8.5
CVE-2025-32687 - WordPress Review Stars Count For WooCommerce plugin <= 2.0 - SQL Injection Vulnerability
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Magnigenie Review Stars Count For WooCommerce review-stars-count-for-woocommerce allows SQL Injection. This issue affects Review Stars Count For WooCommerce: from n/a through <= 2.0.
8.1
CVE-2025-32668 - WordPress Real Estate Manager plugin <= 7.3 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Rameez Iqbal Real Estate Manager real-estate-manager allows PHP Local File Inclusion. This issue affects Real Estate Manager: from n/a through <= 7.3.
6
CVE-2024-38865 - Livestatus command injection in RestAPI
Improper neutralization of livestatus command delimiters in a specific endpoint within RestAPI of Checkmk prior to 2.2.0p39, 2.3.0p25, and 2.1.0p51 (EOL) allows arbitrary livestatus command execution. Exploitation requires the attacker to have a contact group assigned to their user account and for …
8.8
CVE-2025-3417 - Embedder 1.3 - 1.3.5 - Authenticated (Subscriber+) Arbitrary Options Update
The Embedder plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajax_set_global_option() function in versions 1.3 to 1.3.5. This makes it possible for authenticated attackers, with Subscriber-level a…
4.9
CVE-2024-13909 - Accredible Certificates & Open Badges <= 1.4.9 - Authenticated (Administrator+) SQL Injection via o…
The Accredible Certificates & Open Badges plugin for WordPress is vulnerable to time-based SQL Injection via the 'orderby' parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. …
7.3
CVE-2025-2805 - ORDER POST <= 2.0.2 - Unauthenticated Arbitrary Shortcode Execution
The ORDER POST plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthentic…
6.5
CVE-2025-2719 - Swatchly – WooCommerce Variation Swatches for Products (product attributes: Image swatch, Color swa…
The Swatchly – WooCommerce Variation Swatches for Products (product attributes: Image swatch, Color swatches, Label swatches) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_dismiss function in versions 1.2.8 to 1.4.0. This makes…
7.3
CVE-2025-2809 - azurecurve Shortcodes in Comments <= 2.0.2 - Unauthenticated Arbitrary Shortcode Execution
The azurecurve Shortcodes in Comments plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it p…
6.4
CVE-2024-10894 - Payment Forms for Paystack <= 4.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Payment Forms for Paystack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes like 'datepicker', 'textarea', and 'text' in all versions up to, and including, 4.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. …
6.5
CVE-2024-13896 - WP-GeSHi-Highlight <= 1.4.3 - Author+ ReDoS
The WP-GeSHi-Highlight – rock-solid syntax highlighting for 259 languages WordPress plugin through 1.4.3 processes user-supplied input as a regular expression via the wp_geshi_filter_replace_code() function, which could lead to a Regular Expression Denial of Service (ReDoS) issue.