8.1
CVE-2025-39526 - WordPress Hotel Booking Plugin <= 3.6 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nicdark Hotel Booking nd-booking allows PHP Local File Inclusion.This issue affects Hotel Booking: from n/a through <= 3.6.
8.8
CVE-2025-39527 - WordPress Rating by BestWebSoft plugin <= 1.7 - PHP Object Injection Vulnerability
Deserialization of Untrusted Data vulnerability in bestweblayout Rating by BestWebSoft rating-bws allows Object Injection.This issue affects Rating by BestWebSoft: from n/a through <= 1.7.
7.5
CVE-2025-39532 - WordPress Spice Blocks plugin <= 2.0.7.7 - Broken Access Control vulnerability
Missing Authorization vulnerability in spicethemes Spice Blocks spice-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spice Blocks: from n/a through <= 2.0.7.7.
8.8
CVE-2025-39533 - WordPress Starfish Review Generation & Marketing plugin <= 3.1.19 - Privilege Escalation vulnerabilβ¦
Missing Authorization vulnerability in Starfish Reviews Starfish Review Generation & Marketing starfish-reviews allows Privilege Escalation.This issue affects Starfish Review Generation & Marketing: from n/a through <= 3.1.19.
7.2
CVE-2025-39535 - WordPress Vitepos plugin <= 3.1.7 - Broken Authentication Vulnerability
Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos vitepos-lite allows Authentication Abuse.This issue affects Vitepos: from n/a through <= 3.1.7.
8.8
CVE-2025-39542 - WordPress Xelion Webchat plugin <= 9.1.0 - Privilege Escalation Vulnerability
Incorrect Privilege Assignment vulnerability in Jauhari Xelion Xelion Webchat xelion-webchat allows Privilege Escalation.This issue affects Xelion Webchat: from n/a through <= 9.1.0.
9.8
CVE-2025-39550 - WordPress FluentCommunity plugin <= 1.2.15 - PHP Object Injection Vulnerability
Deserialization of Untrusted Data vulnerability in Shahjahan Jewel FluentCommunity fluent-community allows Object Injection.This issue affects FluentCommunity: from n/a through <= 1.2.15.
9.8
CVE-2025-39551 - WordPress FluentBoards plugin <= 1.47 - PHP Object Injection Vulnerability
Deserialization of Untrusted Data vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Object Injection.This issue affects FluentBoards: from n/a through <= 1.47.
6.5
CVE-2025-39554 - WordPress AI Text to Speech plugin <= 3.0.3 - Broken Access Control vulnerability
Missing Authorization vulnerability in Elliot Sowersby / RelyWP AI Text to Speech ai-text-to-speech allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Text to Speech: from n/a through <= 3.0.3.
7.1
CVE-2025-39558 - WordPress CRM Perks plugin <= 1.1.7 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks CRM Perks support-x allows Reflected XSS.This issue affects CRM Perks: from n/a through <= 1.1.7.