Wordfence Intelligence Weekly WordPress Vulnerability Report (December 15, 2025 to January 4, 2026)

Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.

Special Note: This week’s Wordfence Intelligence Weekly WordPress Vulnerability Report is an extended edition to cover the last few weeks in December over the holidays and the first week in January.

Over the past three weeks, there were 459 vulnerabilities disclosed in 390 WordPress Plugins and 29 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 95 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 32,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Muhammad Yudha – DJ	49
Nabil Irawan	44
Legion Hunter	35
Phat RiO – BlueRock	33
daroo	33
João Pedro S Alcântara (Kinorth)	21
Muhammad Nur Ibnu Hubab (Ibnu)	21
Athiwat Tiprasaharn (Jitlada)	20
benzdeus	11
Doan Dinh Van (DinhVan52)	10
Skalucy	10
shark3y	9
zaim	8
Marcin Dudek (dudekmar)	8
Nguyen Xuan Chien	8
Bonds	7
Peter Thaleikis	7
NumeX	7
Powpy	6
Tran Nguyen Bao Khanh	5
Jarno Vos (jarnovos)	4
Dmitrii Ignatyev	4
Zeeshan Haider	4
type5afe	4
Que Thanh Tuan – Blue Rock	3
zer0gh0st	3
Md. Moniruzzaman Prodhan (NomanProdhan)	3
Bao – BlueRock	3
Abdulsamad Yusuf (0xVenus)	3
Itthidej Aramsri (Boeing777)	3
Muhammad Zeeshan (Xib3rR4dAr)	3
Drew Webber (mcdruid)	3
Deadbee	2
afnaan	2
MD ISMAIL	2
HunSec	2
Trương Hữu Phúc (truonghuuphuc)	2
Tarcísio Luchesi(Poystick)	2
w41bu1	2
PPzzAArr	2
meghnine islem	2
Waris Damkham	2
Varakorn Chanthasri (iCreaM)	2
Peerapat Samatathanyakorn	2
Rooting	2
kr0d	2
Webbernaut	2
0xd4rk5id3	2
Nguyen Tran Tuan Dung (domiee13)	2
johska	2
Offensive Labs	1
stealthcopter	1
Asaf Mozes	1
Paolo Tresso	1
Mdr	1
Hieus	1
ch1mk	1
Lucas Montes (NiRoX)	1
Rafshanzani Suhada	1
Sopon Tangpathum (SoNaJaa)	1
wesley (wcraft)	1
Ahmed Rayen Ayari	1
Tiến Dũng Nguyễn	1
blue0x1	1
Supakiad S. (m3ez)	1
Ananda Dhakal	1
JongHwan Shin (zzzsleep)	1
bosz	1
Dieu Link	1
GCSC Vietnam	1
ISMAILSHADOW	1
tiborisaak	1
Arif Shaikh	1
Nguyen Truong (Roll)	1
シルAsuna	1
Myungju Kim	1
Boris Bogosavac	1
Certus Cybersecurity	1
LionTree	1
Ahmad Salem (a7mad.cc)	1
dayea song	1
Bhumividh Treloges	1
ChamlaVic	1
Denver Jackson	1
Tri Firdyanto (Firdy)	1
LVT-tholv2k	1
Sarawut Poolkhet (MisterHelloz)	1
Krissaphat Jankaew	1
Abu Hurayra (HurayraIIT)	1
Abhinav Jaswal (wrath_exe)	1
Rapid0nion	1
Arkadiusz Hydzik	1
timomangcut	1
LIM MINHYEOK	1
NosleeP++	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Branda – White Label & Branding, Free Login Page Customizer <= 3.4.24 – Unauthenticated Privilege Escalation via Account Takeover

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-14998

Patch Status
Patched

Published
Jan 1, 2026

Affected Software
Branda – White Label & Branding, Free Login Page Customizer

Researcher

Drew Webber (mcdruid)

More Details >

File Uploader for WooCommerce <= 1.0.3 – Unauthenticated Arbitrary File Upload via add-image-data

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-13329

Patch Status
Patched

Published
Dec 19, 2025

Affected Software
File Uploader for WooCommerce

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

More Details >

Flex Store Users <= 1.1.0 – Unauthenticated Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-13619

Patch Status
Unpatched

Published
Dec 19, 2025

Affected Software
Flex Store Users

Researcher

シルAsuna

More Details >

Fox LMS – WordPress LMS Plugin 1.0.4.7 – 1.0.5.1 – Unauthenticated Privilege Escalation via ‘createOrder’

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-14156

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Fox LMS – WordPress LMS Plugin

Researcher

kr0d

More Details >

Mobile builder <= 1.4.2 – Authentication Bypass

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-68860

Patch Status
Unpatched

Published
Dec 26, 2025

Affected Software
Mobile builder

Researcher

Jarno Vos (jarnovos)

More Details >

PhastPress <= 3.7 – Unauthenticated Arbitrary File Read via Null Byte Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-14388

Patch Status
Patched

Published
Dec 22, 2025

Affected Software
PhastPress

Researcher

shark3y

More Details >

Print Invoice & Delivery Notes for WooCommerce <= 5.8.0 – Unauthenticated Remote Code Execution

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-13773

Patch Status
Patched

Published
Dec 23, 2025

Affected Software
Print Invoice & Delivery Notes for WooCommerce

Researchers

shark3y

Marcin Dudek (dudekmar)

More Details >

Demo Importer Plus <= 2.0.8 – Missing Authorization to Authenticated (Subscriber+) Site Reset and Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-14364

Patch Status
Patched

Published
Dec 17, 2025

Affected Software
Demo Importer Plus

Researcher

shark3y

More Details >

IF AS Shortcode <= 1.2 – Authenticated (Contributor+) Remote Code Execution

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-68897

Patch Status
Unpatched

Published
Dec 25, 2025

Affected Software
IF AS Shortcode

Researcher

Drew Webber (mcdruid)

More Details >

MapSVG <= 8.7.3 – Authenticated (Contributor+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-68562

Patch Status
Patched

Published
Dec 24, 2025

Affected Software
MapSVG – Vector maps, Image maps, Google Maps

Researcher

stealthcopter

More Details >

Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 3.59.12 – Authenticated (Contributor+) Local File Inclusion via ‘template’

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-13641

Patch Status
Patched

Published
Dec 17, 2025

Affected Software
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Beaver Builder – WordPress Page Builder <= 2.9.4.1 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Update

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-12934

Patch Status
Patched

Published
Dec 22, 2025

Affected Software
Beaver Builder Page Builder – Drag and Drop Website Builder

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

CedCommerce Integration for Good Market <= 1.0.6 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-68877

Patch Status
Unpatched

Published
Dec 26, 2025

Affected Software
CedCommerce Integration for Good Market

Researcher

Nguyen Xuan Chien

More Details >

CookieHint WP <= 1.0.0 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-68870

Patch Status
Unpatched

Published
Dec 25, 2025

Affected Software
CookieHint WP

Researcher

Nguyen Xuan Chien

More Details >

Docket Cache <= 24.07.03 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-68506

Patch Status
Patched

Published
Dec 24, 2025

Affected Software
Docket Cache – Object Cache Accelerator

Researcher

Nguyen Xuan Chien

More Details >

Lekker <= 1.8 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-69034

Patch Status
Unpatched

Published
Dec 30, 2025

Affected Software
Lekker – Portfolio WordPress Theme

Researcher

Bonds

More Details >

Redirection for Contact Form 7 <= 3.2.7 – Unauthenticated Arbitrary File Copy via move_file_to_upload

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-14800

Patch Status
Patched

Published
Dec 20, 2025

Affected Software
Redirection for Contact Form 7

Researcher

LionTree

More Details >

WPCOM Member <= 1.7.16 – Authentication Bypass via Weak OTP

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-14002

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
WPCOM Member

Researcher

wesley (wcraft)

More Details >

WP JobHunt <= 7.7 – Missing Authorization to Authenticated (Candidate+) Stored Cross-Site Scripting via ‘status’

7.6

CVSS Rating
High (7.6)

CVE-ID
CVE-2025-7782

Patch Status
Unpatched

Published
Dec 20, 2025

Affected Software
WP JobHunt

Researcher

meghnine islem

More Details >

Aora <= 1.3.15 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-68985

Patch Status
Unpatched

Published
Dec 20, 2025

Affected Software
Aora – Home & Lifestyle Elementor WooCommerce Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Besa <= 2.3.15 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-67530

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Besa – Elementor Marketplace WooCommerce Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Booking Calendar <= 10.14.8 – Unauthenticated SQL Injection via dates_to_check

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-14383

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Booking Calendar

Researcher

Marcin Dudek (dudekmar)

More Details >

Bookory <= 2.2.7 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-68530

Patch Status
Patched

Published
Jan 1, 2026

Affected Software
bookory

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Cinerama – A WordPress Theme for Movie Studios and Filmmakers <= 2.4 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-68987

Patch Status
Unpatched

Published
Dec 20, 2025

Affected Software
Cinerama – A WordPress Theme for Movie Studios and Filmmakers

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Diza <= 1.3.15 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-68544

Patch Status
Patched

Published
Dec 23, 2025

Affected Software
Diza – Pharmacy Store Elementor WooCommerce Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Download Media Library <= 0.2.1 – Unauthenticated Sensitive Information Exposure

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-62114

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Download Media Library

Researcher

Nabil Irawan

More Details >

ekommart < 4.3.1 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-67525

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
ekommart – All-in-one eCommerce WordPress Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Fana <= 1.1.35 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-68540

Patch Status
Patched

Published
Dec 28, 2025

Affected Software
Fana – Fashion Shop WordPress Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Fashion < 5.3.0 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-67529

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Fashion – WooCommerce Responsive WordPress Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Greenmart <= 4.2.11 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-68983

Patch Status
Unpatched

Published
Dec 20, 2025

Affected Software
GreenMart – Organic & Food WooCommerce WordPress Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Hara <= 1.2.17 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-67532

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Hara – Beauty and Cosmetics Shop WooCommerce Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Hummingbird <= 3.18.0 – Unauthenticated Sensitive Information Exposure via Log File

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-14437

Patch Status
Patched

Published
Dec 17, 2025

Affected Software
Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN

Researcher

ISMAILSHADOW

More Details >

Live Composer – Free WordPress Website Builder <= 2.0.2 – Authenticated (Contributor+) PHP Object Injection via dslc_module_posts_output Shortcode

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-14071

Patch Status
Unpatched

Published
Dec 20, 2025

Affected Software
Live Composer – Free WordPress Website Builder

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

MAS Videos <= 1.3.2 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-62753

Patch Status
Unpatched

Published
Dec 30, 2025

Affected Software
MAS Videos

Researcher

Muhammad Yudha – DJ

More Details >

Nika <= 1.2.14 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-68546

Patch Status
Patched

Published
Dec 23, 2025

Affected Software
Nika – Medical Elementor WooCommerce Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Ninja Forms – The Contact Form Builder That Grows With You <= 3.13.2 – Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure via Unscoped Bearer Token

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-11924

Patch Status
Patched

Published
Dec 16, 2025

Affected Software
Ninja Forms – The Contact Form Builder That Grows With You

Researchers

Lucas Montes (NiRoX)

Marcin Dudek (dudekmar)

More Details >

Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX <= 5.0.3 – Missing Authorization to Unauthenticated Sensitive Information Exposure

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-12980

Patch Status
Patched

Published
Dec 20, 2025

Affected Software
Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX

Researcher

Marcin Dudek (dudekmar)

