Wordfence Intelligence Weekly WordPress Vulnerability Report (June 2, 2025 to June 8, 2025)

Calling all Vulnerability Researchers and Bug Bounty Hunters!  

Spring into Summer with Wordfence! Now through August 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big!

Last week, there were 257 vulnerabilities disclosed in 233 WordPress Plugins and 13 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 66 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 27,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• WAF-RULE-844 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
muhammad yudha	25
Nguyen Xuan Chien	19
Tran Nguyen Bao Khanh	19
Nabil Irawan	18
domiee13	16
Chu The Anh	14
ch4r0n	13
Bonds	9
Peter Thaleikis	9
HLog	7
Nguyen Ngoc Quang Bach (maysbachs)	6
Hiro	6
Trương Hữu Phúc (truonghuuphuc)	5
Nguyen Kim Sang	4
Martino Spagnuolo	4
Nguyễn Trung Kiên	4
Skalucy	4
theviper17y	3
haudayroi	3
Phat RiO – BlueRock	3
0xd4rk5id3	3
Rafie Muhammad	3
Prissy	3
Kévin Mosbahi (Mika)	3
Annn	3
Foxyyy	3
LVT-tholv2k	2
0x1ceKing	2
Asaf Mozes	2
Vo Thi Ngoc Nhi	2
zer0gh0st	2
timomangcut	2
rajanhoyr	2
István Márton	2
Denver Jackson	2
sterva	1
Matteo Leonelli	1
David D.	1
Marek Mikita	1
Webbernaut	1
Jang Jeong Ahn (Jhanks)	1
bintable	1
Martin Martin	1
ghsinfosec	1
johska	1
Brian Sans-Souci (liardom)	1
the sneaky squirrel	1
l33ch	1
zaim	1
TANG Cheuk Hei (siunam)	1
Naveen H N	1
siavashvafshar	1
Ryan Novotny	1
Noah Stead (TurtleBurg)	1
Blair Crawford	1
lucky_buddy	1
kr0d	1
Drew Webber (mcdruid)	1
Chuck	1
Shivam Khanna	1
Abdullah Shittu	1
Christie BOUTIER	1
Nguyen Quang Minh	1
Abdulaziz Alzamil	1
Mohamed Ali	1
Jorgson	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Arlo <= 6.0.3 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-39475

Patch Status
Unpatched

Published
Jun 3, 2025

Affected Software
Arlo | Portfolio WordPress Theme

Researcher

Bonds

More Details >

FLAP – Business WordPress Theme <= 1.5 – Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-31396

Patch Status
Unpatched

Published
Jun 3, 2025

Affected Software
FLAP – Business WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Golo <= 1.7.0 – Authentication Bypass to Account Takeover

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-4797

Patch Status
Patched

Published
Jun 2, 2025

Affected Software
Golo – City Travel Guide WordPress Theme

Researcher

Foxyyy

More Details >

HyperComments <= 1.2.2 – Unauthenticated (Subscriber+) Arbitrary Options Update

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-5701

Patch Status
Unpatched

Published
Jun 4, 2025

Affected Software
HyperComments

Researchers

Matteo Leonelli

David D.

More Details >

Krowd <= 1.4.1 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-32595

Patch Status
Unpatched

Published
Jun 3, 2025

Affected Software
Krowd – Crowdfunding & Charity WordPress Theme

Researcher

Bonds

More Details >

Motors – Events <= 1.4.7 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-47586

Patch Status
Unpatched

Published
Jun 3, 2025

Affected Software
Motors – Events

Researcher

Rafie Muhammad

More Details >

PayU CommercePro Plugin <= 3.8.5 – Authentication Bypass

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-31022

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
PayU CommercePro Plugin

Researcher

Rafie Muhammad

More Details >

PIMP – Creative MultiPurpose <= 1.7 – Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-31398

Patch Status
Unpatched

Published
Jun 3, 2025

Affected Software
PIMP – Creative MultiPurpose Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

PressGrid – Frontend Publish Reaction & Multimedia Theme <= 1.3.1 – Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-31429

Patch Status
Unpatched

Published
Jun 4, 2025

Affected Software
PressGrid – Frontend Publish Reaction & Multimedia Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Revo <= 4.0.26 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-39476

Patch Status
Unpatched

Published
Jun 3, 2025

Affected Software
Revo – Multipurpose Elementor WooCommerce WordPress Theme (25+ Homepages & 5+ Mobile Layouts)

Researcher

Bonds

More Details >

Seofy Core <= 1.4.5 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-39473

Patch Status
Unpatched

Published
Jun 3, 2025

Affected Software
Seofy Core

Researcher

Bonds

More Details >

Sweet Dessert < 1.1.13 – Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-49073

Patch Status
Patched

Published
Jun 3, 2025

Affected Software
Sweet Dessert | Candy Shop & Cafe WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

WP Email Debug 1.0 – 1.1.0 – Missing Authorization to Unauthenticated Privilege Escalation via Password Reset

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-5486

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
WP Email Debug

Researcher

kr0d

More Details >

AI Mortgage Calculator <= 1.0.1 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2023-25995

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
AI Mortgage Calculator

Researcher

0x1ceKing

More Details >

BRW <= 1.8.6 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-49313

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
BRW – Booking Rental Plugin WooCommerce

Researcher

Phat RiO – BlueRock

More Details >

Password Policy Manager <= 2.0.4 – Authenticated (Subscriber+) Privilege Escalation via Account Takeover

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-31019

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Password Policy Manager | Password Manager

Researcher

Rafie Muhammad

More Details >

Sunshine Photo Cart <= 3.4.11 – Authenticated (Subscriber+) Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-5482

Patch Status
Patched

Published
Jun 3, 2025

Affected Software
Sunshine Photo Cart: Free Client Photo Galleries for Photographers

