Wordfence Intelligence Weekly WordPress Vulnerability Report (June 23, 2025 to June 29, 2025)

Calling all Vulnerability Researchers and Bug Bounty Hunters!

Spring into Summer with Wordfence! Now through August 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big!

Last week, there were 197 vulnerabilities disclosed in 161 WordPress Plugins and 33 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 48 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 27,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 – Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion
• WAF-RULE-854 – Data redacted while we work with the vendor on a patch.
• WAF-RULE-855 – Data redacted while we work with the vendor on a patch.
• WAF-RULE-857 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Nguyen Xuan Chien	22
Tran Nguyen Bao Khanh	16
Peter Thaleikis	15
Gilang	11
muhammad yudha	10
Nguyen Ngoc Quang Bach (maysbachs)	10
Skalucy	10
Le Ngoc Anh	9
Phat RiO – BlueRock	7
Frank	6
ch4r0n	6
Nabil Irawan	5
theviper17y	5
Bonds	4
johska	4
Trương Hữu Phúc (truonghuuphuc)	3
Kévin Mosbahi (Mika)	3
domiee13	3
0xd4rk5id3	3
Asaf Mozes	3
Martino Spagnuolo	3
LVT-tholv2k	3
Webbernaut	2
timomangcut	2
Tonn	2
Chuck	2
stealthcopter	2
kr0d	2
Nguyen Kim Sang	2
zaim	2
Nguyễn Trung Kiên	2
Khalid Yusuf	1
Chu The Anh	1
Huynh Dong Quang	1
a00n	1
João Pedro Soares de Alcântara	1
Jonas Benjamin Friedli	1
Lucio Sá	1
Rafie Muhammad	1
khanhhnahk1	1
Prissy	1
Sulabh Jain (pentestmonkey11)	1
norahc	1
Hiro	1
Jamaal ahmed	1
HLog	1
0xVenus	1
Sy5temFr4cture	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Davenport – Versatile Blog and Magazine WordPress Theme <= 1.3 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-52811

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
Davenport – Versatile Blog and Magazine WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

DWT – Directory & Listing WordPress Theme <= 3.3.6 – Unauthenticated Arbitrary User Password Reset

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-12827

Patch Status
Patched

Published
Jun 26, 2025

Affected Software
DWT – Directory & Listing WordPress Theme

Researcher

Lucio Sá

More Details >

Greenmart <= 4.2.3 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-49883

Patch Status
Patched

Published
Jun 25, 2025

Affected Software
GreenMart – Organic & Food WooCommerce WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

MBStore – Digital WooCommerce WordPress Theme <= 2.3 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-28947

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
MBStore – Digital WooCommerce WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

PT Project Notebooks 1.0.0 – 1.1.3 – Missing Authorization to Unauthenticated Privilege Escalation via wpnb_pto_new_users_add Function

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-5304

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
PT Project Notebooks – Take Meeting minutes, create budgets, track task management, and more

Researcher

kr0d

More Details >

Simple Payment 1.3.6 – 2.3.8 – Authentication Bypass to Admin

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-6688

Patch Status
Patched

Published
Jun 26, 2025

Affected Software
Simple Payment

Researcher

kr0d

More Details >

Simple User Registration <= 6.3 – Unauthenticated Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-4334

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
Simple User Registration

Researcher

Chuck

More Details >

WPKit For Elementor <= 1.1.0 – Missing Authorization to Unauthenticated Arbitrary Options Update

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-32281

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
WPKit For Elementor

Researcher

Phat RiO – BlueRock

More Details >

Zenny <= 1.7.5 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-24769

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
Zenny – Jewelry, Watches & Glasses Elementor WooCommerce WordPress Theme

Researcher

Phat RiO – BlueRock

More Details >

FW Food Menu <= 6.0.0 – Unauthenticated Arbitrary File Deletion

9.1

CVSS Rating
Critical (9.1)

CVE-ID
CVE-2025-49448

Patch Status
Unpatched

Published
Jun 24, 2025

Affected Software
FW Food Menu – Responsive food menu with ordering & delivery solutions

Researcher

LVT-tholv2k

More Details >

BeeTeam368 Extensions <= 2.3.4 – Authenticated (Subscriber+) Directory Traversal to Arbitrary File Deletion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-6381

Patch Status
Patched

Published
Jun 27, 2025

Affected Software
BeeTeam368 Extensions

Researcher

Tonn

More Details >

BeeTeam368 Extensions Pro <= 2.3.4 – Authenticated (Subscriber+) Directory Traversal to Arbitrary File Deletion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-6379