More Details >

Puca <= 2.6.39 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-68984

Patch Status
Unpatched

Published
Dec 20, 2025

Affected Software
Puca – Optimized Mobile WooCommerce Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Responsive Posts Carousel Pro <= 15.1 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-68996

Patch Status
Patched

Published
Dec 25, 2025

Affected Software
Responsive Posts Carousel WordPress Plugin

Researcher

Phat RiO – BlueRock

More Details >

Sailing < 4.4.6 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-67526

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
sailing

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Subscribe to Unlock Lite <= 1.3.0 – Authenticated (Subscriber+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-68563

Patch Status
Patched

Published
Dec 24, 2025

Affected Software
Subscribe to Unlock Lite – Opt In Content Locker Plugin for WordPress

Researcher

LVT-tholv2k

More Details >

Terms descriptions <= 3.4.9 – Unauthenticated Information Exposure

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-62139

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Terms descriptions

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

Urna <= 2.5.12 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-67528

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Urna – All-in-one WooCommerce WordPress Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Varnish/Nginx Proxy Caching <= 1.8.3 – Unauthenticated Information Exposure

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-62126

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Varnish/Nginx Proxy Caching

Researcher

Legion Hunter

More Details >

Wilmër < 3.5 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-67515

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Wilmër – Construction WordPress Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Zota <= 1.3.14 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-68537

Patch Status
Patched

Published
Dec 27, 2025

Affected Software
Zota – Elementor Multi-Purpose WooCommerce Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Advanced Ads <= 2.0.14 – Authenticated (Editor+) Remote Code Execution via Shortcode

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-13592

Patch Status
Patched

Published
Dec 29, 2025

Affected Software
Advanced Ads – Ad Manager & AdSense

Researcher

NosleeP++

More Details >

ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.4 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-9343

Patch Status
Patched

Published
Dec 20, 2025

Affected Software
ELEX WordPress HelpDesk & Customer Ticketing System

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player 2.4.0 – 2.5.1 – Unauthenticated Server-Side Request Forgery

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-13999

Patch Status
Patched

Published
Dec 18, 2025

Affected Software
HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player

Researcher

kr0d

More Details >

Kerge <= 4.1.3 – Unauthenticated Server-Side Request Forgery

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-67989

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Personal Portfolio Resume Theme | Kerge

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Lucky Wheel for WooCommerce – Spin a Sale <= 1.1.13 – Authenticated (Administrator+) PHP Code Injection via Conditional Tags

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-14509

Patch Status
Patched

Published
Dec 29, 2025

Affected Software
Lucky Wheel for WooCommerce – Spin a Sale

Researcher

Nguyen Truong (Roll)

More Details >

SlimStat Analytics <= 5.3.2 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-14151

Patch Status
Patched

Published
Dec 18, 2025

Affected Software
SlimStat Analytics

Researcher

Supakiad S. (m3ez)

More Details >

SureForms <= 2.2.0 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-14855

Patch Status
Patched

Published
Dec 20, 2025

Affected Software
SureForms – Contact Form, Payment Form & Other Custom Form Builder

Researcher

Tiến Dũng Nguyễn

More Details >

WordPress & WooCommerce Scraper Plugin, Import Data from Any WebSite. <= 1.0.7 – Unauthenticated Server-Side Request Forgery

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-62088

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
WordPress & WooCommerce Scraper Plugin, Import Data from Any WebSite.

Researcher

Bonds

More Details >

Youzify <= 1.3.5 – Authenticated (Subscriber+) Server-Side Request Forgery

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-69014

Patch Status
Unpatched

Published
Dec 27, 2025

Affected Software
Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress

Researcher

NumeX

More Details >

Easy Invoice <= 2.1.4 – Authenticated (Administrator+) Local File Inclusion

6.6

CVSS Rating
Medium (6.6)

CVE-ID
CVE-2025-66115

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Easy Invoice – PDF Invoice Generator & Quote Builder

Researcher

Tarcísio Luchesi(Poystick)

More Details >

Brands for WooCommerce <= 3.8.6.3 – Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-68519

Patch Status
Patched

Published
Dec 26, 2025

Affected Software
Brands for WooCommerce

Researcher

0xd4rk5id3

More Details >

BWL Pro Voting Manager <= 1.4.9 – Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-68990

Patch Status
Unpatched

Published
Dec 22, 2025

Affected Software
BWL Pro Voting Manager

Researcher

Phat RiO – BlueRock

More Details >

Fancy Product Designer | WooCommerce WordPress <= 6.4.8 – Unauthenticated Server-Side Request Forgery via Race Condition

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-13231

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Fancy Product Designer

Researcher

Muhammad Zeeshan (Xib3rR4dAr)

More Details >

MailerLite – WooCommerce integration <= 3.1.3 – Missing Authorization to Data Deletion

6.5

CVSS Rating
Medium (6.5)

CVE-ID
Unknown

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
MailerLite – WooCommerce integration

Researcher

shark3y

More Details >

Tablesome <= 1.1.35.1 – Authenticated (Subscriber+) Information Exposure

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-68516

Patch Status
Patched

Published
Dec 22, 2025

Affected Software
Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent

Researcher

daroo

More Details >

WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) <= 4.0.1 – Missing Authorization to Unauthenticated Plugin’s Settings Disclosure And Modification

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-13880

Patch Status
Patched

Published
Dec 16, 2025

Affected Software
WP Social Ninja – Embed Social Feeds, User Reviews & Chat Widgets

Researcher

shark3y

More Details >

WPBulky <= 1.1.13 – Authenticated (Author+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-68550

Patch Status
Patched

Published
Dec 23, 2025

Affected Software
WPBulky – WordPress Bulk Edit Post Types

Researcher

benzdeus

More Details >

6Storage Rentals <= 2.20.0 – Authenticated (Subscriber+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-67623

Patch Status
Unpatched

Published
Dec 20, 2025

Affected Software
6Storage Rentals

Researcher

Jarno Vos (jarnovos)

More Details >

Academy LMS <= 3.4.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-68527

Patch Status
Patched

Published
Dec 30, 2025

Affected Software
Academy LMS – WordPress LMS Plugin for Complete eLearning Solution

Researcher

Muhammad Yudha – DJ

More Details >

Add Custom Codes <= 4.80 – Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62149

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Add Custom Codes – Insert Header, Footer, Custom PHP Snippets, CSS, Javascript

Researcher

Certus Cybersecurity

More Details >

Add Featured Image Custom Link <= 2.0.0 – Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62119

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Add Featured Image Custom Link

Researcher

Nabil Irawan

More Details >

AdWords Conversion Tracking Code <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62118

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
AdWords Conversion Tracking Code

Researcher

Muhammad Yudha – DJ

More Details >

Audiomack <= 1.4.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49357

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Audiomack

Researcher

Jarno Vos (jarnovos)

More Details >

Auto Listings <= 2.7.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-69089

Patch Status
Patched

Published
Dec 30, 2025

Affected Software
Auto Listings – Car Listings & Car Dealership Plugin for WordPress

Researcher

Muhammad Yudha – DJ

More Details >

BA Book Everything <= 1.8.14 – Authenticated (Contributor+) Stored Cross-Site Scripting via babe-search-form Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14449

Patch Status
Patched

Published
Dec 18, 2025

Affected Software
BA Book Everything

Researcher

Muhammad Yudha – DJ

More Details >

Blog Filter <= 1.7.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-69033

Patch Status
Patched

Published
Dec 29, 2025

Affected Software
Blog Filter Post Filtering

Researcher

Muhammad Yudha – DJ

More Details >

Bold Timeline Lite <= 1.2.7 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-68513

Patch Status
Patched

Published
Dec 27, 2025

Affected Software
Bold Timeline Lite

Researcher

zaim

More Details >

Bootstrap Modals <= 1.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62095

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Bootstrap Modals

Researcher

Muhammad Yudha – DJ

More Details >

BuddyPress Activity Shortcode <= 1.1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62760

Patch Status
Patched

Published
Dec 31, 2025

Affected Software
BuddyPress Activity Shortcode

Researcher

Muhammad Yudha – DJ

More Details >

BWL Knowledge Base Manager <= 1.6.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-68992

Patch Status
Unpatched

Published
Dec 22, 2025

Affected Software
BWL Knowledge Base Manager

Researcher

Phat RiO – BlueRock

More Details >

BWL Pro Voting Manager <= 1.4.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-68991

Patch Status
Unpatched

Published
Dec 22, 2025

Affected Software
BWL Pro Voting Manager

Researcher

Phat RiO – BlueRock

More Details >

Calendar <= 1.3.16 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘event_desc’

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14548

Patch Status
Patched

Published
Dec 22, 2025

Affected Software
Calendar

Researcher

Hieus

More Details >

Calendar.online / Kalender.digital <= 1.0.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62752

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Calendar.online / Kalender.digital – Plugin

Researcher

Muhammad Yudha – DJ

More Details >

CC Child Pages <= 2.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘child_pages’ Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13608

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
CC Child Pages

Researcher

Muhammad Yudha – DJ

More Details >

Colibri Page Builder <= 1.0.345 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-11747

Patch Status
Patched

Published
Dec 18, 2025

Affected Software
Colibri Page Builder

Researcher

Abu Hurayra (HurayraIIT)

More Details >

Combo Offers WooCommerce <= 4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-69088

Patch Status
Patched

Published
Dec 30, 2025

Affected Software
Combo Offers WooCommerce

Researcher

Muhammad Yudha – DJ

More Details >

Consulting <= 1.5.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-63032

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Consulting

Researcher

Peter Thaleikis

More Details >

Content Fetcher <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-49358

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Content Fetcher

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Curator.io <= 1.9.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62742

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Curator.io

Researcher

Jarno Vos (jarnovos)

More Details >

Custom Background Changer <= 3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62125

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Custom Background Changer

Researcher

Muhammad Yudha – DJ

More Details >

Custom Field Template <= 2.7.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-68607

Patch Status
Unpatched

Published
Dec 24, 2025

Affected Software
Custom Field Template

Researcher

Muhammad Yudha – DJ

More Details >

DesignThemes Core <= 1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-68978

Patch Status
Unpatched

Published
Dec 17, 2025

Affected Software
DesignThemes Core

Researcher

Phat RiO – BlueRock

More Details >

DesignThemes Portfolio Addon <= 1.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-68977

Patch Status
Unpatched

Published
Dec 17, 2025

Affected Software
DesignThemes Portfolio Addon

Researcher

Phat RiO – BlueRock

More Details >

Elementor <= 3.33.3 – Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Text Path

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-11220

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Elementor Website Builder – More Than Just a Page Builder

Researcher

Asaf Mozes

More Details >

Embed Any Document <= 2.7.10 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-12885

Patch Status
Patched

Published
Dec 17, 2025

Affected Software
Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files

Researcher

Muhammad Yudha – DJ

More Details >

Essential Addons for Elementor – Popular Elementor Templates & Widgets <= 6.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13977

Patch Status
Patched

Published
Dec 16, 2025

Affected Software
Essential Addons for Elementor – Popular Elementor Templates & Widgets

Researcher

Webbernaut

More Details >

Events Manager <= 7.2.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘events_list_grouped’ Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-12976

Patch Status
Patched

Published
Dec 17, 2025

Affected Software
Events Manager – Calendar, Bookings, Tickets, and more!

