6.1

CVSS3.1

CVE-2025-1286 - Download HTML TinyMCE Button <= 1.2 - Reflected XSS

The Download HTML TinyMCE Button WordPress plugin through 1.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

📅 Published: May 15, 2025, 8:07 p.m. 🔄 Last Modified: June 12, 2025, 4:37 p.m.

4.8

CVSS3.1

CVE-2025-1033 - Badgearoo <= 1.0.14 - Admin+ Stored XSS

The Badgearoo WordPress plugin through 1.0.14 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

📅 Published: May 15, 2025, 8:07 p.m. 🔄 Last Modified: June 12, 2025, 4:36 p.m.

6.1

CVSS3.1

CVE-2025-0688 - Spiritual Gifts Survey <= 0.9.10 - Unauthenticated CSRF to XSS

The Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin through 0.9.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.

📅 Published: May 15, 2025, 8:07 p.m. 🔄 Last Modified: May 28, 2025, 3:32 p.m.

6.1

CVSS3.1

CVE-2025-0687 - Spiritual Gifts Survey <= 0.9.10 - Unauthenticated CSRF to XSS

The Spiritual Gifts Survey (and optional S.H.A.P.E survey) WordPress plugin through 0.9.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users.

📅 Published: May 15, 2025, 8:07 p.m. 🔄 Last Modified: May 28, 2025, 3:32 p.m.

4.8

CVSS3.1

CVE-2025-0329 - AI ChatBot for WordPress – WPBot < 6.2.4 - Admin+ Stored XSS

The AI ChatBot for WordPress WordPress plugin before 6.2.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

📅 Published: May 15, 2025, 8:07 p.m. 🔄 Last Modified: June 12, 2025, 4:35 p.m.

4.8

CVSS3.1

CVE-2024-9882 - Salon Booking System < 10.9.4 - Admin+ Stored XSS

The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses WordPress plugin before 1.9.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html cap…

📅 Published: May 15, 2025, 8:07 p.m. 🔄 Last Modified: June 12, 2025, 4:35 p.m.

5.4

CVSS3.1

CVE-2024-9879 - Website File Changes < 2.1.1 - Authenticated SQL Injection

The Melapress File Monitor WordPress plugin before 2.1.1 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.

📅 Published: May 15, 2025, 8:07 p.m. 🔄 Last Modified: June 12, 2025, 4:34 p.m.

5.4

CVSS3.1

CVE-2024-9838 - Auto Affiliate Links < 6.4.7 - Admin+ SQL Injection

The Auto Affiliate Links WordPress plugin before 6.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.

📅 Published: May 15, 2025, 8:07 p.m. 🔄 Last Modified: June 12, 2025, 4:33 p.m.

7.2

CVSS3.1

CVE-2024-9831 - Taskbuilder < 3.0.9 - Admin+ SQL Injection

The Taskbuilder WordPress plugin before 3.0.9 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.

📅 Published: May 15, 2025, 8:07 p.m. 🔄 Last Modified: June 12, 2025, 4:33 p.m.

6.5

CVSS3.1

CVE-2024-9765 - EKC Tournament Manager < 2.2.2 - Local File Download Vulnerability

The EKC Tournament Manager WordPress plugin before 2.2.2 allows a logged-in admin to download system files outside of the WordPress directory.

📅 Published: May 15, 2025, 8:07 p.m. 🔄 Last Modified: May 28, 2025, 3:40 p.m.