Wordfence Intelligence Weekly WordPress Vulnerability Report (September 1, 2025 to September 7, 2025)

Calling all Vulnerability Researchers and Bug Bounty Hunters!

  Operation: Maximum Impact Challenge! Now through November 10, 2025, earn 2X bounty rewards for all in-scope submissions in software with at least 5,000 active installs and fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big!

 Participate in the SQLsplorer Challenge! Now through September 22, 2025, all SQL Injection vulnerabilities in software with at least 25 active installs are considered in-scope for all researchers, regardless of researcher tier AND earn a 20% bonus on all SQL Injection vulnerability submissions.

Last week, there were 191 vulnerabilities disclosed in 178 WordPress Plugins and 7 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 52 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 28,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Nguyen Xuan Chien	28
Kévin Mosbahi (Mika)	19
Peter Thaleikis	17
Muhammad Yudha – DJ	13
Que Thanh Tuan	11
Nabil Irawan	9
Bao	8
zaim	7
theviper17y	6
Martino Spagnuolo	5
Jonas Benjamin Friedli	5
Drew Webber (mcdruid)	5
stealthcopter	4
Denver Jackson	4
Prissy	3
Webbernaut	3
Vinit Lakra	3
zer0gh0st	3
Tran Nguyen Bao Khanh	2
vodanh	2
kr0d	2
Hiro	2
LVT-tholv2k	2
Michael	1
dutafi	1
Phat RiO – BlueRock	1
Kishan Vyas	1
Martin Herancourt	1
Skalucy	1
MD ISMAIL	1
Bonds	1
0xbeven	1
Aril Aprilio (forsak3n)	1
Ananda Dhakal	1
Matteo Leonelli	1
David D.	1
63n0	1
Nguyễn Trung Kiên	1
Ilkeggs	1
Muhammad Zidan Ali Mansur	1
tmrswrr	1
Nguyen Xuan Chien	1
Jack Pas (Dark.)	1
Gai Tanaka (63n0)	1
ISMAILSHADOW	1
Tonn	1
István Márton	1
Ryan Kozak	1
0xd4rk5id3	1
Fiqro Najiah (EscapesCode)	1
Nguyen Ngoc Quang Bach (maysbachs)	1
domiee13	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

AdForest <= 6.0.9 – Authentication Bypass to Admin

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-8359

Patch Status
Patched

Published
Sep 5, 2025

Affected Software
AdForest

Researcher

Tonn

More Details >

immonex Kickstart <= 1.11.6 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-58637

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
immonex Kickstart

Researcher

Peter Thaleikis

More Details >

InPost Gallery <= 2.1.4.5 – Authenticated (Subscriber+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-57889

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
InPost Gallery

Researcher

LVT-tholv2k

More Details >

MediaPress <= 1.5.9.1 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-58608

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
MediaPress

Researcher

zaim

More Details >

Cloud SAML SSO <= 1.0.19 – Missing Authorization to Unauthenticated Settings Modification via set_organization_settings Action

8.2

CVSS Rating
High (8.2)

CVE-ID
CVE-2025-7040

Patch Status
Patched

Published
Sep 5, 2025

Affected Software
Cloud SAML SSO – Single Sign On Login

Researcher

kr0d

More Details >

Quiz And Survey Master <= 10.2.5 – Unauthenticated PHP Object Injection

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-49401

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Researcher

Phat RiO – BlueRock

More Details >

WordPress Helpdesk Integration <= 5.8.10 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-9990

Patch Status
Unpatched

Published
Sep 4, 2025

Affected Software
WordPress Helpdesk Integration

Researcher

Aril Aprilio (forsak3n)

More Details >

Miraculous < 2.0.9 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-58628

Patch Status
Patched

Published
Sep 1, 2025

Affected Software
Miraculous – Multi Vendor Online Music Store Elementor WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Spirit Framework <= 1.2.13 – Authenticated (Subscriber+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-10269

Patch Status
Unpatched

Published
Sep 3, 2025

Affected Software
Spirit Framework

Researcher

Bonds

More Details >

Rehub <= 19.9.7 – Unauthenticated Arbitrary Shortcode Execution via re_filterpost

7.3

CVSS Rating
High (7.3)