Researchers

Brian Sans-Souci (liardom)

the sneaky squirrel

More Details >

WP Multilang <= 2.4.19 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-49307

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
WP Multilang – Translation and Multilingual Plugin

Researcher

muhammad yudha

More Details >

WP Shopify <= 1.5.3 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-30999

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
WP Shopify

Researcher

timomangcut

More Details >

WP Travel Engine <= 6.5.1 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-49308

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
WP Travel Engine – Tour Booking Plugin – Tour Operator Software

Researcher

muhammad yudha

More Details >

WP User Frontend Pro <= 4.1.3 – Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-3054

Patch Status
Patched

Published
Jun 4, 2025

Affected Software
WP User Frontend Pro

Researcher

Foxyyy

More Details >

POEditor <= 0.9.10 – Cross-Site Request Forgery

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-49237

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
POEditor

Researcher

Nguyen Xuan Chien

More Details >

WP User Frontend Pro <= 4.1.3 – Authenticated (Subscriber+) Arbitrary File Deletion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-3055

Patch Status
Patched

Published
Jun 4, 2025

Affected Software
WP User Frontend Pro

Researcher

Foxyyy

More Details >

Multi CryptoCurrency Payments <= 2.0.3 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-48141

Patch Status
Unpatched

Published
Jun 3, 2025

Affected Software
Multi CryptoCurrency Payments

Researcher

ch4r0n

More Details >

MyStyle Custom Product Designer <= 3.21.1 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-48281

Patch Status
Patched

Published
Jun 3, 2025

Affected Software
MyStyle Custom Product Designer

Researcher

Martino Spagnuolo

More Details >

Product Filter Pro <= 2.7.6 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-39496

Patch Status
Unpatched

Published
Jun 3, 2025

Affected Software
WooCommerce Product Filter

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Recover abandoned cart for WooCommerce <= 2.5 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-47608

Patch Status
Unpatched

Published
Jun 3, 2025

Affected Software
Recover abandoned cart for WooCommerce

Researcher

ch4r0n

More Details >

Spice Blocks <= 2.0.7.2 – Unauthenticated Arbitrary File Download

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-48130

Patch Status
Unpatched

Published
Jun 4, 2025

Affected Software
Spice Blocks

Researcher

Martino Spagnuolo

More Details >

Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light <= 2.4.37 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-48122

Patch Status
Unpatched

Published
Jun 3, 2025

Affected Software
Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light

Researcher

ch4r0n

More Details >

WooCommerce Ultimate Gift Card – Create, Sell and Manage Gift Cards with Customized Email Templates <= 2.8.10 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-47569

Patch Status
Unpatched

Published
Jun 3, 2025

Affected Software
WooCommerce Ultimate Gift Card

Researcher

Bonds

More Details >

WP Lead Capturing Pages <= 2.3 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-31424

Patch Status
Unpatched

Published
Jun 3, 2025

Affected Software
WP Lead Capturing Pages – WordPress Plugin

Researcher

Tran Nguyen Bao Khanh

More Details >

WPCHURCH <= 2.7.0 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-32303

Patch Status
Unpatched

Published
Jun 3, 2025

Affected Software
WPCHURCH – Church Management System for WordPress

Researcher

Annn

More Details >

Car Repair Services <= 5.0 – Unauthenticated Server-Side Request Forgery

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-30997

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Car Repair Services & Auto Mechanic WordPress Theme + RTL

Researcher

Bonds

More Details >

LTL Freight Quotes – Freightview Edition <= 1.0.11, LTL Freight Quotes – Daylight Edition <=2.2.6 and LTL Freight Quotes – Day & Ross Edition <= 2.1.10 – Unauthenticated Stored Cross-Site Scripting via `expiry_date` Parameter

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-5303

Patch Status
Patched

Published
Jun 6, 2025

Affected Software
LTL Freight Quotes – Freightview Edition
LTL Freight Quotes – Day & Ross Edition
LTL Freight Quotes – Daylight Edition

Researcher

sterva

More Details >

Shared Files <= 1.7.48 – Unauthenticated Stored Cross-Site Scripting via sanitize_file Function

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-4392

Patch Status
Patched

Published
Jun 2, 2025

Affected Software
Shared Files – Frontend File Upload Form & Secure File Sharing

Researcher

Martin Martin

More Details >

Store Locator WordPress <= 1.5.2 – Authenticated (Admin+) Arbitrary File Upload

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-49329

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Store Locator WordPress

Researcher

Nguyen Kim Sang

More Details >

WP Gravity Forms Constant Contact Plugin <= 1.1.0 – Open Redirect

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-30954

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
WP Gravity Forms Constant Contact Plugin

Researcher

Bonds

More Details >

wpForo + wpForo Advanced Attachments <= 3.1.3 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-4224

Patch Status
Patched

Published
Jun 2, 2025

Affected Software
wpForo + wpForo Advanced Attachments

Researcher

Christie BOUTIER

More Details >

Hive Support <= 1.2.4 – Authenticated (Subscriber+) Missing Authorization via hs_update_ai_chat_settings and hive_lite_support_get_all_binbox

7.1

CVSS Rating
High (7.1)

CVE-ID
CVE-2025-5018

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress

Researcher

Vo Thi Ngoc Nhi

More Details >

Hydra Booking <= 1.1.10 – Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-49323

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Hydra Booking – All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin <= 6.4.0.2 – Missing Authorization

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-48133

Patch Status
Patched

Published
Jun 2, 2025

Affected Software
Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin

Researcher

Denver Jackson

More Details >

Welcart e-Commerce <= 2.11.13 – Authenticated (Editor+) Arbitrary File Deletion

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-47511

Patch Status
Patched

Published
Jun 3, 2025

Affected Software
Welcart e-Commerce

Researcher

Martino Spagnuolo

More Details >

WP-Addpub <= 1.2.8 – Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-5563

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
WP-Addpub

Researcher

muhammad yudha

More Details >

Abbie Expander <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49427

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Abbie Expander

Researcher

Chu The Anh

More Details >

All Currencies for WooCommerce <= 2.4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-30950

