6.4
CVE-2025-11878 - ST Categories Widget <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
The ST Categories Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's st-categories shortcode in versions less than, or equal to, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for a…
6.4
CVE-2025-11809 - WP-Force Images Download <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shor…
The WP-Force Images Download plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpfid' shortcode in all versions up to, and including, 1.8. This is due to insufficient input sanitization and output escaping on the 'class' attribute. This makes it possible for authenticated a…
6.4
CVE-2025-11872 - Material Design Iconic Font Integration <= 2 - Authenticated (Contributor+) Stored Cross-Site Scrip…
The Material Design Iconic Font Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mdiconic' shortcode in all versions up to, and including, 2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible …
6.4
CVE-2025-11804 - JB News Ticker <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
The JB News Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the 'jbticker' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated a…
6.4
CVE-2025-11834 - WP AD Gallery <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
The WP AD Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'startindex' parameter of the ad-gallery shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated atta…
5.3
CVE-2025-11952 - Stored Cross-Site Scripting (XSS) in Oct8ne Chatbot
Stored Cross-site Scripting (XSS) in Oct8ne Chatbot v2.3. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by injecting a malicious payload through the creation of a transcript that is sent by email. This vulnerability can be exploited to steal sensitive user…
7
CVE-2025-41110 - Improper Authentication vulnerability in Ghost Robotics' Vision 60
Encrypted WiFi and SSH credentials were found in the Ghost Robotics Vision 60 v0.27.2 APK. This vulnerability allows an attacker to connect to the robot's WiFi and view all its data, as it runs on ROS 2 without default authentication. In addition, the attacker can connect via SSH and gain full cont…
8.7
CVE-2025-41109 - Use of Hard-coded Credentials vulnerability in Ghost Robotics' Vision 60
Ghost Robotics Vision 60 v0.27.2 includes, among its physical interfaces, three RJ45 connectors and a USB Type-C port. The vulnerability is due to the lack of authentication mechanisms when establishing connections through these ports. Specifically, with regard to network connectivity, the robot's …
9.2
CVE-2025-41108 - Improper Authentication vulnerability in Ghost Robotics' Vision 60
The communication protocol implemented in Ghost Robotics Vision 60 v0.27.2 could allow an attacker to send commands to the robot from an external attack station, impersonating the control station (tablet) and gaining unauthorised full control of the robot. The absence of encryption and authenticati…
7.5
CVE-2025-41724 - Sauter: Crash via Incomplete SOAP Request
An unauthenticated remote attacker can crash the wscserver by sending incomplete SOAP requests. The wscserver process will not be restarted by a watchdog and a device reboot is necessary to make it work again.