Wordfence Intelligence Weekly WordPress Vulnerability Report (February 3, 2025 to February 9, 2025)


📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.


Last week, 141 vulnerabilities disclosed in 132 WordPress plugins and 3 WordPress themes were added to the Wordfence Intelligence Vulnerability Database, and 45 vulnerability researchers contributed to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, use the Vulnerability Database API to receive a complete dump of our database of over 22,000 vulnerabilities, then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.

Sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress security reports in your inbox the moment they are published.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 47
Unpatched 94

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Medium Severity 126
High Severity 12
Critical Severity 3

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 62
Cross-Site Request Forgery (CSRF) 42
Missing Authorization 13
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 6
Improper Control of Generation of Code (‘Code Injection’) 4
Authorization Bypass Through User-Controlled Key 3
Authentication Bypass Using an Alternate Path or Channel 2
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 2
Deserialization of Untrusted Data 1
Exposure of Sensitive Information to an Unauthorized Actor 1
Improper Access Control 1
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 1
Incorrect Privilege Assignment 1
Server-Side Request Forgery (SSRF) 1
Unrestricted Upload of File with Dangerous Type 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Abdi Pranata 27
yudha 15
Hassan Khan Yusufzai – Splint3r7 13
István Márton 7
Francesco Carlucci 6
SOPROBRO 6
Kévin Mosbahi (Mika) 5
Pham Van Tam 5
0xd4rk5id3 5
Khang Duong 3
Dimas Maulana 3
Phat RiO 3
Peter Thaleikis 3
Trương Hữu Phúc (truonghuuphuc) 2
Tim Coen 2
mikemyers 2
Webula 2
Michael 2
Bob Matyas 2
zaim 2
theviper17y 2
Nguyen Khanh Hao 1
Dhabaleshwar Das 1
Sean Murphy 1
Joshua Chan 1
ardias 1
shaman0x01 1
ghsinfosec 1
Manab Jyoti Dowarah 1
Gab 1
Prissy 1
Rafie Muhammad 1
Tri Doan 1
thiennv 1
Hakiduck 1
Asaf Mozes 1
astra.r3verii 1
zer0gh0st 1
Nishiv 1
Keshav verma 1
Aiden (Thái An) 1
Lucio Sá 1
Muhammad Zeeshan (Xib3rR4dAr) 1
Fariq Fadillah Gusti Insani (fariqfgi) 1
Jorge Diaz (ddiax) 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
Admin and Site Enhancements (ASE) admin-site-enhancements
Admin and Site Enhancements (ASE) Pro admin-site-enhancements-pro
AIO Performance Profiler, Monitor, Optimize, Compress & Debug all-in-one-performance-accelerator
Alert Box Block – Display notice/alerts in the front end. alert-box-block
All push notification for WP all-push-notification
Appointment Buddy Widget By Accrete appointment-buddy-online-appointment-booking-by-accrete
aThemes Addons for Elementor athemes-addons-for-elementor-lite
Auto SEO auto-seo
Awesome Event Booking awesome-event-booking
B Slider- Gutenberg Slider Block for WP b-slider
Blog, Posts and Category Filter for Elementor blog-posts-and-category-for-elementor
BookPress – For Book Authors book-press
BoomBox Theme Extensions boombox-theme-extensions
Breaking News Ticker breaking-news-ticker
Builder Shortcode Extras – WordPress Shortcodes Collection to Save You Time builder-shortcode-extras
CalendApp calendapp
Child Themes Helper child-themes-helper
Contact Manager contact-manager
CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 9.x woo-multi-currency
Custom Block Builder – Lazy Blocks lazy-blocks
Custom Comment Notifications custom-comment-notifications
Custom Links On Admin Dashboard Toolbar customize-wpadmin
CWD – Stealth Links cwd-stealth-links
Directory Listings WordPress plugin – uListing ulisting
Disable Elementor Editor Translation disable-elementor-editor-translation
DSGVO All in one for WP dsgvo-all-in-one-for-wp
Dynamic Conditions dynamicconditions
Dynamic URL SEO dynamic-url-seo
EAN Barcode Generator for WooCommerce: UPC, ISBN & GTIN Inventory ean-for-woocommerce
Easy Chart Builder for WordPress easy-chart-builder
Easy Related Posts easy-related-posts
Easy WP Tiles easy-wp-tiles
Embed RSS embed-rss
Eventer – WordPress Event & Booking Manager Plugin eventer
Events, Calendars & Tickets – Event Kikfyre kikfyre-events-calendar-tickets
Export Order, Product, Customer & Coupon for WooCommerce to Google Sheets wpsyncsheets-woocommerce