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
All Currencies for WooCommerce

Researcher

muhammad yudha

More Details >

Bacon Ipsum <= 2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49443

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Bacon Ipsum

Researcher

Chu The Anh

More Details >

Bellows Accordion Menu <= 1.4.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49242

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Bellows Accordion Menu

Researcher

muhammad yudha

More Details >

Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress <= 6.7 – Authenticated (Subscriber+) Stored Cross-Site Scripting via SVG File Uploads

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-1725

Patch Status
Patched

Published
Jun 2, 2025

Affected Software
Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress

Researcher

TANG Cheuk Hei (siunam)

More Details >

BlockStrap Page Builder – Bootstrap Blocks <= 0.1.36 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-30951

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
BlockStrap Page Builder – Bootstrap Blocks

Researcher

Prissy

More Details >

BM Content Builder <= 3.16.2.1 – Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via ux_cb_page_options_save

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-1777

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
BM Content Builder

Researcher

István Márton

More Details >

BNS Featured Category <= 2.8.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5538

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
BNS Featured Category

Researcher

muhammad yudha

More Details >

BRW <= 1.8.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49314

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
BRW – Booking Rental Plugin WooCommerce

Researcher

Phat RiO – BlueRock

More Details >

Contact Form <= 2.0.12 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-30935

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Contact Form

Researcher

theviper17y

More Details >

Domain For Sale <= 3.0.10 – Authenticated (Contributor+) Stored Cross-Site Scripting via class_name Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5239

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Domain For Sale, Domain appraisal, Domain auction, Domain marketplace – Best Domain For sale Plugin for WordPress

Researcher

Peter Thaleikis

More Details >

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 6.1.12 – Authenticated(Contributor+) Stored Cross-Site Scripting via Event Calendar Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-9993

Patch Status
Patched

Published
Jun 6, 2025

Affected Software
Essential Addons for Elementor – Popular Elementor Templates and Widgets

Researcher

zer0gh0st

More Details >

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 6.1.12 – Authenticated(Contributor+) Stored Cross-Site Scripting via Pricing Table Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2024-9994

Patch Status
Patched

Published
Jun 6, 2025

Affected Software
Essential Addons for Elementor – Popular Elementor Templates and Widgets

Researcher

zer0gh0st

More Details >

ESV Bible Shortcode for WordPress <= 1.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5534

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
ESV Bible Shortcode for WordPress

Researcher

muhammad yudha

More Details >

Event post <= 5.10.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49298

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Event post

Researcher

Peter Thaleikis

More Details >

Faculty Staff and Student Directory Plugin – Campus Directory <= 1.9.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5532

Patch Status
Patched

Published
Jun 3, 2025

Affected Software
Campus Directory – Faculty, Staff & Student Directory Plugin for WordPress

Researcher

muhammad yudha

More Details >

Forminator <= 1.44.1 – Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via id and data-size Parameters

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5341

Patch Status
Patched

Published
Jun 4, 2025

Affected Software
Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Researcher

Asaf Mozes

More Details >

Freemind Viewer <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5536

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Freemind Viewer

Researcher

muhammad yudha

More Details >

Frontend Dashboard <= 2.2.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49310

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Frontend Dashboard

Researcher

muhammad yudha

More Details >

Greenshift <= 11.5.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49301

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Greenshift – animation and page builder blocks

Researcher

Peter Thaleikis

More Details >

Hide It <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5565

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Hide It

Researcher

muhammad yudha

More Details >

HT Team Member <= 1.1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49309

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
WP Team – WordPress Team Member Plugin

Researcher

muhammad yudha

More Details >

Image Hover Effects Block <= 1.4.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-31025

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Image Hover Effects Block

Researcher

zaim

More Details >

Knowledge Base <= 2.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5533

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Knowledge Base

Researcher

muhammad yudha

More Details >

Music Player for Elementor <= 2.4.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via album_buy_url Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5340

Patch Status
Patched

Published
Jun 2, 2025

Affected Software
Music Player for Elementor – Audio Player & Podcast Player

Researcher

Webbernaut

More Details >

Nasa Core < 6.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49067

Patch Status
Patched

Published
Jun 3, 2025

Affected Software
Nasa Core

Researcher

Phat RiO – BlueRock

More Details >

Nexa Blocks <= 1.1.0 – Authenticated (Contributor+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-30976

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE

Researcher

theviper17y

More Details >

Nexa Blocks <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-30952

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE

Researcher

Prissy

More Details >

Next Event Calendar <= 1.2 – Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2023-26001

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Next Event Calendar

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

Paged Gallery <= 0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5686

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Paged Gallery

Researcher

muhammad yudha

More Details >

Popup Maker <= 1.20.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via popupID Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-4205

Patch Status
Patched

Published
Jun 2, 2025

Affected Software
Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder

Researcher

Asaf Mozes

More Details >

Premium Packages <= 6.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-30991

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Premium Packages – Sell Digital Products Securely

Researcher

Peter Thaleikis

More Details >

Product Catalog Simple <= 1.8.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49305

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Product Catalog Simple

Researcher

muhammad yudha

More Details >

Profile Builder <= 3.13.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via user_meta and compare Shortcodes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-4671

Patch Status
Patched

Published
Jun 2, 2025

Affected Software
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Researcher

muhammad yudha

More Details >

RTMKit Addons for Elementor <= 1.6.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49235

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
RTMKit Addons for Elementor

Researcher

Prissy

More Details >

Runners Log <= 3.9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5541

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Runners Log

Researcher

muhammad yudha

More Details >

Search with Typesense <= 2.0.10 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49304

