4.3
CVE-2025-6833 - All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier <= 2.0 - Insecure Direct …
The All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0 via the 'aio_time_clock_lite_js' AJAX action due to missing validation on a user-controlled key. This makes …
6.9
CVE-2025-11915 - HTTP Desynchronisation in Vertex AI for certain third-party models
Connection desynchronization between an HTTP proxy and the model backend. The fixes were rolled out for all proxies in front of impacted models by 2025-09-28. Users do not need to take any action.
6.4
CVE-2025-11825 - Playerzbr <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via URL Meta Field
The Playerzbr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'urlmeta' post meta field in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access a…
4.9
CVE-2025-10047 - Email Tracker <= 5.3.15 - Authenticated (Admin+) SQL Injection
The Email Tracker – Email Log, Email Open Tracking, Email Analytics & Email Management for WordPress Emails plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 5.3.15 due to insufficient escaping on the user-supplied parameter and la…
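An 'orderby' parameter is the classic place for this bug in WordPress plugins: a column name is an SQL identifier, so it cannot be passed through `$wpdb->prepare()` as a `%s` placeholder, and authors end up interpolating the request value straight into the query. The following is an added illustration of that pattern and its fix; it is not the Email Tracker plugin's code, and the function names, table name and column list are assumptions chosen for the example.

```php
<?php
// Added example, not code from the Email Tracker plugin. Shows the 'orderby'
// injection pattern the advisory describes next to an allowlist-based fix.
// Table name, column names and function names are illustrative assumptions.

// Vulnerable pattern: the column name is interpolated verbatim. A request such as
// ?orderby=id,(SELECT%20SLEEP(5)) lands in the query unchanged, even though
// the caller may have already passed a capability check.
function example_list_logs_vulnerable( wpdb $wpdb, array $request ) {
    $orderby = isset( $request['orderby'] ) ? $request['orderby'] : 'id';
    $order   = isset( $request['order'] ) ? $request['order'] : 'DESC';
    $sql = "SELECT * FROM {$wpdb->prefix}example_email_log ORDER BY {$orderby} {$order} LIMIT 50";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: identifiers are selected from a fixed allowlist and the
// sort direction is reduced to one of two literals; only the LIMIT/OFFSET
// values, which are data rather than identifiers, go through prepare().
function example_list_logs_hardened( wpdb $wpdb, array $request ) {
    $allowed_columns = array( 'id', 'sent_at', 'to_email', 'subject' );

    $orderby = isset( $request['orderby'] ) ? sanitize_key( $request['orderby'] ) : 'id';
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'id'; // unknown column: fall back, do not pass it through
    }

    $order = ( isset( $request['order'] ) && 'ASC' === strtoupper( $request['order'] ) ) ? 'ASC' : 'DESC';

    $per_page = 50;
    $page     = isset( $request['paged'] ) ? max( 1, absint( $request['paged'] ) ) : 1;
    $offset   = ( $page - 1 ) * $per_page;

    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_email_log ORDER BY {$orderby} {$order} LIMIT %d OFFSET %d",
        $per_page,
        $offset
    );
    return $wpdb->get_results( $sql );
}
```

The allowlist is the important part: `sanitize_key()` on its own only lowercases and strips characters, it does not prove the value names a real column. On WordPress 6.2 and later `$wpdb->prepare()` also accepts a `%i` placeholder for identifiers, which quotes the name with backticks; it is a useful second layer but still does not replace checking the name against the columns the query is meant to sort by. Note too that the advisory rates this as Admin+ only; the capability check limits who can reach the query, it does not make the interpolation safe.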
6.4
CVE-2025-11883 - Responsive Progress Bar <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Responsive Progress Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's rprogress shortcode in versions less than, or equal to, 1.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated…
6.4
CVE-2025-11817 - Simple Tableau Viz <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Simple Tableau Viz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tableau' shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated at…
6.4
CVE-2025-11870 - Simple Business Data <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Simple Business Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'simple_business_data' shortcode attributes in all versions up to, and including, 1.0.1. This is due to the plugin not properly sanitizing user input or escaping output when embedding the `type` attribute…
6.4
CVE-2025-11867 - Bg Book Publisher <= 1.25 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Bg Book Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `book_author` post meta, rendered through the `[book_author]` shortcode, in all versions up to, and including, 1.25. This is due to the plugin not properly escaping the meta value before output. This mak…
6.4
CVE-2025-11819 - WP-Thumbnail <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The WP-Thumbnail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'roboshot' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacke…
6.4
CVE-2025-11824 - Cinza Grid <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Skin Content Fie…
The Cinza Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cgrid_skin_content' post meta field in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-…
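Seven of the entries above (Playerzbr, Responsive Progress Bar, Simple Tableau Viz, Simple Business Data, Bg Book Publisher, WP-Thumbnail, Cinza Grid) are the same bug class: a shortcode attribute or a post meta value written by a Contributor is concatenated into HTML without context-appropriate escaping, so the payload runs for anyone who views the post. The following is an added example of that pattern beside a hardened form; it is not code from any of the listed plugins, and the shortcode name, attribute names and meta key are assumptions chosen for the illustration.

```php
<?php
// Added example, not code from any plugin in the list above. Shows the
// Contributor-level stored XSS pattern the advisories describe: shortcode
// attributes and post meta reach the page unescaped. The shortcode name,
// attribute names and meta key ('example_caption') are illustrative assumptions.

// Vulnerable pattern: attributes and meta are concatenated into HTML verbatim.
// A Contributor can save [example_bar label='"><img src=x onerror=alert(1)>']
// or a meta value containing <script>; both render as live markup. Note that
// shortcode_atts() only fills in defaults, it sanitizes nothing.
function example_bar_shortcode_vulnerable( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'value' => 0, 'label' => '', 'color' => '#0073aa' ), $atts, 'example_bar' );
    $meta = get_post_meta( get_the_ID(), 'example_caption', true );
    return '<div class="bar" style="width:' . $atts['value'] . '%;background:' . $atts['color'] . '">'
         . '<span>' . $atts['label'] . '</span><p>' . $meta . '</p></div>';
}

// Hardened pattern: every value is coerced or escaped for the exact context
// it is written into (numeric CSS length, CSS colour, HTML text node).
function example_bar_shortcode_hardened( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'value' => 0, 'label' => '', 'color' => '#0073aa' ), $atts, 'example_bar' );

    // Numeric context: clamp to an integer range instead of escaping a string.
    $value = min( 100, max( 0, absint( $atts['value'] ) ) );

    // CSS colour inside a style attribute: validate the shape, never echo free text.
    $color = sanitize_hex_color( $atts['color'] );
    if ( ! $color ) {
        $color = '#0073aa';
    }

    // Free text from a Contributor: strip tags, then escape for the text node.
    $label = esc_html( wp_strip_all_tags( $atts['label'] ) );

    // Stored meta that legitimately may contain markup: reduce it to the
    // post-content tag set, which removes script, event handlers and
    // javascript: URLs while keeping ordinary formatting.
    $meta = wp_kses_post( get_post_meta( get_the_ID(), 'example_caption', true ) );

    return sprintf(
        '<div class="bar" style="width:%d%%;background:%s"><span>%s</span><p>%s</p></div>',
        $value,
        esc_attr( $color ),
        $label,
        $meta
    );
}

// Sanitize on the way in as well, so the stored value is already clean even if
// some other template forgets to escape it. Meta key is an assumption.
function example_save_caption_meta( $post_id ) {
    if ( ! isset( $_POST['example_caption'] ) || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    update_post_meta( $post_id, 'example_caption', wp_kses_post( wp_unslash( $_POST['example_caption'] ) ) );
}

add_shortcode( 'example_bar', 'example_bar_shortcode_hardened' );
add_action( 'save_post', 'example_save_caption_meta' );
```

The point the advisories keep repeating ("insufficient input sanitization and output escaping") is that both layers are needed: sanitize when the value is stored, and escape for the specific output context when it is rendered. Contributor is the relevant role because contributors cannot use the `unfiltered_html` capability, so WordPress core already strips scripts from their post content; a shortcode or meta field that bypasses that filtering hands the capability back to them.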