6.4
CVE-2025-9858 - Auto Bulb Finder for WordPress <= 2.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Auto Bulb Finder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'abf_vehicle' shortcode in all versions up to, and including, 2.8.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible fo…
4.3
CVE-2025-9630 - WP SinoType <= 1.0 - Cross-Site Request Forgery
The WP SinoType plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the sinotype_config function. This makes it possible for unauthenticated attackers to modify typography settings via a …
8.8
CVE-2025-10582 - WP Dispatcher <= 1.2.0 - Authenticated (Contributor+) SQL Injection
The WP Dispatcher plugin for WordPress is vulnerable to SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticate…
4.3
CVE-2025-9889 - ContentMX Content Publisher <= 1.0.6 - Cross-Site Request Forgery
The ContentMX Content Publisher plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing or incorrect nonce validation on the cmx_activate_connection function. This makes it possible for unauthenticated attackers to bind th…
4.3
CVE-2025-8669 - Customify <= 0.4.11 - Cross-Site Request Forgery
The Customify theme for WordPress is vulnerable to Cross-Site Request Forgery in version 0.4.11. This is due to missing or incorrect nonce validation on the reset_customize_section function. This makes it possible for unauthenticated attackers to reset theme customization settings via a forged requ…
6.4
CVE-2025-9859 - Fintelligence Calculator <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Fintelligence Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fintelligence-calculator' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it poss…
6.4
CVE-2025-8776 - Epic Bootstrap Buttons <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via icol P…
The Epic Bootstrap Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘icol’ parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level acce…
5.5
CVE-2025-9372 - Ultimate Multi Design Video Carousel <= 1.4 - Authenticated (Editor+) Stored Cross-Site Scripting
The Ultimate Multi Design Video Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access, to inject ar…
7.5
CVE-2025-9200 - Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App <= 0.8.8.8 - Unauthenti…
The Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App plugin for WordPress is vulnerable to SQL Injection via the nh_ynaa_comments() function in all versions up to, and including, 0.8.8.8 due to insufficient escaping on the user supplied parameter and lack of sufficient pr…
5.3
CVE-2025-9892 - Restrict User Registration <= 1.0.1 - Cross-Site Request Forgery to Settings Update
The Restrict User Registration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the update() function. This makes it possible for unauthenticated attackers to update the plugin's set…