5.4
CVE-2025-3056 - Download Manager <= 3.3.12 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.3.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and aboveβ¦
4.8
CVE-2025-2162 - MapPress Maps for WordPress < 2.94.10 - Admin+ Stored XSS
The MapPress Maps for WordPress plugin before 2.94.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
9.8
CVE-2025-1863 - Insecure default settings for recorder products
Insecure default settings have been found in recorder products provided by Yokogawa Electric Corporation. The default setting of the authentication function is disabled on the affected products. Therefore, when connected to a network with default settings, anyone can access all functions related toβ¦
5.3
CVE-2025-3783 - SourceCodester Web-based Pharmacy Product Management System add-product.php unrestricted upload
A vulnerability classified as critical was found in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /add-product.php. The manipulation of the argument Avatar leads to unrestricted upload. The attack can be launcβ¦
6.1
CVE-2025-3598 - Coupon Affiliates β Affiliate Plugin for WooCommerce <= 6.3.0 - Reflected Cross-Site Scripting via β¦
The Coupon Affiliates β Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the commission_summary parameter in all versions up to, and including, .6.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauβ¦
7.1
CVE-2025-39469 - WordPress Modal Survey plugin <= 2.0.2.0.1 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pantherius Modal Survey modal-survey.This issue affects Modal Survey: from n/a through <= 2.0.2.0.1.
8.1
CVE-2025-39470 - WordPress Ivy School theme <= 1.6.0 - Local File Inclusion Vulnerability
Path Traversal: '.../...//' vulnerability in ThimPress Ivy School ivy-school allows PHP Local File Inclusion.This issue affects Ivy School: from n/a through <= 1.6.0.
9.3
CVE-2025-39471 - WordPress Modal Survey plugin <= 2.0.2.0.1 - SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pantherius Modal Survey modal-survey.This issue affects Modal Survey: from n/a through <= 2.0.2.0.1.
9.8
CVE-2025-42599 -
Active! mail 6 BuildInfo: 6.60.05008561 and earlier contains a stack-based buffer overflow vulnerability. Receiving a specially crafted request created and sent by a remote unauthenticated attacker may lead to arbitrary code execution and/or a denial-of-service (DoS) condition.
4.4
CVE-2025-2613 - Login Manager β Design Login Page, View Login Activity, Limit Login Attempts <= 2.0.5 - Authenticatβ¦
The Login Manager β Design Login Page, View Login Activity, Limit Login Attempts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Custom logo and background URLs in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping. This makes iβ¦