Patch Status
Patched

Published
Jun 27, 2025

Affected Software
BeeTeam368 Extensions Pro

Researcher

Tonn

More Details >

Game Users Share Buttons <= 1.3.0 – Authenticated (Subscriber+) Arbitrary File Deletion via themeNameId Parameter

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-6755

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Game Users Share Buttons

Researcher

theviper17y

More Details >

MDJM Event Management <= 1.7.6 – Authenticated (Subscriber+) Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-52824

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
MDJM Event Management

Researcher

0xd4rk5id3

More Details >

Owl carousel responsive <= 1.9 – Authenticated (Contributor+) SQL Injection via id Parameter

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-5590

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
Owl carousel responsive

Researcher

Peter Thaleikis

More Details >

Red Art <= 3.7 – Authenticated (Subscriber+) PHP Object Injection

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-52828

Patch Status
Unpatched

Published
Jun 26, 2025

Affected Software
Red Art | Artist Portfolio WordPress

Researcher

Frank

More Details >

WP SmartPay <= 2.7.13 – Authenticated (Subscriber+) Account Takeover

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-25171

Patch Status
Unpatched

Published
Jun 24, 2025

Affected Software
Download Manager and Payment Form WordPress Plugin – WP SmartPay

Researcher

Le Ngoc Anh

More Details >

Blogbyte <= 1.1.1 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-49275

Patch Status
Patched

Published
Jun 25, 2025

Affected Software
Blogbyte

Researcher

Le Ngoc Anh

More Details >

Blogmine <= 1.1.7 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-49276

Patch Status
Patched

Published
Jun 25, 2025

Affected Software
Blogmine

Researcher

Le Ngoc Anh

More Details >

Blogprise <= 1.0.9 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-49277

Patch Status
Patched

Published
Jun 25, 2025

Affected Software
Blogprise

Researcher

Le Ngoc Anh

More Details >

Blogty <= 1.0.11 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-49278

Patch Status
Patched

Published
Jun 25, 2025

Affected Software
Blogty

Researcher

Le Ngoc Anh

More Details >

Blogvy <= 1.0.7 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-49279

Patch Status
Patched

Published
Jun 25, 2025

Affected Software
Blogvy

Researcher

Le Ngoc Anh

More Details >

BRW <= 1.8.7 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-52814

Patch Status
Patched

Published
Jun 23, 2025

Affected Software
BRW – Booking Rental Plugin WooCommerce

Researcher

Tran Nguyen Bao Khanh

More Details >

CityGov <= 1.9 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-52815

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
CityGov – City Government & Municipal WordPress Theme

Researcher

Bonds

More Details >

CTUsers <= 1.0.0 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-32298

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
CTUsers

Researcher

Bonds

More Details >

Domnoo <= 1.49 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-52812

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
Domnoo – Pizza & Restaurant WordPress Theme

Researcher

Phat RiO – BlueRock

More Details >

FW Gallery <= 8.0.0 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-49416

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
FW Gallery – Photo, video, audio media presentation and management system with players and slideshow

Researcher

LVT-tholv2k

More Details >

Image Shadow <= 1.1.0 – Authenticated (Subscriber+) Arbitrary File Deletion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-24765

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
Image Shadow

Researcher

ch4r0n

More Details >

Katerio – Magazine <= 1.5.1 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-52810

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
Katerio – Magazine & Blog WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Magty <= 1.0.6 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-49280

Patch Status
Patched

Published
Jun 25, 2025

Affected Software
Magty

Researcher

Le Ngoc Anh

More Details >

Magways <= 1.2.1 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-49281

Patch Status
Patched

Published
Jun 25, 2025

Affected Software
Magways

Researcher

Le Ngoc Anh

More Details >

Magze <= 1.0.9 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-49282

Patch Status
Patched

Published
Jun 25, 2025

Affected Software
Magze

Researcher

Le Ngoc Anh

More Details >

National Weather Service Alerts <= 1.3.5 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-52809

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
National Weather Service Alerts

Researcher

Nguyen Xuan Chien

More Details >

PrintXtore <= 1.7.5 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-28946

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
PrintXtore – Printing Services & Design Online WordPress WooCommerce Theme

Researcher

Phat RiO – BlueRock

More Details >

Puca <= 2.6.33 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-30992

Patch Status
Patched

Published
Jun 23, 2025

Affected Software
Puca – Optimized Mobile WooCommerce Theme

Researcher

Phat RiO – BlueRock

More Details >

RealtyElite <= 1.0.0 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-52808

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
RealtyElite – Real Estate & Property Sales WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Samex – Clean, Minimal Shop WooCommerce WordPress Theme <= 2.6 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2023-25998

