6.4
CVE-2024-13411 - Zapier for WordPress <= 1.5.1 - Authenticated (Subscriber+) Blind Server-Side Request Forgery via u…
The Zapier for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5.1 via the updated_user() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locat…
7.2
CVE-2024-13889 - WordPress Importer <= 0.8.3 - Authenticated (Administrator+) PHP Object Injection
The WordPress Importer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.8.3 via deserialization of untrusted input in the 'maybe_unserialize' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to…
4.9
CVE-2025-1769 - Product Import Export for WooCommerce <= 2.5.0 - Directory Traversal to Authenticated (Administrato…
The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.5.0 via the download_file() function. This makes it possible for authenticated attackers, with Administrator-level access and…
8.8
CVE-2025-2110 - WP Compress <= 6.30.15 - Authenticated (Subscriber+) Missing Authorization via Multiple Functions
The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on its AJAX functions in all versions up to, and including, 6.30.15. This makes it possible for authenticated …
4
CVE-2025-27552 - DBIx::Class::EncodedColumn until 0.00032 for Perl uses insecure rand() function for salting passwor…
DBIx::Class::EncodedColumn uses the rand() function, which is not cryptographically secure, to salt password hashes. This vulnerability is associated with the program file Crypt/Eksblowfish/Bcrypt.pm. This issue affects DBIx::Class::EncodedColumn until 0.00032.
4
CVE-2025-27551 - DBIx::Class::EncodedColumn until 0.00032 for Perl uses insecure rand() function for salting passwor…
DBIx::Class::EncodedColumn uses the rand() function, which is not cryptographically secure, to salt password hashes. This vulnerability is associated with the program file lib/DBIx/Class/EncodedColumn/Digest.pm. This issue affects DBIx::Class::EncodedColumn until 0.00032.
9.3
CVE-2025-1542 - Improper permission control in OXARI ServiceDesk
Improper permission control vulnerability in the OXARI ServiceDesk application could allow an attacker using guest access or an unprivileged account to gain additional administrative permissions in the application. This issue affects OXARI ServiceDesk in versions before 2.0.324.0.
2.3
CVE-2025-2596 - Session logout can be overwritten by long lasting request
Session logout could be overwritten in Checkmk GmbH's Checkmk versions <2.3.0p30, <2.2.0p41, and 2.1.0p49 (EOL).
5.3
CVE-2025-1440 - Advanced iFrame <= 2024.5 - Unauthenticated Settings Update
The Advanced iFrame plugin for WordPress is vulnerable to unauthorized excessive creation of options on the aip_map_url_callback() function in all versions up to, and including, 2024.5 due to insufficient restrictions. This makes it possible for unauthenticated attackers to update the advancediFram…
6.4
CVE-2025-1703 - Ultimate Blocks <= 3.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via content Par…
The Ultimate Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 3.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access…