6.4

CVSS3.1

CVE-2025-10189 - BP Direct Menus <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The BP Direct Menus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bpdm_login' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated …

📅 Published: Sept. 30, 2025, 3:35 a.m. 🔄 Last Modified: April 21, 2026, 7 p.m.

8.1

CVSS3.1

CVE-2025-9991 - Tiny Bootstrap Elements Light <= 4.3.34 - Unauthenticated Local File Inclusion

The Tiny Bootstrap Elements Light plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.3.34 via the 'language' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execut…

📅 Published: Sept. 30, 2025, 3:35 a.m. 🔄 Last Modified: April 20, 2026, 7:30 p.m.

6.4

CVSS3.1

CVE-2025-10168 - Any News Ticker <= 3.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Any News Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'any-ticker' shortcode in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated …

📅 Published: Sept. 30, 2025, 3:35 a.m. 🔄 Last Modified: April 22, 2026, 1 a.m.

4.3

CVSS3.1

CVE-2025-9948 - Chat by Chatwee <= 2.1.3 - Cross-Site Request Forgery to Settings Update

The Chat by Chatwee plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.3. This is due to missing or incorrect nonce validation on the admin settings page. This makes it possible for unauthenticated attackers to modify plugin settings via a for…

📅 Published: Sept. 30, 2025, 3:35 a.m. 🔄 Last Modified: April 20, 2026, 7:30 p.m.

6.4

CVSS3.1

CVE-2025-10182 - dbview <= 0.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

The dbview plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dbview' shortcode in all versions up to, and including, 0.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, wi…

📅 Published: Sept. 30, 2025, 3:35 a.m. 🔄 Last Modified: April 21, 2026, 2:45 a.m.

6.5

CVSS3.1

CVE-2025-8559 - All in One Music Player <= 1.3.1 - Authenticated (Contributor+) Path Traversal via theme Parameter

The All in One Music Player plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.1 via the 'theme' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of files on the server, which can…

📅 Published: Sept. 30, 2025, 3:35 a.m. 🔄 Last Modified: April 20, 2026, 7:30 p.m.

6.4

CVSS3.1

CVE-2025-8624 - Nexa Blocks <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Google Maps Wid…

The Nexa Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Google Maps widget in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker…

📅 Published: Sept. 30, 2025, 3:35 a.m. 🔄 Last Modified: April 21, 2026, 2:45 a.m.

6.4

CVSS3.1

CVE-2025-10191 - Big Post Shipping for WooCommerce <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripti…

The Big Post Shipping for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wooboigpost_shipping_status' shortcode in all versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This m…

📅 Published: Sept. 30, 2025, 3:35 a.m. 🔄 Last Modified: April 22, 2026, 1:30 p.m.

6.4

CVSS3.1

CVE-2025-8623 - WeedMaps Menu for WordPress <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via…

The WeedMaps Menu for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's weedmaps_menu shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for a…

📅 Published: Sept. 30, 2025, 3:35 a.m. 🔄 Last Modified: April 21, 2026, 2:45 a.m.

9.8

CVSS3.1

CVE-2025-9762 - Post By Email <= 1.0.4b - Unauthenticated Arbitrary File Upload via Email Attachments

The Post By Email plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_attachments function in all versions up to, and including, 1.0.4b. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's ser…

📅 Published: Sept. 30, 2025, 3:35 a.m. 🔄 Last Modified: April 21, 2026, 2:45 a.m.

Total results: 349182
Page 3633 of 34,919