Latest CVE Feed
-
4.5
MEDIUMCVE-2026-21883
Bokeh is an interactive visualization library written in Python. In versions 3.8.1 and below, if a server is configured with an allowlist (e.g., dashboard.corp), an attacker can register a domain like dashboard.corp.attacker.com (or use a subdomain if app... Read more
Affected Products :- Published: Jan. 08, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Misconfiguration
-
4.5
MEDIUMCVE-2026-22702
virtualenv is a tool for creating isolated virtual python environments. Prior to version 20.36.1, TOCTOU (Time-of-Check-Time-of-Use) vulnerabilities in virtualenv allow local attackers to perform symlink-based attacks on directory creation operations. An ... Read more
Affected Products :- Published: Jan. 10, 2026
- Modified: Jan. 10, 2026
- Vuln Type: Race Condition
-
4.5
MEDIUMCVE-2025-13698
Deciso OPNsense diag_backup.php filename Directory Traversal Arbitrary File Creation Vulnerability. This vulnerability allows network-adjacent attackers to create arbitrary files on affected installations of Deciso OPNsense. Authentication is required to ... Read more
Affected Products :- Published: Dec. 23, 2025
- Modified: Dec. 29, 2025
- Vuln Type: Path Traversal
-
4.4
MEDIUMCVE-2025-14735
The "Amazon affiliate lite Plugin" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for auth... Read more
Affected Products :- Published: Dec. 20, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Cross-Site Scripting
-
4.4
MEDIUMCVE-2025-13974
The Email Customizer for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email template content in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possibl... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Scripting
-
4.4
MEDIUMCVE-2025-14028
The Contact Us Simple Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Scripting
-
4.4
MEDIUMCVE-2025-14057
The Multi-column Tag Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 17.0.39 due to insufficient input sanitization and output escaping. This makes it possible for authenticate... Read more
Affected Products : multi-column_tag_map- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Scripting
-
4.4
MEDIUMCVE-2025-14887
The twinklesmtp – Email Service Provider For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's sender settings in all versions up to, and including, 1.03 due to insufficient input sanitization and output escaping. Th... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Scripting
-
4.4
MEDIUMCVE-2025-14792
The Key Figures plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kf_field_figure_default_color_render function in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it pos... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Scripting
-
4.4
MEDIUMCVE-2025-53594
A path traversal vulnerability has been reported to affect several product versions. If a local attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vuln... Read more
Affected Products :- Published: Jan. 02, 2026
- Modified: Jan. 02, 2026
- Vuln Type: Path Traversal
-
4.4
MEDIUMCVE-2025-14888
The Simple User Meta Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user meta value field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for ... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Scripting
-
4.4
MEDIUMCVE-2025-14378
The Quick Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated atta... Read more
Affected Products :- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Cross-Site Scripting
-
4.4
MEDIUMCVE-2025-14056
The Custom Post Type UI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'label' parameter during custom post type import in all versions up to, and including, 1.18.1 due to insufficient input sanitization and output escaping. Thi... Read more
Affected Products : custom_post_type_ui- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Cross-Site Scripting
-
4.4
MEDIUMCVE-2025-15000
The Page Keys plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘page_key’ parameter in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated a... Read more
Affected Products :- Published: Jan. 07, 2026
- Modified: Jan. 08, 2026
- Vuln Type: Cross-Site Scripting
-
4.4
MEDIUMCVE-2025-11970
The Emplibot – AI Content Writer with Keyword Research, Infographics, and Linking | SEO Optimized | Fully Automated plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.9 via the emplibot_call_webhook... Read more
Affected Products :- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Server-Side Request Forgery
-
4.4
MEDIUMCVE-2025-14054
The WC Builder – WooCommerce Page Builder for WPBakery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'heading_color' parameter (and multiple other styling parameters) of the `wpbforwpbakery_product_additional_information` short... Read more
Affected Products :- Published: Dec. 21, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Cross-Site Scripting
-
4.3
MEDIUMCVE-2025-11164
The Mavix Education theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mavix_education_activate_plugin' AJAX action in all versions up to, and including, 1.0. This makes it possible for authent... Read more
Affected Products :- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-14454
The Image Slider by Ays- Responsive Slider and Carousel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.0. This is due to missing or incorrect nonce validation on the bulk delete functionality. Th... Read more
Affected Products : image_slider- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Cross-Site Request Forgery
-
4.3
MEDIUMCVE-2025-12512
The GenerateBlocks plugin for WordPress is vulnerable to information exposure due to missing object-level authorization checks in versions up to, and including, 2.1.2. This is due to the plugin registering multiple REST API routes under `generateblocks/v1... Read more
Affected Products : generateblocks- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Authorization
-
4.3
MEDIUMCVE-2025-14288
The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to unauthorized modification of plugin settings in all versions up to, and including, 3.3.0. T... Read more
Affected Products : simply_gallery_blocks_with_lightbox- Published: Dec. 13, 2025
- Modified: Dec. 15, 2025
- Vuln Type: Authorization