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
Samex – Clean, Minimal Shop WooCommerce WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

SERPed.net <= 4.6 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-28998

Patch Status
Patched

Published
Jun 25, 2025

Affected Software
SERPed.net

Researcher

timomangcut

More Details >

SNS Vicky <= 3.7 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-28990

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
SNS Vicky – Cosmetic WooCommerce WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Sofass <= 1.3.4 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-24760

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
Sofass – Elementor WooCommerce WordPress Theme

Researcher

Phat RiO – BlueRock

More Details >

WP Optimize By xTraffic <= 5.1.6 – Unauthenticated PHP Object Injection

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-28970

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
WP Optimize By xTraffic

Researcher

timomangcut

More Details >

Zikzag Core <= 1.4.5 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-49886

Patch Status
Patched

Published
Jun 24, 2025

Affected Software
Zikzag Core

Researcher

Bonds

More Details >

Zita <= 1.6.5 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-52816

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
Zita

Researcher

Tran Nguyen Bao Khanh

More Details >

Aiomatic – AI Content Writer, Editor, ChatBot & AI Toolkit <= 2.5.0 – Authenticated (Subscriber+) Arbitrary File Upload

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-6206

Patch Status
Patched

Published
Jun 23, 2025

Affected Software
Aiomatic – Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit

Researcher

khanhhnahk1

More Details >

Amely <= 3.1.4 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-39474

Patch Status
Patched

Published
Jun 23, 2025

Affected Software
Amely – Fashion Shop WordPress Theme for WooCommerce

Researcher

Bonds

More Details >

Devnex Addons For Elementor <= 1.0.9 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-53339

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Devnex Addons For Elementor

Researcher

Prissy

More Details >

DirectIQ Email Marketing <= 2.0 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-52829

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
DirectIQ Email Marketing

Researcher

Nguyen Kim Sang

More Details >

Everest Forms (Pro) <= 1.9.4 – Unauthenticated Path Traversal to Arbitrary File Deletion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-5927

Patch Status
Patched

Published
Jun 24, 2025

Affected Software
Everest Forms Pro

Researcher

Phat RiO – BlueRock

More Details >

GG Bought Together for WooCommerce <= 1.0.2 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-23967

Patch Status
Unpatched

Published
Jun 24, 2025

Affected Software
GG Bought Together for WooCommerce

Researcher

ch4r0n

More Details >

Gmedia Photo Gallery <= 1.23.0 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-53257

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Gmedia Photo Gallery

Researcher

LVT-tholv2k

More Details >

Homey <= 2.4.5 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-52834

Patch Status
Unpatched

Published
Jun 24, 2025

Affected Software
Homey

Researcher

Frank

More Details >

Hotel Booking <= 3.7 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-53259

Patch Status
Patched

Published
Jun 27, 2025

Affected Software
Hotel Booking

Researcher

muhammad yudha

More Details >

Nuss <= 1.3.3 – Authenticated (Subscriber+) PHP Object Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-52827

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
Nuss – Hotel Booking WordPress

Researcher

Frank

More Details >

Sala <= 1.1.3 – Authenticated (Subscriber+) PHP Object Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-52826

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
Sala – Startup & SaaS WordPress Theme

Researcher

Frank

More Details >

WPB Category Slider for WooCommerce <= 1.71 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-53281

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
WPB Category Slider for WooCommerce – Product Categories Carousel Slider & Grid with Icon and Images

Researcher

muhammad yudha

More Details >

Content No Cache <= 0.1.4 – Unauthenticated Arbitrary Function Call

7.3

CVSS Rating
High (7.3)

CVE-ID
CVE-2025-28993

Patch Status
Patched

Published
Jun 23, 2025

Affected Software
Content No Cache | Serve uncached partial content even when you add it to a page that is fully cached.

Researcher

HLog

More Details >

File Manager Plugin For WordPress <= 7.5 – Authenticated (Admin+) Arbitrary File Upload

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-53260

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
File Manager Plugin For WordPress

Researcher

0xd4rk5id3

More Details >

Ninja Tables – Easy Data Table Builder <= 5.0.18 – Unauthenticated Server-Side Request Forgery

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-2940

Patch Status
Patched

Published
Jun 26, 2025

Affected Software
Ninja Tables – Easy Data Table Builder

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Ultra Addons for Contact Form 7 3.5.11 – 3.5.19 – Unauthenticated Stored Cross-Site Scripting via Database module

