7.5
CVE-2025-2111 - WP Headers And Footers <= 3.1.1 - Cross-Site Request Forgery to Arbitrary Options Update
The Insert Headers And Footers plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.1. This is due to missing or incorrect nonce validation on the 'custom_plugin_set_option' function. This makes it possible for unauthenticated attackers to updatโฆ
7.5
CVE-2025-3103 - CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon <= 2.4 - โฆ
The CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon plugin for WordPress is vulnerable to arbitrary file read due to insufficient file path validation in the 'history.php' file in all versions up to, and including, 2.4. This makes it possible for unauthentiโฆ
6.4
CVE-2025-1457 - Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Aโฆ
The Element Pack Addons for Elementor โ Free Templates and Widgets for Your WordPress Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Wrapper Link, Countdown and Gallery widgets in all versions up to, and including, 5.10.28 due to insufficient input sanitization aโฆ
6.4
CVE-2025-3275 - Themesflat Addons For Elementor <= 2.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the TF E Slider widget in all versions up to, and including, 2.2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributโฆ
9.8
CVE-2025-1093 - AIHub <= 1.3.7 - Unauthenticated Arbitrary File Upload in generate_image
The AIHub theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the generate_image function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which maโฆ
7.5
CVE-2025-2010 - JobWP โ Job Board, Job Listing, Career Page and Recruitment Plugin <= 2.3.9 - Unauthenticated SQL Iโฆ
The JobWP โ Job Board, Job Listing, Career Page and Recruitment Plugin plugin for WordPress is vulnerable to SQL Injection via the 'jobwp_upload_resume' parameter in all versions up to, and including, 2.3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparatiโฆ
9.8
CVE-2025-3278 - UrbanGo Membership <= 1.0.4 - Unauthenticated Privilege Escalation
The UrbanGo Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.4. This is due to the plugin allowing users who are registering new accounts to set their own role or by supplying 'user_register_role' field. This makes it possible for unauthentโฆ
4.3
CVE-2025-3284 - User Registration & Membership PRO โ Custom Registration Form, Login Form, and User Profile <= 5.1.โฆ
The User Registration & Membership โ Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.1.3. This is due to missing or incorrect nonce validation on the user_registration_pro_delete_account(โฆ
2.9
CVE-2023-30421 -
mystrtod in mjson 1.2.7 requires more than a billion iterations during processing of certain digit strings such as 8891110122900e913013935755114.
2.9
CVE-2023-26819 - cJSON: cJSON rejects a valid text
cJSON 1.7.15 might allow a denial of service via a crafted JSON document such as {"a": true, "b": [ null,9999999999999999999999999999999999999999999999912345678901234567]}.