7
CVE-2025-5306 - Command Injection in Netflow path
Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue affects Pandora FMS 774 through 778
9.8
CVE-2025-6688 - Simple Payment 1.3.6 - 2.3.8 - Authentication Bypass to Admin
The Simple Payment plugin for WordPress is vulnerable to Authentication Bypass in versions 1.3.6 to 2.3.8. This is due to the plugin not properly verifying a user's identity prior to logging them in through the create_user() function. This makes it possible for unauthenticated attackers to log in a…
4.3
CVE-2025-5936 - VR Calendar <= 2.4.7 - Cross-Site Request Forgery to Calendar Sync
The VR Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.7. This is due to missing or incorrect nonce validation on the syncCalendar() function. This makes it possible for unauthenticated attackers to trigger a calendar sync via a fo…
6.4
CVE-2025-5940 - Osom Blocks <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via class_name Para…
The Osom Blocks – Custom Post Type listing block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class_name’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attacker…
6.4
CVE-2025-6550 - The Pack Elementor addon <= 2.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
The The Pack Elementor addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slider_options’ parameter in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contribu…
6.4
CVE-2025-4587 - A/B Testing for WordPress <= 1.18.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The A/B Testing for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ab-testing-for-wp/ab-test-block' block in all versions up to, and including, 1.18.2 due to insufficient input sanitization and output escaping on the 'id' parameter. This makes it possi…
6.4
CVE-2025-6689 - FL3R Accessibility Suite <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via fl3r…
The FL3R Accessibility Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fl3raccessibilitysuite shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible f…
4.3
CVE-2025-5526 - BuddyPress Docs < 2.2.5 - Subscriber+ Arbitrary Document Read/Update
The BuddyPress Docs WordPress plugin before 2.2.5 lacks proper access controls and allows a logged in user to view and download files belonging to another user
4.8
CVE-2025-5194 - WP Map Block by aBlocks < 2.0.3 - Contributor+ Stored XSS via Marker
The WP Map Block WordPress plugin before 2.0.3 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
5.4
CVE-2025-5093 - Responsive Lightbox & Gallery < 2.5.2 - Contributor+ Stored XSS
The Responsive Lightbox & Gallery WordPress plugin before 2.5.2 use the Swipebox library which does not validate and escape title attributes before outputting them back in a page/post where used, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting atta…