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-6212

Patch Status
Patched

Published
Jun 25, 2025

Affected Software
Ultra Addons for Contact Form 7

Researcher

Sy5temFr4cture

More Details >

Frontend Admin by DynamiApps <= 3.28.7 – Authenticated (Editor+) Arbitrary File Deletion

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-49303

Patch Status
Patched

Published
Jun 26, 2025

Affected Software
Frontend Admin by DynamiApps

Researcher

0xd4rk5id3

More Details >

Simple Link Directory <= 14.7.3 – Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-32297

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
Simple Link Directory Pro

Researcher

Nguyễn Trung Kiên

More Details >

A/B Testing for WordPress <= 1.18.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-4587

Patch Status
Unpatched

Published
Jun 26, 2025

Affected Software
A/B Testing for WordPress

Researcher

Chuck

More Details >

Conference Scheduler <= 2.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5258

Patch Status
Patched

Published
Jun 23, 2025

Affected Software
Conference Scheduler

Researcher

Peter Thaleikis

More Details >

Drive Folder Embedder <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via tablecssclass Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-6546

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
Drive Folder Embedder

Researcher

Gilang

More Details >

e.nigma buttons <= 1.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5535

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
e.nigma buttons

Researcher

muhammad yudha

More Details >

Event RSVP and Simple Event Management Plugin <= 4.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5540

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
Event RSVP and Simple Event Management Plugin

Researcher

muhammad yudha

More Details >

EZ SQL Reports Shortcode Widget and DB Backup <= 5.25.11 – Authenticated (Contributor+) Stored Cross-Site Scripting via SQLREPORT Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-6462

Patch Status
Patched

Published
Jun 28, 2025

Affected Software
EZ SQL Reports Shortcode Widget and DB Backup

Researcher

Gilang

More Details >

FL3R Accessibility Suite <= 1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via fl3raccessibilitysuite Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-6689

Patch Status
Unpatched

Published
Jun 26, 2025

Affected Software
FL3R Accessibility Suite

Researcher

Gilang

More Details >

Football Pool <= 2.12.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-53280

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Football Pool

Researcher

muhammad yudha

More Details >

Free Downloads EDD <= 1.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-53320

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Free Downloads EDD

Researcher

Peter Thaleikis

More Details >

GC Social wall <= 1.15 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5564

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
GC Social Wall

Researcher

muhammad yudha

More Details >

HT Mega – Absolute Addons for WPBakery Page Builder <= 1.0.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-53206

Patch Status
Patched

Published
Jun 27, 2025

Affected Software
HT Mega – Absolute Addons for WPBakery Page Builder

Researcher

theviper17y

More Details >

HT Slider For Elementor <= 1.6.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-53199

Patch Status
Patched

Published
Jun 27, 2025

Affected Software
HT Slider For Elementor

Researcher

theviper17y

More Details >

Image Editor by Pixo <= 2.3.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via download Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5588

Patch Status
Patched

Published
Jun 25, 2025

Affected Software
Image Editor by Pixo

Researcher

Peter Thaleikis

More Details >

isMobile <= 1.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via device Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-6488

Patch Status
Patched

Published
Jun 26, 2025

Affected Software
isMobile() Shortcode for WordPress

Researcher

Gilang

More Details >

JetEngine <= 3.7.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-53195

Patch Status
Patched

Published
Jun 27, 2025

Affected Software
JetEngine

Researcher

stealthcopter

More Details >

Leyka <= 3.31.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-53275

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Leyka

Researcher

Peter Thaleikis

More Details >

Modern Design Library <= 1.1.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via class Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5842

Patch Status
Patched

Published
Jun 25, 2025

Affected Software
Modern Design Library

Researcher

Peter Thaleikis

More Details >

My Resume Builder <= 1.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-53336

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
My Resume Builder

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

Namasha By Mdesign <= 1.2.00 – Authenticated (Contributor+) Stored Cross-Site Scripting via playicon_title Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-6537

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
Namasha By Mdesign

Researcher

Gilang

More Details >

Ninja Forms <= 3.10.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via CSTI

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5398

Patch Status
Patched

Published
Jun 26, 2025

Affected Software
Ninja Forms – The Contact Form Builder That Grows With You

Researcher

Asaf Mozes

More Details >

Omnipress <= 1.6.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-53276

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Omnipress

Researcher

Khalid Yusuf

More Details >

Osom Blocks <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via class_name Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5940

Patch Status
Patched

Published
Jun 26, 2025

Affected Software
Osom Blocks

Researcher

Peter Thaleikis

More Details >

Podcast Feed Player Widget and Shortcode <= 2.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-53300

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Podcast Feed Player Widget and Shortcode

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

Popup addon for Ninja Forms <= 3.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-53279

