6.5
CVE-2025-4523 - IDonate 2.0.0 - 2.1.9 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information β¦
The IDonate β Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the admin_donor_profile_view() function in versions 2.0.0 to 2.1.9. This makes it possible for authenticated attackers, with Subscβ¦
8.1
CVE-2025-7443 - BerqWP <= 2.2.42 - Unauthenticated Arbitrary File Upload
The BerqWP β Automated All-In-One Page Speed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the store_javascript_cache.php file in all versions up to, and including, 2.2.4β¦
7.2
CVE-2025-7725 - Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery β Upload, Vote, Sell β¦
The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery β Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment feature in all versions up to, and including, 26.1.0 due to insβ¦
6.9
CVE-2025-8434 - code-projects Online Movie Streaming admin.php authorization
A vulnerability was found in code-projects Online Movie Streaming 1.0. It has been classified as critical. Affected is an unknown function of the file /admin.php. The manipulation of the argument ID leads to missing authorization. It is possible to launch the attack remotely. The exploit has been dβ¦
9.8
CVE-2025-5947 - Service Finder Bookings <= 6.0 - Authentication Bypass via User Switch Cookie
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's cookie value prior to logging them in through the service_finder_switch_back() functβ¦
5.3
CVE-2025-8433 - code-projects Document Management System dell.php unlink path traversal
A vulnerability was found in code-projects Document Management System 1.0 and classified as critical. This issue affects the function unlink of the file /dell.php. The manipulation of the argument ID leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to thβ¦
9.8
CVE-2025-5954 - Service Finder SMS System <= 2.0.0 - Unauthenticated Privilege Escalation
The Service Finder SMS System plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.0.0. This is due to the plugin not restricting user role selection at the time of registration through the aonesms_fn_savedata_after_signup() functioβ¦
6.9
CVE-2025-8431 - PHPGurukul Boat Booking System add-boat.php sql injection
A vulnerability has been found in PHPGurukul Boat Booking System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/add-boat.php. The manipulation of the argument boatname leads to sql injection. The attack can be initiated remotely. The exploit has been discβ¦
7.6
CVE-2025-51504 -
Microweber CMS 2.0 is vulnerable to Cross Site Scripting (XSS)in the /projects/profile, homepage endpoint via the last name field.
9.1
CVE-2025-52390 -
Saurus CMS Community Edition since commit d886e5b0 (2010-04-23) is vulnerable to a SQL Injection vulnerability in the `prepareSearchQuery()` method in `FulltextSearch.class.php`. The application directly concatenates user-supplied input (`$search_word`) into SQL queries without sanitization, allowiβ¦