CVE-ID
CVE-2025-7366

Patch Status
Patched

Published
Sep 5, 2025

Affected Software
REHub – Price Comparison, Multi Vendor Marketplace WordPress Theme

Researcher

stealthcopter

More Details >

atec Debug <= 1.2.22 – Authenticated (Administrator+) Arbitrary File Deletion

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-9518

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
atec Debug

Researcher

Jonas Benjamin Friedli

More Details >

atec Debug <= 1.2.22 – Authenticated (Administrator+) Remote Code Execution

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-9517

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
atec Debug

Researcher

Jonas Benjamin Friedli

More Details >

Bulk Featured Image <= 1.2.2 – Authenticated (Admin+) Arbitrary File Upload

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-58819

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Bulk Featured Image

Researcher

Nabil Irawan

More Details >

Easy Timer <= 4.2.1 – Authenticated (Editor+) Remote Code Execution via Shortcode

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-9519

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Easy Timer

Researcher

Jonas Benjamin Friedli

More Details >

Exit Intent Popup <= 1.0.1 – Unauthenticated Server-Side Request Forgery

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-58641

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Exit Intent Popup

Researcher

Tran Nguyen Bao Khanh

More Details >

Make Connector <= 1.5.10 – Authenticated (Administrator+) Arbitrary File Upload

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-6085

Patch Status
Unpatched

Published
Sep 3, 2025

Affected Software
Make Connector

Researcher

Ryan Kozak

More Details >

Multi Step Form <= 1.7.25 – Authenticated (Admin+) Arbitrary File Upload

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-9515

Patch Status
Patched

Published
Sep 5, 2025

Affected Software
Multi Step Form

Researcher

tmrswrr

More Details >

Aitasi Coming Soon <= 2.0.2 – Authenticated (Administrator+) PHP Object Injection

6.6

CVSS Rating
Medium (6.6)

CVE-ID
CVE-2025-58815

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Aitasi Coming Soon

Researcher

Drew Webber (mcdruid)

More Details >

eDS Responsive Menu <= 1.2 – Authenticated (Administrator+) PHP Object Injection

6.6

CVSS Rating
Medium (6.6)

CVE-ID
CVE-2025-58839

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
eDS Responsive Menu

Researcher

Drew Webber (mcdruid)

More Details >

LTL Freight Quotes – TQL Edition <= 1.2.6 – Authenticated (Administrator+) PHP Object Injection

6.6

CVSS Rating
Medium (6.6)

CVE-ID
CVE-2025-58644

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
LTL Freight Quotes – TQL Edition

Researcher

Drew Webber (mcdruid)

More Details >

LTL Freight Quotes – Day & Ross Edition <= 2.1.11 – Authenticated (Administrator+) PHP Object Injection

6.6

CVSS Rating
Medium (6.6)

CVE-ID
CVE-2025-58642

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
LTL Freight Quotes – Day & Ross Edition

Researcher

Drew Webber (mcdruid)

More Details >

LTL Freight Quotes – Daylight Edition <= 2.2.7 – Authenticated (Administrator+) PHP Object Injection

6.6

CVSS Rating
Medium (6.6)

CVE-ID
CVE-2025-58643

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
LTL Freight Quotes – Daylight Edition

Researcher

Drew Webber (mcdruid)

More Details >

Ai Engine <= 2.9.5 – Missing Authorization to Unauthenticated Uploaded Files Disclosure And Deletion

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-8268

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
AI Engine

Researcher

ISMAILSHADOW

More Details >

Cloud SAML SSO <= 1.0.19 – Missing Authorization to Unauthenticated Identity Provider Deletion via delete_config Action

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-7045

Patch Status
Patched

Published
Sep 5, 2025

Affected Software
Cloud SAML SSO – Single Sign On Login

Researcher

kr0d

More Details >

Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder 5.1.16 – 6.1.1 – Authenticated (Subscriber+) PHP Object Injection To Arbitrary File Read

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-9260

Patch Status
Patched

Published
Sep 2, 2025

Affected Software
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Researcher

Webbernaut

More Details >

New Simple Gallery <= 8.0 – Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-58881

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
New Simple Gallery

Researcher

Peter Thaleikis

More Details >

Ray Enterprise Translation <= 1.7.1 – Missing Authorization

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-58785

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Ray Enterprise Translation

Researcher

LVT-tholv2k

More Details >

UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP <= 1.2.44 – Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-10003