Patch Status
Patched

Published
Jun 27, 2025

Affected Software
Popup addon for Ninja Forms

Researcher

muhammad yudha

More Details >

Post Rating and Review <= 1.3.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via class Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-6538

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
Post Rating and Review

Researcher

Gilang

More Details >

Qi Addons For Elementor <= 1.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-6252

Patch Status
Patched

Published
Jun 27, 2025

Affected Software
Qi Addons For Elementor

Researcher

Webbernaut

More Details >

Raise The Money <= 5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-53321

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Raise The Money

Researcher

Peter Thaleikis

More Details >

Responsive Blocks <= 2.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-53202

Patch Status
Patched

Published
Jun 27, 2025

Affected Software
Responsive Blocks – WordPress Gutenberg Blocks

Researcher

zaim

More Details >

Responsive Food and Drink Menu <= 2.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via display_pdf_menus Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-6378

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
Responsive Food and Drink Menu

Researcher

Gilang

More Details >

Royal Elementor Addons <= 1.7.1024 – Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Multiple Widgets

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5338

Patch Status
Patched

Published
Jun 25, 2025

Affected Software
Royal Elementor Addons and Templates

Researcher

Asaf Mozes

More Details >

SiteOrigin Widgets Bundle <= 1.68.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via `data-url` DOM Element Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5585

Patch Status
Patched

Published
Jun 24, 2025

Affected Software
SiteOrigin Widgets Bundle

Researcher

Asaf Mozes

More Details >

Smart Agenda <= 4.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-53294

Patch Status
Patched

Published
Jun 27, 2025

Affected Software
SmartAgenda – Prise de rendez-vous en ligne

Researcher

Peter Thaleikis

More Details >

The Countdown <= 2.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via clientId Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5929

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
The Countdown – Block Countdown Timer

Researcher

Peter Thaleikis

More Details >

The Pack Elementor addon <= 2.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-6550

Patch Status
Unpatched

Published
Jun 26, 2025

Affected Software
The Pack Elementor addon

Researcher

stealthcopter

More Details >

Theme Junkie Team Content <= 0.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-53301

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Theme Junkie Team Content

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

Thumbnail Editor <= 2.3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-53282

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Thumbnail Editor

Researcher

Peter Thaleikis

More Details >

TimeZoneCalculator <= 3.37 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5559

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
TimeZoneCalculator

Researcher

muhammad yudha

More Details >

Tournament Bracket Generator <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via bracket Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-6290

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
Tournament Bracket Generator

Researcher

Gilang

More Details >

web-cam <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via slug Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-6540

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
web-cam

Researcher

Gilang

More Details >

WP AdCenter <= 2.6.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-53278

Patch Status
Patched

Published
Jun 27, 2025

Affected Software
WP AdCenter – Ad Manager & Adsense Ads

Researcher

Peter Thaleikis

More Details >

WP DataTable <= 0.2.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-53292

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
WP DataTable

Researcher

Peter Thaleikis

More Details >

WP Masonry & Infinite Scroll <= 2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-5488

Patch Status
Patched

Published
Jun 25, 2025

Affected Software
WP Masonry & Infinite Scroll

Researcher

Peter Thaleikis

More Details >

WP SoundSystem <= 3.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via wpsstm-track Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-6258

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
WP SoundSystem

Researcher

Gilang

More Details >

WP Visual Sitemap <= 1.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-53290

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
WP Visual Sitemap

Researcher

muhammad yudha

More Details >

WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress <= 8.5.32 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-6350

Patch Status
Patched

Published
Jun 27, 2025

Affected Software
WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress

Researcher

Webbernaut

More Details >

WP-PhotoNav <= 1.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via photonav Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-6383

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
WP-PhotoNav

Researcher

Gilang

More Details >

Content Manager Light <= 3.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-24771

Patch Status
Unpatched

Published
Jun 26, 2025

Affected Software
Content Manager Light

Researcher

Tran Nguyen Bao Khanh

More Details >

Elessi <= 6.3.9 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-49873

Patch Status
Patched

Published
Jun 25, 2025

Affected Software
Elessi – WooCommerce AJAX WordPress Theme – RTL support

Researcher

Tran Nguyen Bao Khanh

More Details >

Evangelische Termine <= 3.3 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-28960

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
Evangelische Termine

Researcher

Nguyen Xuan Chien

More Details >

Eventin <= 4.0.28 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-49321

Patch Status
Patched

Published
Jun 23, 2025

Affected Software
Event Manager, Events Calendar, Booking, Registrations and Tickets – Eventin

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

Flexo Counter <= 1.0001 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-50052