Researcher

Muhammad Yudha – DJ

More Details >

Extra Shortcodes <= 2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62111

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Extra Shortcodes

Researcher

Muhammad Yudha – DJ

More Details >

Featured Video for WordPress – VideographyWP <= 1.0.18 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62746

Patch Status
Patched

Published
Dec 30, 2025

Affected Software
Featured Video for WordPress – VideographyWP

Researcher

Muhammad Yudha – DJ

More Details >

FlippingBook <= 2.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-69019

Patch Status
Unpatched

Published
Dec 28, 2025

Affected Software
FlippingBook

Researcher

Muhammad Yudha – DJ

More Details >

FluentAuth – Auth Security Plugin <= 2.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘fluent_auth_reset_password’ Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13728

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
FluentAuth – The Ultimate Authorization & Security Plugin for WordPress

Researcher

Muhammad Yudha – DJ

More Details >

Free Shipping Bar: Amount Left for Free Shipping for WooCommerce <= 2.4.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-68528

Patch Status
Patched

Published
Dec 30, 2025

Affected Software
Free Shipping Bar: Amount Left for Free Shipping for WooCommerce

Researcher

Muhammad Yudha – DJ

More Details >

Funnelforms Free <= 3.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62758

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Researcher

Muhammad Yudha – DJ

More Details >

Genemy <= 1.6.6 – Authenticated (Subscriber+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-59138

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Genemy – Creative Minimal Landing Page Builder for Digital Startup Design Studio Agency in Marketing

Researcher

Tran Nguyen Bao Khanh

More Details >

Happy Addons for Elementor <= 3.20.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14635

Patch Status
Patched

Published
Dec 22, 2025

Affected Software
Happy Addons for Elementor

Researcher

zer0gh0st

More Details >

Image Photo Gallery Final Tiles Grid <= 3.6.8 – Authenticated (Author+) Stored Cross-Site Scripting via ‘Custom Scripts’ Setting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13693

Patch Status
Patched

Published
Dec 20, 2025

Affected Software
Image Photo Gallery Final Tiles Grid

Researchers

Athiwat Tiprasaharn (Jitlada)

Itthidej Aramsri (Boeing777)

Powpy

Waris Damkham

Varakorn Chanthasri (iCreaM)

Peerapat Samatathanyakorn

More Details >

JetSearch <= 3.5.16 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-68504

Patch Status
Patched

Published
Dec 30, 2025

Affected Software
JetSearch

Researcher

Bonds

More Details >

JetTabs <= 2.2.12 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-68499

Patch Status
Patched

Published
Dec 30, 2025

Affected Software
JetTabs

Researcher

Bonds

More Details >

Jobs for WordPress <= 2.7.17 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-68597

Patch Status
Unpatched

Published
Dec 22, 2025

Affected Software
Job Postings

Researcher

Muhammad Yudha – DJ

More Details >

Knowledge Base documentation & wiki plugin – BasePress <= 2.17.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62761

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Knowledge Base documentation & wiki plugin – BasePress Docs

Researcher

Muhammad Yudha – DJ

More Details >

LearnPress – WordPress LMS Plugin <= 4.3.1 – Authenticated (Subscriber+) Stored Cross-Site Scripting via get_profile_social

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14387

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
LearnPress – WordPress LMS Plugin

Researcher

Arkadiusz Hydzik

More Details >

Link Library <= 7.8.5 – Authenticated (Contributor+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-68600

Patch Status
Unpatched

Published
Dec 24, 2025

Affected Software
Link Library

Researcher

Krissaphat Jankaew

More Details >

Live Composer – Free WordPress Website Builder <= 2.0.2 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13537

Patch Status
Unpatched

Published
Dec 16, 2025

Affected Software
Live Composer – Free WordPress Website Builder

Researcher

Webbernaut

More Details >

Livemesh Addons for Beaver Builder <= 3.9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62990

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Livemesh Addons for Beaver Builder

Researcher

Peter Thaleikis

More Details >

Maximum Products per User for WooCommerce <= 4.4.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62096

Patch Status
Patched

Published
Dec 31, 2025

Affected Software
Maximum Products per User for WooCommerce

Researcher

Muhammad Yudha – DJ

More Details >

Melos <= 1.6.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62136

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Melos

Researcher

Peter Thaleikis

More Details >

Membership Plugin – Restrict Content <= 3.2.15 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14000

Patch Status
Patched

Published
Dec 22, 2025

Affected Software
Membership Plugin – Restrict Content

Researcher

Muhammad Yudha – DJ

More Details >

Minamaze <= 1.10.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62991

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Minamaze

Researcher

Peter Thaleikis

More Details >

ModelTheme Addons for WPBakery and Elementor < 1.5.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-68532

Patch Status
Patched

Published
Dec 17, 2025

Affected Software
ModelTheme Addons for WPBakery and Elementor

Researcher

Phat RiO – BlueRock

More Details >

MX Time Zone Clocks <= 5.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62146

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
MX Time Zone Clocks

Researcher

Nabil Irawan

More Details >

MyBookTable Bookstore <= 3.5.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62743

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
MyBookTable Bookstore by Stormhill Media

Researcher

Muhammad Yudha – DJ

More Details >

Newsletters <= 4.12 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-69020

Patch Status
Unpatched

Published
Dec 28, 2025

Affected Software
Newsletters

Researcher

Muhammad Yudha – DJ

More Details >

OpenID Connect Generic Client <= 3.10.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13730

Patch Status
Patched

Published
Dec 17, 2025

Affected Software
OpenID Connect Generic Client

Researcher

Muhammad Yudha – DJ

More Details >

Page Builder: Live Composer <= 2.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-68598

Patch Status
Unpatched

Published
Dec 22, 2025

Affected Software
Live Composer – Free WordPress Website Builder

Researcher

Muhammad Yudha – DJ

More Details >

Page Title Splitter <= 2.5.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62744

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Page Title Splitter

Researcher

Muhammad Yudha – DJ

More Details >

Post Grid and Gutenberg Blocks <= 2.3.21 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-68605

Patch Status
Unpatched

Published
Dec 21, 2025

Affected Software
Post Grid

Researcher

Muhammad Yudha – DJ

More Details >

Post Signature <= 0.4.1 – Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62124

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
WP Post Signature

Researcher

Nabil Irawan

More Details >

Postie <= 1.9.73 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-63020

Patch Status
Patched

Published
Dec 31, 2025

Affected Software
Postie

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Real 3D FlipBook <= 4.11.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-68512

Patch Status
Patched

Published
Dec 22, 2025

Affected Software
Real 3D Flipbook – 3D FlipBook, PDF FlipBook, PDF Viewer, PDF Embedder

Researcher

Muhammad Yudha – DJ

More Details >

RegistrationMagic <= 6.0.6.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘RM_Forms’ Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13610

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login

Researcher

Muhammad Yudha – DJ

More Details >

Responsive Block Control <= 1.2.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62135

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Responsive Block Control – Hide blocks based on display width

Researcher

Peter Thaleikis

More Details >

Responsive Posts Carousel Pro <= 15.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-68548

Patch Status
Patched

Published
Dec 23, 2025

Affected Software
Responsive Posts Carousel WordPress Plugin

Researcher

Phat RiO – BlueRock

More Details >

RestroPress <= 3.2.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-69017

Patch Status
Unpatched

Published
Dec 27, 2025

Affected Software
RestroPress – Online Food Ordering System

Researcher

zaim

More Details >

SEO Slider <= 1.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62097

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
SEO Slider

Researcher

Muhammad Yudha – DJ

More Details >

Series <= 2.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62759

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Series

Researcher

Muhammad Yudha – DJ

More Details >

Sermon Manager <= 2.30.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-63000

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Sermon Manager

Researcher

zaim

More Details >

Shuttle <= 1.5.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62137

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Shuttle

Researcher

Peter Thaleikis

More Details >

Text Slider Widget <= 1.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-68868

Patch Status
Unpatched

Published
Dec 25, 2025

Affected Software
Wp Text Slider Widget

Researcher

Nguyen Xuan Chien

More Details >

The Moneytizer <= 10.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62756

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
The Moneytizer

Researcher

Muhammad Yudha – DJ

More Details >

Themify Portfolio Post <= 1.3.0 – Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-67533

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Themify Portfolio Post

Researcher

Muhammad Yudha – DJ

More Details >

ThirstyAffiliates <= 3.11.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-67537

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin

Researcher

Muhammad Yudha – DJ

More Details >

Tooltips <= 10.8.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-63005

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Tooltips for WordPress

Researcher

zaim

More Details >

Ultimate Member <= 2.11.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13220

Patch Status
Patched

Published
Dec 20, 2025

Affected Software
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Researcher

Muhammad Yudha – DJ

More Details >

Ultimate Member <= 2.11.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting via ‘value’

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13217

Patch Status
Patched

Published
Dec 16, 2025

Affected Software
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Researcher

tiborisaak

More Details >

User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin <= 4.4.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13367

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin

Researcher

Muhammad Yudha – DJ

More Details >

User Specific Content <= 1.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62749

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
User Specific Content

Researcher

Muhammad Yudha – DJ

More Details >

UseStrict’s Calendly Embedder <= 1.1.7.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-67555

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
UseStrict’s Calendly Embedder

Researcher

Nabil Irawan

More Details >

Valenti Engine <= 1.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-63021

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Valenti Engine

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Visitor Statistics (Real Time Traffic) <= 8.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-67983

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
WP Visitor Statistics (Real Time Traffic)

Researcher

Muhammad Yudha – DJ

More Details >

VK Google Job Posting Manager <= 1.2.22 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-68070

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
VK Google Job Posting Manager

Researcher

Nabil Irawan

More Details >

WBC907 Core <= 3.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-63027

Patch Status
Patched

Published
Dec 30, 2025

Affected Software
907 – Responsive Multi-Purpose WordPress Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

WC Builder <= 1.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-68533

Patch Status
Patched

Published
Dec 27, 2025

Affected Software
WC Builder – WooCommerce Page Builder for WPBakery

Researcher

zaim

More Details >

Web and WooCommerce Addons for WPBakery Builder <= 1.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62748

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Web and WooCommerce Addons for WPBakery Builder

Researcher

Muhammad Yudha – DJ

More Details >

Web Directory Free <= 1.7.12 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-69018

Patch Status
Patched

Published
Dec 28, 2025

Affected Software
Web Directory Free

Researcher

Muhammad Yudha – DJ

More Details >

WebMan Amplifier <= 1.5.12 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62757

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
WebMan Amplifier

Researcher

Muhammad Yudha – DJ

More Details >

WishSuite <= 1.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘button_text’ Shortcode Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13838

Patch Status
Patched

Published
Dec 20, 2025

Affected Software
WishSuite – Wishlist for WooCommerce

Researcher

zaim

More Details >

WP Import – Ultimate CSV XML Importer for WordPress <= 7.35 – Authenticated (Contributor+) Server-Side Request Forgery via Bitly Shortlink Bypass

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14627

Patch Status
Patched

Published
Jan 1, 2026

Affected Software
WP Import – Ultimate CSV XML Importer for WordPress

Researchers

Dieu Link

GCSC Vietnam

More Details >

WP Recipe Maker <= 10.2.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14385

Patch Status
Patched

Published
Dec 16, 2025

Affected Software
WP Recipe Maker

Researcher

Abhinav Jaswal (wrath_exe)

More Details >

WP-ShowHide <= 1.05 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-67541

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
WP-ShowHide

Researcher

Muhammad Yudha – DJ

More Details >

WPBakery Visual Composer WHMCS Elements <= 1.0.4.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-68574

