7.2

CVSS3.1

CVE-2025-0918 - SMTP for SendGrid – YaySMTP <= 1.4 - Unauthenticated Stored Cross-Site Scripting via Email Logs

The SMTP for SendGrid – YaySMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will…

📅 Published: Feb. 22, 2025, 12:39 p.m. 🔄 Last Modified: April 22, 2026, 2:15 a.m.

7.2

CVSS3.1

CVE-2024-13869 - Migration, Backup, Staging – WPvivid <= 0.9.112 - Authenticated (Admin+) Arbitrary File Upload via …

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_files' function in all versions up to, and including, 0.9.112. This makes it possible for authenticated attackers, with Adminis…

📅 Published: Feb. 22, 2025, 12:39 p.m. 🔄 Last Modified: April 8, 2026, 4:32 p.m.

5.1

CVSS4.0

CVE-2025-1556 - westboy CicadasCMS Template Management system deserialization

A vulnerability, which was classified as problematic, has been found in westboy CicadasCMS 1.0. This issue affects some unknown processing of the file /system of the component Template Management. The manipulation leads to deserialization. The attack may be initiated remotely. The exploit has been …

📅 Published: Feb. 22, 2025, 12:31 p.m. 🔄 Last Modified: Oct. 1, 2025, 4:12 p.m.

5.1

CVSS4.0

CVE-2025-1553 - pankajindevops scale project cross site scripting

A vulnerability was found in pankajindevops scale up to 3633544a00245d3df88b6d13d9b3dd0f411be7f6. It has been classified as problematic. Affected is an unknown function of the file /scale/project. The manipulation of the argument goal leads to cross site scripting. It is possible to launch the atta…

📅 Published: Feb. 22, 2025, 9:34 a.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

7.5

CVSS3.1

CVE-2025-1361 - IP2Location Country Blocker <= 2.38.8 - Missing Authorization to Unauthenticated Information Exposu…

The IP2Location Country Blocker plugin for WordPress is vulnerable to Regular Information Exposure in all versions up to, and including, 2.38.8 due to missing capability checks on the admin_init() function. This makes it possible for unauthenticated attackers to view the plugin's settings.

📅 Published: Feb. 22, 2025, 8:22 a.m. 🔄 Last Modified: April 21, 2026, midnight

6.4

CVSS3.1

CVE-2024-13564 - Rife Elementor Extensions & Templates <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scr…

The Rife Elementor Extensions & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Writing Effect Headline shortcode in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping on user supplied attributes. This mak…

📅 Published: Feb. 22, 2025, 8:22 a.m. 🔄 Last Modified: April 8, 2026, 4:52 p.m.

6.4

CVSS3.1

CVE-2024-12038 - Frontend Content Forms for User Submissions (UGC) <= 2.8.15 - Authenticated (Contributor+) Stored C…

The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'buddyforms_nav' shortcode in all versions up to, and including, 2.8.15 due to insufficient input…

📅 Published: Feb. 22, 2025, 4:21 a.m. 🔄 Last Modified: April 8, 2026, 5:35 p.m.

6.1

CVSS3.1

CVE-2024-12467 - Pago por Redsys <= 1.0.12 - Reflected Cross-Site Scripting

The Pago por Redsys plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'Ds_MerchantParameters' parameter in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject …

📅 Published: Feb. 22, 2025, 4:21 a.m. 🔄 Last Modified: April 8, 2026, 5:31 p.m.

5.3

CVSS3.1

CVE-2024-13798 - Post Grid and Gutenberg Blocks – ComboBlocks <= 2.3.5 - Unauthenticated Paid Order Creation

The Post Grid and Gutenberg Blocks – ComboBlocks plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 2.3.5. This is due to insufficient verification on form fields. This makes it possible for unauthenticated attackers to create new orders for prod…

📅 Published: Feb. 22, 2025, 4:21 a.m. 🔄 Last Modified: April 8, 2026, 5 p.m.

7.5

CVSS3.1

CVE-2024-13474 - LTL Freight Quotes – Purolator Edition <= 2.2.3 - Unauthenticated SQL Injection

The LTL Freight Quotes – Purolator Edition plugin for WordPress is vulnerable to SQL Injection via the 'dropship_edit_id' and 'edit_id' parameters in all versions up to, and including, 2.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existi…

📅 Published: Feb. 22, 2025, 4:21 a.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.