4.8

CVSS3.1

CVE-2025-1289 - Plugin Oficial – Getnet para WooCommerce <= 1.7.3 - Admin+ Stored XSS

The Plugin Oficial WordPress plugin through 1.7.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Published: May 15, 2025, 8:07 p.m. | Last Modified: Aug. 1, 2025, 1:58 a.m.

6.1

CVSS3.1

CVE-2025-1288 - wooexim <= 5.0.0 - CSRF to Reflected XSS

The WOOEXIM WordPress plugin through 5.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make an unauthenticated user vulnerable to reflected XSS via a CSRF attack.

Published: May 15, 2025, 8:07 p.m. | Last Modified: June 12, 2025, 4:38 p.m.

6.1

CVSS3.1

CVE-2025-1286 - Download HTML TinyMCE Button <= 1.2 - Reflected XSS

The Download HTML TinyMCE Button WordPress plugin through 1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

Published: May 15, 2025, 8:07 p.m. | Last Modified: June 12, 2025, 4:37 p.m.

4.8

CVSS3.1

CVE-2025-1033 - Badgearoo <= 1.0.14 - Admin+ Stored XSS

The Badgearoo WordPress plugin through 1.0.14 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Published: May 15, 2025, 8:07 p.m. | Last Modified: June 12, 2025, 4:36 p.m.

6.1

CVSS3.1

CVE-2025-0688 - Spiritual Gifts Survey <= 0.9.10 - Unauthenticated CSRF to XSS

The Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin through 0.9.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.

Published: May 15, 2025, 8:07 p.m. | Last Modified: May 28, 2025, 3:32 p.m.

6.1

CVSS3.1

CVE-2025-0687 - Spiritual Gifts Survey <= 0.9.10 - Unauthenticated CSRF to XSS

The Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin through 0.9.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.

Published: May 15, 2025, 8:07 p.m. | Last Modified: May 28, 2025, 3:32 p.m.

4.8

CVSS3.1

CVE-2025-0329 - AI ChatBot for WordPress – WPBot < 6.2.4 - Admin+ Stored XSS

The AI ChatBot for WordPress WordPress plugin before 6.2.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Published: May 15, 2025, 8:07 p.m. | Last Modified: June 12, 2025, 4:35 p.m.

4.8

CVSS3.1

CVE-2024-9882 - Salon Booking System < 10.9.4 - Admin+ Stored XSS

The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses WordPress plugin before 1.9.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html cap…

Published: May 15, 2025, 8:07 p.m. | Last Modified: June 12, 2025, 4:35 p.m.

5.4

CVSS3.1

CVE-2024-9879 - Website File Changes < 2.1.1 - Authenticated SQL Injection

The Melapress File Monitor WordPress plugin before 2.1.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.

Published: May 15, 2025, 8:07 p.m. | Last Modified: June 12, 2025, 4:34 p.m.

5.4

CVSS3.1

CVE-2024-9838 - Auto Affiliate Links < 6.4.7 - Admin+ SQL Injection

The Auto Affiliate Links WordPress plugin before 6.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.

Published: May 15, 2025, 8:07 p.m. | Last Modified: June 12, 2025, 4:33 p.m.