External “Video for Everybody” external-video-for-everybody
Facilita Form Tracker facilita-form-tracker
FlexIDX Home Search flexidx-home-search
Fyrebox Quizzes fyrebox-shortcode
GlobalQuran globalquran
Google Earth Embed google-earth-tours
Graceful Email Obfuscation graceful-email-obfuscation
HT Mega – Absolute Addons For Elementor ht-mega-for-elementor
Image Rotator appten-image-rotator
Include Mastodon Feed include-mastodon-feed
Indeed API indeed-api
Infusionsoft Analytics for WordPress infusionsoft-web-tracker
InLocation inlocation
Job Board Manager job-board-manager
JS Help Desk – The Ultimate Help Desk & Support Plugin js-support-ticket
Kona Gallery Block kona-instagram-feed-for-gutenberg
Link to URL / Post link-to-url-post
Links in Captions links-in-captions
Listings for Appfolio listings-for-appfolio
Login-box login-box
Medical Addon for Elementor medical-addon-for-elementor
Music Press Pro music-press-pro
Nextend Social Login Pro nextend-social-login-pro
NextGen Cooliris Gallery nextgen-cooliris-gallery
Notification Bar – Top Bar – Easy Sticky Notification Bar | FM Notification Bar fm-notification-bar
On Page SEO + Social Live Chat (Formerly OPS) ops-robots-txt
OneStore Sites onestore-sites
Optimate Ads – Advance Ad Inserter AdSense & Ad Manager optimate-ads
Orbit Fox by ThemeIsle themeisle-companion
Payment Forms for Paystack payment-forms-for-paystack
Paytm Payment Donation paytm-donation
Photo Contest | Competition | Video Contest totalcontest-lite
Pop Up popup-seo-optimized
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor post-and-page-builder
Post Sync post-sync
Print PDF Generator and Publisher nopeamedia
Product Blocks for WooCommerce product-blocks-for-woocommerce
Product Table For WooCommerce product-table-for-woocommerce
pushBIZ – Push Notification pushbiz
Qi Addons For Elementor qi-addons-for-elementor
Quote Comments quote-comments
R3W InstaFeed r3w-instafeed
RapidLoad AI – Optimize Web Vitals Automatically unusedcss
Read More Copy Link read-more-copy-link
Ready to use Gutenberg and Elementor Templates – Munk Sites munk-sites
ReverbNation Widgets reverbnation-widgets
RSS in Page rss-in-page
SendPulse Email Marketing Newsletter sendpulse-email-marketing-newsletter
ShopSite shopsite-plugin
Show notice or message on admin area show-notice-or-message-on-admin-area
Simple add pages or posts simple-add-pages-or-posts
Simple Auto Tag simple-auto-tag
Simple catalogue simple-catalogue
Simple Certain Time to Show Content simple-certain-time-to-show-content
Simple Select All Text Box simple-select-all-text-box
Simple User Profile simple-user-profile
SKT Blocks – Gutenberg based Page Builder skt-blocks
Slide Banners slide-banners
Smart Countdown FX smart-countdown-fx
Smart DoFollow smart-dofollow
Songkick Concerts and Festivals songkick-concerts-and-festivals
Spiritual Gifts Survey (and optional S.H.A.P.E survey) spiritual-gifts-survey
Starter Templates by FancyWP starter-templates
Status Updater fb-status-updater
Style Tweaker style-tweaker
Stylish Google Sheet Reader 4.0 – Seamlessly Embed Google Sheets as Responsive Data Tables stylish-google-sheet-reader
Super Store Finder superstorefinder-wp
Survey Maker survey-maker
Theasys theasys
Theme Options Z theme-options-z
Uix Shortcodes uix-shortcodes
URL-Preview-Box good-url-preview-box
Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce vayu-blocks
Video & Photo Gallery for Ultimate Member gallery-for-ultimate-member
Vignette Ads vignete-ads
VikBooking Hotel Booking Engine & PMS vikbooking
WizShop wizshop
WooCommerce Cart Count Shortcode woo-cart-count-shortcode
WordPress Activity-o-meter wordpress-activity-o-meter
WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto tripetto
WP Admin Custom Page wp-admin-custom-page
WP All Export Pro wp-all-export-pro
WP All Import Pro wp-all-import-pro
WP Custom Post RSS Feed wp-custom-post-rss-feed
WP Directorybox Manager wp-directorybox-manager
WP doodlez wpdoodlez
WP Extra Fields wp-extra-fields
WP Keyword Monitor wp-keyword-monitor
WP Pricing Table wp-pricing-table
WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts wedevs-project-manager
WP SimpleWeather wp-simpleweather
WP Social Stream wp-social-stream
WP Spell Check wp-spell-check
WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More wpforms-lite
WPMovieLibrary wpmovielibrary
ZMSEO zmseo

