8.1
CVE-2025-2101 - Edumall <= 4.2.4 - Unauthenticated Local File Inclusion
The Edumall theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.2.4 via the 'template' parameter of the 'edumall_lazy_load_template' AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the serv…
6.5
CVE-2024-13812 - Anps Theme plugin <= 1.1.1 - Unauthenticated Arbitrary Shortcode Execution
The The Anps Theme plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.1.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for …
8.6
CVE-2025-2851 - GL.iNet GL-A1300 Slate Plus RPC plugins.so buffer overflow
A vulnerability classified as critical has been found in GL.iNet GL-A1300 Slate Plus, GL-AR300M16 Shadow, GL-AR300M Shadow, GL-AR750 Creta, GL-AR750S-EXT Slate, GL-AX1800 Flint, GL-AXT1800 Slate AX, GL-B1300 Convexa-B, GL-B3000 Marble, GL-BE3600 Slate 7, GL-E750, GL-E750V2 Mudi, GL-MT300N-V2 Mango,…
5.1
CVE-2025-2850 - GL.iNet GL-A1300 Slate Plus Download Interface improper authorization
A vulnerability was found in GL.iNet GL-A1300 Slate Plus, GL-AR300M16 Shadow, GL-AR300M Shadow, GL-AR750 Creta, GL-AR750S-EXT Slate, GL-AX1800 Flint, GL-AXT1800 Slate AX, GL-B1300 Convexa-B, GL-B3000 Marble, GL-BE3600 Slate 7, GL-E750, GL-E750V2 Mudi, GL-MT300N-V2 Mango, GL-MT1300 Beryl, GL-MT2500 …
6.9
CVE-2025-2811 - GL.iNet GL-A1300 Slate Plus API redos
A vulnerability was found in GL.iNet GL-A1300 Slate Plus, GL-AR300M16 Shadow, GL-AR300M Shadow, GL-AR750 Creta, GL-AR750S-EXT Slate, GL-AX1800 Flint, GL-AXT1800 Slate AX, GL-B1300 Convexa-B, GL-B3000 Marble, GL-BE3600 Slate 7, GL-E750, GL-E750V2 Mudi, GL-MT300N-V2 Mango, GL-MT1300 Beryl, GL-MT2500 …
9.8
CVE-2025-2907 - Order Delivery Date Pro for WooCommerce < 12.3.1 - Unauthenticated Arbitrary Option Update
The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to modify…
4.3
CVE-2025-3915 - Aeropage Sync for Airtable <= 3.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrar…
The Aeropage Sync for Airtable plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'aeropageDeletePost' function in all versions up to, and including, 3.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and abo…
8.8
CVE-2025-3906 - Integração entre Eduzz e Woocommerce 1.5.0 - 1.7.5 - Missing Authorization to Authenticated (Subscr…
The Integração entre Eduzz e Woocommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wep_opcoes' function in all versions up to, and including, 1.7.5. This makes it possible for authenticated attackers, with Subscriber-level acce…
8.8
CVE-2025-3914 - Aeropage Sync for Airtable <= 3.2.0 - Authenticated (Subscriber+) Arbitrary File Upload
The Aeropage Sync for Airtable plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aeropage_media_downloader' function in all versions up to, and including, 3.2.0. This makes it possible for authenticated attackers, with Subscriber-level access a…
7.2
CVE-2025-3491 - Add custom page template <= 2.0.1 - Authenticated (Administrator+) PHP Code Injection to Remote Cod…
The Add custom page template plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'acpt_validate_setting' function. This is due to insufficient sanitization of the 'template_name' parameter. This makes it possi…