Patch Status
Unpatched

Published
Dec 17, 2025

Affected Software
Innovs WPBakery Visual Composer WHMCS Elements

Researcher

Nabil Irawan

More Details >

WPCal.io <= 0.9.5.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-66103

Patch Status
Patched

Published
Dec 30, 2025

Affected Software
WPCal.io – Easy Meeting Scheduler

Researcher

Peter Thaleikis

More Details >

XStore Core < 5.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-64190

Patch Status
Patched

Published
Dec 30, 2025

Affected Software
XStore Core

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Yada Wiki <= 3.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-66094

Patch Status
Patched

Published
Dec 30, 2025

Affected Software
Yada Wiki

Researcher

Muhammad Yudha – DJ

More Details >

YouTube Embed <= 5.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-68599

Patch Status
Unpatched

Published
Dec 22, 2025

Affected Software
Embeds for YouTube

Researcher

Muhammad Yudha – DJ

More Details >

Advanced Custom CSS <= 1.1.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-68878

Patch Status
Unpatched

Published
Dec 26, 2025

Affected Software
Advanced Custom CSS

Researcher

Nguyen Xuan Chien

More Details >

Attachments Handler <= 1.1.7 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-12581

Patch Status
Unpatched

Published
Dec 19, 2025

Affected Software
Attachments Handler

Researcher

johska

More Details >

Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.10.2 – Unauthenticated Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-14154

Patch Status
Patched

Published
Dec 16, 2025

Affected Software
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss

Researcher

zer0gh0st

More Details >

Content Grid Slider <= 1.5 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-68879

Patch Status
Unpatched

Published
Dec 25, 2025

Affected Software
Content Grid Slider

Researcher

Nguyen Xuan Chien

More Details >

Five Star Restaurant Reservations – WordPress Booking Plugin <= 2.7.5 – Unauthenticated Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-11496

Patch Status
Patched

Published
Dec 20, 2025

Affected Software
Five Star Restaurant Reservations – WordPress Booking Plugin

Researcher

zer0gh0st

More Details >

HTML Forms – Simple WordPress Forms Plugin <= 1.6.0 – Unauthenticated Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-13861

Patch Status
Patched

Published
Dec 16, 2025

Affected Software
HTML Forms – Simple WordPress Forms Plugin

Researcher

Itthidej Aramsri (Boeing777)

More Details >

Invelity SPS connect <= 1.0.8 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-68876

Patch Status
Unpatched

Published
Dec 26, 2025

Affected Software
Invelity SPS connect

Researcher

Nguyen Xuan Chien

More Details >

Overstock Affiliate Links <= 1.1 – Reflected Cross-Site Scripting via $_SERVER[‘PHP_SELF’]

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-13624

Patch Status
Unpatched

Published
Dec 19, 2025

Affected Software
Overstock Affiliate Links

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

Product Table for WooCommerce <= 5.0.8 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-12398

Patch Status
Patched

Published
Dec 20, 2025

Affected Software
Product Table for WooCommerce

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

WP Hallo Welt <= 1.4. – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-13365

Patch Status
Unpatched

Published
Dec 19, 2025

Affected Software
WP Hallo Welt

Researcher

johska

More Details >

Fancy Product Designer | WooCommerce WordPress <= 6.4.8 – Unauthenticated Information Disclosure via ‘url’ Parameter

5.9

CVSS Rating
Medium (5.9)

CVE-ID
CVE-2025-13439

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Fancy Product Designer

Researcher

Muhammad Zeeshan (Xib3rR4dAr)

More Details >

Directorist <= 8.5.6 – Unauthenticated Open Redirect

5.8

CVSS Rating
Medium (5.8)

CVE-ID
CVE-2025-64250

Patch Status
Unpatched

Published
Dec 15, 2025

Affected Software
Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings

Researcher

daroo

More Details >

Responsive and Swipe slider <= 1.0.2 – Authenticated (Editor+) Stored Cross-Site Scripting via Shortcode

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2025-14721

Patch Status
Unpatched

Published
Dec 19, 2025

Affected Software
RESPONSIVE AND SWIPE SLIDER!

Researcher

Bhumividh Treloges

More Details >

Amazon affiliate lite Plugin <= 1.0.0 – Cross-Site Request Forgery to Plugin Settings Update

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-14734

Patch Status
Unpatched

Published
Dec 19, 2025

Affected Software
Amazon affiliate lite Plugin

Researcher

afnaan

More Details >

FiboSearch – Ajax Search for WooCommerce <= 1.32.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via thegem_te_search Shortcode

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-14298

Patch Status
Patched

Published
Dec 19, 2025

Affected Software
FiboSearch – Ajax Search for WooCommerce

Researcher

zaim

More Details >

Image Photo Gallery Final Tiles Grid <= 3.6.7 – Missing Authorization to Authenticated (Contributor+) Gallery Management

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-14455

Patch Status
Patched

Published
Dec 18, 2025

Affected Software
Image Photo Gallery Final Tiles Grid

Researcher

JongHwan Shin (zzzsleep)

More Details >

Addonify <= 2.0.4 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68578

Patch Status
Unpatched

Published
Dec 22, 2025

Affected Software
Addonify – Quick View For WooCommerce

Researcher

Legion Hunter

More Details >

Advanced PDF <= 1.1.7 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-62138

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
WP Advanced PDF

Researcher

NumeX

More Details >

AI Copilot <= 1.4.7 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-62116

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
AI Copilot – ChatGPT Chatbot & AI Engine for Post Automation

Researcher

Nabil Irawan

More Details >

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.16 – Missing Authorization to Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-13754

Patch Status
Patched

Published
Dec 18, 2025

Affected Software
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

Researcher

Marcin Dudek (dudekmar)

More Details >

Arcane <= 3.6.6 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-69031

Patch Status
Unpatched

Published
Dec 29, 2025

Affected Software
Arcane – The Gaming Community Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

BBP Core <= 1.4.1 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68572

Patch Status
Patched

Published
Dec 24, 2025

Affected Software
Forumax – Advanced Community Forum Plugin

Researcher

daroo

More Details >

Bit Assist <= 1.5.11 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68596

Patch Status
Patched

Published
Dec 19, 2025

Affected Software
Chat Widget: Floating Customer Support Button for 30+ Channels, Supporting SMS, Calls, and Chat – Bit Assist

Researcher

NumeX

More Details >

Booking calendar, Appointment Booking System <= 3.2.30 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67574

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Booking calendar, Appointment Booking System

Researcher

Legion Hunter

More Details >

BoomDevs WordPress Coming Soon <= 1.0.4 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-62083

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
BoomDevs WordPress Coming Soon Plugin

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Brave <= 0.8.3 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68508

Patch Status
Patched

Published
Dec 23, 2025

Affected Software
Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content

Researcher

daroo

More Details >

Claspo – Popups, Spin the Wheel & Email Capture <= 1.0.7 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68568

Patch Status
Unpatched

Published
Dec 17, 2025

Affected Software
Claspo – Popups, Spin the Wheel & Email Capture

Researcher

Legion Hunter

More Details >

Cooked <= 1.11.2 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68586

Patch Status
Unpatched

Published
Dec 24, 2025

Affected Software
Cooked – Recipe Management

Researcher

Legion Hunter

More Details >

Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent <= 4.0.7 – Missing Authorization to Unauthenticated Arbitrary Post Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14061

Patch Status
Patched

Published
Dec 16, 2025

Affected Software
Cookie Banner for GDPR / CCPA – WPLP Cookie Consent

Researcher

shark3y

More Details >

Cookie Notice for GDPR, CCPA & ePrivacy Consent <= 4.0.3 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-66080

Patch Status
Patched

Published
Dec 30, 2025

Affected Software
Cookie Banner for GDPR / CCPA – WPLP Cookie Consent

Researcher

Legion Hunter

More Details >

Cookie Notice for GDPR, CCPA & ePrivacy Consent <= 4.0.7 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-66133

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Cookie Banner for GDPR / CCPA – WPLP Cookie Consent

Researcher

Legion Hunter

More Details >

CubeWP <= 1.1.27 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68036

Patch Status
Patched

Published
Dec 26, 2025

Affected Software
CubeWP Framework

Researcher

MD ISMAIL

More Details >

DesignThemes LMS Addon <= 2.6 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68982

Patch Status
Unpatched

Published
Dec 18, 2025

Affected Software
DesignThemes LMS Addon

Researcher

Phat RiO – BlueRock

More Details >

DMCA Protection Badge <= 2.2.0 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-62145

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
DMCA Protection Badge

Researcher

Nabil Irawan

More Details >

Document Library Lite <= 1.1.7 – Unauthenticated Insecure Direct Object Reference

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67985

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Document Library Lite

Researcher

Zeeshan Haider

More Details >

dokan pro <= 4.1.3 – Missing Authorization to Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-12809

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Dokan Pro

Researcher

Ahmed Rayen Ayari

More Details >

E-Invoice App Malaysia <= 1.3.0 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68988

Patch Status
Unpatched

Published
Dec 21, 2025

Affected Software
EInvoice App Malaysia

Researcher

Rapid0nion

More Details >

Easy Form Builder <= 3.8.20 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67577

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Easy Form Builder by WhiteStudio — Drag & Drop Form Builder

Researcher

daroo

More Details >

EasyTest <= 1.0.1 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-63031

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
EasyTest – Simplify A/B Testing

Researcher

Legion Hunter

More Details >

Export Categories & Taxonomies <= 1.0.3 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-62079

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
WP Export Categories & Taxonomies

Researcher

Legion Hunter

More Details >

F70 Lead Document Download <= 1.4.4 – Missing Authorization to Unauthenticated Arbitrary Media File Download

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14633

Patch Status
Unpatched

Published
Dec 19, 2025

Affected Software
F70 Lead Document Download

Researcher

ChamlaVic

More Details >

Fancy Product Designer | WooCommerce WordPress <= 6.4.8 – Unauthenticated Full Path Disclosure via ‘pdf’ Parameter

5.3

CVSS Rating
Medium (5.3)

CVE-ID
Unknown

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Fancy Product Designer

Researcher

Muhammad Zeeshan (Xib3rR4dAr)

More Details >

FAPI Member <= 2.2.29 – Unauthenticated Insecure Direct Object Reference

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-66132

Patch Status
Unpatched

Published
Dec 15, 2025

Affected Software
FAPI Member

Researcher

NumeX

More Details >

Featured Image Generator <= 1.3.3 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-62747

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Featured Image Generator

Researcher

Legion Hunter

More Details >

Flowbox <= 1.1.5 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-49338

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Flowbox

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

Frontend Post Submission Manager Lite <= 1.2.5 – Missing Authorization to Unauthenticated Arbitrary Post Modification

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14080

Patch Status
Patched

Published
Dec 20, 2025

Affected Software
Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

More Details >

Frontend Post Submission Manager Lite <= 1.2.6 – Incorrect Authorization to Unauthenticated Arbitrary Attachment Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14913

Patch Status
Patched

Published
Dec 25, 2025

Affected Software
Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

More Details >

Funnelforms Free <= 3.8 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68582

Patch Status
Unpatched

Published
Dec 25, 2025

Affected Software
Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free

Researcher

Legion Hunter

More Details >

FV Simpler SEO <= 1.9.6 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68579

Patch Status
Patched

Published
Dec 22, 2025

Affected Software
FV Simpler SEO

Researcher

Legion Hunter

More Details >

Gerencianet Oficial <= 3.1.3 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-59136

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Efí Bank

Researcher

Legion Hunter

More Details >

Google Calendar Events <= 3.5.9 – Unauthenticated Insecure Direct Object Reference

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68979

Patch Status
Unpatched

Published
Dec 18, 2025

Affected Software
Simple Calendar – Google Calendar Plugin

Researcher

Doan Dinh Van (DinhVan52)