Patch Status
Patched

Published
Sep 5, 2025

Affected Software
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

Admin Menu Editor <= 1.14 – Authenticated (Contributor+) Stored Cross-Site Scripting via placeholder Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-9493

Patch Status
Patched

Published
Sep 5, 2025

Affected Software
Admin Menu Editor

Researcher

Muhammad Yudha – DJ

More Details >

Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One <= 2.2.6 – Authenticated (Subscriber+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58829

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One

Researcher

Martino Spagnuolo

More Details >

Aparat Video Shortcode <= 0.2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58876

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Aparat Video Shortcode

Researcher

Kévin Mosbahi (Mika)

More Details >

ARI Fancy Lightbox <= 1.4.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58784

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
ARI Fancy Lightbox – Popup for WordPress

Researcher

Prissy

More Details >

aThemes Addons for Elementor Lite <= 1.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-8149

Patch Status
Patched

Published
Sep 5, 2025

Affected Software
aThemes Addons for Elementor

Researcher

zer0gh0st

More Details >

Best Restaurant Menu by PriceListo <= 1.4.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58812

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Great Restaurant Menu WP

Researcher

Prissy

More Details >

Biagiotti Core <= 2.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-9057

Patch Status
Patched

Published
Sep 5, 2025

Affected Software
Biagiotti Core

Researcher

István Márton

More Details >

Booking Ultra Pro <= 1.1.21 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58633

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Booking Ultra Pro Appointments Booking Calendar Plugin

Researcher

Muhammad Yudha – DJ

More Details >

Boxed Content <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58851

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Boxed Content

Researcher

Kévin Mosbahi (Mika)

More Details >

Content Views <= 4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Grid and List Widgets

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-8722

Patch Status
Patched

Published
Sep 5, 2025

Affected Software
Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Blocks, and Elementor Widgets)

Researcher

Webbernaut

More Details >

Cookie Notice & Consent Banner for GDPR & CCPA Compliance <= 1.7.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58607

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Cookie Notice & Consent Banner for GDPR & CCPA Compliance

Researcher

zaim

More Details >

Course Booking Platform <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58887

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Course Booking Platform

Researcher

Peter Thaleikis

More Details >

Custom Team Manager <= 2.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58840

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Custom Team Manager

Researcher

Bao

More Details >

Dadevarzan WordPress Common <= 2.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58632

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Dadevarzan WordPress Common

Researcher

Muhammad Yudha – DJ

More Details >

Document Engine <= 1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58640

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Document Engine – Download Posts as PDF, PDF Embedder, Posts to PDF

Researcher

Peter Thaleikis

More Details >

Donation Forms WP by Givecloud <= 1.0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58842

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Donation Forms WP by Givecloud

Researcher

Peter Thaleikis

More Details >

Easy Download Media Counter <= 1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58867

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Easy Download Media Counter

Researcher

Kévin Mosbahi (Mika)

More Details >

Easy Flash Embed <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-48105

Patch Status
Unpatched

Published
Sep 2, 2025

Affected Software
Easy Flash Embed

Researcher

Muhammad Yudha – DJ

More Details >

Easy Social Feed – Social Photos Gallery – Post Feed – Like Box <= 6.6.7 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-6067

Patch Status
Patched

Published
Sep 5, 2025

Affected Software
Easy Social Feed – Social Photos Gallery – Post Feed – Like Box

Researcher

Webbernaut

More Details >

Event Feed for Eventbrite <= 1.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58623

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Show Eventbrite Events – Event Feed for Eventbrite

Researcher

Muhammad Yudha – DJ

More Details >

Exchange Rates <= 1.2.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58624

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Exchange Rates

Researcher

Muhammad Yudha – DJ

More Details >

Flatsome <= 3.20.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-8684

Patch Status
Patched

Published
Sep 4, 2025

Affected Software
Flatsome

Researcher

stealthcopter

More Details >

FW Anker <= 1.2.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58836

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
FW Anker

Researcher

Kévin Mosbahi (Mika)

More Details >

Gallery PhotoBlocks <= 1.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58610

