2.3
CVE-2025-27427 - Apache ActiveMQ Artemis: Address routing-type can be updated by user without the createAddress perm…
A vulnerability exists in Apache ActiveMQ Artemis whereby a user with the createDurableQueue or createNonDurableQueue permission on an address can augment the routing-type supported by that address even if said user doesn't have the createAddress permission for that particular address. When combine…
6.4
CVE-2025-1512 - PowerPack Elementor Addons (Free Widgets, Extensions and Templates) <= 2.9.0 - Authenticated (Contr…
The PowerPack Elementor Addons (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Cursor Extension in all versions up to, and including, 2.9.0 due to insufficient input sanitization and output escaping. This makes it possible fo…
5.5
CVE-2025-1267 - Groundhogg <= 3.7.4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via label Parame…
The Groundhogg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'label' parameter in versions up to, and including, 3.7.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access, to in…
6.4
CVE-2024-12189 - WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder <=…
The WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom widgets in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This make…
7.2
CVE-2024-12278 - Booster for WooCommerce <= 7.2.4 - Unauthenticated Stored Cross-Site Scripting
The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via any location that typically sanitizes data using wp_kses, like comments, in all versions up to, and including, 7.2.4 due to insufficient input sanitization and output escaping. This makes it possible f…
4.1
CVE-2025-2048 - Lana Downloads Manager < 1.10.0 - Admin+ Arbitrary File Download via Path Traversal
The Lana Downloads Manager WordPress plugin before 1.10.0 does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks and download arbitrary files on the server.
4.1
CVE-2025-1986 - Gutentor < 3.4.7 - Admin+ SQL Injection
The Gutentor WordPress plugin before 3.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.
6.5
CVE-2025-31409 - WordPress Bridge Core plugin < 3.3.1 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Bridge Core allows Stored XSS. This issue affects Bridge Core: from n/a through n/a.
0.0
CVE-2025-31024 - WordPress RJ Quickcharts plugin <= 0.6.1 - SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in randyjensen RJ Quickcharts rj-quickcharts allows SQL Injection. This issue affects RJ Quickcharts: from n/a through <= 0.6.1.
0.0
CVE-2025-31001 - WordPress GTM Kit plugin <= 2.4.0 - Sensitive Data Exposure vulnerability
Debug Messages Revealing Unnecessary Information vulnerability in TLA Media GTM Kit gtm-kit allows Retrieve Embedded Sensitive Data. This issue affects GTM Kit: from n/a through <= 2.4.0.