5.3
CVE-2025-11237 - Make Email Customizer for WooCommerce <= 1.0.6 - Subscriber+ Arbitrary Options Update
The Make Email Customizer for WooCommerce WordPress plugin through 1.0.6 lacks proper authorization checks and option validation in its AJAX actions, allowing any authenticated user, such as a Subscriber, to update arbitrary WordPress options.
6.4
CVE-2025-12667 - GitHub Gist Shortcode Plugin <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The GitHub Gist Shortcode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'gist' shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Cβ¦
6.4
CVE-2025-12651 - Live Photos on WordPress <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shorβ¦
The Live Photos on WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'video_src', 'img_src', and 'class' parameters in the livephotos_photo shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on usβ¦
4.4
CVE-2025-12019 - Featured Image <= 2.1 - Authenticated (Admin+) Stored Cross-Site Scripting
The Featured Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image metadata in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and β¦
8.1
CVE-2025-11521 - Astra Security Suite β Firewall & Malware Scan <= 0.2 - Unauthenticated Arbitrary File Upload
The Astra Security Suite β Firewall & Malware Scan plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient validation of remote URLs for zip downloads and an easily guessable key in all versions up to, and including, 0.2. This makes it possible for unauthenticated attackersβ¦
5.3
CVE-2025-11999 - Add Multiple Marker <= 1.2 - Missing Authorization to Unauthenticated Settings Update
The Add Multiple Marker plugin for WordPress is vulnerable to unauthorized modification of data to due to a missing capability check on the addmultiplemarker_reset_map() and amm_save_map_api() functions in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers β¦
6.4
CVE-2025-12662 - Coon Google Maps <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Coon Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'height' parameter in the 'map' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible β¦
6.4
CVE-2025-11129 - Include fussball.de Widgets <= 4.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting viaβ¦
The Include Fussball.de Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'api' and 'type' parameters in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contβ¦
5.3
CVE-2025-11986 - Crypto Tool <= 2.22 - Unauthenticated Information Exposure via Global Authentication State
The Crypto plugin for WordPress is vulnerable to Information exposure in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that allows calling the register and savenft methods with only a publicβ¦
5.4
CVE-2025-12126 - The Total Book Project <= 1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Boβ¦
The The Total Book Project plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0 via several functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access andβ¦