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Search with Typesense

Researcher

muhammad yudha

More Details >

SEPA Girocode <= 0.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49450

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
SEPA Girocode

Researcher

Chu The Anh

More Details >

ShiftNav – Responsive Mobile Menu <= 1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49243

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
ShiftNav – Responsive Mobile Menu

Researcher

muhammad yudha

More Details >

Shortcodes Ultimate <= 7.3.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49244

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
WP Shortcodes Plugin — Shortcodes Ultimate

Researcher

muhammad yudha

More Details >

Simple Google Static Map <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-27334

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Simple Google Static Map

Researcher

Chu The Anh

More Details >

Simple Nested Menu <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49442

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Simple Nested Menu

Researcher

Chu The Anh

More Details >

Simplify Contact Management: WP Easy Contact <= 4.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5539

Patch Status
Patched

Published
Jun 3, 2025

Affected Software
Simple Contact Form Plugin for WordPress – WP Easy Contact

Researcher

muhammad yudha

More Details >

SocialMark <= 2.0.7 – Authenticated (Subscriber+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-29008

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
SocialMark – Easy Watermark/Logo on Social Media Post Link Share Preview

Researcher

theviper17y

More Details >

Staff Directory – Employee Directory for WordPress <= 4.5.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5531

Patch Status
Patched

Published
Jun 3, 2025

Affected Software
Employee Directory – Staff Listing & Team Directory Plugin for WordPress

Researcher

muhammad yudha

More Details >

StageShow <= 10.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via anchor Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5703

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
StageShow

Researcher

Peter Thaleikis

More Details >

The Events Calendar Countdown Addon <= 1.4.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49311

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
The Events Calendar Countdown Addon

Researcher

muhammad yudha

More Details >

The Holiday Calendar <= 1.18.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-29003

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
The Holiday Calendar

Researcher

Nguyen Xuan Chien

More Details >

Vayu Blocks <= 1.3.1 – Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via containerWidth Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-4420

Patch Status
Patched

Published
Jun 2, 2025

Affected Software
Vayu Blocks – Website Builder for the Block Editor

Researcher

Chuck

More Details >

Video Embeds <= 0.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49429

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Video Embeds

Researcher

Chu The Anh

More Details >

WebHotelier <= 1.9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49299

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
WebHotelier for WordPress

Researcher

Peter Thaleikis

More Details >

WordPress Ajax Load More and Infinite Scroll <= 1.6.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5586

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
WordPress Ajax Load More and Infinite Scroll

Researcher

Peter Thaleikis

More Details >

WordPress Comments Import & Export <= 2.4.3 – Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-3919

Patch Status
Patched

Published
Jun 2, 2025

Affected Software
WordPress Comments Import & Export

Researcher

Jorgson

More Details >

WP Plugin Info Card <= 5.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via containerid Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5116

Patch Status
Patched

Published
Jun 2, 2025

Affected Software
WP Plugin Info Card

Researcher

Peter Thaleikis

More Details >

WP Social Widget <= 2.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49306

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
WP Social Widget

Researcher

muhammad yudha

More Details >

WpEvently <= 4.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5568

Patch Status
Patched

Published
Jun 6, 2025

Affected Software
Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin

Researcher

siavashvafshar

More Details >

YouTube Simple Gallery <= 2.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-29011

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
YouTube Simple Gallery

Researcher

Skalucy

More Details >

Category Icon <= 1.0.2 – Authenticated (Author+) XML External Entity Injection

6.3

CVSS Rating
Medium (6.3)

CVE-ID
CVE-2025-31039

Patch Status
Unpatched

Published
Jun 3, 2025

Affected Software
Category Icon

Researcher

Drew Webber (mcdruid)

More Details >

Backup and Staging by WP Time Capsule <= 1.22.23 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-47477

Patch Status
Patched

Published
Jun 4, 2025

Affected Software
Backup and Staging by WP Time Capsule

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Bg Orthodox Calendar <= 0.13.10 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-28958

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Bg Orthodox Calendar

Researcher

Nguyen Xuan Chien

More Details >

BP Profile as Homepage <= 1.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-49453

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
BP Profile as Homepage

Researcher

johska

More Details >

FlatNews <= 5.8 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-32305

Patch Status
Unpatched

Published
Jun 3, 2025

Affected Software
FlatNews – Responsive Magazine WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

MC Woocommerce Wishlist <= 1.9.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-47487

Patch Status
Patched

Published
Jun 4, 2025

Affected Software
WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features)

Researcher

Peter Thaleikis

More Details >

Mediabay – WordPress Media Library Folders <= 1.4 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-28948

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Mediabay – WordPress Media Library Folders

Researcher

Tran Nguyen Bao Khanh

More Details >

Newspack Newsletters <= 3.13.0 – Open Redirect

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-49325

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Newspack Newsletters

Researcher

Hiro

More Details >

Personal Favicon <= 2.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-28964

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Personal Favicon

Researcher

Nguyen Xuan Chien

More Details >

Revolution Video Player <= 2.9.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-31058

Patch Status
Unpatched

Published
Jun 3, 2025

Affected Software
Revolution Video Player With Bottom Playlist WordPress Plugin – YouTube/Vimeo/Self-Hosted Support

Researcher

Tran Nguyen Bao Khanh

More Details >

SHOUT <= 3.5.3 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-31925

Patch Status
Unpatched

Published
Jun 3, 2025

Affected Software
SHOUT

Researcher

Tran Nguyen Bao Khanh

More Details >

Social Sharing Plugin – Sassy Social Share <= 3.3.75 – Reflected Cross-Site Scripting via ‘heateor_mastodon_share’ Parameter