More Details >

GS Portfolio for Envato <= 1.4.2 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-62755

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
GS Portfolio for Envato

Researcher

Legion Hunter

More Details >

H5P <= 1.16.1 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68505

Patch Status
Patched

Published
Dec 28, 2025

Affected Software
Interactive Content – H5P

Researcher

Bao – BlueRock

More Details >

HAPPY <= 1.0.9 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68556

Patch Status
Patched

Published
Dec 23, 2025

Affected Software
HAPPY – Helpdesk Support Ticket System

Researcher

benzdeus

More Details >

Highlight and Share <= 5.2.0 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67586

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Highlight and Share – Social Text and Image Sharing

Researcher

Zeeshan Haider

More Details >

HomeFix Elementor Portfolio <= 1.0.1 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68981

Patch Status
Unpatched

Published
Dec 18, 2025

Affected Software
HomeFix Elementor Portfolio

Researcher

Phat RiO – BlueRock

More Details >

Hotel Booking <= 3.8 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-63001

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Hotel Booking

Researcher

benzdeus

More Details >

JetFormBuilder <= 3.5.3 – Missing Authorization to Unauthenticated Form Generation

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-11991

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
JetFormBuilder — Dynamic Blocks Form Builder

Researcher

Tri Firdyanto (Firdy)

More Details >

LearnPress – WordPress LMS Plugin <= 4.3.1 – Missing Authorization to Unauthenticated Orders Statistics Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-13956

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
LearnPress – WordPress LMS Plugin

Researcher

Sarawut Poolkhet (MisterHelloz)

More Details >

Live Shopping & Shoppable Videos For WooCommerce <= 2.2.0 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-62081

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Live Shopping & Shoppable Videos For WooCommerce

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

Master Addons for Elementor <= 2.0.9.9.4 – Unauthenticated Insecure Direct Object Reference

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-63053

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Master Addons For Elementor – White Label, Free Widgets, Hover Effects, Conditions, & Animations

Researcher

Mdr

More Details >

Medical Equipment eCommerce WordPress Theme <= 1.0.9 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-69009

Patch Status
Unpatched

Published
Dec 26, 2025

Affected Software
Medical Equipment eCommerce WordPress Theme

Researcher

Phat RiO – BlueRock

More Details >

Membership For WooCommerce <= 3.0.3 – Unauthenticated Insecure Direct Object Reference

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67909

Patch Status
Patched

Published
Dec 24, 2025

Affected Software
Membership For WooCommerce – WordPress Membership Plugin, Restrict Content, Build Online Communities, Paywall & Content Dripping

Researcher

timomangcut

More Details >

MyD Delivery <= 1.3.7 – Unauthenticated Insecure Direct Object Reference

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-49334

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
MyD Delivery

Researcher

Powpy

More Details >

OneSignal – Web Push Notifications <= 3.6.1 – Missing Authorization to Unauthenticated Plugin Settings Update

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-13950

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
OneSignal – Web Push Notifications

Researcher

Marcin Dudek (dudekmar)

More Details >

Pixel Manager for WooCommerce <= 1.51.1 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67564

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more

Researcher

Bao – BlueRock

More Details >

PixelYourSite <= 11.1.5 – Sensitive Information Exposure via Log File

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14280

Patch Status
Patched

Published
Dec 29, 2025

Affected Software
PixelYourSite – Your smart PIXEL (TAG) & API Manager

Researcher

Marcin Dudek (dudekmar)

More Details >

Poll, Survey & Quiz Maker Plugin by Opinion Stage <= 19.12.2 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68594

Patch Status
Unpatched

Published
Dec 22, 2025

Affected Software
Poll, Survey & Quiz Maker Plugin by Opinion Stage

Researcher

daroo

More Details >

PostX <= 5.0.3 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68606

Patch Status
Patched

Published
Dec 21, 2025

Affected Software
Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX

Researcher

Doan Dinh Van (DinhVan52)

More Details >

Premium Addons for Elementor <= 4.11.53 – Missing Authorization to Unauthenticated Sensitive Information Exposure via ‘get_template_content’

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14155

Patch Status
Patched

Published
Dec 22, 2025

Affected Software
Premium Addons for Elementor – Powerful Elementor Templates & Widgets

Researcher

Dmitrii Ignatyev

More Details >

Pretty Google Calendar <= 2.0.0 – Missing Authorization to Unauthenticated Google API Key Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-12898

Patch Status
Patched

Published
Dec 19, 2025

Affected Software
Pretty Google Calendar

Researcher

Ahmad Salem (a7mad.cc)

More Details >

Product Loops for WooCommerce <= 2.1.2 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68994

Patch Status
Unpatched

Published
Dec 23, 2025

Affected Software
Product Loops for WooCommerce

Researcher

Phat RiO – BlueRock

More Details >

Protect WP Admin <= 4.1 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-64249

Patch Status
Unpatched

Published
Dec 15, 2025

Affected Software
Protect WP Admin

Researcher

Legion Hunter

More Details >

QuadLayers TikTok Feed <= 4.6.4 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-63016

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
QuadLayers TikTok Feed

Researcher

Legion Hunter

More Details >

Realbig <= 1.1.3 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-62147

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Realbig For WordPress

Researcher

Nabil Irawan

More Details >

RestroPress <= 3.2.4.2 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-62129

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
RestroPress – Online Food Ordering System

Researcher

daroo

More Details >

Reuters Direct <= 3.0.0 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-49349

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Reuters Direct

Researcher

Nabil Irawan

More Details >

Sailing < 4.4.6 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67573

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Sailing

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

SALESmanago <= 3.9.0 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68571

Patch Status
Patched

Published
Dec 24, 2025

Affected Software
SALESmanago & Leadoo

Researcher

Legion Hunter

More Details >

Share, Print and PDF Products for WooCommerce <= 3.1.2 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68993

Patch Status
Unpatched

Published
Dec 23, 2025

Affected Software
Share, Print and PDF Products for WooCommerce

Researcher

Phat RiO – BlueRock

More Details >

Simple Like Page <= 1.5.3 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-63022

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Simple Like Page Plugin

Researcher

Legion Hunter

More Details >

Simple Link Directory <= 8.8.3 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67576

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Simple Link Directory

Researcher

daroo

More Details >

Sitewide Notice WP <= 2.4.1 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67575

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Sitewide Notice WP

Researcher

Legion Hunter

More Details >

Sober <= 3.5.11 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67567

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Sober

Researcher

Phat RiO – BlueRock

More Details >

Tainacan <= 1.0.1 – Missing Authorization to Unauthenticated Arbitrary Metadata Section Creation

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14043

Patch Status
Patched

Published
Dec 20, 2025

Affected Software
Tainacan

Researcher

Deadbee

More Details >

Telegram Widget and Join Link <= 2.2.12 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68589

Patch Status
Unpatched

Published
Dec 22, 2025

Affected Software
WP Telegram Widget and Join Link

Researcher

Legion Hunter

More Details >

Themebeez Toolkit <= 1.3.5 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-69010

Patch Status
Unpatched

Published
Dec 26, 2025

Affected Software
Themebeez Toolkit

Researcher

Legion Hunter

More Details >

Trash Duplicate and 301 Redirect <= 1.9.1 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-62122

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Trash Duplicate and 301 Redirect

Researcher

Nabil Irawan

More Details >

TrueBooker <= 1.1.0 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67581

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Appointment Booking and Scheduler Plugin – Truebooker

Researcher

daroo

More Details >

Twitch Player <= 2.1.3 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68565

Patch Status
Unpatched

Published
Dec 19, 2025

Affected Software
Twitch Player

Researcher

Legion Hunter

More Details >

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin <= 2.11.0 – Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-12492

Patch Status
Patched

Published
Dec 19, 2025

Affected Software
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

User Extra Fields <= 16.8 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67579

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
WordPress User Extra Fields

Researcher

Phat RiO – BlueRock

More Details >

User Submitted Posts <= 20251121 – Unauthenticated Open Redirect

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68509

Patch Status
Patched

Published
Jan 1, 2026

Affected Software
User Submitted Posts – Enable Users to Submit Posts from the Front End

Researcher

benzdeus

More Details >

Userpro <= 5.1.9 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68608

Patch Status
Unpatched

Published
Dec 25, 2025

Affected Software
UserPro – Community and User Profile WordPress Plugin

Researcher

Ananda Dhakal

More Details >

Wappointment <=2.7.2 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68575

Patch Status
Unpatched

Published
Dec 21, 2025

Affected Software
Appointment Bookings for Zoom GoogleMeet and more – Wappointment

Researcher

daroo

More Details >

Wawp <= 4.0.5 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-62141

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Wawp – Order Notifications, OTP Login, Checkout Verifications and Country Code

Researcher

Legion Hunter

More Details >

Wbcom Designs <= 2.1.1 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67582

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Wbcom Designs – Private Community for BuddyPress

Researcher

NumeX

More Details >

WeDesignTech Portfolio <= 1.0.2 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68980

Patch Status
Unpatched

Published
Dec 18, 2025

Affected Software
WeDesignTech Portfolio

Researcher

Phat RiO – BlueRock

More Details >

weForms <= 1.6.25 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-69028

Patch Status
Patched

Published
Dec 29, 2025

Affected Software
weForms – Easy Drag & Drop Contact Form Builder For WordPress

Researcher

Doan Dinh Van (DinhVan52)

More Details >

Widgets for Social Photo Feed <= 1.7.7 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68595

Patch Status
Unpatched

Published
Dec 23, 2025

Affected Software
Widgets for Social Photo Feed

Researcher

NumeX

More Details >

Wiremo <= 1.4.99 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-62092

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Wiremo – Product Reviews for WooCommerce

Researcher

Legion Hunter

More Details >

WP User Frontend <= 4.2.4 – Missing Authorization to Unauthenticated Arbitrary Attachment Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14047

Patch Status
Patched

Published
Jan 1, 2026

Affected Software
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration

Researcher

shark3y

More Details >

wpDiscuz <= 7.6.42 – Unauthenticated Insecure Direct Object Reference

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68997

Patch Status
Unpatched

Published
Dec 25, 2025

Affected Software
Comments – wpDiscuz

Researcher

Doan Dinh Van (DinhVan52)

More Details >

WpStream <= 4.9.5 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68521

Patch Status
Patched

Published
Dec 29, 2025

Affected Software
WpStream – Live Streaming, Video on Demand, Pay Per View

Researcher

Que Thanh Tuan – Blue Rock

More Details >

Yaad Sarig Payment Gateway For WC <= 2.2.10 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-66131

Patch Status
Unpatched

Published
Dec 15, 2025

Affected Software
Yaad Sarig Payment Gateway For WC

Researcher

Nabil Irawan

More Details >

Appointify <= 1.0.8 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-59129

Patch Status
Unpatched

Published
Dec 30, 2025

Affected Software
Appointify

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

Captivate Sync <= 3.2.2 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-68570

Patch Status
Unpatched

Published
Dec 21, 2025

Affected Software
Captivate Sync

Researcher

w41bu1

More Details >

Integration for Contact Form 7 HubSpot <= 1.4.2 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-68590

Patch Status
Patched

Published
Dec 25, 2025

Affected Software
Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms

Researcher

Offensive Labs

More Details >

Newsletter <= 9.0.9 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-67999

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Newsletter – Send awesome emails from WordPress

Researcher

Doan Dinh Van (DinhVan52)

More Details >

Ninja Tables <= 5.2.3 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-67519

