4.3
CVE-2025-9944 - Professional Contact Form <= 1.0.0 - Cross-Site Request Forgery to Test Email Sending
The Professional Contact Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the watch_for_contact_form_submit function. This makes it possible for unauthenticated attackers to triβ¦
4.3
CVE-2025-9898 - cForms β Light speed fast Form Builder <= 3.0.0 - Cross-Site Request Forgery
The cForms β Light speed fast Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the cforms_api function. This makes it possible for unauthenticated attackers to modify foβ¦
6.1
CVE-2025-9899 - Trust Reviews plugin for Google, Tripadvisor, Yelp, Airbnb and other platforms <= 1.0 - Cross-Site β¦
The Trust Reviews plugin for Google, Tripadvisor, Yelp, Airbnb and other platforms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the feed_save function. This makes it possible for uβ¦
4.3
CVE-2025-9894 - Sync Feedly <= 1.0.1 - Cross-Site Request Forgery to Sync Trigger
The Sync Feedly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the crsf_cron_job_func function. This makes it possible for unauthenticated attackers to trigger content synchronizatβ¦
4.3
CVE-2025-9896 - HidePost <= 2.3.8 - Cross-Site Request Forgery
The HidePost plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.8. This is due to missing or incorrect nonce validation on the options.php settings page. This makes it possible for unauthenticated attackers to modify plugin settings via a forgβ¦
5.3
CVE-2025-11051 - SourceCodester Pet Grooming Management Software cross-site request forgery
A vulnerability has been found in SourceCodester Pet Grooming Management Software 1.0. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack is possible to be carried out remotely.
7.5
CVE-2025-3193 - algoliasearch-helper: algoliasearch-helper prototype pollution
Versions of the package algoliasearch-helper from 2.0.0-rc1 and before 3.11.2 are vulnerable to Prototype Pollution in the _merge() function in merge.js, which allows constructor.prototype to be written even though doing so throws an error. In the "extreme edge-case" that the resulting error is cauβ¦
6.9
CVE-2025-10954 -
Versions of the package github.com/nyaruka/phonenumbers before 1.2.2 are vulnerable to Improper Validation of Syntactic Correctness of Input in the phonenumbers.Parse() function. An attacker can cause a panic by providing crafted input causing a "runtime error: slice bounds out of range".
5.3
CVE-2025-11050 - Portabilis i-Educar periodo-lancamento improper authorization
A flaw has been found in Portabilis i-Educar up to 2.10. This affects an unknown part of the file /periodo-lancamento. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been published and may be used.
7.2
CVE-2025-9816 - WP Statistics <= 14.5.4 - Unauthenticated Stored Cross-Site Scripting via User-Agent Header
The WP Statistics β The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent Header in all versions up to, and including, 14.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauβ¦