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-5528

Patch Status
Patched

Published
Jun 6, 2025

Affected Software
Social Sharing Plugin – Sassy Social Share

Researcher

Naveen H N

More Details >

Soho Hotel <= 4.2.5 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-39539

Patch Status
Unpatched

Published
Jun 4, 2025

Affected Software
Soho Hotel Booking Calendar For WordPress

Researcher

Bonds

More Details >

Spare <= 1.7 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-31638

Patch Status
Unpatched

Published
Jun 4, 2025

Affected Software
Spare – Ultimate MultiPurpose LESS Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Sticky Radio Player <= 3.4 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-31426

Patch Status
Unpatched

Published
Jun 3, 2025

Affected Software
Sticky Radio Player

Researcher

Tran Nguyen Bao Khanh

More Details >

Universal Video Player <= 1.4.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-31057

Patch Status
Unpatched

Published
Jun 3, 2025

Affected Software
Universal Video Player – WordPress Plugin

Researcher

Tran Nguyen Bao Khanh

More Details >

Universal Video Player <= 3.8.3 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-31917

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Universal Video Player

Researcher

Chu The Anh

More Details >

WC MyParcel Belgium <= 4.5.5-beta – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-48279

Patch Status
Patched

Published
Jun 3, 2025

Affected Software
WC MyParcel Belgium

Researcher

Ryan Novotny

More Details >

Wishlist <= 2.1.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-31061

Patch Status
Unpatched

Published
Jun 4, 2025

Affected Software
Wishlist

Researcher

Tran Nguyen Bao Khanh

More Details >

WooCommerce Photo Reviews – Review Reminders – Review for Discounts <= 1.3.13 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-47570

Patch Status
Unpatched

Published
Jun 3, 2025

Affected Software
WooCommerce Photo Reviews Premium

Researcher

Bonds

More Details >

WP Gravity Forms Salesforce <= 1.4.7 – Open Redirect

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-30953

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
WP Gravity Forms Salesforce

Researcher

Nguyen Xuan Chien

More Details >

WP Mail Options <= 0.2.3 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-28981

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
WP Mail Options

Researcher

Nguyen Xuan Chien

More Details >

WP Online Users Stats <= 1.0.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting via hk_dataset_results Function

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-4966

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
WP Online Users Stats

Researcher

rajanhoyr

More Details >

ZoomSounds <= 6.91 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-47566

Patch Status
Unpatched

Published
Jun 3, 2025

Affected Software
ZoomSounds – WordPress Wave Audio Player with Playlist

Researcher

Tran Nguyen Bao Khanh

More Details >

Ninja Tables – Easy Data Table Builder <= 5.0.18 – Unauthenticated PHP Object Injection to Limited Remote Code Execution

5.6

CVSS Rating
Medium (5.6)

CVE-ID
CVE-2025-2939

Patch Status
Patched

Published
Jun 2, 2025

Affected Software
Ninja Tables – Easy Data Table Builder

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

AppBanners <= 1.5.14 – Authenticated (Administrator+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2025-30625

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
AppBanners

Researcher

Nabil Irawan

More Details >

Developer Formatter <= 2015.0.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via Custom CSS

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2025-5699

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Developer Formatter

Researcher

l33ch

More Details >

Sina Extension for Elementor <= 3.6.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2025-49262

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, Slider, Gallery, Form, Modal, Data Table Free Elementor Widgets & Elementor Templates)

Researcher

Nabil Irawan

More Details >

WP Featured Content Slider <= 2.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2025-30634

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
WP Featured Content Slider

Researcher

Nabil Irawan

More Details >

WP Live Chat + Chatbots Plugin for WordPress – Chaport <= 1.1.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2025-30977

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
WP Live Chat + Chatbots Plugin for WordPress – Chaport

Researcher

haudayroi

More Details >

Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms <= 2024.7 – Cross-Site Request Forgery to Multiple Administrative Actions

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-2935

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms

Researcher

Noah Stead (TurtleBurg)

More Details >

Hive Support <= 1.2.4 – Cross-Site Request Forgery via hs_update_ai_chat_settings Function

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-5019

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress

Researcher

Vo Thi Ngoc Nhi

More Details >

Team Showcase < 25.05.13 – Authenticated (Subscriber+) Arbitrary Shortcode Execution

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-49250

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Team Showcase

Researcher

Tran Nguyen Bao Khanh

More Details >

bbPress API <= 1.0.14 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-24763

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
bbPress API

Researcher

ch4r0n

More Details >

Crawlomatic Multisite Scraper Post Generator <= 2.6.8.2 – Unauthenticated Information Exposure via Log Files

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-49294

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Crawlomatic Multipage Scraper Post Generator

Researcher

Nguyễn Trung Kiên

More Details >

Direct Checkout for WooCommerce Lite <= 1.0.3 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-29006

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Direct Checkout for WooCommerce Lite

Researcher

HLog

More Details >

elfsight Contact Form widget <= 2.3.1 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-31045

Patch Status
Unpatched

Published
Jun 4, 2025

Affected Software
elfsight-contact-form

Researcher

Tran Nguyen Bao Khanh

More Details >

FraudLabs Pro for WooCommerce <= 2.22.11 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-49320

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
FraudLabs Pro for WooCommerce

Researcher

ch4r0n

More Details >

Interactive Regional Map of Florida <= 1.0 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-49441

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Interactive Regional Map of Florida

Researcher

Chu The Anh

More Details >

InWave Jobs <= 3.5.8 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-39477

Patch Status
Unpatched

Published
Jun 4, 2025

Affected Software
InWave Jobs

Researcher

Mohamed Ali

More Details >

Job Board Manager <= 2.1.60 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-49324

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Job Board Manager

Researcher

Hiro

More Details >

KI Live Video Conferences <= 5.5.15 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-23971

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
KI Live Video Conferences

Researcher

HLog

More Details >

KI Live Video Conferences <= 5.5.15 – Unauthenticated Information Disclosure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-23969

