6.4
CVE-2025-9853 - Optio Dentistry <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Optio Dentistry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'optio-lightbox' shortcode in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate…
9.8
CVE-2025-8359 - AdForest <= 6.0.9 - Authentication Bypass to Admin
The AdForest theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 6.0.9. This is due to the plugin not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to log in as other users, includ…
4.9
CVE-2025-9085 - User Registration & Membership <= 4.3.0 - Authenticated (Admin+) SQL Injection
The User Registration & Membership plugin for WordPress is vulnerable to SQL Injection via the 's' parameter in version 4.3.0. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated a…
7.2
CVE-2025-9515 - Multi Step Form <= 1.7.25 - Authenticated (Admin+) Arbitrary File Upload
The Multi Step Form plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the import functionality in all versions up to, and including, 1.7.25. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload ar…
6.4
CVE-2025-8360 - LA-Studio Element Kit for Elementor <= 1.5.5.1 - Authenticated (Contributor+) Stored Cross-Site Scr…
The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's widgets in all versions up to, and including, 1.5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible …
7.8
CVE-2025-58374 - Roo Code: Auto-approve allows npm install execution of malicious postinstall scripts
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a default list of allowed commands that do not need manual approval if auto-approve is enabled, and npm install is included in that list. Because npm install executes lifecycle scripts…
6.4
CVE-2025-6067 - Easy Social Feed – Social Photos Gallery – Post Feed – Like Box <= 6.6.7 - Authenticated (Contribut…
The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption` and `data-linktext` parameters in all versions up to, and including, 6.6.7 due to insufficient input sanitization and output escaping. This ma…
6.4
CVE-2025-9849 - Html Social share buttons <= 2.1.16 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Html Social share buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'zm_sh_btn' shortcode in all versions up to, and including, 2.1.16 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for auth…
5.3
CVE-2025-7368 - Rehub <= 19.9.7 - Unauthenticated Password Protected Post Disclosure
The REHub - Price Comparison, Multi Vendor Marketplace Wordpress Theme theme for WordPress is vulnerable to Information Exposure in all versions up to, and including, 19.9.7 via the 'ajax_action_re_getfullcontent' function due to insufficient restrictions on which posts can be included. This makes …
7.3
CVE-2025-7366 - Rehub <= 19.9.7 - Unauthenticated Arbitrary Shortcode Execution via re_filterpost
The REHub - Price Comparison, Multi Vendor Marketplace Wordpress Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 19.9.7. This is due to the software allowing users to execute an action that does not properly validate a value before …