7.2
CVE-2025-12135 - WPBookit <= 1.0.6 - Unauthenticated Stored Cross-Site Scripting
The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'css_code' parameter in all versions up to, and including, 1.0.6 due to a missing capability check on the save_custome_code() function. This makes it possible for unauthenticated attackers to inject arbitrary webโฆ
6.1
CVE-2025-11885 - EchBay Admin Security <= 1.3.0 - Reflected Cross-Site Scripting
The EchBay Admin Security plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the '_ebnonce' parameter in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrarโฆ
4.3
CVE-2025-13142 - Custom Post Type <= 1.0 - Cross-Site Request Forgery to Custom Post Type Deletion
The Custom Post Type plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the custom post type deletion functionality. This makes it possible for unauthenticated attackers to delete custom post types vโฆ
6.4
CVE-2025-11768 - Islamic Phrases <= 2.12.2015 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Islamic Phrases plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'phrases' shortcode attribute in all versions up to, and including, 2.12.2015. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with cโฆ
6.4
CVE-2025-11770 - BrightTALK WordPress Shortcode <= 2.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
The BrightTALK WordPress Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'format' shortcode attribute in the brighttalk-time shortcode in all versions up to, and including, 2.4.0. This is due to insufficient input sanitization and output escaping. This makes it pโฆ
6.4
CVE-2025-11767 - Tips Shortcode <= 0.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Tips Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tip' shortcode in all versions up to, and including, 0.2.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level acโฆ
5.3
CVE-2025-12894 - Import WP โ Export and Import CSV and XML files to WordPress <= 2.14.17 - Unauthenticated Informatiโฆ
The Import WP โ Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.14.17 via the import/export functionality and a lack of .htaccess protection. This makes it possible for unauthenticated attaโฆ
6.4
CVE-2025-11801 - AudioTube <= 0.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
The AudioTube plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'caption' shortcode attribute of the 'audiotube' shortcode in all versions up to, and including, 0.0.3. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticateโฆ
8.8
CVE-2025-12138 - URL Image Importer <= 1.0.6 - Authenticated (Author+) Arbitrary File Upload
The URL Image Importer plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.0.6. This is due to the plugin relying on a user-controlled Content-Type HTTP header to validate file uploads in the 'uimptr_import_imโฆ
6.4
CVE-2025-11765 - Stock Tools <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Stock Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'image_height' and 'image_width' shortcode attributes in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attโฆ