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
Flexo Counter

Researcher

Huynh Dong Quang

More Details >

Homey <= 2.4.5 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-31037

Patch Status
Unpatched

Published
Jun 26, 2025

Affected Software
Homey

Researcher

a00n

More Details >

Infility Global <= 2.12.7 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-52774

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
Infility Global

Researcher

0xVenus

More Details >

JobSearch <= 2.9.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-52798

Patch Status
Unpatched

Published
Jun 26, 2025

Affected Software
JobSearch WP Job Board

Researcher

Tran Nguyen Bao Khanh

More Details >

LMS <= 9.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-52799

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
LMS – Education WordPress Theme

Researcher

Frank

More Details >

MagOne <= 8.5 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-39488

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
MagOne

Researcher

Tran Nguyen Bao Khanh

More Details >

Off-Canvas Sidebars & Menus (Slidebars) <= 0.5.8.4 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-49290

Patch Status
Patched

Published
Jun 23, 2025

Affected Software
Off-Canvas Sidebars & Menus (Slidebars)

Researcher

domiee13

More Details >

Photo Express for Google <= 0.3.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-27361

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
Photo Express for Google

Researcher

João Pedro Soares de Alcântara

More Details >

Pressroom – News Magazine WordPress Theme <= 6.9 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-32311

Patch Status
Unpatched

Published
Jun 26, 2025

Affected Software
Pressroom – News Magazine WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Rankie <= 1.8.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-39487

Patch Status
Unpatched

Published
Jun 26, 2025

Affected Software
Rankie – WordPress Rank Tracker Plugin

Researcher

Nguyễn Trung Kiên

More Details >

SB Breadcrumbs <= 1.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-28978

Patch Status
Unpatched

Published
Jun 26, 2025

Affected Software
SB Breadcrumbs

Researcher

Nguyen Xuan Chien

More Details >

Seven Stars <= 1.4.4 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-31067

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
Seven Stars – Modern Responsive MultiPurpose Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Team Showcase < 25.05.13 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-49247

Patch Status
Patched

Published
Jun 26, 2025

Affected Software
Team Showcase

Researcher

Tran Nguyen Bao Khanh

More Details >

Video List Manager <= 1.7 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-52776

Patch Status
Unpatched

Published
Jun 26, 2025

Affected Software
Video List Manager

Researcher

Nguyen Xuan Chien

More Details >

WP Front User Submit / Front Editor <= 4.9.3 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-28988

Patch Status
Patched

Published
Jun 23, 2025

Affected Software
Guest posting / Frontend Posting / Front Editor – WP Front User Submit

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

WP Wall <= 1.7.3 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-28968

Patch Status
Unpatched

Published
Jun 26, 2025

Affected Software
WP Wall

Researcher

Nguyen Xuan Chien

More Details >

WP-Recall <= 16.26.14 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-52796

Patch Status
Unpatched

Published
Jun 26, 2025

Affected Software
WP-Recall – Registration, Profile, Commerce & More

Researcher

Nguyen Xuan Chien

More Details >

WPCRM – CRM for Contact form CF7 & WooCommerce <= 3.2.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-24774

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
WPCRM – CRM for Contact form CF7 & WooCommerce

Researcher

Frank

More Details >

xili-dictionary <= 2.12.5.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-52778

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
xili-dictionary

Researcher

Nguyen Xuan Chien

More Details >

ChatBot <= 6.7.3 – Missing Authorization

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-53200

Patch Status
Patched

Published
Jun 27, 2025

Affected Software
AI ChatBot for WordPress – WPBot

Researcher

zaim

More Details >

Abandoned Contact Form 7 <= 2.0 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-52817

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
Abandoned Contact Form 7

Researcher

theviper17y

More Details >

Accept Authorize.NET Payments Using Contact Form 7 <= 2.5 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-53322

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Accept Authorize.NET Payments Using Contact Form 7

Researcher

Martino Spagnuolo

More Details >

Accept Stripe Payments Using Contact Form 7 <= 3.0 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-53309

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Accept Stripe Payments Using Contact Form 7

Researcher

Martino Spagnuolo

More Details >

Amazon Products to WooCommerce <= 1.2.7 – Missing Authorization to Unauthenticated Arbitrary Product Creation

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-5813

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
Amazon Products to WooCommerce

Researcher

ch4r0n

More Details >

Audio Editor & Recorder <= 2.2.3 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-53211

Patch Status
Patched

Published
Jun 27, 2025

Affected Software
Audio Editor & Recorder

Researcher

Martino Spagnuolo

More Details >

Constructor <= 1.6.5 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-53302

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Constructor

Researcher

Sulabh Jain (pentestmonkey11)