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
DWT – Directory & Listing WordPress Theme dwt-listing
OnePress onepress
SocialV – Social Network and Community BuddyPress Theme socialv

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Nextend Social Login Pro <= 3.1.16 – Authentication Bypass via Apple OAuth provider
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-1061
Patch Status: Patched
Published: Feb 6, 2025
Affected Software: Nextend Social Login Pro
Researcher: István Márton

WizShop <= 3.0.2 – Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-25122
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: WizShop
Researcher: Trương Hữu Phúc (truonghuuphuc)

WP Directorybox Manager <= 2.5 – Authentication Bypass
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-0316
Patch Status: Unpatched
Published: Feb 8, 2025
Affected Software: WP Directorybox Manager
Researcher: István Márton

BoomBox Theme Extensions <= 1.8.0 – Authenticated (Contributor+) Local File Inclusion via Shortcode
CVSS Rating: High (8.8)
CVE-ID: CVE-2024-12859
Patch Status: Patched
Published: Feb 3, 2025
Affected Software: BoomBox Theme Extensions
Researcher: István Márton

WP All Export Pro <= 1.9.1 – Unauthenticated Remote Code Execution via Custom Export Fields
CVSS Rating: High (8.3)
CVE-ID: CVE-2024-7419
Patch Status: Patched
Published: Feb 7, 2025
Affected Software: WP All Export Pro
Researcher: Francesco Carlucci

Child Themes Helper <= 2.2.7 – Cross-Site Request Forgery to Arbitrary File Deletion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-25093
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Child Themes Helper
Researcher: ardias

Contact Manager <= 8.6.4 – Unauthenticated Arbitrary Double File Extension Upload
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-1028
Patch Status: Patched
Published: Feb 4, 2025
Affected Software: Contact Manager
Researcher: Keshav verma

Admin and Site Enhancements (ASE) Pro <= 7.6.2.1 – Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: High (7.5)
CVE-ID: CVE-2024-43333
Patch Status: Patched
Published: Feb 3, 2025
Affected Software: Admin and Site Enhancements (ASE); Admin and Site Enhancements (ASE) Pro
Researcher: Rafie Muhammad

CWD – Stealth Links <= 1.3 – Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-22655
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: CWD – Stealth Links
Researcher: Aiden (Thái An)

Super Store Finder <= 7.0 – Unauthenticated SQL Injection to Stored Cross-Site Scripting
CVSS Rating: High (7.5)
CVE-ID: CVE-2024-13440
Patch Status: Patched
Published: Feb 8, 2025
Affected Software: Super Store Finder
Researcher: Muhammad Zeeshan (Xib3rR4dAr)

uListing <= 2.1.6 – Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-25150
Patch Status: Patched
Published: Feb 3, 2025
Affected Software: Directory Listings WordPress plugin – uListing
Researcher: Phat RiO

CURCY – Multi Currency for WooCommerce <= 2.2.5 – Unauthenticated Arbitrary Shortcode Execution via get_products_price Function
CVSS Rating: High (7.3)
CVE-ID: CVE-2024-13487
Patch Status: Patched
Published: Feb 5, 2025
Affected Software: CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 9.x
Researcher: mikemyers

Uix Shortcodes <= 2.0.3 – Unauthenticated Arbitrary Shortcode Execution
CVSS Rating: High (7.3)
CVE-ID: CVE-2025-22677
Patch Status: Patched
Published: Feb 3, 2025
Affected Software: Uix Shortcodes
Researcher: theviper17y

All push notification for WP <= 1.5.3 – Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-25092
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: All push notification for WP
Researcher: Dimas Maulana

WP All Import Pro <= 4.9.7 – Authenticated (Administrator+) PHP Object Injection via Import File
CVSS Rating: High (7.2)
CVE-ID: CVE-2024-9664
Patch Status: Patched
Published: Feb 7, 2025
Affected Software: WP All Import Pro
Researcher: Francesco Carlucci

