8.1
CVE-2025-2270 - Countdown, Coming Soon, Maintenance β Countdown & Clock <= 2.8.9.1 - Unauthenticated Limited Local β¦
The Countdown, Coming Soon, Maintenance β Countdown & Clock plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.8.9.1 via the createCdObj function. This makes it possible for unauthenticated attackers to include and execute files with the specific fileβ¦
6.4
CVE-2025-2836 - RegistrationMagic β Custom Registration Forms, User Registration, Payment, and User Login <= 6.0.4.β¦
The RegistrationMagic β Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the βpayment_methodβ parameter in all versions up to, and including, 6.0.4.3 due to insufficient input sanitization and output escapingβ¦
4.4
CVE-2024-13898 - Simple Banner <= 3.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting
The Simple Banner β Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.5 due to insufficient input sanitization and output esβ¦
9.8
CVE-2024-13645 - TagDiv Composer <= 5.3 - Unauthenticated Arbitrary PHP Object Instantiation
The tagDiv Composer plugin for WordPress is vulnerable to PHP Object Instantiation in all versions up to, and including, 5.3 via module parameter. This makes it possible for unauthenticated attackers to Instantiate a PHP Object. No known POP chain is present in the vulnerable software, which means β¦
7.5
CVE-2025-2317 - Product Filter by WBW <= 2.7.9 - Unauthenticated SQL Injection via filtersDataBackend Parameter
The Product Filter by WBW plugin for WordPress is vulnerable to time-based SQL Injection via the filtersDataBackend parameter in all versions up to, and including, 2.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This mβ¦
5.3
CVE-2025-3210 - code-projects Patient Record Management System birthing_pending.php sql injection
A vulnerability was found in code-projects Patient Record Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /birthing_pending.php. The manipulation of the argument birth_id leads to sql injection. The attack may be launched remoteβ¦
8.8
CVE-2025-3192 -
Versions of the package spatie/browsershot from 0.0.0 are vulnerable to Server-side Request Forgery (SSRF) in the setUrl() function due to a missing restriction on user input, enabling attackers to access localhost and list all of its directories.
5.3
CVE-2025-3209 - code-projects Patient Record Management System add_patient.php sql injection
A vulnerability was found in code-projects Patient Record Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /add_patient.php. The manipulation of the argument itr_no leads to sql injection. The attack can be launched remoβ¦
5.1
CVE-2025-3191 -
All versions of the package react-draft-wysiwyg are vulnerable to Cross-site Scripting (XSS) via the Embedded button which will then result in saving the payload in the <iframe> tag.
6.9
CVE-2025-3197 -
Versions of the package expand-object from 0.0.0 are vulnerable to Prototype Pollution in the expand() function in index.js. This function expands the given string into an object and allows a nested property to be set without checking the provided keys for sensitive properties like __proto__.