8.8
CVE-2025-12161 - Smart Auto Upload Images <= 1.2.0 - Authenticated (Contributor+) Arbitrary File Upload
The Smart Auto Upload Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the auto-image creation functionality in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Contributor-level access and a…
6.1
CVE-2025-12193 - Mang Board WP <= 2.3.1 - Reflected Cross-Site Scripting
The Mang Board WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'mp' parameter in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts …
4.9
CVE-2025-11972 - Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.0 - Authenticated (Editor+)…
The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to SQL Injection via the 'post_types' parameter in all versions up to, and including, 3.40.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the e…
6.5
CVE-2025-7663 - Ovatheme Events Manager <= 1.8.6 - Missing Authorization
The Ovatheme Events Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the /class-ovaem-ajax.php file in all versions up to, and including, 1.8.6. This makes it possible for unauthenticated attackers to delete ticket files, do…
5.3
CVE-2025-12353 - WPFunnels <= 3.6.2 - Unauthorized User Registration
The WPFunnels – The Easiest Funnel Builder For WordPress And WooCommerce To Collect Leads And Increase Sales plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 3.6.2. This is due to the plugin relying on a user controlled value 'optin_allow_re…
5.3
CVE-2025-12042 - Course Booking System <= 6.1.5 - Missing Authorization to Unauthenticated Booking Data Export
The Course Booking System plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in the csv-export.php file in all versions up to, and including, 6.1.5. This makes it possible for unauthenticated attackers to directly access the file and obtain an export…
6.1
CVE-2025-12064 - WP2Social Auto Publish <= 2.4.7 - Reflected Cross-Site Scripting via PostMessage
The WP2Social Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 2.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web script…
5.3
CVE-2025-12177 - Download Manager <= 3.3.30 - Unauthenticated Cron Trigger due to Hardcoded Cron Key
The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired() and clearTempDataCPCron() functions in all versions up to, and including, 3.3.30. This makes it possible for unauthenticated attackers to trigger these cron jobs le…
4.3
CVE-2025-12167 - Contact Form 7 AWeber Extension <= 0.1.42 - Missing Authorization to Authenticated (Subscriber+) Lo…
The Contact Form 7 AWeber Extension plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_aweber_logreset' AJAX endpoint in all versions up to, and including, 0.1.42. This makes it possible for authenticated attackers, with Subscri…
6.4
CVE-2025-12583 - Simple Downloads List <= 1.4.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-…
The Simple Downloads List plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_neofix_sdl_edit' AJAX endpoint along with many others in all versions up to, and including, 1.4.3. This makes it possible for authenticated attackers, …