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Gallery PhotoBlocks

Researcher

theviper17y

More Details >

Get Cash <= 3.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58823

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Get Cash

Researcher

theviper17y

More Details >

Html Social share buttons <= 2.1.16 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-9849

Patch Status
Patched

Published
Sep 5, 2025

Affected Software
Html Social share buttons

Researcher

Peter Thaleikis

More Details >

Ibtana – Ecommerce Product Addons <= 0.4.7.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58786

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Ibtana – Ecommerce Product Addons

Researcher

zaim

More Details >

If-So Dynamic Content Personalization <= 1.9.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58602

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
If-So Dynamic Content Personalization

Researcher

zaim

More Details >

IssueM <= 2.9.0 – Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58631

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
IssueM

Researcher

Muhammad Yudha – DJ

More Details >

Kiwi <= 2.1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58790

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Social Sharing Plugin – Kiwi

Researcher

theviper17y

More Details >

LA-Studio Element Kit for Elementor <= 1.5.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-8360

Patch Status
Patched

Published
Sep 5, 2025

Affected Software
LA-Studio Element Kit for Elementor

Researcher

zer0gh0st

More Details >

Latest Post Shortcode <= 14.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58609

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Latest Post Shortcode

Researcher

Gai Tanaka (63n0)

More Details >

Master Paper Collapse Toggle <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58871

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Master Paper Collapse Toggle

Researcher

Kévin Mosbahi (Mika)

More Details >

Optio Dentistry <= 2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-9853

Patch Status
Patched

Published
Sep 5, 2025

Affected Software
Optio Dentistry

Researcher

Jonas Benjamin Friedli

More Details >

Orbit Fox by ThemeIsle <= 3.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58593

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More

Researcher

Michael

More Details >

Parallax Scrolling Enllax.js <= 0.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58830

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Parallax Scrolling Enllax.js

Researcher

Kévin Mosbahi (Mika)

More Details >

PDF for WPForms <= 6.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58620

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
PDF for WPForms + Drag and Drop Template Builder

Researcher

Muhammad Yudha – DJ

More Details >

Pie Calendar <= 1.2.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58618

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
WordPress Events Calendar Plugin – Pie Calendar

Researcher

zaim

More Details >

prettyPhoto <= 1.2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58808

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
WordPress prettyPhoto

Researcher(s): Unknown

More Details >

PropertyHive <= 2.1.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58612

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Property Hive

Researcher

zaim

More Details >

PuzzleMe for WordPress <= 1.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58621

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
PuzzleMe for WordPress

Researcher

Muhammad Yudha – DJ

More Details >

Recent Posts Widget Extended <= 2.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via rpwe Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-6757

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Recent Posts Widget Extended

Researcher

Muhammad Yudha – DJ

More Details >

RumbleTalk Live Group Chat <= 6.3.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58626

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
RumbleTalk Live Group Chat – HTML5

Researcher

Muhammad Yudha – DJ

More Details >

short.io <= 2.4.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58834

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
short.io

Researcher

Peter Thaleikis

More Details >

Showpass WordPress Extension <= 4.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58850

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Showpass WordPress Extension

Researcher

Peter Thaleikis

More Details >

SimaCookie <= 1.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58868

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
SimaCookie

Researcher

Kévin Mosbahi (Mika)

More Details >

Simple Text Slider <= 1.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58882

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Simple Text Slider

Researcher

Kévin Mosbahi (Mika)

More Details >

SKT Addons for Elementor <= 3.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-8564

Patch Status
Patched

Published
Sep 5, 2025

Affected Software
SKT Addons for Elementor

Researcher

zer0gh0st

More Details >

Smart Table Builder <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-9126

Patch Status
Patched

Published
Sep 5, 2025

Affected Software
Smart Table Builder

Researcher

Peter Thaleikis

More Details >

Smooth Accordion <= 2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58838

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Smooth Accordion

Researcher

Kévin Mosbahi (Mika)

More Details >

SS Font Awesome Icon <= 4.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58837

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
SS Font Awesome Icon

Researcher

Kévin Mosbahi (Mika)

More Details >

Stagtools <= 2.3.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58814

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
StagTools

Researcher

theviper17y

More Details >

StoryMap <= 2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58874

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
WordPress StoryMap Plugin

Researcher

Peter Thaleikis

More Details >

StreamWeasels Kick Integration <= 1.1.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via vodsChannel Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-9442

