m. 🔄 Last Modified: Nov. 24, 2025, 2:34 p.m.

6.4

CVSS3.1

CVE-2025-11186 - Cookie Notice & Compliance for GDPR / CCPA <= 2.5.8 - Authenticated (Contributor+) Stored Cross-Sit…

The Cookie Notice & Compliance for GDPR / CCPA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cookies_accepted shortcode in all versions up to, and including, 2.5.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes…

📅 Published: Nov. 22, 2025, 5:07 a.m. 🔄 Last Modified: April 22, 2026, 9:15 p.m.

2.3

CVSS4.0

CVE-2025-12889 - TLS 1.2 Client Can Downgrade Digest Used

With TLS 1.2 connections, a client can use any digest, specifically a weaker digest that is supported, rather than those in the CertificateRequest.

📅 Published: Nov. 21, 2025, 11:06 p.m. 🔄 Last Modified: Dec. 8, 2025, 3:39 p.m.

2.3

CVSS4.0

CVE-2025-11932 - Timing Side-Channel in PSK Binder Verification

The server previously verified the TLS 1.3 PSK binder using a non-constant-time method, which could potentially leak information about the PSK binder.

📅 Published: Nov. 21, 2025, 11:01 p.m. 🔄 Last Modified: Dec. 8, 2025, 3:39 p.m.

2.1

CVSS4.0

CVE-2025-11931 - Integer Underflow Leads to Out-of-Bounds Access in XChaCha20-Poly1305 Decrypt

Integer Underflow Leads to Out-of-Bounds Access in XChaCha20-Poly1305 Decrypt. This issue is hit specifically with a call to the function wc_XChaCha20Poly1305_Decrypt() which is not used with TLS connections, only from direct calls from an application.

📅 Published: Nov. 21, 2025, 10:57 p.m. 🔄 Last Modified: Dec. 8, 2025, 3:38 p.m.

1

CVSS4.0

CVE-2025-12888 - Constant Time Issue with Xtensa-based ESP32 and X25519

Vulnerability in X25519 constant-time cryptographic implementations due to timing side channels introduced by compiler optimizations and CPU architecture limitations, specifically with the Xtensa-based ESP32 chips. If targeting Xtensa it is recommended to use the low memory implementations of X2551…

📅 Published: Nov. 21, 2025, 10:50 p.m. 🔄 Last Modified: Dec. 8, 2025, 3:51 p.m.