More Details >

Contact Form – 7 : Hide Success Message <= 1.1.4 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-53304

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Contact Form – 7 : Hide Success Message

Researcher

Kévin Mosbahi (Mika)

More Details >

HurryTimer <= 2.13.1 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-53255

Patch Status
Patched

Published
Jun 27, 2025

Affected Software
HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce

Researcher

ch4r0n

More Details >

iCount Payment Gateway <= 2.0.6 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-53295

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
iCount Payment Gateway

Researcher

ch4r0n

More Details >

Mollie Payments for WooCommerce <= 8.0.2 – Unauthenticated Insecure Direct Object Reference

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-39362

Patch Status
Unpatched

Published
Jun 26, 2025

Affected Software
Mollie Payments for WooCommerce

Researcher

Rafie Muhammad

More Details >

Trusty Whistleblowing <= 1.5.2 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-52818

Patch Status
Unpatched

Published
Jun 23, 2025

Affected Software
Trusty Whistleblowing Solution

Researcher

Hiro

More Details >

Hover Effects <= 2.1.2 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-53258

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Hover Effects – easily create any hover effect

Researcher

Jamaal ahmed

More Details >

Plugin Inspector <= 1.5 – Authenticated (Admin+) Arbitrary File Download

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-53298

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Plugin Inspector

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

WP Forum Server <= 1.8.2 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-53306

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
WP Forum Server

Researcher

Nguyen Xuan Chien

More Details >

YaySMTP <= 2.6.5 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-53256

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service

Researcher

Nguyen Kim Sang

More Details >

Add & Replace Affiliate Links for Amazon <= 1.0.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-53285

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Add & Replace Affiliate Links for Amazon

Researcher

Nabil Irawan

More Details >

Beauty Contact Popup Form <= 6.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-53325

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Beauty Contact Popup Form

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

Charitable <= 1.8.6.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin’s Privacy Settings

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-5275

Patch Status
Patched

Published
Jun 25, 2025

Affected Software
Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More

Researcher

Jonas Benjamin Friedli

More Details >

EC Stars Rating <= 1.0.11 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-53296

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
EC Stars Rating

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

Quick Favicon <= 0.22.8 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-53287

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Quick Favicon

Researcher

Nabil Irawan

More Details >

WP Edit <= 4.0.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-53253

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
WP Edit

Researcher(s): Unknown

More Details >

Additional Order Filters for WooCommerce <= 1.22 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53271

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Additional Order Filters for WooCommerce

Researcher

Skalucy

More Details >

Address Autocomplete via Google for Gravity Forms <= 1.3.4 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53263

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Address Autocomplete via Google for Gravity Forms

Researcher

Nguyen Xuan Chien

More Details >

Aioseo Multibyte Descriptions <= 0.0.6 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53327

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Aioseo Multibyte Descriptions

Researcher

Chu The Anh

More Details >

Burst Statistics <= 2.0.6 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53193

Patch Status
Patched

Published
Jun 27, 2025

Affected Software
Burst Statistics – Privacy-Friendly Analytics for WordPress

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

CMS Blocks <= 1.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53284

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
CMS Blocks

Researcher

muhammad yudha

More Details >

Cookiebot <= 4.5.8 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53197

Patch Status
Patched

Published
Jun 27, 2025

Affected Software
Usercentrics Cookiebot – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode

Researcher

domiee13

More Details >

Cron Logger <= 1.3.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53266

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Cron Logger

Researcher

Nguyen Xuan Chien

More Details >

Cyrlitera <= 1.2.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53254

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Cyrlitera – transliteration of links and file names

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Dashboard Widget Sidebar <= 1.2.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53293

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Dashboard Widget Sidebar

Researcher

Kévin Mosbahi (Mika)

More Details >

Hide Admin Bar From Front End <= 1.0.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53267

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Hide Admin Bar From Front End

Researcher

Nguyen Xuan Chien

More Details >

HidePost <= 2.3.8 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53310

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
HidePost

Researcher

Nguyen Xuan Chien

More Details >

Homerunner <= 1.0.29 – Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-5932

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
Homerunner

Researcher

Nabil Irawan

More Details >

Image Cleanup <= 1.9.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53272

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Image Cleanup

Researcher

Skalucy

More Details >

Image Slider With Description <= 9.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53308

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Image slider with description

Researcher

Skalucy

More Details >

Import external attachments <= 1.5.12 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53268

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Import external attachments

Researcher

Nguyen Xuan Chien

More Details >

IS-theme-companion <= 1.57 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53277