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Ninja Tables – Easy Data Table Builder

Researcher

w41bu1

More Details >

User Feedback <= 1.10.0 – Authenticated (Editor+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-68496

Patch Status
Patched

Published
Dec 22, 2025

Affected Software
User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds

Researcher

daroo

More Details >

Zephyr Project Manager <= 3.3.203 – Authenticated (Custom+) Arbitrary File Read And Server-Side Request Forgery

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-12496

Patch Status
Patched

Published
Dec 16, 2025

Affected Software
Zephyr Project Manager

Researcher

type5afe

More Details >

Accept Donations with PayPal <= 1.5.2 – Unauthenticated Open Redirect

4.7

CVSS Rating
Medium (4.7)

CVE-ID
CVE-2025-68602

Patch Status
Unpatched

Published
Dec 25, 2025

Affected Software
Accept Donations with PayPal & Stripe

Researcher

Legion Hunter

More Details >

Accessibility Press <= 1.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-49355

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Accessibility Press

Researcher

HunSec

More Details >

AM Events <= 1.13.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-69006

Patch Status
Unpatched

Published
Dec 26, 2025

Affected Software
AM Events

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

Amazon affiliate lite Plugin <= 1.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-14735

Patch Status
Unpatched

Published
Dec 19, 2025

Affected Software
Amazon affiliate lite Plugin

Researcher

afnaan

More Details >

Astra Widgets <= 1.2.16 – Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-68497

Patch Status
Patched

Published
Dec 28, 2025

Affected Software
Astra Widgets

Researcher

benzdeus

More Details >

Basticom Framework <= 1.5.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-67629

Patch Status
Unpatched

Published
Dec 21, 2025

Affected Software
Basticom Framework

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

Behance Portfolio Manager <= 1.7.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-59135

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Behance Portfolio Manager

Researcher

Nguyen Tran Tuan Dung (domiee13)

More Details >

Category Icon <= 1.0.2 – Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-68525

Patch Status
Patched

Published
Dec 25, 2025

Affected Software
Category Icon

Researcher

Nabil Irawan

More Details >

Cooked <= 1.11.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-62989

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Cooked – Recipe Management

Researcher

ch1mk

More Details >

Dashboard Beacon <= 1.2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-49337

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Dashboard Beacon

Researcher

HunSec

More Details >

Document Library Lite <= 1.1.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-67986

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Document Library Lite

Researcher

Zeeshan Haider

More Details >

Draft Notify <= 1.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-67627

Patch Status
Unpatched

Published
Dec 21, 2025

Affected Software
Draft Notify

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

eBay Product Feeds <= 3.4.9 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-67557

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
WP eBay Product Feeds

Researcher

Tarcísio Luchesi(Poystick)

More Details >

Gift Hunt <= 2.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-67631

Patch Status
Unpatched

Published
Dec 24, 2025

Affected Software
Gift Hunt

Researcher

LIM MINHYEOK

More Details >

Google AdSense for Responsive Design – GARD <= 2.23 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-67632

Patch Status
Unpatched

Published
Dec 21, 2025

Affected Software
Google AdSense for Responsive Design – GARD

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

Greenhouse Job Board <= 2.7.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-67633

Patch Status
Unpatched

Published
Dec 21, 2025

Affected Software
Greenhouse Job Board

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

Inboxify Sign Up Form <= 1.0.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-69008

Patch Status
Unpatched

Published
Dec 26, 2025

Affected Software
Inboxify Sign Up Form

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

Locatoraid Store Locator <= 3.9.65 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-62140

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Locatoraid Store Locator

Researcher

Zeeshan Haider

More Details >

Logo Slider , Logo Carousel , Logo showcase , Client Logo <= 1.8.1 – Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-62121

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Logo Slider , Logo Carousel , Logo showcase , Client Logo

Researcher

Nabil Irawan

More Details >

Multi-Step Checkout for WooCommerce <= 2.33 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-67542

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Multi-Step Checkout for WooCommerce

Researcher

benzdeus

More Details >

My auctions allegro <= 3.6.33 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-68566

Patch Status
Unpatched

Published
Dec 17, 2025

Affected Software
My auctions allegro

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

Popping Sidebars and Widgets Light <= 1.27 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-69007

Patch Status
Unpatched

Published
Dec 26, 2025

Affected Software
Popping Sidebars and Widgets Light

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

Post Video Players <= 1.163 – Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-62142

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Cincopa video and media plug-in

Researcher

Nabil Irawan

More Details >

Rencontre <= 3.13.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-67558

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Rencontre – Dating Site

Researcher

Myungju Kim

More Details >

Review Disclaimer <= 2.0.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-67628

Patch Status
Unpatched

Published
Dec 21, 2025

Affected Software
Review Disclaimer

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

WC Builder <= 1.2.0 – Authenticated (Shop Manager+) Stored Cross-Site Scripting via ‘heading_color’ Shortcode Attribute

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-14054

Patch Status
Patched

Published
Dec 20, 2025

Affected Software
WC Builder – WooCommerce Page Builder for WPBakery

Researcher

zaim

More Details >

WH Tweaks <= 1.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-67630

Patch Status
Patched

Published
Dec 21, 2025

Affected Software
WH Tweaks

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

WooCommerce Parcelas <= 1.3.5 – Authenticated (Shop manager+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-62750

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
WooCommerce Parcelas

Researcher

Muhammad Yudha – DJ

More Details >

Accordion Slider Gallery <= 2.7 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62130

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Accordion Slider Gallery

Researcher

Nabil Irawan

More Details >

Add Custom Codes <= 4.80 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62108

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Add Custom Codes – Insert Header, Footer, Custom PHP Snippets, CSS, Javascript

Researcher

Nabil Irawan

More Details >

Admin and Site Enhancements (ASE) <= 8.0.8 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-64255

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Admin and Site Enhancements (ASE)

Researcher

daroo

More Details >

Adminify <= 4.0.6.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68593

Patch Status
Patched

Published
Dec 18, 2025

Affected Software
WP Adminify – White Label WordPress, Admin Menu Editor, Login Customizer

Researcher

daroo

More Details >

Adminify <= 4.0.6.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68592

Patch Status
Patched

Published
Dec 18, 2025

Affected Software
WP Adminify – White Label WordPress, Admin Menu Editor, Login Customizer

Researcher

daroo

More Details >

Advanced Classifieds & Directory Pro <= 3.2.9 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68580

Patch Status
Patched

Published
Dec 24, 2025

Affected Software
Advanced Classifieds & Directory Pro

Researcher

Nabil Irawan

More Details >

AI Content Writing Assistant (Content Writer, ChatGPT, Image Generator) All in One <= 1.1.7 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62154

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
AI Content Writing Assistant

Researcher

NumeX

More Details >

All in One Accessibility <= 1.14 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-63004

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
All in One Accessibility

Researcher

Legion Hunter

More Details >

Animation Addons for Elementor <= 2.4.5 – Authenticated (Contributor+) Arbitrary Content Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-67540

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates

Researcher

Denver Jackson

More Details >

AnyComment <= 0.3.6 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62874

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
AnyComment

Researcher

Rooting

More Details >

Appender <= 1.1.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-66150

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Appender – Copycat Content Protection for WordPress

Researcher

Phat RiO – BlueRock

More Details >

Appointify <= 1.0.8 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-59130

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Appointify

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

Attachments <= 5.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62888

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
WP Attachments

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Auto Featured Image <= 4.2.1 – Missing Authorization to Authenticated (Contributor+) Post Thumbnail Modification

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13794

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Auto Featured Image (Auto Post Thumbnail)

Researcher

Dmitrii Ignatyev

More Details >

Backpack Traveler <= 2.10.3 – Authenticated (Subscriber+) Insecure Direct Object Reference

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69030

Patch Status
Unpatched

Published
Dec 29, 2025

Affected Software
Backpack Traveler – Modern Travel Blog WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Behance Portfolio Manager <= 1.7.5 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-59137

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Behance Portfolio Manager

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

BizPrint <= 4.6.7 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69024

Patch Status
Patched

Published
Dec 29, 2025

Affected Software
Print Anywhere & Create PDFs of Order Receipts, Invoices, Labels & More.

Researcher

daroo

More Details >

Business Directory <= 6.4.19 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-64630

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Business Directory Plugin – Easy Listing Directories for WordPress

Researcher

daroo

More Details >

Chakra test <= 1.0.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68557

Patch Status
Patched

Published
Dec 23, 2025

Affected Software
Chakra test

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Co-marquage service-public.fr <= 0.5.77 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62113

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Co-marquage service-public.fr

Researcher

Nabil Irawan

More Details >

Conformer for Elementor <= 1.0.7 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-66148

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Contact Form 7 styler for Elementor – Conformer

Researcher

Phat RiO – BlueRock

More Details >

Contact Form 7 Extension For Mailchimp <= 0.9.54 – Authenticated (Contributor+) Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68989

Patch Status
Unpatched

Published
Dec 21, 2025

Affected Software
Connect Contact Form 7 and Mailchimp

Researcher

Bao – BlueRock

More Details >

Contact Form Widget <= 1.5.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62134

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Contact Form Widget

Researcher

Nabil Irawan

More Details >

Converter for Media <= 6.3.2 – Missing Authorization to Authenticated (Subscriber+) Optimized Image Deletion via regenerate-attachment REST Endpoint

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13750

Patch Status
Patched

Published
Dec 16, 2025

Affected Software
Converter for Media – Optimize images | Convert WebP & AVIF

Researcher

Marcin Dudek (dudekmar)

More Details >

Core Web Vitals & PageSpeed Booster <= 1.0.27 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62144

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Core Web Vitals & PageSpeed Booster

Researcher

Nabil Irawan

More Details >

Countdowner for Elementor <= 1.0.4 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-66151

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Countdowner – Countdown Timer for Elementor

Researcher

Phat RiO – BlueRock

More Details >

Couponer for Elementor <= 1.1.7 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-66154

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Couponer – Discount Coupons for Elementor

Researcher

Phat RiO – BlueRock

More Details >

Criptopayer for Elementor <= 1.0.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-66152

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Criptopayer – Crypto Payment Button for Elementor

Researcher

Phat RiO – BlueRock

More Details >

Crowdsignal Forms <= 1.7.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69015

Patch Status
Unpatched

Published
Dec 27, 2025

Affected Software
Crowdsignal Forms

Researcher

Doan Dinh Van (DinhVan52)

More Details >

Custom Admin Interface <= 7.40 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-63038

Patch Status
Patched

Published
Dec 31, 2025

Affected Software
WP Custom Admin Interface

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Custom Post Status <= 1.1.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68885

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Custom Post Status

Researcher

Skalucy

More Details >

Custom Style <= 1.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49342

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Custom Style

Researcher

Skalucy

More Details >

CWW Companion <= 1.3.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-67473

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
CWW Companion

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Direct Payments WP <= 1.3.0 – Authenticated (Subscriber+) Sensitive Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49340

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Direct Payments WP

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Direct Payments WP <= 1.3.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49339

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Direct Payments WP

Researcher

Powpy

More Details >

Discussion Board <= 2.5.7 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69023

Patch Status
Unpatched

Published
Dec 28, 2025

Affected Software
Discussion Board – WordPress Forum Plugin

Researcher

Nabil Irawan

More Details >

Document Revisions <= 3.7.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68585

Patch Status
Patched

Published
Dec 25, 2025

Affected Software
WP Document Revisions

Researcher

Nabil Irawan

More Details >

Download Manager <= 3.3.32 – Missing Authorization to Authenticated (Subscriber+) Media Attachment Password Disclosure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13498