WP All Export Pro <= 1.9.1 – Authenticated (ShopManager+) Arbitrary Options Update
CVSS Rating: Medium (6.8)
CVE-ID: CVE-2024-7425
Patch Status: Patched
Published: Feb 7, 2025
Affected Software: WP All Export Pro
Researcher: Francesco Carlucci

DSGVO All in one for WP <= 4.6 – Cross-Site Request Forgery to Account Deletion
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-13356
Patch Status: Patched
Published: Feb 3, 2025
Affected Software: DSGVO All in one for WP
Researcher: shaman0x01

Post and Page Builder by BoldGrid <= 1.27.6 – Path Traversal to Authenticated (Contributor+) Arbitrary File Read via template_via_url Function
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-0859
Patch Status: Patched
Published: Feb 5, 2025
Affected Software: Post and Page Builder by BoldGrid – Visual Drag and Drop Editor
Researcher: mikemyers

SocialV – Social Network and Community BuddyPress Theme <= 2.0.15 – Missing Authorization to Arbitrary File Download
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2024-13529
Patch Status: Patched
Published: Feb 3, 2025
Affected Software: SocialV – Social Network and Community BuddyPress Theme
Researcher: Lucio Sá

Starter Templates by FancyWP <= 2.0.0 – Cross-Site Request Forgery to Arbitrary Plugin Installation
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-25106
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Starter Templates by FancyWP
Researcher: Abdi Pranata

uListing <= 2.1.6 – Authenticated (Contributor+) SQL Injection
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-25151
Patch Status: Patched
Published: Feb 3, 2025
Affected Software: Directory Listings WordPress plugin – uListing
Researcher: Phat RiO

Alert Box Block – Display notice/alerts in the front end <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-22675
Patch Status: Patched
Published: Feb 3, 2025
Affected Software: Alert Box Block – Display notice/alerts in the front end.
Researcher: Pham Van Tam

aThemes Addons for Elementor <= 1.0.8 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-22646
Patch Status: Patched
Published: Feb 3, 2025
Affected Software: aThemes Addons for Elementor
Researcher: Michael

Blog, Posts and Category Filter for Elementor <= 2.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-22648
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Blog, Posts and Category Filter for Elementor
Researcher: ghsinfosec

Breaking News Ticker <= 2.4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-25094
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Breaking News Ticker
Researcher: SOPROBRO

DWT – Directory & Listing WordPress Theme <= 3.3.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-0169
Patch Status: Patched
Published: Feb 8, 2025
Affected Software: DWT – Directory & Listing WordPress Theme
Researcher: István Márton

Dynamic Conditions <= 1.7.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-22642
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Dynamic Conditions
Researcher: Michael

Easy Chart Builder for WordPress <= 1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-25077
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Easy Chart Builder for WordPress
Researcher: yudha

Eventer <= 3.9.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-11132
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Eventer – WordPress Event & Booking Manager Plugin
Researcher: István Márton

External Video For Everybody <= 2.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-25097
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: External “Video for Everybody”
Researcher: yudha

FlexIDX Home Search <= 2.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-25082
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: FlexIDX Home Search
Researcher: yudha

Google Earth Embed <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-25078
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Google Earth Embed
Researcher: yudha

Graceful Email Obfuscation <= 0.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-25076
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Graceful Email Obfuscation
Researcher: yudha

HT Mega <= 2.7.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via block_css and inner_css
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-12597
Patch Status: Patched
Published: Feb 3, 2025
Affected Software: HT Mega – Absolute Addons For Elementor
Researcher: Sean Murphy

Include Mastodon Feed <= 1.9.9 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-22660
Patch Status: Patched
Published: Feb 3, 2025
Affected Software: Include Mastodon Feed
Researcher: yudha

Kona Gallery Block <= 1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-25080
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Kona Gallery Block
Researcher: Peter Thaleikis

Links in Captions <= 1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-25098
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Links in Captions
Researcher: yudha

Music Press Pro <= 1.4.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-22653
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Music Press Pro
Researcher: Kévin Mosbahi (Mika)

NextGen Cooliris Gallery <= 0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-25091
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: NextGen Cooliris Gallery
Researcher: yudha

Optimate Ads <= 1.0.3 – Authenticated (Subscriber+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-25136
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Optimate Ads – Advance Ad Inserter AdSense & Ad Manager
Researcher: Abdi Pranata

