6.5
CVE-2025-14153 - Page Expire Popup/Redirection for WordPress <= 1.0 - Authenticated (Author+) SQL Injection via 'id'…
The Page Expire Popup/Redirection for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' shortcode attribute in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQ…
6.5
CVE-2026-0604 - FastDup <= 2.7 - Authenticated (Contributor+) Path Traversal via 'dir_path' REST Parameter
The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7 via the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint. This makes it possible for authenticated attackers, w…
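The FastDup entry describes the general failure mode for a REST endpoint that takes a directory name from a Contributor-level user: the parameter is used to build a filesystem path without being confined to a base directory. The handler below is an added example written for this page, not FastDup's code; the route name 'example/v1/directory-tree', the choice of WP_CONTENT_DIR as the allowed root and the 'manage_options' capability are assumptions. It canonicalises the path with realpath() before comparing it against the base, so '..' segments and symlinks are resolved first, and it puts the capability check in permission_callback rather than only inside the handler.

```php
<?php
// Added example, not FastDup's code. Confines a REST 'dir_path' parameter to one base
// directory and requires a capability before the handler runs. Route name, base directory
// and capability are assumptions made for illustration.

function example_directory_tree_handler( WP_REST_Request $request ) {
    // Assumed allowed root; normalised so the prefix comparison below is byte-exact.
    $base      = wp_normalize_path( trailingslashit( WP_CONTENT_DIR ) );
    $requested = (string) $request->get_param( 'dir_path' );

    // Resolve '..' and symlinks before doing any comparison. realpath() returns false
    // when the path does not exist, which is also the answer for traversal into nothing.
    $resolved = realpath( $base . ltrim( $requested, '/\\' ) );
    if ( false === $resolved || ! is_dir( $resolved ) ) {
        return new WP_Error( 'example_invalid_path', 'Directory not found.', array( 'status' => 404 ) );
    }
    $resolved = trailingslashit( wp_normalize_path( $resolved ) );

    // Prefix check on the canonical path, never on the raw input. The trailing slash on
    // both sides stops "/wp-content-evil/" from matching "/wp-content".
    if ( 0 !== strpos( $resolved, $base ) ) {
        return new WP_Error( 'example_forbidden_path', 'Path outside allowed directory.', array( 'status' => 403 ) );
    }

    $entries = array_values( array_diff( scandir( $resolved ), array( '.', '..' ) ) );
    return rest_ensure_response( $entries );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/directory-tree', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_directory_tree_handler',
        // Authorisation lives here; a route with a permissive permission_callback is
        // reachable by any authenticated user, whatever the handler does later.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'dir_path' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );
```

The sanitize_callback does not prevent traversal on its own; it only trims the input. The realpath() plus prefix comparison is the check that matters, and it has to happen after resolution, since a string check on the raw input can be bypassed with URL-encoded or mixed separators.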
6.5
CVE-2025-13652 - CBX Bookmark & Favorite <= 2.0.4 - Authenticated (Subscriber+) SQL Injection via `orderby` Parameter
The CBX Bookmark & Favorite plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it po…
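Three of the entries on this page (the 'id' shortcode attribute, the 'orderby' parameter and the 'params' parameter) describe the same root cause: a user-supplied value is concatenated into a query instead of being prepared or allowlisted. The pair of functions below is an added example for this page and is not code from any of the listed plugins; the table name 'bookmarks' and its columns are assumptions. It shows the vulnerable shape beside the hardened one. The 'orderby' case is worth separating out because an ORDER BY column is an identifier, not a value, so $wpdb->prepare() cannot bind it and an allowlist is the only sound fix.

```php
<?php
// Added example, not code from any plugin listed on this page. Hypothetical table
// {$wpdb->prefix}bookmarks with columns id, user_id, title, created.

// Vulnerable shape: both the value ($id) and the identifier ($orderby) are
// interpolated into the query text unescaped. Either one carries the injection;
// an $orderby such as "id AND SLEEP(5)" is the time-based variant.
function example_vuln_get_bookmarks( $id, $orderby ) {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->prefix}bookmarks WHERE id = $id ORDER BY $orderby";
    return $wpdb->get_results( $sql );
}

// Hardened shape: values are bound through $wpdb->prepare(), identifiers are
// reduced to a fixed allowlist before they ever touch the SQL string.
function example_safe_get_bookmarks( $id, $orderby, $order = 'ASC' ) {
    global $wpdb;

    // Identifier allowlist. Anything not listed falls back to a safe default
    // rather than being "escaped", because escaping does not apply to identifiers.
    $allowed_columns = array( 'id', 'title', 'created' );
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'id';
    }
    $order = ( 'DESC' === strtoupper( (string) $order ) ) ? 'DESC' : 'ASC';

    // Value binding. %d coerces to an integer, so a string payload in $id
    // becomes 0 and never reaches the SQL text.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}bookmarks WHERE id = %d ORDER BY `{$orderby}` {$order}",
        absint( $id )
    );
    return $wpdb->get_results( $sql );
}
```

When reviewing plugin code for this class, grep for get_results(), get_var(), get_row() and query() calls whose argument is a string built with interpolation or concatenation and is not the return value of prepare(); any ORDER BY, LIMIT or table/column name that comes from a request needs the allowlist treatment regardless of whether prepare() is used elsewhere in the query.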
6.5
CVE-2025-11723 - Appointment Booking Calendar – Simply Schedule Appointments Booking Plugin <= 1.6.9.5 - Unauthentic…
The Appointment Booking Calendar – Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.9.5 via the hash() function due to use of a hardcoded fall-back salt. This makes it possible for unauthentica…
4.9
CVE-2025-13409 - Form Vibes – Database Manager for Forms <= 1.4.13 - Authenticated (Admin+) SQL Injection
The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to SQL Injection via the 'params' parameter in all versions up to, and including, 1.4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This mak…
8.8
CVE-2026-21485 - iccDEV Undefined Behavior (UB) and Out of Memory in CIccProfile::LoadTag()
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1.1 and below are prone to have Undefined Behavior (UB) and Out of Memory errors. This issue is fixed in version 2.3.1.2.
8.8
CVE-2026-21677 - iccDEV has Undefined Behavior in CIccCLUT::Init()
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have Undefined Behavior in its CIccCLUT::Init function which initializes and sets the size of a CLUT. This issue is fixed in version 2.3.1.1.
8.8
CVE-2026-21676 - iccDEV has a Heap-based Buffer Overflow in its CIccMBB::Validate() function
iccDEV provides a set of libraries and tools for working with ICC color management profiles. Versions 2.3.1 and below have a Heap-based Buffer Overflow in its CIccMBB::Validate function which checks tag data validity. This issue is fixed in version 2.3.1.1.
8.5
CVE-2025-12793 -
An uncontrolled DLL loading path vulnerability exists in AsusSoftwareManagerAgent. A local attacker may influence the application to load a DLL from an attacker-controlled location, potentially resulting in arbitrary code execution. Refer to the 'Security Update for MyASUS' section on the ASUS Se…
7.3
CVE-2025-15364 - Download Manager <= 3.3.40 - Unauthenticated Limited Privilege Escalation via updatePassword
The Download Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.40. This is due to the plugin not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenti…