7.5

CVSS3.1

CVE-2025-8877 - AffiliateWP <= 2.28.2 - Unauthenticated SQL Injection

The AffiliateWP plugin for WordPress is vulnerable to SQL Injection via the ajax_get_affiliate_id_from_login function in all versions up to, and including, 2.28.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it…

📅 Published: Sept. 30, 2025, 8:25 a.m. 🔄 Last Modified: Oct. 2, 2025, 8:46 a.m.

4.3

CVSS3.1

CVE-2025-11163 - SmartCrawl SEO checker, analyzer & optimizer <= 3.14.3 - Missing Authorization to Plugin Settings U…

The SmartCrawl SEO checker, analyzer & optimizer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_submodule() function in all versions up to, and including, 3.14.3. This makes it possible for authenticated attackers, with Subscr…

📅 Published: Sept. 30, 2025, 5:28 a.m. 🔄 Last Modified: Oct. 2, 2025, 8:46 a.m.

7.5

CVSS3.1

CVE-2025-11149 -

This affects all versions of the package node-static; all versions of the package @nubosoftware/node-static. The package fails to catch an exception when user input includes null bytes. This allows attackers to access http://host/%00 and crash the server.

📅 Published: Sept. 30, 2025, 5 a.m. 🔄 Last Modified: Oct. 2, 2025, 8:46 a.m.

9.8

CVSS3.1

CVE-2025-11148 -

All versions of the package check-branches are vulnerable to Command Injection. check-branches is a command-line tool that is interacted with locally, or via CI, to confirm no conflicts exist in git branches. However, the library follows these conventions which can be abused: 1. It trusts branch na…

📅 Published: Sept. 30, 2025, 5 a.m. 🔄 Last Modified: Oct. 2, 2025, 8:46 a.m.

8.8

CVSS3.1

CVE-2025-7052 - LatePoint <= 5.1.94 - Cross-Site Request Forgery to Account Takeover via change_password() Function

The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.1.94. This is due to missing nonce validation on the change_password() function of its customer_cabinet__change_password AJAX route. The plugin hooks this endpoint via wp_ajax and …

📅 Published: Sept. 30, 2025, 4:27 a.m. 🔄 Last Modified: Sept. 30, 2025, 4:27 a.m.

8.2

CVSS3.1

CVE-2025-7038 - LatePoint <= 5.1.94 - Unauthenticated Authentication Bypass via load_step Function

The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call AJAX endpoint in all versions up to, and including, 5.1.94. The endpoint reads the client-supplied customer email and rel…

📅 Published: Sept. 30, 2025, 4:27 a.m. 🔄 Last Modified: Sept. 30, 2025, 4:27 a.m.

6.4

CVSS3.1

CVE-2025-6941 - LatePoint <= 5.1.94 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'latepoint_resources' shortcode in all versions up to, and including, 5.1.94 due to insufficient input sanitization and output escaping…

📅 Published: Sept. 30, 2025, 4:27 a.m. 🔄 Last Modified: Sept. 30, 2025, 4:27 a.m.

5.5

CVSS3.1

CVE-2025-6815 - LatePoint <= 5.1.94 - Authenticated (Administrator+) Stored Cross-Site Scripting

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘service[name]’ parameter in all versions up to, and including, 5.1.94 due to insufficient input sanitization and output escaping. This makes it possible for…

📅 Published: Sept. 30, 2025, 4:27 a.m. 🔄 Last Modified: Sept. 30, 2025, 4:27 a.m.

8.7

CVSS4.0

CVE-2025-59668 -

Multiple versions of Central Monitor CNS-6201 contain a NULL pointer dereference vulnerability. When processing a certain crafted UDP packet, the affected device may abnormally terminate.

📅 Published: Sept. 30, 2025, 4:06 a.m. 🔄 Last Modified: Sept. 30, 2025, 4:06 a.m.

6.4

CVSS3.1

CVE-2025-8777 - planetcalc <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via language Parameter

The planetcalc plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘language’ parameter in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and a…

📅 Published: Sept. 30, 2025, 3:35 a.m. 🔄 Last Modified: Sept. 30, 2025, 3:35 a.m.
Total results: 312428