7.5
CVE-2025-11722 - Category and Products Accordion Panel <= 1.0 - Authenticated (Contributor+) Local File Inclusion
The Woocommerce Category and Products Accordion Panel plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0 via the 'categoryaccordionpanel' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to incl…
6.4
CVE-2025-10133 - URLYar <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
The URLYar URL Shortner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'urlyar_shortlink' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for auth…
8.8
CVE-2025-10299 - WPBifröst – Instant Passwordless Temporary Login Links <= 1.0.7 - Missing Authorization to Authenti…
The WPBifröst – Instant Passwordless Temporary Login Links plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ctl_create_link AJAX action in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber…
7.5
CVE-2025-11177 - External Login <= 1.11.2 - Unauthenticated SQL Injection via log
The External Login plugin for WordPress is vulnerable to SQL Injection via the 'log' parameter in all versions up to, and including, 1.11.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthent…
7.2
CVE-2025-10051 - Demo Import Kit <= 1.1.0 - Authenticated (Admin+) Arbitrary File Upload
The Demo Import Kit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.1.0 via the import functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arb…
9.8
CVE-2025-10041 - Flex QR Code Generator <= 1.2.5 - Unauthenticated Arbitrary File Upload
The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_qr_code_to_db() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected…
5.3
CVE-2025-10186 - WhyDonate – FREE Donate button – Crowdfunding – Fundraising <= 4.0.15 - Missing Authorization to Un…
The WhyDonate – FREE Donate button – Crowdfunding – Fundraising plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the remove_row function in all versions up to, and including, 4.0.15. This makes it possible for unauthenticated attackers to delete r…
6.5
CVE-2025-10575 - WP jQuery Pager <= 1.4.0 - Authenticated (Contributor+) SQL Injection via Shortcode
The WP jQuery Pager plugin for WordPress is vulnerable to SQL Injection via the 'ids' shortcode attribute parameter handled by the WPJqueryPaged::get_gallery_page_imgs() function in all versions up to, and including, 1.4.0 due to insufficient escaping on the user supplied parameter and lack of suff…
4.3
CVE-2025-10301 - FunKItools <= 1.0.2 - Cross-Site Request Forgery to Settings Update
The FunKItools plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the saveFields() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged…
6.5
CVE-2025-10730 - Wp tabber widget <= 4.0 - Authenticated (Contributor+) SQL Injection
The Wp tabber widget plugin for WordPress is vulnerable to SQL Injection via the 'wp-tabber-widget' shortcode in all versions up to, and including, 4.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible f…