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
KI Live Video Conferences

Researcher

HLog

More Details >

Modern Events Calendar <= 7.21.9 – Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-5733

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Modern Events Calendar Lite

Researcher

Abdullah Shittu

More Details >

MultiVendorX <= 4.2.22 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-48261

Patch Status
Patched

Published
Jun 4, 2025

Affected Software
MultiVendorX – WooCommerce Multivendor Marketplace Solutions

Researcher

LVT-tholv2k

More Details >

Payment QR WooCommerce <= 1.1.6 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-31000

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Payment QR WooCommerce

Researcher

ch4r0n

More Details >

Profile Builder <= 3.13.8 – Unauthenticated Content Spoofing

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-49292

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Profiler – What Slowing Down Your WP <= 1.0.0 – Missing Authentication to Unauthenticated Arbitrary Plugin Reactivation via State Restoration

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-5814

Patch Status
Unpatched

Published
Jun 6, 2025

Affected Software
Profiler – What Slowing Down Your WP

Researcher

ch4r0n

More Details >

Raychat <= 2.1.0 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-49236

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Raychat

Researcher

Nguyen Xuan Chien

More Details >

Taskbuilder <= 4.0.3 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-30945

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Taskbuilder – WordPress Project & Task Management plugin

Researcher

Hiro

More Details >

TicketBAI Facturas para WooCommerce <= 3.19 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-24762

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
TicketBAI Facturas para WooCommerce

Researcher

ch4r0n

More Details >

Trinity Audio <= 5.20.0 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-49272

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Trinity Audio – Text to Speech AI audio player to convert content into audio

Researcher

Nguyen Xuan Chien

More Details >

Verge3D <= 4.9.4 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-49268

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Verge3D Publishing and E-Commerce

Researcher

Kévin Mosbahi (Mika)

More Details >

Viral Loops WP Integration <= 3.8.1 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-28995

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Viral Loops WP Integration

Researcher

ch4r0n

More Details >

Wordapp <= 1.7.0 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-30927

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Wordapp

Researcher

HLog

More Details >

WP AutoKeyword <= 1.0 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-28997

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
WP AutoKeyword

Researcher

Hiro

More Details >

WP-CRM System <= 3.4.2 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-49270

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
WordPress CRM Plugin – WP-CRM System

Researcher

Kévin Mosbahi (Mika)

More Details >

診断ジェネレータ作成プラグイン <= 1.4.16 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-30934

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
診断ジェネレータ作成プラグイン

Researcher

Nguyen Xuan Chien

More Details >

Complete Google Seo Scan <= 3.5.1 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-26590

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Complete Google Seo Scan

Researcher

Nguyen Quang Minh

More Details >

GamiPress <= 7.4.5 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-49326

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

Researcher

Nguyen Kim Sang

More Details >

Libro de Reclamaciones y Quejas <= 0.9 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-30989

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Libro de Reclamaciones y Quejas

Researcher

0x1ceKing

More Details >

Persian Woocommerce SMS <= 7.0.10 – Authenticated (Shop manager+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-49315

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
افزونه پیامک ووکامرس Persian WooCommerce SMS

Researcher

Martino Spagnuolo

More Details >

ShortLinks Pro <= 1.0.7 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-49327

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
ShortLinks Pro – Affiliate Links, Link Shortening, Click Tracking & Marketing

Researcher

Nguyen Kim Sang

More Details >

Simple History <= 5.8.1 – Authenticated (Administrator+) Sensitive Information Exposure via Detective Mode

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-5760

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Simple History – Track, Log, and Audit WordPress Changes

Researcher

Blair Crawford

More Details >

Store Locator WordPress <= 1.5.1 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-49328

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Store Locator WordPress

Researcher

Nguyen Kim Sang

More Details >

Ultimate Gift Cards for WooCommerce <= 3.1.4 – Authenticated (Administrator+) SQL Injection via wps_wgm_save_post Function

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-5103

Patch Status
Patched

Published
Jun 2, 2025

Affected Software
Ultimate Gift Cards for WooCommerce

Researcher

Abdulaziz Alzamil

More Details >

WC Vendors Marketplace <= 2.5.6 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-49263

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors

Researcher

timomangcut

More Details >

WP Online Users Stats <= 1.0.0 – Authenticated (Editor+) SQL Injection via table_name Parameter

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-4964

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
WP Online Users Stats

Researcher

rajanhoyr

More Details >

WP Post Corrector <= 1.0.2 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2023-26003

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
WP Post Corrector

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

WP Text Expander <= 1.0.1 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-49421

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
WP Text Expander

Researcher

Chu The Anh

More Details >

«Подсказки» от DaData.ru <= 1.0.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-30931

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
«Подсказки» от DaData.ru

Researcher

Nabil Irawan

More Details >

404 Page by SeedProd <= 1.0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-49322

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
404 Page by SeedProd

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

ACF: Yandex Maps Field <= 1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-30930

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
ACF: Yandex Maps Field

Researcher

Nabil Irawan

More Details >

Bang tinh vay <= 1.0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2023-26000

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Bang tinh vay

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

Booking Ultra Pro <= 1.1.20 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-30637

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Booking Ultra Pro Appointments Booking Calendar Plugin

Researcher

Nabil Irawan

More Details >

Broadly for WordPress <= 3.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-30938

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Broadly for WordPress

Researcher

Nabil Irawan

More Details >

Elegant Visitor Counter <= 3.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-30627

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Elegant Visitor Counter

Researcher

Nabil Irawan

More Details >

Global Translator <= 2.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-30630

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Global Translator

Researcher

Nabil Irawan

More Details >

IFrame Widget <= 4.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-30939

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
IFrame Widget

Researcher

Nabil Irawan

More Details >

Melipayamak <= 2.2.12 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-30940