Patch Status
Patched

Published
Sep 5, 2025

Affected Software
StreamWeasels Kick Integration

Researcher

Peter Thaleikis

More Details >

Themify Popup <= 1.4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58787

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Themify Popup

Researcher

Peter Thaleikis

More Details >

Today’s Date Inserter <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-48103

Patch Status
Unpatched

Published
Sep 2, 2025

Affected Software
Today’s Date Inserter

Researcher

Muhammad Yudha – DJ

More Details >

Tooltipy <= 5.5.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58614

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Tooltipy (tooltips for WP)

Researcher

63n0

More Details >

Translate This gTranslate Shortcode <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58880

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Translate This gTranslate Shortcode

Researcher

Kévin Mosbahi (Mika)

More Details >

Vayu Blocks <= 1.3.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Block Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-9378

Patch Status
Patched

Published
Sep 2, 2025

Affected Software
Vayu Blocks – Website Builder for the Block Editor

Researchers

stealthcopter

Ilkeggs

More Details >

WordPress Events Calendar Plugin – connectDaily <= 1.5.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58862

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
connectDaily Events Calendar Plugin

Researcher

Kévin Mosbahi (Mika)

More Details >

WP Delicious <= 1.8.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58605

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes)

Researcher

zaim

More Details >

WP Flow Plus <= 5.2.5 – Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58625

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
WP Flow Plus

Researcher

Muhammad Yudha – DJ

More Details >

WP Github Gist <= 0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58875

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
WP Github Gist

Researcher

Kévin Mosbahi (Mika)

More Details >

WP Mail <= 1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58822

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
WP Mail

Researcher

Peter Thaleikis

More Details >

WP Notification Bell <= 1.4.6 – Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58821

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
WP Notification Bell

Researcher

Nabil Irawan

More Details >

WP Publication Archive <= 3.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58826

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
WP Publication Archive

Researcher

theviper17y

More Details >

WP-GraphViz <= 1.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58870

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
WP-GraphViz

Researcher

Peter Thaleikis

More Details >

WPB Elementor Addons <= 1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58793

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
WPB Elementor Addons

Researcher

Prissy

More Details >

WPB Image Widget <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58858

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
WPB Image Widget

Researcher

Kévin Mosbahi (Mika)

More Details >

Zoomify embed for WP <= 1.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58863

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Zoomify embed for WP

Researcher

Peter Thaleikis

More Details >

金数据 <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58864

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
金数据

Researcher

Kévin Mosbahi (Mika)

More Details >

코드엠샵 소셜톡 <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-58828

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
코드엠샵 소셜톡

Researcher

theviper17y

More Details >

Floating Window Music Player <= 3.4.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-48104

Patch Status
Unpatched

Published
Sep 2, 2025

Affected Software
Floating Window Music Player

Researcher

Skalucy

More Details >

Woocommerce Notify Updated Product <= 1.6 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-58856

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Woocommerce Notify Updated Product

Researcher

Nguyen Xuan Chien

More Details >

WordPress Assistant <= 1.5.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-53307

Patch Status
Unpatched

Published
Sep 3, 2025

Affected Software
Assistant – Every Day Productivity Apps

Researcher

Martin Herancourt

More Details >

WP likes <= 3.1.1 – Cross-Site Request Forgery to Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-58848

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
WP likes

Researcher

Nguyen Xuan Chien

More Details >

WP Bannerize Pro <= 1.10.0 – Authenticated (Editor+) Server-Side Request Forgery

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2025-58615

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
WP Bannerize Pro

Researcher

Nabil Irawan

More Details >

Job Board Manager <= 2.1.61 – Authenticated (Job Poster+) Arbitrary Shortcode Execution

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-58827

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Job Board Manager

Researcher

Kishan Vyas

More Details >

Bonus for Woo <= 7.4.1 – Insufficient Input Validation

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-58835

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Bonus for Woo

Researcher

Martino Spagnuolo

More Details >

Ninja Charts <= 3.3.2 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-58797

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Ninja Charts – WordPress Charts and Graphs Plugin

Researcher

Hiro

More Details >

Paid Member Subscriptions <= 2.15.9 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-58600

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction

Researcher

MD ISMAIL

More Details >

Payoneer Checkout <= 3.4.0 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-58795

