5.9
CVE-2025-64264 - WordPress Popup addon for Ninja Forms plugin <= 3.5.1 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aman Popup addon for Ninja Forms popup-addon-for-ninja-forms allows Stored XSS. This issue affects Popup addon for Ninja Forms: from n/a through <= 3.5.1.
5.4
CVE-2025-64263 - WordPress WP Content Pilot plugin <= 2.1.7 - Broken Access Control vulnerability
Missing Authorization vulnerability in PluginEver WP Content Pilot wp-content-pilot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Content Pilot: from n/a through <= 2.1.7.
6.5
CVE-2025-64262 - WordPress Auto Prune Posts plugin <= 3.0.0 - Cross Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in ramon fincken Auto Prune Posts auto-prune-posts allows Cross Site Request Forgery. This issue affects Auto Prune Posts: from n/a through <= 3.0.0.
5.4
CVE-2025-64261 - WordPress Appointment Booking Calendar plugin <= 1.3.95 - Broken Access Control vulnerability
Missing Authorization vulnerability in codepeople Appointment Booking Calendar appointment-booking-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Appointment Booking Calendar: from n/a through <= 1.3.95.
5.3
CVE-2025-64259 - WordPress Theater for WordPress plugin <= 0.18.8 - Broken Access Control vulnerability
Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Theater for WordPress: from n/a through <= 0.18.8.
5.4
CVE-2025-7704 - Supermicro BMC SMASH services has a Stack-based buffer overflow vulnerability
Supermicro BMC Insyde SMASH shell program has a stack-based overflow vulnerability.
6.4
CVE-2025-11769 - WordPress Content Flipper <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The WordPress Content Flipper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bgcolor' shortcode attribute of the 'flipper_front' shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping. This makes it possibl…
5.3
CVE-2025-11260 - WP Headless CMS Framework <= 1.15 - Unauthenticated Protection Mechanism Bypass
The WP Headless CMS Framework plugin for WordPress is vulnerable to protection mechanism bypass in all versions up to, and including, 1.15. This is due to the plugin only checking for the existence of the Authorization header in a request when determining if the nonce protection should be bypassed.…
6.4
CVE-2025-10295 - Angel – Fashion Model Agency WordPress CMS Theme <= 3.2.3 - Authenticated (Subscriber+) Stored Cros…
The Angel – Fashion Model Agency WordPress CMS Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the profile media uploader in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers…
6.4
CVE-2025-8397 - Save as PDF Button <= 1.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via restpack…
The Save as PDF Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's restpackpdfbutton shortcode in all versions up to, and including, 1.9.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authen…