8.1
CVE-2025-6043 - Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal <= 17.0 - Authenticated (Subscri…
The Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal plugin for WordPress is vulnerable to Arbitrary File Deletion due to a missing capability check on the wpmr_delete_file() function in all versions up to, and including, 17.0. This makes it possible for authenticated attackers, w…
6.4
CVE-2025-5845 - Affiliate Reviews <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via numColumn…
The Affiliate Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘numColumns’ parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level a…
6.4
CVE-2025-5843 - Brandfolder <= 5.0.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
The Brandfolder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 5.0.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and abo…
8.2
CVE-2025-7359 - Counter live visitors for WooCommerce <= 1.3.6 - Unauthenticated Arbitrary File Deletion in wcvisit…
The Counter live visitors for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wcvisitor_get_block function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to delete arbitrary …
8.1
CVE-2025-52690 - Command Injection Vulnerability in the OmniAccess Stellar over UDP Service
Successful exploitation of the vulnerability could allow an attacker to execute arbitrary commands as root, potentially leading to the loss of confidentiality, integrity, availability, and full control of the access point.
9.8
CVE-2025-52689 - Weak Session ID Check in the OmniAccess Stellar Web Management Interface
Successful exploitation of the vulnerability could allow an unauthenticated attacker to obtain a valid session ID with administrator privileges by spoofing the login request, potentially allowing the attacker to modify the behaviour of the access point.
9.8
CVE-2025-52688 - Command Injection Vulnerability in the OmniAccess Stellar Web Management Interface
Successful exploitation of the vulnerability could allow an attacker to inject commands with root privileges on the access point, potentially leading to the loss of confidentiality, integrity, availability, and full control of the access point.
2.4
CVE-2025-52687 - JavaScript Injection Vulnerability in the OmniAccess Stellar Web Management Interface
Successful exploitation of the vulnerability could allow an attacker with administrator credentials for the access point to inject malicious JavaScript into the payload of web traffics, potentially leading to session hijacking and denial-of-service (DoS).
4.4
CVE-2025-2799 - WP Event Manager <= 3.1.49 - Authenticated (Administrator+) Stored Cross-Site Scripting
The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tag-name’ parameter in all versions up to, and including, 3.1.49 due to insufficient input sanitization and output escaping. This makes it …
7.2
CVE-2025-2800 - WP Event Manager <= 3.1.50 - Unauthenticated Stored Cross-Site Scripting via 'organizer_name'
The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘organizer_name' parameter in all versions up to, and including, 3.1.50 due to insufficient input sanitization and output escaping. This mak…