7.5
CVE-2025-33122 - IBM i privilege escalation
IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 could allow a user to gain elevated privileges due to an unqualified library call in IBM Advanced Job Scheduler for i. A malicious actor could cause user-controlled code to run with administrator privilege.
4.3
CVE-2025-48111 - WordPress YITH PayPal Express Checkout for WooCommerce plugin <= 1.49.0 - Cross Site Request Forger…
Cross-Site Request Forgery (CSRF) vulnerability in YITHEMES YITH PayPal Express Checkout for WooCommerce allows Cross Site Request Forgery. This issue affects YITH PayPal Express Checkout for WooCommerce: from n/a through 1.49.0.
7.1
CVE-2025-48333 - WordPress eForm - WordPress Form Builder < 4.19.1 - Cross Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPQuark eForm - WordPress Form Builder wp-fsqm-pro allows Reflected XSS. This issue affects eForm - WordPress Form Builder: from n/a through < 4.19.1.
10
CVE-2025-49071 - WordPress Flozen < 1.5.1 - Arbitrary File Upload Vulnerability
Unrestricted Upload of File with Dangerous Type vulnerability in NasaTheme Flozen flozen-theme allows Upload a Web Shell to a Web Server. This issue affects Flozen: from n/a through < 1.5.1.
7.5
CVE-2025-49451 - WordPress Aeroscroll Gallery – Infinite Scroll Image Gallery & Post Grid with Photo Gallery plugin …
Path Traversal: '.../...//' vulnerability in yannisraft Aeroscroll Gallery – Infinite Scroll Image Gallery & Post Grid with Photo Gallery aeroscroll-gallery allows Path Traversal. This issue affects Aeroscroll Gallery – Infinite Scroll Image Gallery & Post Grid with Photo Gallery: from n/a through <…
9.3
CVE-2025-49452 - WordPress PostaPanduri plugin <= 2.1.3 - SQL Injection Vulnerability
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adrian Ladó PostaPanduri postapanduri allows SQL Injection. This issue affects PostaPanduri: from n/a through <= 2.1.3.
8.1
CVE-2025-49508 - WordPress CozyStay theme < 1.7.1 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean CozyStay cozystay allows PHP Local File Inclusion. This issue affects CozyStay: from n/a through < 1.7.1.
8.1
CVE-2025-24761 - WordPress DSK theme < 2.4 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme DSK dsk allows PHP Local File Inclusion. This issue affects DSK: from n/a through < 2.4.
9.3
CVE-2025-24773 - WordPress WPCRM - CRM for Contact form CF7 & WooCommerce plugin <= 3.2.0 - SQL Injection Vulnerabil…
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce wpcrm allows SQL Injection. This issue affects WPCRM - CRM for Contact form CF7 & WooCommerce: from n/a through <= 3.2.0.
7.6
CVE-2025-28972 - WordPress WP Employee Attendance System plugin <= 3.5 - SQL Injection Vulnerability
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Suhas Surse WP Employee Attendance System wp-employee-attendance-system allows Blind SQL Injection. This issue affects WP Employee Attendance System: from n/a through <= 3.5.