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Payoneer Checkout

Researcher

Nguyen Xuan Chien

More Details >

PeachPay Payments <= 1.117.4 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-58634

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net

Researcher

Nabil Irawan

More Details >

PopAd <= 1.0.4 – Cross-Site Request Forgery to Settings Update

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-9616

Patch Status
Unpatched

Published
Sep 3, 2025

Affected Software
PopAd

Researcher

Nabil Irawan

More Details >

Posts Table with Search & Sort <= 1.4.10 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-58613

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Posts Table with Search & Sort

Researcher

Bao

More Details >

Rehub <= 19.9.7 – Unauthenticated Password Protected Post Disclosure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-7368

Patch Status
Patched

Published
Sep 5, 2025

Affected Software
REHub – Price Comparison, Multi Vendor Marketplace WordPress Theme

Researcher

stealthcopter

More Details >

Support Genix <= 1.4.23 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-58635

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Support Genix – Helpdesk & Customer Support Ticket System

Researcher

Bao

More Details >

Surfer <= 1.6.4.574 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-58603

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Surfer – WordPress Plugin

Researcher

Hiro

More Details >

atec Debug <= 1.2.22 – Authenticated (Administrator+) Arbitrary File Read

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-9516

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
atec Debug

Researcher

Jonas Benjamin Friedli

More Details >

ELEX WooCommerce Google Shopping (Google Product Feed) <= 1.4.3 – Authenticated (Admin+) SQL Inejction

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-10046

Patch Status
Patched

Published
Sep 5, 2025

Affected Software
ELEX WooCommerce Google Shopping (Google Product Feed)

Researcher

dutafi

More Details >

License Manager for WooCommerce <= 3.0.12 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-58788

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
License Manager for WooCommerce

Researcher

Que Thanh Tuan

More Details >

Mail Mint <= 1.18.5 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-58604

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Email Marketing, Email Automation, Newsletter & Cart Abandonment for WordPress and WooCommerce – Mail Mint

Researcher

vodanh

More Details >

User Registration & Membership <= 4.3.0 – Authenticated (Admin+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-9085

Patch Status
Patched

Published
Sep 5, 2025

Affected Software
User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin

Researcher

Jack Pas (Dark.)

More Details >

WP Full Stripe Free <= 8.3.0 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-58789

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions

Researcher

Que Thanh Tuan

More Details >

Carousel Ultimate <= 1.8 – Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-58820

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Carousel Ultimate

Researcher

Nabil Irawan

More Details >

Comment Form WP – Customize Default Comment Form <= 2.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-58825

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Comment Form WP – Customize Default Comment Form

Researcher

Bao

More Details >

Elementor Element Condition <= 1.0.5 – Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-58796

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Elementor Element Condition

Researcher

Que Thanh Tuan

More Details >

GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership <= 1.6.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-48102

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership

Researcher

Nabil Irawan

More Details >

Instant Locations <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-58886

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Instant Locations

Researcher

Vinit Lakra

More Details >

MailOptin <= 1.2.75.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-58596

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Popup, Optin Form & Email Newsletters for Mailchimp, HubSpot, AWeber – MailOptin

Researcher

Fiqro Najiah (EscapesCode)

More Details >

Pushe Web Push Notification <= 0.5.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-58873

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Pushe Web Push Notification

Researcher

Que Thanh Tuan

More Details >

Search by Google <= 1.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-58832

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Search by Google

Researcher

Que Thanh Tuan

More Details >

Search Cloud One <= 2.2.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-58883

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Search Cloud One

Researcher

Vinit Lakra

More Details >

SEO Auto Linker <= 1.5.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-58791

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
SEO Auto Linker

Researcher

Que Thanh Tuan

More Details >

Simple Link List Widget <= 0.3.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-58810

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Simple Link List Widget

Researcher

Que Thanh Tuan

More Details >

Simple Matomo Tracking Code <= 1.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-58630

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Simple Matomo Tracking Code

Researcher

Que Thanh Tuan

More Details >

Ultimate Client Dash <= 4.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-58811

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Ultimate Client Dash

Researcher

Que Thanh Tuan

More Details >

vipdrv <= 1.0.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-58884

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
vipdrv

Researcher

Vinit Lakra

More Details >

Widgetize Pages Light <= 3.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-58805

