10
CVE-2025-64090 - Authenticated Remote Code Execution in device hostname
This vulnerability allows authenticated attackers to execute commands via the hostname of the device.
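The advisory names only the sink (the device hostname), not how the value reaches a command. The common root cause for this bug class is a hostname string interpolated into a line handed to the shell, so the example below takes that as an assumed pattern and puts it beside the fix: strict RFC 1123 validation plus an argv list that no shell parses. This is an added example, not code from the affected device or vendor; the payload is constructed, and nothing in it executes a command.

```python
# Added example, not code from the affected device. The advisory names only
# the sink (the device hostname), so the shell-string pattern in
# vulnerable_command() is the assumed, common root cause for this bug class,
# not a description of the real firmware. Nothing here executes a command.
import re
import shlex

# RFC 1123 label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_valid_hostname(name: str) -> bool:
    """Strict allowlist: shell metacharacters, spaces and empty labels all fail."""
    if not 1 <= len(name) <= 253:
        return False
    return all(_LABEL.fullmatch(label) for label in name.split("."))

def vulnerable_command(hostname: str) -> str:
    """Assumed bug pattern: user input pasted into a line handed to /bin/sh -c."""
    return f"hostname {hostname} && echo {hostname} > /etc/hostname"

def hardened_argv(hostname: str) -> list[str]:
    """Fix: validate, then pass an argv list so no shell ever parses the value."""
    if not is_valid_hostname(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    return ["hostname", hostname]   # e.g. subprocess.run(argv, check=True)

_CONTROL_OPS = {";", "&&", "||", "|", "&"}

def shell_commands(cmdline: str) -> list[list[str]]:
    """Tokenize like sh would and split at control operators, to show what a
    shell would actually run for a given line (without running it)."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in _CONTROL_OPS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands

if __name__ == "__main__":
    payload = "router; id"          # constructed attacker-controlled hostname
    for cmd in shell_commands(vulnerable_command(payload)):
        print("shell would run:", cmd)
    print("hardened:", hardened_argv("router-01.lan"))
    try:
        hardened_argv(payload)
    except ValueError as exc:
        print("hardened:", exc)
```

With the payload `router; id`, the interpolated line splits into four commands, two of them `id`; the hardened path rejects the same input before anything is built. Validation alone is not the fix, the argv list is: a value that passes validation still must never be re-joined into a shell string later.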
6.1
CVE-2025-13895 - Top Position Google Finance <= 0.1.0 - Reflected Cross-Site Scripting
The Top Position Google Finance plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers t…
6.4
CVE-2025-13900 - WP Popup Magic <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Short…
The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the [wppum_end] shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…
6.4
CVE-2025-13853 - Nearby Now Reviews <= 5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode …
The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data_tech' parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, w…
6.4
CVE-2025-13729 - Entry Views <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Entry Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'entry-views' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated att…
6.4
CVE-2026-0627 - AMP for WP <= 1.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG File Upload
The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowing other XSS vectors such as event handlers …
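The failure mode described here is generic to any blocklist SVG filter: an SVG is XML, and script can ride in on event-handler attributes, `javascript:` hrefs and a `<foreignObject>` carrying XHTML, none of which a `<script>`-stripping regex touches. The example below is added here and is not code from AMP for WP or any other plugin; it runs a constructed upload through a `<script>`-only filter and then through an allowlist sanitizer that keeps only known drawing elements and presentation attributes in the SVG namespace. The element and attribute allowlists are the example's own choices, not a standard.

```python
# Added example, not code from AMP for WP or any other plugin. It contrasts the
# blocklist filter the advisory describes (only <script> removed) with an
# allowlist sanitizer, run over a constructed SVG upload carrying several vectors.
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # serialize back with a default xmlns, not ns0:

# Constructed payload: every vector here survives a <script>-only filter.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(document.domain)">
  <script>alert(1)</script>
  <rect x="10" y="10" width="80" height="80" fill="#09f" onmouseover="alert(2)"/>
  <a xlink:href="javascript:alert(3)"><circle cx="50" cy="50" r="20"/></a>
  <foreignObject width="100" height="100">
    <body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(4)"/></body>
  </foreignObject>
</svg>"""

def blocklist_strip_script(svg: str) -> str:
    """The weak approach: delete <script> elements and trust everything else."""
    return re.sub(r"<script\b[^>]*>.*?</script\s*>", "", svg, flags=re.I | re.S)

# Allowlists (this example's own choice): drawing primitives and presentation
# attributes only. No href/xlink:href (javascript:, data:), no style (url()),
# no on* handlers, no foreignObject/use/image/script, nothing outside SVG_NS.
ALLOWED_ELEMENTS = {
    "svg", "g", "defs", "title", "desc", "path", "rect", "circle", "ellipse",
    "line", "polyline", "polygon", "text", "tspan", "linearGradient",
    "radialGradient", "stop", "clipPath",
}
ALLOWED_ATTRS = {
    "id", "class", "d", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx", "ry",
    "width", "height", "viewBox", "points", "transform", "fill", "stroke",
    "stroke-width", "fill-opacity", "stroke-opacity", "opacity", "offset",
    "stop-color", "font-size", "font-family", "text-anchor", "clip-path",
}

def _ns(qname: str) -> str:
    return qname[1:qname.index("}")] if qname.startswith("{") else ""

def _local(qname: str) -> str:
    return qname.rsplit("}", 1)[-1]

def _scrub(elem: ET.Element) -> None:
    # Attributes: keep only unnamespaced, allowlisted names (drops on*, xlink:href, style).
    for attr in list(elem.attrib):
        if _ns(attr) or _local(attr) not in ALLOWED_ATTRS:
            del elem.attrib[attr]
    # Children: anything not SVG-namespaced and allowlisted is removed together
    # with its whole subtree, which is what takes out foreignObject and its XHTML.
    for child in list(elem):
        if _ns(child.tag) != SVG_NS or _local(child.tag) not in ALLOWED_ELEMENTS:
            elem.remove(child)
        else:
            _scrub(child)

def allowlist_sanitize(svg: str) -> str:
    """Parse, keep only known-safe structure, re-serialize. Raises on non-SVG input."""
    # For production use, parse with defusedxml as well to block entity-expansion attacks.
    root = ET.fromstring(svg)
    if _ns(root.tag) != SVG_NS or _local(root.tag) != "svg":
        raise ValueError("upload is not an SVG document")
    _scrub(root)
    return ET.tostring(root, encoding="unicode")

_DANGER = re.compile(r"\bon\w+\s*=|javascript:|<foreignObject|<script", re.I)

def residual_vectors(svg: str) -> list[str]:
    """Demo check only: which known vectors are still present in the output."""
    return sorted({m.group(0).lower().rstrip("= ") for m in _DANGER.finditer(svg)})

if __name__ == "__main__":
    print("blocklist leaves:", residual_vectors(blocklist_strip_script(SAMPLE_SVG)))
    print("allowlist leaves:", residual_vectors(allowlist_sanitize(SAMPLE_SVG)))
```

The blocklist output still carries `onload`, `onmouseover`, `onerror`, a `javascript:` href and the `<foreignObject>`; the allowlist output is the bare `<svg>` with its `<rect>`. The point is the direction of the decision: the sanitizer has to say what is permitted, because the set of things that execute script in an SVG is open-ended and changes with browsers. Serving uploaded SVGs with `Content-Disposition: attachment` or from a separate origin is the usual second layer, since even a clean SVG rendered inline still runs in the site's origin.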
7.2
CVE-2025-14657 - Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) <= 4…
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenti…
4.3
CVE-2025-13753 - WP Table Builder <= 2.0.19 - Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Table…
The WP Table Builder – Drag & Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the save_table() function in all versions up to, and including, 2.0.19. This makes it possible for authenticated attackers, with Subscr…
4.3
CVE-2025-13935 - Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated …
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_complete' function. This makes it possible for authenticated atta…
4.3
CVE-2025-13934 - Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated …
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_enrollment()` AJAX handler. This makes it pos…