7.5

CVSS3.1

CVE-2025-7670 - JS Archive List <= 6.1.5 - Unauthenticated SQL Injection via build_sql_where Function

The JS Archive List plugin for WordPress is vulnerable to time-based SQL Injection via the build_sql_where() function in all versions up to, and including, 6.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it …

📅 Published: Aug. 19, 2025, 7:26 a.m. 🔄 Last Modified: Aug. 19, 2025, 1:42 p.m.

9.8

CVSS3.1

CVE-2025-8723 - Cloudflare Image Resizing <= 1.5.6 - Missing Authentication to Unauthenticated Remote Code Executio…

The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to injec…

📅 Published: Aug. 19, 2025, 7:26 a.m. 🔄 Last Modified: Aug. 19, 2025, 1:42 p.m.

9.8

CVSS3.1

CVE-2025-6758 - Real Spaces - WordPress Properties Directory Theme <= 3.6 - Unauthenticated Privilege Escalation to…

The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the 'imic_agent_register' function in all versions up to, and including, 3.6. This is due to a lack of restriction in the registration role. This makes it possible for unauthenticate…

📅 Published: Aug. 19, 2025, 6:45 a.m. 🔄 Last Modified: Aug. 19, 2025, 1:42 p.m.

8.8

CVSS3.1

CVE-2025-8218 - Real Spaces - WordPress Properties Directory Theme <= 3.5 - Authenticated (Subscriber+) Privilege E…

The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the 'change_role_member' parameter in all versions up to, and including, 3.5. This is due to a lack of restriction in the profile update role. This makes it possible for unauthentica…

📅 Published: Aug. 19, 2025, 6:45 a.m. 🔄 Last Modified: Aug. 19, 2025, 1:42 p.m.

0.0

CVE-2025-38553 - net/sched: Restrict conditions for adding duplicating netems to qdisc tree

In the Linux kernel, the following vulnerability has been resolved: net/sched: Restrict conditions for adding duplicating netems to qdisc tree netem_enqueue's duplication prevention logic breaks when a netem resides in a qdisc tree with other netems - this can lead to a soft lockup and OOM loop i…

📅 Published: Aug. 19, 2025, 6:06 a.m. 🔄 Last Modified: Aug. 19, 2025, 6:06 a.m.

4.3

CVSS3.1

CVE-2025-8357 - Media Library Assistant <= 3.27 - Authenticated (Author+) Limited File Deletion

The Media Library Assistant plugin for WordPress is vulnerable to arbitrary file deletion in the /wp-content/uploads directory due to insufficient file path validation and user capability checking in the _process_mla_download_file function in all versions up to, and including, 3.27. This makes it p…

📅 Published: Aug. 19, 2025, 4:26 a.m. 🔄 Last Modified: Aug. 19, 2025, 7:21 p.m.

6.4

CVSS3.1

CVE-2025-7496 - WPC Smart Compare for WooCommerce <= 6.4.7 - Authenticated (Contributor+) DOM-Based Stored Cross-Si…

The WPC Smart Compare for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via DOM elements in all versions up to, and including, 6.4.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level…

📅 Published: Aug. 19, 2025, 3:39 a.m. 🔄 Last Modified: Aug. 19, 2025, 7:22 p.m.

0.0

CVE-2025-51488 -

A stored cross-site scripting (XSS) vulnerability in the Create Admin function of MoonShine v3.12.3 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter.

📅 Published: Aug. 19, 2025, midnight 🔄 Last Modified: Aug. 19, 2025, 2:51 p.m.

0.0

CVE-2025-50891 -

Adform Site Tracking 1.1 allows attackers to inject HTML or execute arbitrary code via cookie hijacking.

📅 Published: Aug. 19, 2025, midnight 🔄 Last Modified: Aug. 19, 2025, 7:03 p.m.

0.0

CVE-2025-50938 -

Cross site scripting (XSS) vulnerability in Hustoj 2025-01-31 via the TID parameter to thread.php.

📅 Published: Aug. 19, 2025, midnight 🔄 Last Modified: Aug. 19, 2025, 4:05 p.m.
Total results: 306270
Page 30 of 30,627