6.4

CVSS3.1

CVE-2025-10131 - All Social Share Options <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The All Social Share Options plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sc' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated a…

📅 Published: Sept. 30, 2025, 3:35 a.m. 🔄 Last Modified: April 22, 2026, 1:30 p.m.

8.1

CVSS3.1

CVE-2025-9993 - Bei Fen – WordPress Backup Plugin <= 1.4.2 - Authenticated (Subscriber+) Local File Inclusion

The Bei Fen – WordPress Backup Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.2 via the 'task'. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on the…

📅 Published: Sept. 30, 2025, 3:35 a.m. 🔄 Last Modified: April 21, 2026, 2:45 a.m.

6.4

CVSS3.1

CVE-2025-9852 - Yoga Schedule Momoyoga <= 2.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Yoga Schedule Momoyoga plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'momoyoga-schedule' shortcode in all versions up to, and including, 2.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for …

📅 Published: Sept. 30, 2025, 3:35 a.m. 🔄 Last Modified: April 21, 2026, 7 p.m.

6.4

CVSS3.1

CVE-2025-8560 - FancyTabs <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via title Parameter

The FancyTabs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title’ parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and abo…

📅 Published: Sept. 30, 2025, 3:35 a.m. 🔄 Last Modified: April 21, 2026, 7 p.m.

6.4

CVSS3.1

CVE-2025-10000 - Qyrr – simply and modern QR-Code creation <= 2.0.7 - Authenticated (Contributor+) Arbitrary File Up…

The Qyrr – simply and modern QR-Code creation plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the blob_to_file() function in all versions up to, and including, 2.0.7. This makes it possible for authenticated attackers, with Contributor-level acces…

📅 Published: Sept. 30, 2025, 3:35 a.m. 🔄 Last Modified: April 22, 2026, 5 p.m.

6.4

CVSS3.1

CVE-2025-10130 - Layers <= 0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Layers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'webcam' shortcode in all versions up to, and including, 0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with…

📅 Published: Sept. 30, 2025, 3:35 a.m. 🔄 Last Modified: April 22, 2026, 1:30 p.m.

9.8

CVSS3.1

CVE-2025-8625 - Copypress Rest API 1.1 - 1.2 - Missing Configurable JWT Secret and File-Type Validation to Unauthen…

The Copypress Rest API plugin for WordPress is vulnerable to Remote Code Execution via copyreap_handle_image() Function in versions 1.1 to 1.2. The plugin falls back to a hard-coded JWT signing key when no secret is defined and does not restrict which file types can be fetched and saved as attachme…

📅 Published: Sept. 30, 2025, 3:35 a.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

6.4

CVSS3.1

CVE-2025-10179 - My AskAI <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The My AskAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'myaskai' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,…

📅 Published: Sept. 30, 2025, 3:35 a.m. 🔄 Last Modified: April 22, 2026, 10:15 p.m.

6.4

CVSS3.1

CVE-2025-8566 - GutenBee – Gutenberg Blocks <= 2.18.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via parameters in the CountUp and Google Maps Blocks in all versions up to, and including, 2.18.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated at…

📅 Published: Sept. 30, 2025, 3:35 a.m. 🔄 Last Modified: April 22, 2026, 2:30 p.m.

9.3

CVSS4.0

CVE-2025-61584 - serverless-dns is vulnerable to Command Injection through pr.yml GitHub Action Workflow

serverless-dns is a RethinkDNS resolver that deploys to Cloudflare Workers, Deno Deploy, Fastly, and Fly.io. Versions through and including 0.1.30 have a vulnerability where the pr.yml GitHub Action interpolates untrusted input in an unsafe manner, specifically the github.event.pull_request.head.re…

📅 Published: Sept. 30, 2025, 12:12 a.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.
Total results: 349182