4.4
CVE-2025-8783 - Contact Manager <= 8.6.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'title'
The Contact Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in all versions up to, and including, 8.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access…
4.8
CVE-2025-9134 - AfterShip Package Tracker App com.aftership.AfterShip AndroidManifest.xml improper export of androi…
A security vulnerability has been detected in AfterShip Package Tracker App up to 5.24.1 on Android. The affected element is an unknown function of the file AndroidManifest.xml of the component com.aftership.AfterShip. The manipulation leads to improper export of android application components. The…
6.4
CVE-2025-8567 - Nexter Blocks <= 4.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widg…
The Nexter Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 4.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contr…
6.5
CVE-2025-41685 - SMA: Sunny Portal limited disclosure of personal data of registered users to an authenticated user
A low-privileged remote attacker can obtain the username of another registered Sunny Portal user by entering that user's email address.
5.3
CVE-2025-41689 - Wiesemann & Theis: Motherbox 3 allows unauthenticated read-only DB access
An unauthenticated remote attacker can gain access to the affected device without any password protection. This gives unprotected read-only access to the stored measurement data.
6.4
CVE-2025-8622 - Flexible Maps <= 1.18.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Flexible Map…
The Flexible Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Flexible Maps shortcode in all versions up to, and including, 1.18.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated a…
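The three stored XSS entries above (Contact Manager, Nexter Blocks, Flexible Map) share one root cause: a shortcode or widget attribute that any Contributor can type into a post reaches the rendered HTML without sanitization on input or escaping for the output context. The following is an added illustrative example, not code from any of those plugins; the shortcode name `demo_map`, its attributes and the function names are hypothetical. It shows the vulnerable pattern beside a hardened one.

```php
<?php
// Added illustrative example, not code from any of the plugins listed above.
// Hypothetical shortcode: [demo_map title="..." color="..."]

// Vulnerable pattern: shortcode attributes are user-controlled (a Contributor
// can write the shortcode into a post) and are concatenated into HTML as-is.
// Post-content filtering (kses) does not help, because the payload is not an
// HTML tag until the shortcode renders it into one.
function demo_map_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'color' => '#000000' ),
        $atts,
        'demo_map'
    );
    // title='" onmouseover="alert(document.cookie)' breaks out of data-title
    // and adds an event handler attribute to the div.
    return '<div class="demo-map" data-title="' . $atts['title'] . '"'
         . ' style="color:' . $atts['color'] . '">'
         . '<h3>' . $atts['title'] . '</h3></div>';
}

// Hardened pattern: sanitize on input, then escape on output with the function
// that matches the exact HTML context the value lands in.
function demo_map_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'color' => '#000000' ),
        $atts,
        'demo_map'
    );

    // Input sanitization: strip tags and control characters from free text,
    // and allow only a strict #rgb / #rrggbb form where a colour is expected.
    $title = sanitize_text_field( $atts['title'] );
    $color = preg_match( '/^#([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/', $atts['color'] )
        ? $atts['color']
        : '#000000';

    // Output escaping: esc_attr() for attribute values, esc_html() for text nodes.
    return '<div class="demo-map" data-title="' . esc_attr( $title ) . '"'
         . ' style="color:' . esc_attr( $color ) . '">'
         . '<h3>' . esc_html( $title ) . '</h3></div>';
}
add_shortcode( 'demo_map', 'demo_map_shortcode_safe' );
```

The check a reviewer applies to each plugin attribute is the same: find every place the attribute is printed, name the context (attribute, text node, URL, inline CSS, JavaScript) and confirm the matching `esc_*` function is called at that exact point; sanitization on save alone is not enough, because attributes can be written by roles that never pass through the plugin's own admin forms.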
8.8
CVE-2025-7654 - Multiple Plugins By FunnelKit <= (Various Versions) - Authenticated (Contributor+) Sensitive Inform…
Multiple FunnelKit plugins are vulnerable to Sensitive Information Exposure via the wf_get_cookie shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including authentication cookies of other site users, which may make pr…
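A shortcode that prints a cookie is dangerous because the PHP runs in the browser session of whoever views the post, so a Contributor-authored post can surface another user's cookies, including ones marked HttpOnly that JavaScript could never read. The following is an added illustrative example and not FunnelKit's code; the shortcode name `demo_get_cookie` and the allowlisted cookie names are hypothetical.

```php
<?php
// Added illustrative example, not FunnelKit's code. Shortcode and cookie
// names are hypothetical.

// Vulnerable: [demo_get_cookie name="wordpress_logged_in_<hash>"] placed in a
// post by a Contributor renders the *viewing* user's session cookie into the
// page. HttpOnly does not apply, since the value is read server-side in PHP.
function demo_get_cookie_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'name' => '' ), $atts, 'demo_get_cookie' );
    return isset( $_COOKIE[ $atts['name'] ] ) ? $_COOKIE[ $atts['name'] ] : '';
}

// Hardened: only an explicit allowlist of non-sensitive, site-defined cookies
// can be rendered, and the value is escaped for the HTML context it lands in.
function demo_get_cookie_safe( $atts ) {
    $allowed = array( 'demo_utm_source', 'demo_affiliate_id' ); // assumed site cookies
    $atts    = shortcode_atts( array( 'name' => '' ), $atts, 'demo_get_cookie' );
    $name    = $atts['name'];

    if ( ! in_array( $name, $allowed, true ) || ! isset( $_COOKIE[ $name ] ) ) {
        return '';
    }
    return esc_html( sanitize_text_field( wp_unslash( $_COOKIE[ $name ] ) ) );
}
add_shortcode( 'demo_get_cookie', 'demo_get_cookie_safe' );
```

The allowlist is the important part: any shortcode whose output is chosen by a name supplied in post content is effectively a read primitive over whatever that name indexes, and the set of readable keys has to be fixed by the site, not by the author of the post.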
7.5
CVE-2025-7670 - JS Archive List <= 6.1.5 - Unauthenticated SQL Injection via build_sql_where Function
The JS Archive List plugin for WordPress is vulnerable to time-based SQL Injection via the build_sql_where() function in all versions up to, and including, 6.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it …
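"Insufficient escaping" plus "lack of preparation" in a WordPress advisory almost always means request values interpolated into a SQL string instead of being bound through `$wpdb->prepare()`. The following is an added illustrative example, not the JS Archive List plugin's code; the `demo_build_where_*` functions and the year/month filter are hypothetical, chosen only to show why a time-based payload works against the vulnerable form and not against the prepared one.

```php
<?php
// Added illustrative example, not the JS Archive List plugin's code.
// Hypothetical: an archive widget filters posts by year and month taken from
// the request, e.g. ?year=2024&month=5.

// Vulnerable: request parameters are interpolated straight into the WHERE clause.
// A value such as  year=2024 AND SLEEP(5)  delays the response by ~5 seconds,
// which is the blind, time-based oracle the advisory describes. No output of
// the query is needed; the attacker measures response time.
function demo_build_where_vulnerable( $year, $month ) {
    return "WHERE post_status = 'publish'"
         . " AND YEAR(post_date) = $year"
         . " AND MONTH(post_date) = $month";
}

// Hardened: validate the type and range first, then bind every value through
// $wpdb->prepare(). With %d/%s placeholders the values can never change the
// shape of the query, only the compared constants.
function demo_build_where_safe( $year, $month ) {
    global $wpdb;

    $year  = absint( $year );
    $month = absint( $month );
    if ( $year < 1970 || $month < 1 || $month > 12 ) {
        return ''; // caller treats an empty WHERE as "no filter"
    }

    return $wpdb->prepare(
        'WHERE post_status = %s AND YEAR(post_date) = %d AND MONTH(post_date) = %d',
        'publish',
        $year,
        $month
    );
}

// Example consumer: the prepared fragment is safe to concatenate because it
// already contains fully quoted constants.
function demo_archive_count( $year, $month ) {
    global $wpdb;

    $where = demo_build_where_safe( $year, $month );
    return (int) $wpdb->get_var( "SELECT COUNT(*) FROM {$wpdb->posts} $where" );
}
```

Two details matter when auditing a function like this: `prepare()` must receive the values as separate arguments, never a string that was already concatenated, and identifiers (table or column names) cannot be bound with placeholders, so any identifier taken from the request has to be checked against an allowlist instead.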
9.8
CVE-2025-8723 - Cloudflare Image Resizing <= 1.5.6 - Missing Authentication to Unauthenticated Remote Code Executio…
The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to injec…
9.8
CVE-2025-6758 - Real Spaces - WordPress Properties Directory Theme <= 3.6 - Unauthenticated Privilege Escalation to…
The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the 'imic_agent_register' function in all versions up to, and including, 3.6. This is due to a lack of restriction in the registration role. This makes it possible for unauthenticate…
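"Lack of restriction in the registration role" describes a registration handler that takes the new account's role from the request rather than fixing it server-side, so an unauthenticated visitor can submit `role=administrator`. The following is an added illustrative example, not the Real Spaces theme's code; the AJAX action `demo_agent_register`, its request fields and the hard-coded role are hypothetical.

```php
<?php
// Added illustrative example, not the Real Spaces theme's code. The action
// name, request fields and nonce name are hypothetical.

// Vulnerable: the role is copied from the request into wp_insert_user(),
// so an unauthenticated POST with role=administrator creates an admin account.
function demo_agent_register_vulnerable() {
    $userdata = array(
        'user_login' => sanitize_user( $_POST['username'] ),
        'user_email' => sanitize_email( $_POST['email'] ),
        'user_pass'  => $_POST['password'],
        'role'       => $_POST['role'],          // attacker-controlled
    );
    $user_id = wp_insert_user( $userdata );
    wp_send_json( array( 'user_id' => $user_id ) );
}

// Hardened: the role is a server-side constant; the handler also honours the
// site's registration setting, checks a nonce and validates the inputs.
function demo_agent_register_safe() {
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }
    check_ajax_referer( 'demo_agent_register', 'nonce' );

    $login = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $pass  = (string) ( $_POST['password'] ?? '' );

    if ( '' === $login || ! is_email( $email ) || strlen( $pass ) < 12 ) {
        wp_send_json_error( 'Invalid registration data.', 400 );
    }

    $userdata = array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => 'subscriber',            // fixed; never read from the request
    );

    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_nopriv_demo_agent_register', 'demo_agent_register_safe' );
```

When reviewing a registration path, grep for every key that reaches `wp_insert_user()` or `wp_update_user()`: `role` is the obvious one, but the whole `$userdata` array should be built from named, validated variables rather than from `$_POST` wholesale, so that no other privilege-bearing field can be smuggled in alongside it.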