Orbit Fox by ThemeIsle <= 2.10.44 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-22659
Patch Status: Patched
Published: Feb 3, 2025
Affected Software: Orbit Fox by ThemeIsle
Researcher: Prissy

Product Blocks for WooCommerce <= 1.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-22674
Patch Status: Patched
Published: Feb 3, 2025
Affected Software: Product Blocks for WooCommerce
Researcher: Peter Thaleikis

Product Table For WooCommerce <= 1.2.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-22638
Patch Status: Patched
Published: Feb 3, 2025
Affected Software: Product Table For WooCommerce
Researcher: zaim

Qi Addons For Elementor <= 1.8.7 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13699
Patch Status: Patched
Published: Feb 3, 2025
Affected Software: Qi Addons For Elementor
Researcher: zer0gh0st

ReverbNation Widgets <= 2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-25095
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: ReverbNation Widgets
Researcher: yudha

RSS in Page <= 2.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-25096
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: RSS in Page
Researcher: yudha

SendPulse Email Marketing Newsletter <= 2.1.5 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-22662
Patch Status: Patched
Published: Feb 3, 2025
Affected Software: SendPulse Email Marketing Newsletter
Researcher: Webula

Simple Select All Text Box <= 3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-25079
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Simple Select All Text Box
Researcher: yudha

SKT Blocks – Gutenberg based Page Builder <= 1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13733
Patch Status: Patched
Published: Feb 3, 2025
Affected Software: SKT Blocks – Gutenberg based Page Builder
Researcher: zaim

Smart Countdown FX <= 1.5.5 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-25117
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Smart Countdown FX
Researcher: yudha

Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-22644
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce
Researcher: Gab

Video & Photo Gallery for Ultimate Member <= 1.1.2 – Authenticated (Subscriber+) Server-Side Request Forgery
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-22672
Patch Status: Patched
Published: Feb 3, 2025
Affected Software: Video & Photo Gallery for Ultimate Member
Researcher: theviper17y

WooCommerce Cart Count Shortcode <= 1.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-10563
Patch Status: Patched
Published: Feb 5, 2025
Affected Software: WooCommerce Cart Count Shortcode
Researcher: Bob Matyas

WP SimpleWeather <= 0.2.5 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-25085
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: WP SimpleWeather
Researcher: yudha

WPForms Lite <= 1.9.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via fieldHTML Parameter
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13403
Patch Status: Patched
Published: Feb 3, 2025
Affected Software: WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More
Researcher: Asaf Mozes

Embed RSS <= 3.1 – Authenticated (Subscriber+) Arbitrary Shortcode Execution
CVSS Rating: Medium (6.3)
CVE-ID: CVE-2025-25081
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Embed RSS
Researcher: yudha

Appointment Buddy Widget <= 1.2 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-25099
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Appointment Buddy Widget By Accrete
Researcher: Dimas Maulana

Auto SEO <= 2.5.6 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-25147
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Auto SEO
Researcher: Abdi Pranata

BookPress – For Book Authors <= 1.2.7 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-25168
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: BookPress – For Book Authors
Researcher: Phat RiO

CalendApp <= 1.1 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2024-13669
Patch Status: Unpatched
Published: Feb 4, 2025
Affected Software: CalendApp
Researcher: Hassan Khan Yusufzai – Splint3r7

Custom Block Builder – Lazy Blocks <= 3.8.2 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2024-12878
Patch Status: Patched
Published: Feb 4, 2025
Affected Software: Custom Block Builder – Lazy Blocks
Researcher: Hassan Khan Yusufzai – Splint3r7

Custom Comment Notifications <= 1.0.8 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-25154
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Custom Comment Notifications
Researcher: Abdi Pranata

Custom Links On Admin Dashboard Toolbar <= 3.3 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-25135
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Custom Links On Admin Dashboard Toolbar
Researcher: Abdi Pranata

Dynamic URL SEO <= 1.0 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-23984
Patch Status: Patched
Published: Feb 3, 2025
Affected Software: Dynamic URL SEO
Researcher: thiennv

Easy Related Posts <= 2.0.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-25123
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Easy Related Posts
Researcher: Abdi Pranata

Fyrebox Quizzes <= 2.7 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-25125
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Fyrebox Quizzes
Researcher: Abdi Pranata

Image Rotator <= 2.0 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-25089
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Image Rotator
Researcher: Dimas Maulana