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Melipayamak

Researcher

Nabil Irawan

More Details >

Pinterest Verify Meta Tag <= 1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-30941

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Pinterest Verify Meta Tag

Researcher

Nabil Irawan

More Details >

Post Custom Templates Lite <= 1.14 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-30942

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Post Custom Templates Lite

Researcher

domiee13

More Details >

Powie’s Uptime Robot <= 0.9.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-30638

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Powie’s Uptime Robot Plugin

Researcher

Nabil Irawan

More Details >

Read More Login <= 2.0.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-28989

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Read More Login

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

Responsify WP <= 1.9.11 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-30937

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Responsify WP

Researcher

Nabil Irawan

More Details >

Simple Membership <= 4.6.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-49333

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Simple Membership

Researcher

bintable

More Details >

WP Biographia <= 4.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-30928

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
WP Biographia

Researcher(s): Unknown

More Details >

WPtouch <= 4.3.60 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-49318

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
WPtouch – Make your WordPress Website Mobile-Friendly

Researcher

Nabil Irawan

More Details >

6Storage Rentals <= 2.19.6 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2023-26002

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
6Storage Rentals

Researcher

ghsinfosec

More Details >

Accessibility Suite <= 4.19 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-30636

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Accessibility Suite by Ability, Inc

Researcher

Nguyen Xuan Chien

More Details >

Activity Plus Reloaded for BuddyPress <= 1.1.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-30957

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Activity Plus Reloaded for BuddyPress

Researcher

domiee13

More Details >

Admin Notes <= 1.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49446

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Admin Notes

Researcher

Chu The Anh

More Details >

Advanced Post List <= 0.5.6.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-30968

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Advanced Post List

Researcher

Nguyen Xuan Chien

More Details >

Anti-spam, Spam protection, ReCaptcha for all forms and GDPR-compliant <= 4.1.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49283

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Anti-spam, Spam protection, ReCaptcha for all forms and GDPR-compliant

Researcher

Skalucy

More Details >

Art Theme <= 3.12.2.3 – Missing Authorization to Authenticated (Subscriber+) Theme Option Delete

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-1778

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Art Theme

Researcher

István Márton

More Details >

Atelier Create CV <= 1.1.2 – Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49439

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Atelier Create CV

Researcher

Chu The Anh

More Details >

Backwp <= 2.0.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-28954

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Backwp

Researcher

Nguyen Xuan Chien

More Details >

Behance Portfolio Manager <= 1.7.4 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-29010

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Behance Portfolio Manager

Researcher

domiee13

More Details >

Bitly URL Shortener <= 1.3.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-30629

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Bitly URL Shortener

Researcher

Nabil Irawan

More Details >

Booqable Rental <= 2.4.20 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-30956

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Booqable Rental Plugin

Researcher

Nguyen Xuan Chien

More Details >

Broken Link Checker <= 2.4.4 – Missing Autorization to Authenticated (Subscriber+) Plugin Status Dashboard View

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-4047

Patch Status
Patched

Published
Jun 2, 2025

Affected Software
Broken Link Checker

Researcher

Nguyễn Trung Kiên

More Details >

Calculated Fields Form <= 5.3.58 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49291

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Calculated Fields Form

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Contact Forms by Cimatti Plugin <= 1.9.8 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49069

Patch Status
Patched

Published
Jun 2, 2025

Affected Software
WordPress Contact Forms by Cimatti

Researcher

Shivam Khanna

More Details >

Crawlomatic Multisite Scraper Post Generator <= 2.6.8.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49293

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Crawlomatic Multipage Scraper Post Generator

Researcher

Nguyễn Trung Kiên

More Details >

CubePoints <= 3.2.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-28952

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
CubePoints

Researcher

Nguyen Xuan Chien

More Details >

CubeWP – All-in-One Dynamic Content Framework <= 1.1.24 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-30994

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
CubeWP – All-in-One Dynamic Content Framework

Researcher

domiee13

More Details >

Custom Bulk/Quick Edit <= 1.6.10 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-30946

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Custom Bulk/Quick Edit

Researcher

domiee13

More Details >

Custom Category/Post Type Post order <= 1.5.9 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-29013

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Custom Category Post Order

Researcher

domiee13

More Details >

DocsPress <= 2.5.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49240

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
DocsPress – Online Documentation

Researcher

domiee13

More Details >

Elastic Email Subscribe Form <= 1.2.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-28985

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Elastic Email Subscribe Form

Researcher

Hiro

More Details >

Elite Video Player <= 10.0.5 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-30986

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Elite Video Player

Researcher

Nguyễn Trung Kiên

More Details >

Epicwin Plugin <= 1.5 – Cross-Site Request Forgery to SQL Injection

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-28986

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Epicwin Plugin

Researcher

Nguyen Xuan Chien

More Details >

Everest Backup <= 2.3.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49238

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin

Researcher

domiee13

More Details >

FastBook <= 1.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-26593

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
FastBook – Responsive Appointment Booking and Scheduling System

Researcher

HLog

More Details >

Free WP Mail SMTP <= 1.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-28974

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Free WP Mail SMTP (Official – 2019)

Researcher

Nguyen Xuan Chien

More Details >

Global Translator <= 2.0.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-30632

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Global Translator

Researcher

Nabil Irawan

More Details >

GPP Slideshow <= 1.3.5 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-28996

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
GPP Slideshow

Researcher

HLog

More Details >

HR Management Lite <= 3.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-29005

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
HR Management Lite

Researcher

Hiro

More Details >

Icegram Collect – Easy Form, Lead Collection and Subscription plugin <= 1.3.18 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47527

Patch Status
Patched

Published
Jun 4, 2025

Affected Software
Icegram Collect – Easy Form, Lead Collection and Subscription plugin

Researcher

ch4r0n

More Details >

Interactive Regional Map of Africa <= 1.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49449

