4.4
CVE-2025-14379 - Testimonials Creator 1.6 - Authenticated (Admin+) Stored Cross-Site Scripting
The Testimonials Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in version 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbiโฆ
4.3
CVE-2025-15377 - Sosh Share Buttons <= 1.1.0 - Cross-Site Request Forgery
The Sosh Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'admin_page_content' function. This makes it possible for unauthenticated attackers to update the plugin's settings viaโฆ
9.8
CVE-2025-14301 - Integration Opvius AI for WooCommerce <= 1.3.0 - Unauthenticated Arbitrary File Deletion/Read via Pโฆ
The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. This is due to the `process_table_bulk_actions()` function processing user-supplied file paths without authentication checks, nonce verification, or path validโฆ
4.4
CVE-2026-0680 - Real Post Slider Lite <= 2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settiโฆ
The Real Post Slider Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level acceโฆ
4.4
CVE-2025-14725 - Internal Link Builder <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugiโฆ
The Internal Link Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissioโฆ
5.3
CVE-2026-0717 - LottieFiles โ Lottie block for Gutenberg <= 3.0.0 - Unauthenticated Sensitive Information Exposure
The LottieFiles โ Lottie block for Gutenberg plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.0 via the `/wp-json/lottiefiles/v1/settings/` REST API endpoint. This makes it possible for unauthenticated attackers to retrieve the site owneโฆ
4.3
CVE-2025-14389 - WPBlogSyn <= 1.0 - Cross-Site Request Forgery to Arbitrary Remote Sync Configuration Update
The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's remote sync settings via a forged request granted tโฆ
7.1
CVE-2025-14615 - DASHBOARD BUILDER <= 1.5.7 - Cross-Site Request Forgery to SQL Injection
The DASHBOARD BUILDER โ WordPress plugin for Charts and Graphs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.7. This is due to missing nonce validation on the settings handler in dashboardbuilder-admin.php. This makes it possible for unauโฆ
6.1
CVE-2026-0594 - List Site Contributors <= 1.1.8 - Reflected Cross-Site Scripting via alpha
The List Site Contributors plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'alpha' parameter in versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web โฆ
6.8
CVE-2026-22718 - Command injection vulnerability
The VSCode extension for Spring CLI are vulnerable to command injection, resulting in command execution on the users machine.