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Widgetize Pages Light

Researcher

Que Thanh Tuan

More Details >

Add to Feedly <= 1.2.11 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58859

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Add to Feedly

Researcher

Nguyen Xuan Chien

More Details >

AP HoneyPot WordPress Plugin <= 1.4 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58855

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
AP HoneyPot WordPress Plugin

Researcher

Nguyen Xuan Chien

More Details >

Authors List <= 2.0.6.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58792

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Authors List

Researcher

Que Thanh Tuan

More Details >

Auto Last Youtube Video <= 1.0.7 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58843

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Auto Last Youtube Video

Researcher

Nguyen Xuan Chien

More Details >

BCM Duplicate Menu <= 1.1.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58798

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
BCM Duplicate Menu

Researcher

Nguyen Xuan Chien

More Details >

Brizy <= 2.7.12 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58594

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Brizy – Page Builder

Researcher

Peter Thaleikis

More Details >

Bulk Watermark <= 1.6.10 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58845

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Bulk Watermark

Researcher

Nguyen Xuan Chien

More Details >

Classified Listing <= 5.0.6 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58601

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Classified Listing – AI-Powered Classified ads & Business Directory Plugin

Researcher

Denver Jackson

More Details >

Compact Admin <= 1.3.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58865

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Compact Admin

Researcher

Bao

More Details >

Consultstreet <= 3.0.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58813

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
ConsultStreet

Researcher

Nguyễn Trung Kiên

More Details >

Contact Form By Mega Forms <= 1.6.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58639

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Contact Form By Mega Forms – Drag and Drop Form Builder

Researcher

vodanh

More Details >

Custom WooCommerce Checkout Fields Editor <= 1.3.4 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58799

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Custom WooCommerce Checkout Fields Editor

Researcher

Nguyen Xuan Chien

More Details >

Database to Excel <= 1.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58844

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Database to Excel

Researcher

Nguyen Xuan Chien

More Details >

Developer Tools Blocker <= 3.2.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58818

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Developer Tools Blocker

Researcher

Nabil Irawan

More Details >

Enable Latex <= 1.2.16 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58860

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Enable Latex

Researcher

Nguyen Xuan Chien

More Details >

F4 Media Taxonomies <= 1.1.4 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58617

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
F4 Media Taxonomies

Researcher

Nabil Irawan

More Details >

Frisbii Pay <= 1.8.2.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58616

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Frisbii Pay

Researcher

Denver Jackson

More Details >

Gutentor <= 3.5.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58783

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor

Researcher

Denver Jackson

More Details >

Hide Real Download Path <= 1.6 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58849

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Hide Real Download Path

Researcher

Nguyen Xuan Chien

More Details >

Invelity MyGLS connect <= 1.1.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58833

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Invelity MyGLS connect

Researcher

Martino Spagnuolo

More Details >

Malcure Malware Scanner <= 16.8 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-3701

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Malcure Malware Scanner — #1 Toolset for Malware Removal

Researcher

domiee13

More Details >

MasterStudy LMS <= 3.6.15 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-54744

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
MasterStudy LMS WordPress Plugin – for Online Courses and Education

Researcher

0xd4rk5id3

More Details >

Media Author <= 1.0.4 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58841

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Media Author

Researcher

Bao

More Details >

Mobile Contact Line <= 2.4.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58622

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Mobile Contact Line

Researcher

0xbeven

More Details >

MSTW League Manager <= 2.10 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58852

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
MSTW League Manager

Researcher

Nguyen Xuan Chien

More Details >

Notification for Telegram <= 3.4.6 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58794

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Notification for Telegram

Researcher

Nguyen Xuan Chien

More Details >

Order Delivery Date for WooCommerce <= 4.1.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58599

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Order Delivery Date for WooCommerce

Researcher

Bao

More Details >

Parallax Scrolling Enllax.js <= 0.0.6 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58831

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Parallax Scrolling Enllax.js

Researcher

Kévin Mosbahi (Mika)

More Details >

Popping Sidebars and Widgets Light <= 1.27 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58853

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Popping Sidebars and Widgets Light

Researcher

Nguyen Xuan Chien

More Details >

Post SMTP <= 3.4.1 – Missing Authorization to Authenticated (Subscriber+) Limited Plugin Option Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-9219

Patch Status
Patched

Published
Sep 2, 2025

Affected Software
Post SMTP – WP SMTP Plugin with Email Logs and Mobile App for Failure Notifications – Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES and more

Researchers

Matteo Leonelli

David D.

