10
CVE-2025-12600 - Web UI Malfunction
Web UI Malfunction when setting unexpected locale via API.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
10
CVE-2025-12599 - Multiple Devices are Sharing the Same Secrets for SDKSocket (TCP/5000)
Multiple Devices are Sharing the Same Secrets for SDKSocket (TCP/5000).This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
8.8
CVE-2025-36367 - IBM i is affected by a privilege escalation in IBM i SQL services
IBM i 7.6, 7.5, 7.4, 7.3, and 7.2 is vulnerable to privilege escalation caused by an invalid IBM i SQL services authorization check. A malicious actor can use the elevated privileges of another user profile to gain root access to the host operating system.
6.4
CVE-2025-6988 - Kallyas <= 4.23.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
The kallyas theme for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes in all versions up to, and including, 4.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackersβ¦
8.8
CVE-2025-6990 - Kallyas <= 4.24.0 - Authenticated (Contributor+) Remote Code Execution
The kallyas theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.0 via the `TH_PhpCode` pagebuilder widget. This is due to the theme not restricting access to the code editor widget for non-administrators. This makes it possible for authenticated atβ¦
4.9
CVE-2025-12137 - Import WP β Export and Import CSV and XML files to WordPress <= 2.14.16 - Authenticated (Admin+) Arβ¦
The Import WP β Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.14.16. This is due to the plugin's REST API endpoint accepting arbitrary absolute file paths without proper validation in the 'attach_fiβ¦
8.8
CVE-2025-12171 - RESTful Content Syndication 1.1.0 - 1.5.0 - Authenticated (Contributor+) Arbitrary File Upload
The RESTful Content Syndication plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ingest_image() function in versions 1.1.0 to 1.5.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary filβ¦
8.8
CVE-2025-11755 - Delicious Recipes <= 1.9.0 - Authenticated (Contributor+) Arbitrary File Upload
The WP Delicious β Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file uploads when importing recipes via CSV in all versions up to, and including, 1.9.0. This flaw allows an attacker with at least Contributor-level permissions to uploadβ¦
7.3
CVE-2025-10487 - Advanced Ads <= 2.0.12 - Unauthenticated Limited Code Execution
The Advanced Ads βΒ Ad Manager & AdSense plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.12 via the select_one() function. This is due to the endpoint not properly restricting access to the AJAX endpoint or limiting the functions that can be callβ¦
9.8
CVE-2025-11499 - Tablesome Table β Contact Form DB β WPForms, CF7, Gravity, Forminator, Fluent <= 1.1.32 - Unauthentβ¦
The Tablesome Table β Contact Form DB β WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image_from_external_url() function in all versions up to, and including, 1.1.32. This makes it possiβ¦