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
IS-theme-companion

Researcher

domiee13

More Details >

MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet <= 3.2.0 – Cross-Site Request Forgery to Settings Reset

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-5937

Patch Status
Patched

Published
Jun 27, 2025

Affected Software
MicroPayments – Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet

Researcher

Nabil Irawan

More Details >

My Wp Brand <= 1.1.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53269

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
My Wp Brand – Hide menu & Hide Plugin

Researcher

Nguyen Xuan Chien

More Details >

Navayan Subscribe <= 1.13 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53311

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Navayan Subscribe

Researcher

Nguyen Xuan Chien

More Details >

ONet Regenerate Thumbnails <= 1.5 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53264

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
ONet Regenerate Thumbnails

Researcher

Nguyen Xuan Chien

More Details >

OnionBuzz <= 1.0.7 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53312

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
OnionBuzz

Researcher

Nguyen Xuan Chien

More Details >

PlatiOnline Payments <= 6.3.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53288

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
PlatiOnline Payments

Researcher

norahc

More Details >

Post Carousel Slider for Elementor <= 1.6.0 – Authenticated (Subscriber+) Missing Authorization via process_wbelps_promo_form Function

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-3863

Patch Status
Patched

Published
Jun 25, 2025

Affected Software
Post Carousel Slider for Elementor

Researcher

Peter Thaleikis

More Details >

Pre-Publish Post Checklist <= 3.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53323

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Pre-Publish Post Checklist

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

re.place <= 0.2.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53338

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
re.place

Researcher

johska

More Details >

Relocate Upload <= 0.24.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53315

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Relocate Upload

Researcher

Skalucy

More Details >

RSS Digest <= 1.5 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53331

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
RSS Digest

Researcher

johska

More Details >

Slickstream <= 2.0.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53273

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Slickstream: Engagement and Conversions

Researcher

Skalucy

More Details >

Społecznościowa 6 PL 2013 <= 2.0.6 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53329

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Społecznościowa 6 PL 2013

Researcher

johska

More Details >

Track Everything <= 2.0.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53332

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Track Everything

Researcher

johska

More Details >

Twitch TV Embed Suite <= 2.1.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53313

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Twitch TV Embed Suite

Researcher

Skalucy

More Details >

VG WORT METIS <= 2.0.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-50039

Patch Status
Unpatched

Published
Jun 26, 2025

Affected Software
VG WORT METIS

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

VG WORT METIS <= 2.0.0 – Missing Authorization to Authenticated (Subscriber+) Limited Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-5812

Patch Status
Unpatched

Published
Jun 25, 2025

Affected Software
VG WORT METIS

Researcher

ch4r0n

More Details >

Virusdie <= 1.1.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53265

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Virusdie – One-click website security

Researcher

Nguyen Xuan Chien

More Details >

VR Calendar <= 2.4.7 – Cross-Site Request Forgery to Calendar Sync

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-5936

Patch Status
Unpatched

Published
Jun 26, 2025

Affected Software
VR Calendar

Researcher

Nabil Irawan

More Details >

WooCommerce PDF Invoice Builder <= 1.2.148 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53203

Patch Status
Patched

Published
Jun 27, 2025

Affected Software
PDF Builder for WooCommerce. Create invoices,packing slips and more

Researcher

Nguyen Xuan Chien

More Details >

WordPress CTA <= 1.6.9 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53270

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
WP CTA – Call To Action Plugin, Sticky CTA, Sticky Buttons

Researcher

Nguyen Xuan Chien

More Details >

WP DB Booster <= 1.0.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53318

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
WP DB Booster

Researcher

theviper17y

More Details >

WP Forum Server <= 1.8.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53305

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
WP Forum Server

Researcher

Nguyen Xuan Chien

More Details >

WP GDPR Cookie Consent <= 1.0.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53316

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
wp-gdpr-cookie-consen

Researcher

Skalucy

More Details >

WP Optimizer <= 2.3.6 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53314

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
WP Optimizer

Researcher

Skalucy

More Details >

WP Permalink Translator <= 1.7.6 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53274

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
WP Permalink Translator

Researcher

Skalucy

More Details >

WP YouTube Live <= 1.10.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53261

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
WP YouTube Live

Researcher

Kévin Mosbahi (Mika)

More Details >

WPShapere – WordPress admin theme <= 1.4.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53317

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
WPShapere Lite

Researcher

Skalucy

More Details >

Writesonic <= 1.0.4 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-53262

Patch Status
Unpatched

Published
Jun 27, 2025

Affected Software
Writesonic

Researcher

Nguyen Xuan Chien

More Details >