Patch Status
Patched

Published
Dec 17, 2025

Affected Software
Download Manager

Researcher

type5afe

More Details >

Download Plugins and Themes from Dashboard <= 1.9.6 – Cross-Site Request Forgery to Bulk Plugin/Theme Archival

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14399

Patch Status
Patched

Published
Dec 16, 2025

Affected Software
Download Plugins and Themes in ZIP from Dashboard

Researcher

bosz

More Details >

Easy Digital Downloads <= 3.6.2 – Unvalidated Redirect in Password Reset Flow via edd_redirect

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14783

Patch Status
Patched

Published
Dec 30, 2025

Affected Software
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy

Researcher

shark3y

More Details >

Easy Upload Files During Checkout <= 3.0.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62078

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Easy Upload Files During Checkout

Researcher

Legion Hunter

More Details >

EasyIndex <= 1.1.1704 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62117

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
EasyIndex

Researcher

Nabil Irawan

More Details >

Editorial Calendar <= 3.8.8 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68603

Patch Status
Unpatched

Published
Dec 20, 2025

Affected Software
Editorial Calendar

Researcher

Doan Dinh Van (DinhVan52)

More Details >

Eight Day Week Print Workflow <= 1.2.5 – Authenticated (Custom+) Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-67621

Patch Status
Patched

Published
Dec 21, 2025

Affected Software
Eight Day Week Print Workflow

Researcher

PPzzAArr

More Details >

Email Capture <= 3.12.5 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68529

Patch Status
Patched

Published
Dec 31, 2025

Affected Software
Email Marketing Plugin – WP Email Capture

Researcher

Arif Shaikh

More Details >

Essential Blocks <= 5.7.2 – Missing Authorization To Authenticated (Author+) Information Disclosure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-11369

Patch Status
Patched

Published
Dec 16, 2025

Affected Software
Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns

Researcher

Dmitrii Ignatyev

More Details >

Event Organiser <= 3.12.8 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69012

Patch Status
Unpatched

Published
Dec 27, 2025

Affected Software
Event Organiser

Researcher

Doan Dinh Van (DinhVan52)

More Details >

Everest Backup <= 2.3.9 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62992

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin

Researcher

0xd4rk5id3

More Details >

Evergreen Post Tweeter <= 1.8.9 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-67622

Patch Status
Unpatched

Published
Dec 18, 2025

Affected Software
Evergreen Post Tweeter

Researcher

Skalucy

More Details >

Fast User Switching <= 1.4.10 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68583

Patch Status
Unpatched

Published
Dec 25, 2025

Affected Software
Fast User Switching

Researcher

Nabil Irawan

More Details >

FileBird – WordPress Media Library Folders & File Manager <= 6.5.1 – Missing Authorization to Authenticated (Author+) Global Folders Tampering

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-12900

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
FileBird – WordPress Media Library Folders & File Manager

Researcher

type5afe

More Details >

Five Star Restaurant Reservations <= 2.7.8 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68601

Patch Status
Patched

Published
Dec 24, 2025

Affected Software
Five Star Restaurant Reservations – WordPress Booking Plugin

Researcher

benzdeus

More Details >

FiveStar <= 1.7 – Authenticated (Subscriber+) Insecure Direct Object Reference

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69032

Patch Status
Unpatched

Published
Dec 29, 2025

Affected Software
FiveStar – Hotel Booking WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

FormFacade <= 1.4.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62133

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
FormFacade – Embed Google Forms in your website

Researcher

Nabil Irawan

More Details >

GiveWP <= 4.13.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-67467

Patch Status
Patched

Published
Dec 23, 2025

Affected Software
GiveWP – Donation Plugin and Fundraising Platform

Researcher

Drew Webber (mcdruid)

More Details >

Gmail SMTP <= 1.0.7 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62123

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
WP Gmail SMTP

Researcher

Nabil Irawan

More Details >

Gmaper for Elementor <= 1.0.9 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-66158

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Google Maps for Elementor

Researcher

Phat RiO – BlueRock

More Details >

Gmedia Photo Gallery <= 1.24.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-63014

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Gmedia Photo Gallery

Researcher

daroo

More Details >

Graphist <= 1.2.10 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-66160

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Graphist – Graphs & Charts for Elementor

Researcher

Phat RiO – BlueRock

More Details >

Gutenverse Form <= 2.3.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68511

Patch Status
Patched

Published
Dec 20, 2025

Affected Software
Gutenverse Form – Contact Form Builder, Booking, Reservation, Subscribe for Block Editor

Researcher

daroo

More Details >

Headinger for Elementor <= 1.1.4 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-66153

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Customizable heading for Elementor

Researcher

Phat RiO – BlueRock

More Details >

Heateor Social Login <= 1.1.39 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68998

Patch Status
Unpatched

Published
Dec 26, 2025

Affected Software
Heateor Social Login WordPress

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Hide Plugins <= 1.0.4 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62115

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Hide Plugins

Researcher

Nabil Irawan

More Details >

History Timeline <= 1.0.6 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62150

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
History Timeline for Biography, Company History & Event Timeline

Researcher

Legion Hunter

More Details >

HR Management Lite <= 3.5 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69022

Patch Status
Unpatched

Published
Dec 28, 2025

Affected Software
HR Management Lite

Researcher

benzdeus

More Details >

HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.3 – Authenticated (Subscriber+) Insecure Direct Object Reference via ‘woof_add_subscr’

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13110

Patch Status
Patched

Published
Dec 17, 2025

Affected Software
HUSKY – Products Filter Professional for WooCommerce

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Image Caption Hover Pro < 20.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-67562

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Image Caption Hover Pro

Researcher

Phat RiO – BlueRock

More Details >

Image Gallery – Photo Grid & Video Gallery <= 2.13.3 – Missing Authorization to Authenticated (Author+) Arbitrary Gallery Modification

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14003

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Modula Image Gallery – Photo Grid & Video Gallery

Researchers

Athiwat Tiprasaharn (Jitlada)

Itthidej Aramsri (Boeing777)

Powpy

Waris Damkham

Varakorn Chanthasri (iCreaM)

Peerapat Samatathanyakorn

Sopon Tangpathum (SoNaJaa)

More Details >

Import into Easy Property Listings <= 2.2.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62112

Patch Status
Patched

Published
Dec 30, 2025

Affected Software
Import into Easy Property Listings

Researcher

Nabil Irawan

More Details >

iNext Woo Pincode Checker <= 2.3.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62084

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
iNext Woo Pincode Checker

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

JetBlog <= 2.4.7 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68503

Patch Status
Patched

Published
Dec 30, 2025

Affected Software
JetBlog

Researcher

Bonds

More Details >

JetPopup <= 2.0.20.1 – Authenticated (Contributor+) Insecure Direct Object Reference

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68502

Patch Status
Patched

Published
Dec 30, 2025

Affected Software
JetPopup

Researcher

Bonds

More Details >

JetTabs <= 2.2.12 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68498

Patch Status
Patched

Published
Dec 30, 2025

Affected Software
JetTabs

Researcher

Bonds

More Details >

Listdom <= 5.0.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-67560

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
AI-Powered Business Directory and Classified Ads Listings – Listdom

Researcher

daroo

More Details >

Live Shopping & Shoppable Videos For WooCommerce <= 2.2.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62080

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Live Shopping & Shoppable Videos For WooCommerce

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

Logger for Elementor <= 1.0.9 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-66146

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Changelog & Custom List for Elementor

Researcher

Phat RiO – BlueRock

More Details >

Meks Quick Plugin Disabler <= 1.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68083

Patch Status
Unpatched

Published
Dec 15, 2025

Affected Software
Meks Quick Plugin Disabler

Researcher

Nabil Irawan

More Details >

Mergado Pack <= 4.2.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62089

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Mergado Pack

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

My auctions allegro <= 3.6.33 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68567

Patch Status
Unpatched

Published
Dec 17, 2025

Affected Software
My auctions allegro

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

My Calendar <= 3.6.16 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-67592

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
My Calendar – Accessible Event Manager

Researcher

Doan Dinh Van (DinhVan52)

More Details >

My Sticky Elements <= 2.3.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68995

Patch Status
Patched

Published
Dec 25, 2025

Affected Software
All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements

Researcher

daroo

More Details >

My Sticky Elements <= 2.3.3 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Bulk Lead Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14428

Patch Status
Patched

Published
Dec 31, 2025

Affected Software
All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements

Researcher

shark3y

More Details >

myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program <= 2.9.7.1 – Missing Authorization to Sensitive Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-12361

Patch Status
Patched

Published
Dec 18, 2025

Affected Software
myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program.

Researcher

Rafshanzani Suhada

More Details >

Noindex by Path <= 1.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49353

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Noindex by Path

Researcher

Skalucy

More Details >

OpenHook <= 4.3.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62120

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
OpenHook

Researcher

Nabil Irawan

More Details >

Order Cancellation & Returns for WooCommerce <= 1.1.10 – Authenticated (Subscriber+) Insecure Direct Object Reference

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49352

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Order Cancellation & Returns for WooCommerce

Researcher

Powpy

More Details >

Orders Chat for WooCommerce <= 1.2.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49356

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Orders Chat for WooCommerce

Researcher

Powpy

More Details >

Pardakht Delkhah <= 3.0.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62101

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
پلاگین پرداخت دلخواه

Researcher

Nabil Irawan

More Details >

Photo Block <= 1.5.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-64254

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Photo Block – A Modern Image Block With Lightbox and Caption Support

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Plugin Optimizer <= 1.3.7 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68861

Patch Status
Unpatched

Published
Dec 25, 2025

Affected Software
Plugin Optimizer – Speed Up Your WordPress Like Never Before

Researcher

Legion Hunter

More Details >

Poptics <= 1.0.20 – Authenticated (Contributor+) Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69025

Patch Status
Patched

Published
Dec 29, 2025

Affected Software
Poptics – Popup Builder, Email Opt-ins, Exit-Intent & WooCommerce Popups Sales

Researcher

daroo

More Details >

Popup box <= 6.0.7 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69021

Patch Status
Patched

Published
Dec 28, 2025

Affected Software
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups

Researcher

Doan Dinh Van (DinhVan52)

More Details >

PopupKit <= 2.2.1 – Authenticated (Subscriber+) Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69026

Patch Status
Unpatched

Published
Dec 29, 2025

Affected Software
Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers

Researcher

daroo

More Details >

Portfolio Gallery <= 1.4.8 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62098

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Portfolio Gallery – Responsive Image Gallery

Researcher

Nabil Irawan

More Details >

Post Snippets <= 4.0.11 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-63040

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Post Snippets – Custom WordPress Code Snippets Customizer

Researcher

Nabil Irawan

More Details >

Post Video Players <= 1.163 – Authenticated (Contributor+) Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62143

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Cincopa video and media plug-in

Researcher

Nabil Irawan

More Details >

Premium Addons for Elementor <= 4.11.53 – Cross-Site Request Forgery via ‘insert_inner_template’

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14163

Patch Status
Patched

Published
Dec 22, 2025

Affected Software
Premium Addons for Elementor – Powerful Elementor Templates & Widgets

Researcher

Dmitrii Ignatyev

More Details >

Prime Slider – Addons for Elementor <= 4.0.9 – Authenticated (Subscriber+) Server-Side Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14277

Patch Status
Patched

Published
Dec 17, 2025

Affected Software
Prime Slider – Addons for Elementor

Researcher

Deadbee

More Details >

Product Delivery Date for WooCommerce – Lite <= 3.2.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69027

