4.3
CVE-2025-10302 - Ultimate Viral Quiz <= 1.0 - Cross-Site Request Forgery to Settings Update
The Ultimate Viral Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on thesave_options() function. This makes it possible for unauthenticated attackers to update the plugin's setting…
6.4
CVE-2025-10165 - AP Background <= 3.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The AP Background plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'adv_parallax_back' shortcode in all versions up to, and including, 3.8.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authentic…
4.3
CVE-2025-9897 - AP Background <= 3.8.2 - Cross-Site Request Forgery
The AP Background plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.2. This is due to missing or incorrect nonce validation on the advParallaxBackAdminSaveSlider function. This makes it possible for unauthenticated attackers to create or modi…
7.5
CVE-2025-9212 - WP Dispatcher <= 1.2.0 - Authenticated (Subscriber+) Arbitrary File Upload
The WP Dispatcher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wp_dispatcher_process_upload() function in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, …
8.8
CVE-2025-9561 - AP Background 3.8.1 - 3.8.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File U…
The AP Background plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization and insufficient file validation within the advParallaxBackAdminSaveSlider() handler in versions 3.8.1 to 3.8.2. This makes it possible for authenticated attackers, with Subscriber-level acce…
4.3
CVE-2025-9194 - Constructor <= 1.6.5 - Missing Authorization to Authenticated (Subscriber+) Theme Clean
The Constructor theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clean() function in all versions up to, and including, 1.6.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a them…
6.4
CVE-2025-9204 - X Addons for Elementor <= 1.0.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via You…
The X Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Youtube Video ID field in all versions up to, and including, 1.0.16. This is due to insufficient input sanitization and output escaping on the Youtube Video ID parameter. This makes it possible for …
6.4
CVE-2025-9129 - Flexi <= 4.28 - Authenticated (Contributor+) Stored Cross-Site Scripting via flexi-form-tag Shortco…
The Flexi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin for WordPress's flexi-form-tag shortcode in all versions up to, and including, 4.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authentic…
6.3
CVE-2025-7825 - Schema Plugin For Divi, Gutenberg & Shortcodes <= 4.3.2 - Authenticated (Contributor+) Object Insta…
The Schema Plugin For Divi, Gutenberg & Shortcodes plugin for WordPress is vulnerable to Object Instantiation in all versions up to, and including, 4.3.2 via deserialization of untrusted input via the wpt_schema_breadcrumbs shortcode. This makes it possible for authenticated attackers, with Contrib…
4.3
CVE-2025-9895 - Notification Bar <= 2.2 - Cross-Site Request Forgery
The Notification Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on the 'subscriber-list-empty.php' file. This makes it possible for unauthenticated attackers to empty the subscriber…