CVSS: 4.4
CVE-2025-11753 - Multi-language Responsive Portfolio WordPress <= 1.0 - Authenticated (Admin+) Stored Cross-Site Scr…
The Bootstrap Multi-language Responsive Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with admin…
CVSS: 9.8
CVE-2025-12158 - Simple User Capabilities <= 1.0 - Missing Authorization to Authenticated (Subscriber+) Privilege Es…
The Simple User Capabilities plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the suc_submit_capabilities() function in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to elevate the role of any user account…
CVSS: 6.1
CVE-2025-12452 - Visit Counter 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
The Visit Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the widgets.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged requ…
CVSS: 7.2
CVE-2025-11733 - Footnotes Made Easy <= 3.0.7 - Unauthenticated Stored Cross-Site Scripting
The Footnotes Made Easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 3.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts …
CVSS: 4.4
CVE-2025-12065 - WP Carticon <= 1.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting
The WP Carticon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'carticon_js_script' parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-lev…
CVSS: 4.4
CVE-2025-12371 - Nari Accountant <= 1.0.12 - Authenticated (Editor+) Stored Cross-Site Scripting
The Nari Accountant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via account settings in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and a…
CVSS: 4.3
CVE-2025-12389 - Import Export For WooCommerce <= 1.6.2 - Missing Authorization to Authenticated (Subscriber+) Setti…
The Import Export For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_setting() function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access …
CVSS: 7.5
CVE-2025-11704 - Elegance Menu <= 1.9 - Authenticated (Contributor+) Local File Inclusion
The Elegance Menu plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9 via the 'elegance-menu' attribute of the `elegance-menu` shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and exec…
CVSS: 6.1
CVE-2025-12402 - LinkedIn Resume <= 2.00 - Cross-Site Request Forgery to Stored Cross-Site Scripting
The LinkedIn Resume plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.00. This is due to missing or incorrect nonce validation on the linkedinresume_printAdminPage() function. This makes it possible for unauthenticated attackers to update setti…
CVSS: 6.1
CVE-2025-12415 - MapMap <= 1.1 - Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting
The MapMap plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the admin_shortcode_submit, admin_configuration_submit, and admin_shortcode_delete functions. This makes it possible for una…
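The remaining entries on this page describe three recurring defects in a single plugin settings handler: a missing capability check (Simple User Capabilities, Import Export For WooCommerce), missing or incorrect nonce validation that turns the handler into a CSRF target (Visit Counter, LinkedIn Resume, MapMap), and insufficient sanitization on save plus missing escaping on output, which is what makes the stored value a Stored XSS (Multi-language Responsive Portfolio, Footnotes Made Easy, WP Carticon, Nari Accountant). The PHP below is an added illustration, not code from any of those plugins; the `example_widget` plugin, its `message` option and the form are assumptions. The vulnerable handler shows all three defects together, the hardened one fixes each at the layer where it belongs.

```php
<?php
// Added illustration of the settings-handler bug classes listed on this page; not code
// from any plugin named here. Plugin name, option name and form fields are assumptions.

// --- Vulnerable pattern ---
// 1. No capability check: any request that reaches the hook is honoured.
// 2. The nopriv hook is registered and no nonce is checked: a forged cross-site POST
//    from any visitor's browser updates the setting (CSRF -> settings update).
// 3. Raw input is stored and echoed unescaped: the stored value becomes Stored XSS.
add_action( 'admin_post_nopriv_example_widget_save', 'example_widget_save_vulnerable' );
add_action( 'admin_post_example_widget_save', 'example_widget_save_vulnerable' );
function example_widget_save_vulnerable() {
    update_option( 'example_widget_message', $_POST['message'] ); // raw input stored
    wp_safe_redirect( admin_url( 'options-general.php?page=example-widget' ) );
    exit;
}
function example_widget_render_vulnerable() {
    echo '<div class="example-widget">' . get_option( 'example_widget_message' ) . '</div>'; // unescaped
}

// --- Hardened pattern ---
// Only the logged-in hook is registered, so logged-out requests never reach the handler.
add_action( 'admin_post_example_widget_save', 'example_widget_save_hardened' );
function example_widget_save_hardened() {
    // Authorization: require an explicit capability, not merely "is logged in".
    // This is the check whose absence the "Missing Authorization" entries describe.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF: the nonce binds the request to this user's session and this action.
    // check_admin_referer() calls wp_die() on a missing, stale or mismatched nonce.
    check_admin_referer( 'example_widget_save', 'example_widget_nonce' );

    // Input sanitization on save: strip tags, NUL bytes and stray whitespace.
    $message = isset( $_POST['message'] )
        ? sanitize_text_field( wp_unslash( $_POST['message'] ) )
        : '';
    update_option( 'example_widget_message', $message );

    wp_safe_redirect( admin_url( 'options-general.php?page=example-widget' ) );
    exit;
}

// Settings form: emits the hidden nonce field that the hardened handler verifies.
function example_widget_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_widget_save">
        <?php wp_nonce_field( 'example_widget_save', 'example_widget_nonce' ); ?>
        <input type="text" name="message"
               value="<?php echo esc_attr( get_option( 'example_widget_message', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Output escaping, for the context the value lands in (HTML text here, esc_attr() above
// for an attribute). Sanitizing on save is not a substitute: options can be written by
// other code paths, and escaping is what actually neutralises a stored payload.
function example_widget_render_hardened() {
    echo '<div class="example-widget">' . esc_html( get_option( 'example_widget_message', '' ) ) . '</div>';
}
```

Two practical notes. The CSRF entries become "CSRF to Stored XSS" precisely because the same handler also lacks sanitization and escaping; the nonce check alone would stop the forged request, but the escaping fix is what closes the XSS for every other route to the option. And the entries rated "Authenticated (Admin+)" matter most on multisite installs or where `DISALLOW_UNFILTERED_HTML` is set, since there administrators lack the `unfiltered_html` capability and a settings field that stores raw markup grants them script execution they were deliberately denied.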