InLocation <= 1.8 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-25166
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: InLocation
Researcher: Abdi Pranata

Job Board Manager <= 2.1.60 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-22679
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Job Board Manager
Researcher: 0xd4rk5id3

Listings for Appfolio <= 1.2.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-22658
Patch Status: Patched
Published: Feb 3, 2025
Affected Software: Listings for Appfolio
Researcher: Abdi Pranata

Login-box <= 2.0.4 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-25149
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Login-box
Researcher: Abdi Pranata

On Page SEO + Whatsapp Chat Button <= 2.0.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-25138
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: On Page SEO + Social Live Chat (Formerly OPS)
Researcher: Abdi Pranata

Post Sync <= 1.1 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2024-13634
Patch Status: Unpatched
Published: Feb 4, 2025
Affected Software: Post Sync
Researcher: Hassan Khan Yusufzai – Splint3r7

pushBIZ – Push Notification <= 1.0 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2024-13629
Patch Status: Unpatched
Published: Feb 4, 2025
Affected Software: pushBIZ – Push Notification
Researcher: Hassan Khan Yusufzai – Splint3r7

Quote Comments <= 2.2.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-25156
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Quote Comments
Researcher: Abdi Pranata

R3W InstaFeed <= 1.0 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2024-13678
Patch Status: Unpatched
Published: Feb 4, 2025
Affected Software: R3W InstaFeed
Researcher: Hassan Khan Yusufzai – Splint3r7

Read More Copy Link <= 1.0.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-25148
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Read More Copy Link
Researcher: Abdi Pranata

ShopSite <= 1.5.10 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2024-13510
Patch Status: Patched
Published: Feb 3, 2025
Affected Software: ShopSite
Researcher: SOPROBRO

Show notice or message on admin area <= 2.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-25075
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Show notice or message on admin area
Researcher: SOPROBRO

Simple Auto Tag <= 1.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-25153
Patch Status: Unpatched
Published: Feb 3, 2025
Affected Software: Simple Auto Tag
Researcher: Abdi Pranata

Simple catalogue <= 1.0.2 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2024-13633
Patch Status: Unpatched
Published: Feb 4, 2025
Affected Software: Simple catalogue
Researcher: Hassan Khan Yusufzai – Splint3r7

Simple Certain Time to Show Content <= 1.2.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-10152
Patch Status
Patched
Published
Feb 4, 2025

Affected Software
Simple Certain Time to Show Content
Researcher

Bob Matyas

Simple User Profile <= 1.9 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-25140
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Simple User Profile
Researcher

Abdi Pranata

Smart DoFollow <= 1.0.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-25152
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Smart DoFollow
Researcher

Abdi Pranata

Songkick Concerts and Festivals <= 0.9.7 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-25146
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Songkick Concerts and Festivals
Researcher

Pham Van Tam

Spiritual Gifts Survey <= 0.9.10 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-0688
Patch Status
Unpatched
Published
Feb 4, 2025

Affected Software
Spiritual Gifts Survey (and optional S.H.A.P.E survey)
Researcher

Hassan Khan Yusufzai – Splint3r7

Spiritual Gifts Survey <= 0.9.10 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-0687
Patch Status
Unpatched
Published
Feb 4, 2025

Affected Software
Spiritual Gifts Survey (and optional S.H.A.P.E survey)
Researcher

Hassan Khan Yusufzai – Splint3r7

Status Updater <= 1.9.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-25124
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Status Updater
Researcher

Abdi Pranata

Style Tweaker <= 0.11 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-25160
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Style Tweaker
Researcher

Abdi Pranata

Stylish Google Sheet Reader <= 4.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-22651
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Stylish Google Sheet Reader 4.0 – Seamlessly Embed Google Sheets as Responsive Data Tables
Researcher

Jorge Diaz (ddiax)

Theasys <= 1.0.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-25144
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Theasys
Researcher

Abdi Pranata

Total Contest Lite <= 2.8.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13822
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Photo Contest | Competition | Video Contest
Researcher

Hassan Khan Yusufzai – Splint3r7

URL-Preview-Box <= 1.20 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-25104
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
URL-Preview-Box
Researcher

Abdi Pranata

Vignette Ads <= 0.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-25071
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Vignette Ads
Researcher

SOPROBRO

WordPress Activity-o-meter <= 1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13668
Patch Status
Unpatched
Published
Feb 4, 2025