Patch Status
Unpatched

Published
Dec 29, 2025

Affected Software
Product Delivery Date for WooCommerce – Lite

Researcher

Legion Hunter

More Details >

Project Manager <= 3.0.1 – Authenticated (Subscriber+) Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68040

Patch Status
Unpatched

Published
Dec 26, 2025

Affected Software
Project Manager – AI-Powered Project & Task Manager with Kanban Board & Gantt Chart

Researcher

MD ISMAIL

More Details >

Questionar for Elementor <= 1.1.7 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-66155

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Questionar – FAQ Accordions for Elementor

Researcher

Phat RiO – BlueRock

More Details >

Quran Gateway <= 1.5 – Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14164

Patch Status
Unpatched

Published
Dec 19, 2025

Affected Software
Quran Gateway

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

Read More & Accordion <= 3.5.5.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-64247

Patch Status
Unpatched

Published
Dec 15, 2025

Affected Software
Read More & Accordion

Researcher

Legion Hunter

More Details >

Recent Posts From Each Category <= 1.4 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49354

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Recent Posts From Each Category

Researcher

Skalucy

More Details >

Request a Quote <= 2.5.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-64248

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Request a Quote Form Plugin – Price Quote Request Management Made Easy

Researcher

Legion Hunter

More Details >

Robots.txt rewrite <= 1.6.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62148

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Robots.txt rewrite

Researcher

Nabil Irawan

More Details >

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.2 – Missing Authorization to Authenticated (Contributor+) Authors’ Emails Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13741

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Semrush Content Toolkit <= 1.1.32 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68082

Patch Status
Unpatched

Published
Dec 15, 2025

Affected Software
Semrush Content Toolkit

Researcher

Nabil Irawan

More Details >

SensitiveTagCloud <= 1.4.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49344

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
SensitiveTagCloud

Researcher

Skalucy

More Details >

Serial Codes Generator and Validator with WooCommerce Support <= 2.8.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62091

Patch Status
Patched

Published
Dec 31, 2025

Affected Software
Serial Codes Generator and Validator with WooCommerce Support

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Shortcodes and extra features for Phlox <= 2.17.14 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69016

Patch Status
Unpatched

Published
Dec 27, 2025

Affected Software
Shortcodes and extra features for Phlox theme

Researcher

Legion Hunter

More Details >

Signature Add-On for Gravity Forms <= 1.8.6 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62099

Patch Status
Patched

Published
Dec 31, 2025

Affected Software
Signature Add-On for Gravity Forms

Researcher

Nabil Irawan

More Details >

Simple Archive Generator <= 5.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49346

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Simple Archive Generator

Researcher

Skalucy

More Details >

Simple File List <= 6.1.16 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68591

Patch Status
Unpatched

Published
Dec 25, 2025

Affected Software
Simple File List

Researcher

daroo

More Details >

Simple Folio <= 1.1.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-64256

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Simple Folio

Researcher

Skalucy

More Details >

Simple Keyword to Link <= 1.5 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68573

Patch Status
Unpatched

Published
Dec 17, 2025

Affected Software
Simple Keyword to Link

Researcher

Nabil Irawan

More Details >

Simple Link Directory <= 8.8.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-67465

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Simple Link Directory

Researcher

daroo

More Details >

SiteLock Security <= 5.0.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62128

Patch Status
Patched

Published
Dec 30, 2025

Affected Software
SiteLock Security – WP Hardening, Login Security & Malware Scans

Researcher

Legion Hunter

More Details >

Sliper for Elementor <= 1.0.10 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-66157

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Sliper – Full-screen Slider for Elementor

Researcher

Phat RiO – BlueRock

More Details >

Social Profilr <= 1.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49343

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Social Profilr

Researcher

Skalucy

More Details >

Sticky Notes for WP Dashboard <= 1.2.4 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62087

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Sticky Notes for WP Dashboard

Researcher

Legion Hunter

More Details >

Stratum Widgets for Elementor <= 1.6.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69013

Patch Status
Patched

Published
Dec 27, 2025

Affected Software
Stratum Widgets for Elementor

Researcher

benzdeus

More Details >

Strong Testimonials <= 3.2.18 – Missing Authorization to Authenticated (Contributor+) Rating Meta Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14426

Patch Status
Patched

Published
Dec 29, 2025

Affected Software
Strong Testimonials

Researcher

type5afe

More Details >

Struktur <= 2.5.1 – Authenticated (Subscriber+) Insecure Direct Object Reference

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69029

Patch Status
Unpatched

Published
Dec 29, 2025

Affected Software
Struktur – Creative Agency WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Sunshine Photo Cart <= 3.5.7.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68535

Patch Status
Patched

Published
Dec 30, 2025

Affected Software
Sunshine Photo Cart: Free Client Photo Galleries for Photographers

Researcher

Que Thanh Tuan – Blue Rock

More Details >

Sweet Energy Efficiency <= 1.0.6 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Graph Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14618

Patch Status
Patched

Published
Dec 17, 2025

Affected Software
Sweet Energy Efficiency

Researcher

Paolo Tresso

More Details >

Tablesome <= 1.1.35.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68517

Patch Status
Patched

Published
Dec 22, 2025

Affected Software
Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent

Researcher

daroo

More Details >

Tasty Recipes Lite <= 1.1.5 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62132

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Tasty Recipes Lite

Researcher

daroo

More Details >

Tasty Recipes Lite <= 1.1.5 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62131

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Tasty Recipes Lite

Researcher

daroo

More Details >

Time Slots Booking Form <= 1.2.39 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68569

Patch Status
Patched

Published
Dec 20, 2025

Affected Software
WP Time Slots Booking Form

Researcher

daroo

More Details >

TS Poll <= 2.5.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68588

Patch Status
Unpatched

Published
Dec 22, 2025

Affected Software
TS Poll – Survey, Versus Poll, Image Poll, Video Poll

Researcher

daroo

More Details >

Ultimate Member <= 2.11.0 – Authenticated (Subscriber+) Profile Privacy Setting Bypass

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14081

Patch Status
Patched

Published
Dec 16, 2025

Affected Software
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Researcher

Boris Bogosavac

More Details >

UnGrabber <= 3.1.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-66149

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
UnGrabber

Researcher

Phat RiO – BlueRock

More Details >

UsersWP <= 1.2.48 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-67593

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP

Researcher

daroo

More Details >

Vimeotheque <= 2.3.5.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68584

Patch Status
Patched

Published
Dec 25, 2025

Affected Software
Vimeotheque – Vimeo WordPress Plugin & Video Gallery

Researcher

Nabil Irawan

More Details >

Vireo <= 1.0.24 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62751

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Vireo

Researcher

Rooting

More Details >

Virusdie <= 1.1.6 – Authenticated (Subscriber+) Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68576

Patch Status
Patched

Published
Dec 21, 2025

Affected Software
Virusdie – One-click website security

Researcher

Nabil Irawan

More Details >

Virusdie <= 1.1.6 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68577

Patch Status
Patched

Published
Dec 21, 2025

Affected Software
Virusdie – One-click website security

Researcher

Nabil Irawan

More Details >

VPSUForm <= 3.2.24 – Authenticated (Contributor+) Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68551

Patch Status
Patched

Published
Dec 23, 2025

Affected Software
VPSUForm – Drag & Drop Contact Form Builder with Email Automation

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Walker for Elementor <= 1.1.6 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-66159

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Google Street View for Elementor – Walker

Researcher

Phat RiO – BlueRock

More Details >

Watcher for Elementor <= 1.0.9 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-66156

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Watcher – Flexible Video Player for Elementor

Researcher

Phat RiO – BlueRock

More Details >

Watu Quiz <= 3.4.5 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68587

Patch Status
Patched

Published
Dec 17, 2025

Affected Software
Watu Quiz

Researcher

daroo

More Details >

Watu Quiz <= 3.4.5 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-67976

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Watu Quiz

Researcher

daroo

More Details >

WCFM – Frontend Manager for WooCommerce <= 6.7.21 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-54004

Patch Status
Unpatched

Published
Dec 15, 2025

Affected Software
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible

Researcher

benzdeus

More Details >

WCFM Marketplace <= 3.6.17 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-64631

Patch Status
Unpatched

Published
Dec 15, 2025

Affected Software
WCFM Marketplace – Multivendor Marketplace for WooCommerce

Researcher

benzdeus

More Details >

Web to SugarCRM Lead <= 1.0.0 – Cross-Site Request Forgery to Custom Field Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13361

Patch Status
Patched

Published
Dec 20, 2025

Affected Software
Web to SugarCRM Lead

Researcher

dayea song

More Details >

Webba Booking <= 6.2.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-66530

Patch Status
Patched

Published
Dec 15, 2025

Affected Software
Easy Appointment Booking & Scheduling System – Webba Booking Calendar

Researcher

daroo

More Details >

WING WordPress Migrator <= 1.1.9 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-52835

Patch Status
Unpatched

Published
Dec 30, 2025

Affected Software
WING WordPress Migrator

Researcher

Nguyen Tran Tuan Dung (domiee13)

More Details >

Worker for Elementor <= 1.0.10 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-66144

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Business hours widget for Elementor – Worker

Researcher

Phat RiO – BlueRock

More Details >

Worker for WPBakery <= 1.1.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-66145

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Business Hours for WPBakery – Worker

Researcher

Phat RiO – BlueRock

More Details >

WP DB Booster <= 1.0.1 – Cross-Site Request Forgery to Database Cleanup

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14168

Patch Status
Unpatched

Published
Dec 19, 2025

Affected Software
WP DB Booster

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

WP JobHunt <= 7.7 – Authenticated (Candidate+) Insecure Direct Object Reference

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-7733

Patch Status
Unpatched

Published
Dec 20, 2025

Affected Software
WP JobHunt

Researcher

meghnine islem

More Details >

WP-CalDav2ICS <= 1.3.4 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-59131

Patch Status
Unpatched

Published
Dec 30, 2025

Affected Software
WP-CalDav2ICS

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

WP-EasyArchives <= 3.1.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49345

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
WP-EasyArchives

Researcher

Skalucy

More Details >

WpStream <= 4.9.5 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68522

Patch Status
Patched

Published
Dec 30, 2025

Affected Software
WpStream – Live Streaming, Video on Demand, Pay Per View

Researcher

Que Thanh Tuan – Blue Rock

More Details >

YITH Slider for page builders <= 1.0.11 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68581

Patch Status
Unpatched

Published
Dec 24, 2025

Affected Software
YITH Slider for page builders

Researcher

Nabil Irawan

More Details >

Zoho ZeptoMail <= 3.3.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49028

Patch Status
Unpatched

Published
Dec 31, 2025

Affected Software
Zoho ZeptoMail

Researcher

Nguyen Xuan Chien

More Details >

Health Check & Troubleshooting <= 1.7.1 – Authenticated (Admin+) Path Traversal

2.7

CVSS Rating
Low (2.7)

CVE-ID
CVE-2025-64253

Patch Status
Unpatched

Published
Dec 15, 2025

Affected Software
Health Check & Troubleshooting

Researcher

PPzzAArr

More Details >

Migration, Backup, Staging – WPvivid Backup & Migration <= 0.9.120 – Authenticated (Admin+) Arbitrary Directory Creation

2.7

CVSS Rating
Low (2.7)

CVE-ID
CVE-2025-12654

Patch Status
Patched

Published
Dec 20, 2025

Affected Software
Migration, Backup, Staging – WPvivid Backup & Migration

Researcher

blue0x1

More Details >