More Details >

Product Carousel Slider for Elementor <= 2.1.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58816

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Product Carousel Slider for Elementor

Researcher

Peter Thaleikis

More Details >

Purge Varnish Cache <= 2.6 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58807

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Purge Varnish Cache

Researcher

Nguyen Xuan Chien

More Details >

Quick Event Calendar <= 1.4.9 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58861

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Quick Event Calendar

Researcher

Nguyen Xuan Chien

More Details >

Quick Paypal Payments <= 5.7.46 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-27003

Patch Status
Patched

Published
Sep 4, 2025

Affected Software
Quick Paypal Payments

Researcher

Nguyen Xuan Chien

More Details >

Responder <= 4.3.8 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58801

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Responder

Researcher

Nguyen Xuan Chien

More Details >

SaasLauncher <= 1.3.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58606

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
SaasLauncher

Researcher

Denver Jackson

More Details >

Shk Corporate <= 2.4.1.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58824

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Shk Corporate

Researcher

Martino Spagnuolo

More Details >

SimaCookie <= 1.3.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58869

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
SimaCookie

Researcher

Kévin Mosbahi (Mika)

More Details >

Simple Price Calculator <= 1.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58872

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Simple Price Calculator

Researcher

Kévin Mosbahi (Mika)

More Details >

SoftMe <= 1.1.24 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58817

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
SoftMe

Researcher

Martino Spagnuolo

More Details >

Table of content <= 1.5.3.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58857

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Table of content

Researcher

Nguyen Xuan Chien

More Details >

Tickera <= 3.5.5.6 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58611

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Tickera – WordPress Event Ticketing

Researcher

Nguyen Xuan Chien

More Details >

To Lead For Salesforce <= 2.7.3.9 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58809

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Brilliant Web-to-Lead for Salesforce

Researcher

Nguyen Xuan Chien

More Details >

TrustMate.io – WooCommerce integration <= 1.14.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58802

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
TrustMate.io – WooCommerce integration

Researcher

Nguyen Xuan Chien

More Details >

Ultimate AJAX Login <= 1.2.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58854

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Ultimate AJAX Login

Researcher

Nguyen Xuan Chien

More Details >

WN Flipbox Pro <= 2.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58847

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
WN Flipbox Pro

Researcher

Nguyen Xuan Chien

More Details >

Woocommerce Gifts Product <= 1.0.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58878

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Woocommerce Gifts Product

Researcher

Kévin Mosbahi (Mika)

More Details >

WooCommerce Single Page Checkout <= 1.2.7 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58804

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
WooCommerce Single Page Checkout

Researcher

Nguyen Xuan Chien

More Details >

WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and Schedule <= 2020.1.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58846

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and Schedule

Researcher

Nguyen Xuan Chien

More Details >

WordPress Error Monitoring by Bugsnag <= 1.6.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58806

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
WordPress Error Monitoring by Bugsnag

Researcher

Nguyen Xuan Chien

More Details >

WP Email Template <= 2.8.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58800

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
WP Email Template

Researcher

Nguyen Xuan Chien

More Details >

wpForo Forum <= 2.4.6 – Authenticated (Subscriber+) Insecure Direct Object Reference

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-58597

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
wpForo Forum

Researcher

Muhammad Zidan Ali Mansur

More Details >

Klarna Order Management for WooCommerce <= 1.9.8 – Authenticated (Shop Manager+) Information Disclosure via Log Files

2.7

CVSS Rating
Low (2.7)

CVE-ID
CVE-2025-58598

Patch Status
Patched

Published
Sep 3, 2025

Affected Software
Klarna Order Management for WooCommerce

Researcher

Ananda Dhakal

More Details >

Site Info <= 1.1 – Authenticated (Editor+) Information Exposure

2.7

CVSS Rating
Low (2.7)

CVE-ID
CVE-2025-58866

Patch Status
Unpatched

Published
Sep 5, 2025

Affected Software
Site Info

Researcher

Bao

More Details >