Affected Software
WordPress Activity-o-meter
Researcher

Hassan Khan Yusufzai – Splint3r7

WP Admin Custom Page <= 1.5.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-25072
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
WP Admin Custom Page
Researcher

SOPROBRO

WP Custom Post RSS Feed <= 1.0.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-25139
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
WP Custom Post RSS Feed
Researcher

Abdi Pranata

WP doodlez <= 1.0.10 – Unauthenticated Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-25159
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
WP doodlez
Researcher

Abdi Pranata

WP Extra Fields <= 1.0.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13632
Patch Status
Unpatched
Published
Feb 4, 2025

Affected Software
WP Extra Fields
Researcher

Hassan Khan Yusufzai – Splint3r7

WP Keyword Monitor <= 1.0.5 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-25088
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
WP Keyword Monitor
Researcher

0xd4rk5id3

WP Pricing Table <= 1.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13628
Patch Status
Unpatched
Published
Feb 4, 2025

Affected Software
WP Pricing Table
Researcher

Hassan Khan Yusufzai – Splint3r7

WP Social Stream <= 1.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-25074
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
WP Social Stream
Researcher

SOPROBRO

WPMovieLibrary <= 2.1.4.8 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2024-13624
Patch Status
Unpatched
Published
Feb 4, 2025

Affected Software
WPMovieLibrary
Researcher

Hassan Khan Yusufzai – Splint3r7

ZMSEO <= 1.14.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)
CVE-ID
CVE-2025-25126
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
ZMSEO
Researcher

Abdi Pranata

Simple add pages or posts <= 2.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)
CVE-ID
CVE-2024-13850
Patch Status
Unpatched
Published
Feb 8, 2025

Affected Software
Simple add pages or posts
Researcher

Pham Van Tam

Facilita Form Tracker <= 1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

5.4

CVSS Rating
Medium (5.4)
CVE-ID
CVE-2025-25128
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Facilita Form Tracker
Researcher

Abdi Pranata

Awesome Event Booking <= 2.7.2 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2025-22668
Patch Status
Patched
Published
Feb 3, 2025

Affected Software
Awesome Event Booking
Researcher

Kévin Mosbahi (Mika)

Eventer <= 3.9.9 – Missing Authorization to Unauthenticated Event Ticket Download

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-11133
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Eventer – WordPress Event & Booking Manager Plugin
Researcher

István Márton

WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto <= 8.0.8 – Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)
CVE-ID
CVE-2024-13829
Patch Status
Patched
Published
Feb 4, 2025

Affected Software
WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto
Researcher

Tim Coen

Link to URL / Post <= 1.3 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-25116
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Link to URL / Post
Researcher

Tri Doan

Payment Forms for Paystack <= 4.0.1 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-22652
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Payment Forms for Paystack
Researcher

Webula

GlobalQuran <= 1.0 – Cross-Site Request Forgery to Settings Update

4.7

CVSS Rating
Medium (4.7)
CVE-ID
CVE-2025-25143
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
GlobalQuran
Researcher

0xd4rk5id3

Easy WP Tiles <= 1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-25073
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Easy WP Tiles
Researcher

Pham Van Tam

FM Notification Bar <= 1.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-22641
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Notification Bar – Top Bar – Easy Sticky Notification Bar | FM Notification Bar
Researcher

yudha

Paytm Payment Donation <= 2.3.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-22640
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Paytm Payment Donation
Researcher

Khang Duong

Pop Up <= 0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-25105
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Pop Up
Researcher

Nguyen Khanh Hao

Survey Maker <= 5.1.3.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-22664
Patch Status
Patched
Published
Feb 3, 2025

Affected Software
Survey Maker
Researcher

astra.r3verii

WP Project Manager <= 2.6.17 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-22649
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
Researcher

Manab Jyoti Dowarah

AIO Performance Profiler, Monitor, Optimize, Compress & Debug <= 1.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-22647
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
AIO Performance Profiler, Monitor, Optimize, Compress & Debug
Researcher

Joshua Chan

Awesome Event Booking <= 2.7.5 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-22669
Patch Status
Patched
Published
Feb 3, 2025

Affected Software
Awesome Event Booking
Researcher

Kévin Mosbahi (Mika)

B Slider- Gutenberg Slider Block for WP <= 1.1.23 – Authenticated (Contributor+) Private Post Disclosure via bsb-slider Shortcode

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13514
Patch Status
Patched
Published
Feb 3, 2025

