Latest CVE Feed
-
6.4
MEDIUMCVE-2025-13989
The WP Dropzone plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'callback' shortcode attribute in all versions up to, and including, 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied 'call... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-14129
The Like DisLike Voting plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it poss... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Scripting
-
4.3
MEDIUMCVE-2025-14162
The BMLT WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.11.4. This is due to missing nonce validation on the 'BMLTPlugin_create_option' and 'BMLTPlugin_delete_option ' action. This makes ... Read more
Affected Products : meeting_map- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Request Forgery
-
9.8
CRITICALCVE-2025-14344
The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'plupload_ajax_delete_file' function in all versions up to, and including, 1.1.7. This makes it possible for... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Path Traversal
-
5.3
MEDIUMCVE-2025-13440
The Premmerce Wishlist for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.10. This is due to a missing capability check on the deleteWishlist() function. This makes it possible for authent... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Authorization
-
6.4
MEDIUMCVE-2025-13843
The VigLink SpotLight By ShortCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'float' parameter of the 'spotlight' shortcode in all versions up to, and including, 1.0.a due to insufficient input sanitization and output escap... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Scripting
-
6.4
MEDIUMCVE-2025-13904
The WPGancio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gancio-event' shortcode in all versions up to, and including, 1.12 due to insufficient input sanitization and output escaping on user supplied attributes. Thi... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Scripting
-
6.4
MEDIUMCVE-2025-13969
The Reviews Sorted plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'space' parameter of the [reviews-slider] shortcode in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This m... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Scripting
-
4.4
MEDIUMCVE-2025-13971
The TWW Protein Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Header' setting in all versions up to, and including, 1.0.24 due to insufficient input sanitization and output escaping. This makes it possible for authe... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Scripting
-
8.1
HIGHCVE-2025-14044
The Visitor Logic Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.3 via deserialization of untrusted input from the `lpblocks` cookie. This is due to the `lp_track()` function passing unsanitized c... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Injection
-
6.4
MEDIUMCVE-2025-14119
The App Landing Template Blocks for WPBakery (Visual Composer) Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'atvc_video_play' shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitiz... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Scripting
-
4.3
MEDIUMCVE-2025-14165
The Kirim.Email WooCommerce Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9. This is due to missing nonce validation on the plugin's settings page. This makes it possible for unauthe... Read more
Affected Products :- Published: Dec. 12, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Request Forgery
-
8.8
HIGHCVE-2025-65271
Client-side template injection (CSTI) in Azuriom CMS admin dashboard allows a low-privilege user to execute arbitrary template code in the context of an administrator's session. This can occur via plugins or dashboard components that render untrusted user... Read more
Affected Products : azuriom- Published: Dec. 08, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Scripting
-
8.1
HIGHCVE-2025-61075
Multiple Incorrect Access Control vulnerabilities in adata Software GmbH Mitarbeiterportal 2.15.2.0 allow remote authenticated, low-privileged users to carry out administrative functions and manipulate data of other users via unauthorized API calls.... Read more
Affected Products : mitarbeiter_portal- Published: Dec. 09, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Authorization
-
6.5
MEDIUMCVE-2025-65288
A buffer overflow in the Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) occurs when the device accepts and stores excessively long hostnames from LAN hosts without proper length validation. The affected code performs unchecked copies/concatenati... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Memory Corruption
-
6.1
MEDIUMCVE-2025-65289
A stored Cross site scripting (XSS) vulnerability in the Mercury MR816v2 (081C3114 4.8.7 Build 110427 Rel 36550n) router allows a remote attacker on the LAN to inject JavaScript into the router's management UI by submitting a malicious hostname. The injec... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Cross-Site Scripting
-
1.3
LOWCVE-2025-13751
Interactive service agent in OpenVPN version 2.5.0 through 2.6.16 and 2.7_alpha1 through 2.7_rc2 on Windows allows a local authenticated user to connect to the service and trigger an error causing a local denial of service.... Read more
Affected Products : openvpn- Published: Dec. 03, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Denial of Service
-
4.6
MEDIUMCVE-2025-13086
Improper validation of source IP addresses in OpenVPN version 2.6.0 through 2.6.15 and 2.7_alpha1 through 2.7_rc1 allows an attacker to open a session from a different IP address which did not initiate the connection resulting in a denial of service for t... Read more
Affected Products : openvpn- Published: Dec. 03, 2025
- Modified: Dec. 12, 2025
- Vuln Type: Denial of Service
-
8.4
HIGHCVE-2025-64671
Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized attacker to execute code locally.... Read more
- Published: Dec. 09, 2025
- Modified: Dec. 12, 2025
-
9.0
CRITICALCVE-2025-64672
Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network.... Read more
Affected Products : sharepoint_server- Published: Dec. 09, 2025
- Modified: Dec. 12, 2025