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Interactive Regional Map of Africa

Researcher

Chu The Anh

More Details >

Interactive UK Regional Map <= 2.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49445

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Interactive UK Regional Map

Researcher

Chu The Anh

More Details >

Konami Easter Egg <= v0.4 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49425

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Konami Easter Egg

Researcher

Marek Mikita

More Details >

Layouts for Elementor <= 1.11 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-30948

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Layouts for Elementor

Researcher

domiee13

More Details >

Market Exporter <= 2.0.22 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49269

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Market Exporter

Researcher

Kévin Mosbahi (Mika)

More Details >

No Spam At All <= 1.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-24778

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
No Spam At All

Researcher

ch4r0n

More Details >

oik <= 4.15.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49241

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
oik

Researcher

Annn

More Details >

Pay with Contact Form 7 <= 1.0.4 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-24772

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Pay with Contact Form 7

Researcher

haudayroi

More Details >

PDF for WPForms <= 5.5.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49289

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
PDF for WPForms + Drag and Drop Template Builder

Researcher

domiee13

More Details >

Post Author <= 1.1.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-28950

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Post Author

Researcher

Skalucy

More Details >

Post Grid Master <= 3.4.13 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-30974

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder

Researcher

muhammad yudha

More Details >

Product Feed for WooCommerce <= 2.2.8 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49287

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Product Feed for WooCommerce – Google Shopping Feed, Pinterest Feed, TikTok Ads & More

Researcher

domiee13

More Details >

Quick Event Calendar <= 1.4.9 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-27360

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Quick Event Calendar

Researcher

haudayroi

More Details >

Recent Posts Slider Responsive <= 1.0.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-28966

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Recent Posts Slider Responsive

Researcher

Nguyen Xuan Chien

More Details >

Responsive Flipbooks <= 1.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-24776

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Responsive Flipbooks

Researcher

ch4r0n

More Details >

Simple Keyword to Link <= 1.5 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-30980

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Simple Keyword to Link

Researcher

Nguyen Xuan Chien

More Details >

Slack Notifications by dorzki <= 2.0.7 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-30978

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Slack Notifications by dorzki

Researcher

Annn

More Details >

Sola Support Ticket <= 3.18 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2023-25997

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Sola Support Tickets

Researcher

lucky_buddy

More Details >

Stock Locations for WooCommerce <= 2.8.6 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47463

Patch Status
Patched

Published
Jun 7, 2025

Affected Software
Stock Locations for WooCommerce

Researcher

LVT-tholv2k

More Details >

Subscription Renewal Reminders for WooCommerce <= 1.3.7 – Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-28984

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Subscription Renewal Reminders for WooCommerce

Researcher

0xd4rk5id3

More Details >

Team Builder <= 1.5.7 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-32308

Patch Status
Unpatched

Published
Jun 4, 2025

Affected Software
Team Builder — Meet The Team WordPress Plugin

Researcher

Tran Nguyen Bao Khanh

More Details >

Team Showcase < 25.05.13 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49248

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Team Showcase

Researcher

Tran Nguyen Bao Khanh

More Details >

Testimonials Showcase <= 1.9.16 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49246

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Testimonials Showcase

Researcher

Tran Nguyen Bao Khanh

More Details >

ThemeHunk <= 1.1.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-30990

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Easy Mega Menu Plugin for WordPress – ThemeHunk

Researcher

domiee13

More Details >

Ultimate WP Mail <= 1.3.5 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49288

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Ultimate WP Mail

Researcher

domiee13

More Details >

WordLift <= 3.54.4 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-30624

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
WordLift – AI powered SEO – Schema

Researcher

domiee13

More Details >

WP Compress for MainWP <= 6.30.32 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-30932

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
WP Compress for MainWP

Researcher

HLog

More Details >

WP Cookie Notice for GDPR, CCPA & ePrivacy Consent <= 3.8.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49285

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent

Researcher

domiee13

More Details >

WP Maintenance Mode & Site Under Construction <= 4.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49284

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
WP Maintenance Mode & Site Under Construction

Researcher

Skalucy

More Details >

WP Media File Type Manager <= 2.3.0 – Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-27359

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
WP Media File Type Manager

Researcher

0xd4rk5id3

More Details >

WP Page Loading <= 1.0.6 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49317

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
WP Page Loading

Researcher

Nabil Irawan

More Details >

WP Security Master <= 1.0.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49440

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
WP Security Master

Researcher

Chu The Anh

More Details >

WP Table Builder <= 2.0.6 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49286

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
WP Table Builder – WordPress Table Plugin

Researcher

domiee13

More Details >

WP Time Slots Booking Form <= 1.2.30 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49332

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
WP Time Slots Booking Form

Researcher

Jang Jeong Ahn (Jhanks)

More Details >

WP Tools <= 5.24 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49273

Patch Status
Patched

Published
Jun 5, 2025

Affected Software
WP Tools Repair, Javascript errors, Jquery errors, Increase Maximum Limits, File Permissions, Transients, Error Log

Researcher

Nguyen Xuan Chien

More Details >

WP-Recall <= 16.26.14 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-30981

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
WP-Recall – Registration, Profile, Commerce & More

Researcher

0xd4rk5id3

More Details >

Viral Loops WP Integration <= 3.8.1 – Missing Authorization

3.1

CVSS Rating
Low (3.1)

CVE-ID
CVE-2025-28994

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Viral Loops WP Integration

Researcher

ch4r0n

More Details >

Foxit eSign for WordPress <= 2.0.3 – Authenticated (Admin+) Information Exposure

2.7

CVSS Rating
Low (2.7)

CVE-ID
CVE-2025-49419

Patch Status
Unpatched

Published
Jun 5, 2025

Affected Software
Foxit eSign for WordPress

Researcher

Denver Jackson

More Details >