Affected Software
B Slider- Gutenberg Slider Block for WP
Researcher

Nishiv

Builder Shortcode Extras – WordPress Shortcodes Collection to Save You Time <= 1.0.0 – Authenticated (Contributor+) Post Disclosure

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13841
Patch Status
Unpatched
Published
Feb 6, 2025

Affected Software
Builder Shortcode Extras – WordPress Shortcodes Collection to Save You Time
Researcher

Francesco Carlucci

Disable Elementor Editor Translation <= 1.0.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-22671
Patch Status
Patched
Published
Feb 3, 2025

Affected Software
Disable Elementor Editor Translation
Researcher

Kévin Mosbahi (Mika)

EAN for WooCommerce <= 5.3.5 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-22673
Patch Status
Patched
Published
Feb 3, 2025

Affected Software
EAN Barcode Generator for WooCommerce: UPC, ISBN & GTIN Inventory
Researcher

Peter Thaleikis

Event Kikfyre <= 2.1.8 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-25110
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Events, Calendars & Tickets – Event Kikfyre
Researcher

Pham Van Tam

Eventer <= 3.9.9 – Missing Authorization to Authenticated (Subscriber+) Bookings Export

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-11134
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Eventer – WordPress Event & Booking Manager Plugin
Researcher

István Márton

Export Order, Product, Customer & Coupon for WooCommerce to Google Sheets <= 1.8.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-22667
Patch Status
Patched
Published
Feb 3, 2025

Affected Software
Export Order, Product, Customer & Coupon for WooCommerce to Google Sheets
Researcher

Kévin Mosbahi (Mika)

Indeed API <= 0.5 – Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-25103
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Indeed API
Researcher

0xd4rk5id3

Infusionsoft Analytics <= 2.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-25145
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Infusionsoft Analytics for WordPress
Researcher

0xd4rk5id3

JS Help Desk – The Ultimate Help Desk & Support Plugin <= 2.8.8 – Authenticated (Subscriber+) Insecure Direct Object Reference

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-13607
Patch Status
Patched
Published
Feb 3, 2025

Affected Software
JS Help Desk – The Ultimate Help Desk & Support Plugin
Researcher

Tim Coen

Medical Addon for Elementor <= 1.6.2 – Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via Shortcode

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-12046
Patch Status
Patched
Published
Feb 3, 2025

Affected Software
Medical Addon for Elementor
Researcher

Francesco Carlucci

Munk Sites <= 1.0.7 – Cross-Site Request Forgery to Arbitrary Plugin Installation

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-25101
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Ready to use Gutenberg and Elementor Templates – Munk Sites
Researcher

Abdi Pranata

OnePress <= 2.3.11 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-22643
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
OnePress
Researcher

Fariq Fadillah Gusti Insani (fariqfgi)

OneStore Sites <= 0.1.1 – Cross-Site Request Forgery to Arbitrary Plugin Installation

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-25107
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
OneStore Sites
Researcher

Abdi Pranata

Print PDF Generator and Publisher <= 1.2.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-22637
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Print PDF Generator and Publisher
Researcher

Khang Duong

RapidLoad <= 2.4.4 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-22665
Patch Status
Patched
Published
Feb 3, 2025

Affected Software
RapidLoad AI – Optimize Web Vitals Automatically
Researcher

Hakiduck

Slide Banners <= 1.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-25120
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Slide Banners
Researcher

Trương Hữu Phúc (truonghuuphuc)

Theme Options Z <= 1.4 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-25121
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
Theme Options Z
Researcher

Abdi Pranata

VikBooking Hotel Booking Engine & PMS <= 1.7.2 – Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-22670
Patch Status
Patched
Published
Feb 3, 2025

Affected Software
VikBooking Hotel Booking Engine & PMS
Researcher

Dhabaleshwar Das

WP All Import Pro <= 4.9.7 – Cross-Site Request Forgery to Imported Content Deletion

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2024-9661
Patch Status
Patched
Published
Feb 7, 2025

Affected Software
WP All Import Pro
Researcher

Francesco Carlucci

WP Spell Check <= 9.21 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-25111
Patch Status
Unpatched
Published
Feb 3, 2025

Affected Software
WP Spell Check
Researcher

Khang Duong


As a reminder, Wordfence curates an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence's experienced vulnerability researchers through in-house research, through submissions made directly to our Bug Bounty Program, and by monitoring a range of sources to capture all publicly available WordPress vulnerability information and add additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (February 3, 2025 to February 9, 2025) appeared first on Wordfence.
