6.1

CVSS3.1

CVE-2025-3867 - Ajax Comment Form CST <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Ajax Comment Form CST plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation via the 'acform_cst_settings' page. This makes it possible for unauthenticated attackers to update settings and …

📅 Published: April 25, 2025, 6:45 a.m. 🔄 Last Modified: April 22, 2026, 5:30 p.m.

6.1

CVSS3.1

CVE-2025-3866 - Add Google +1 (Plus one) social share Button <= 1.0.0 - Cross-Site Request Forgery to Stored Cross-…

The Add Google +1 (Plus one) social share Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the google-plus-one-share-button page. This makes it possible for unauthenticated at…

📅 Published: April 25, 2025, 6:45 a.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

6.1

CVSS3.1

CVE-2025-0671 - Email Subscribers < 5.7.50 - Admin+ Stored XSS in Template

The Icegram Express WordPress plugin before 5.7.50 does not sanitise and escape some of its Template settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

📅 Published: April 25, 2025, 6 a.m. 🔄 Last Modified: April 29, 2025, 9:20 p.m.

5.3

CVSS3.1

CVE-2025-3923 - Prevent Direct Access – Protect WordPress Files <= 2.8.8 - Unauthenticated Sensitive Information Ex…

The Prevent Direct Access – Protect WordPress Files plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.8 via the 'generate_unique_string' due to insufficient randomness of the generated file name. This makes it possible for unauthenticated…

📅 Published: April 25, 2025, 5:25 a.m. 🔄 Last Modified: April 20, 2026, 11:15 p.m.

5.4

CVSS3.1

CVE-2025-3861 - Prevent Direct Access 2.8.6 - 2.8.8.2 - Incorrect Authorization to Authenticated (Contributor+) Mul…

The Prevent Direct Access – Protect WordPress Files plugin for WordPress is vulnerable to unauthorized access and modification of data due to a misconfigured capability check on the 'pda_lite_custom_permission_check' function in versions 2.8.6 to 2.8.8.2. This makes it possible for authenticated a…

📅 Published: April 25, 2025, 5:25 a.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

4.9

CVSS3.1

CVE-2025-2580 - Contact Form by Bit Form <= 2.18.3 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Fi…

The Contact Form by Bit Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.18.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access a…

📅 Published: April 25, 2025, 5:25 a.m. 🔄 Last Modified: April 22, 2026, 5:30 p.m.

7.5

CVSS3.1

CVE-2025-3511 -

Improper Validation of Specified Quantity in Input vulnerability in Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module, CC-Link IE TSN Analog-Digital Converter module, CC-Link IE TSN Digital-Analog Converter module, CC-Link IE TSN FPGA module, CC-Link IE TSN Remote Station Communicati…

📅 Published: April 25, 2025, 5:14 a.m. 🔄 Last Modified: April 24, 2026, 7:13 a.m.

6.4

CVSS3.1

CVE-2025-3752 - Able Player, accessible HTML5 media player <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Sit…

The Able Player, accessible HTML5 media player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘preload’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wi…

📅 Published: April 25, 2025, 4:23 a.m. 🔄 Last Modified: April 21, 2026, 9:15 p.m.

6.5

CVSS3.1

CVE-2025-3775 - ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (forme…

The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.2 via the woolentor_template_proxy function. This makes it possible for u…

📅 Published: April 25, 2025, 4:23 a.m. 🔄 Last Modified: April 21, 2026, 9:15 p.m.

8.2

CVSS3.1

CVE-2025-43865 - React Router allows pre-render data spoofing on React-Router framework mode

React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it's possible to modify pre-rendered data by adding a header to the request. This makes it possible to completely spoof its contents and modify all the values of the data object passed to the HTML. This issue has been …

📅 Published: April 25, 2025, 12:18 a.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.