7.2
CVE-2025-15041 - BackWPup <= 5.6.2 - Authenticated (BackWPup Helper+) Privilege Escalation via Arbitrary Options Updβ¦
The BackWPup β WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all versions up to, and including, 5.6.2. This makes it possible forβ¦
5.3
CVE-2025-14294 - Razorpay for WooCommerce <= 4.7.8 - Missing Authentication to Unauthenticated Order Modification
The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials() permission callback always returning true, prβ¦
4.3
CVE-2025-13413 - Country Blocker for AdSense <= 1.0 - Cross-Site Request Forgery to Settings Update
The Country Blocker for AdSense plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the CBFA_guardar_cbfa() function. This makes it possible for unauthenticated attackers to update the plugin's settinβ¦
6.4
CVE-2025-13732 - s2Member <= 251005 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The s2Member β Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 's2Eot' shortcode in all versions up to, and including, 251005 due to insufficient input sanitization β¦
6.5
CVE-2025-13587 - Two Factor (2FA) Authentication via Email <= 1.9.8 - Two-Factor Authentication Bypass via token
The Two Factor (2FA) Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. This is because the SS88_2FAVE::wp_login() method only enforces the 2FA requirement if the 'token' HTTP GET parameter is undefined, which makβ¦
6.1
CVE-2026-2502 - xmlrpc attacks blocker <= 1.0 - Unauthenticated Stored Cross-Site Scripting via 'X-Forwarded-For'
The xmlrpc attacks blocker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0, via the 'X-Forwarded-For' HTTP header. This is due to the plugin trusting and logging attacker-controlled IP header data and rendering debug log entries without outputβ¦
5.3
CVE-2026-2704 - Open Babel CIF File transform3d.cpp DescribeAsString out-of-bounds
A security vulnerability has been detected in Open Babel up to 3.1.1. The affected element is the function OpenBabel::transform3d::DescribeAsString of the file src/math/transform3d.cpp of the component CIF File Handler. The manipulation leads to out-of-bounds read. It is possible to initiate the atβ¦
4.8
CVE-2026-2703 - xlnt-community xlnt Encrypted XLSX File base64.cpp decode_base64 off-by-one
A weakness has been identified in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::decode_base64 of the file source/detail/cryptography/base64.cpp of the component Encrypted XLSX File Parser. Executing a manipulation can lead to off-by-one. The attack requires local access. Tβ¦
10
CVE-2025-15586 -
OGP-Website installs prior git commit 52f865a4fba763594453068acf8fa9e3fc38d663 are affected by a type juggling flaw which if exploited can result in authentication bypass without knowledge of the victim account's password.
2.3
CVE-2026-2702 - Beetel 777VR1 WPA2 PSK hard-coded credentials
A security flaw has been discovered in Beetel 777VR1 up to 01.00.09. This issue affects some unknown processing of the component WPA2 PSK. Performing a manipulation results in hard-coded credentials. The attacker must have access to the local network to execute the attack. The complexity of an attaβ¦