Wordfence Intelligence Weekly WordPress Vulnerability Report (April 14, 2025 to April 20, 2025)


📢 In case you missed it, Wordfence just published its annual WordPress security report for 2024. Read it now to learn more about the evolving risk landscape of WordPress so you can keep your sites protected in 2025 and beyond.  


Last week, 252 vulnerabilities were disclosed in 215 WordPress plugins and 15 WordPress themes and added to the Wordfence Intelligence Vulnerability Database, with 56 vulnerability researchers contributing to WordPress security. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to implement layered security, in line with our overarching mission to secure WordPress with defense-in-depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we publish this weekly vulnerability report.

Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 25,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this one, along with important WordPress security reports, in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

  • WAF-RULE-821 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 137
Unpatched 115

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 1
Medium Severity 179
High Severity 42
Critical Severity 30

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 79
Cross-Site Request Forgery (CSRF) 44
Missing Authorization 35
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 21
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 17
Deserialization of Untrusted Data 12
Unrestricted Upload of File with Dangerous Type 10
Exposure of Sensitive Information to an Unauthorized Actor 8
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 6
Improper Privilege Management 6
Improper Control of Generation of Code (‘Code Injection’) 4
URL Redirection to Untrusted Site (‘Open Redirect’) 4
Authorization Bypass Through User-Controlled Key 2
Improper Validation of Integrity Check Value 2
External Control of File Name or Path 1
Incorrect Authorization 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
johska 22
stealthcopter 18
muhammad yudha 17
Trương Hữu Phúc (truonghuuphuc) 17
Nguyen Xuan Chien 14
LVT-tholv2k 13
Bonds 13
0xd4rk5id3 11
astra.r3verii 9
Nabil Irawan 8
Le Ngoc Anh 8
Ananda Dhakal 7
theviper17y 6
João Pedro Soares de Alcântara 6
Kévin Mosbahi (Mika) 6
Dimas Maulana 5
Peter Thaleikis 5
Aiden (Thái An) 5
Asaf Mozes 4
Phan Trong Quan 4
Webbernaut 4
Nguyễn Trung Kiên 4
zaim 3
lucky_buddy 3
Skalucy 3
Brian Sans-Souci (liardom) 2
the sneaky squirrel 2
SOPROBRO 2
wesley (wcraft) 2
nquangit 2
Phat RiO – BlueRock 2
ch4r0n 2
chuck 2
khanhhnahk1 1
Foxyyy 1
broccoli 1
zer0gh0st 1
Doan Dinh Van 1
haidv35 1
Deltree 1
Tran Nguyen Bao Khanh 1
Carlos Ferreira 1
Muhamad Visat 1
Alyudin Nafiie 1
ayato 1
Pham Van Phuoc 1
domiee13 1
Tim Coen 1
Abdi Pranata 1
tahu.datar 1
Yassine Neggaoui (Y45NG) 1
Affan Ali 1
Arshid KV 1
siavashvafshar 1
Rafie Muhammad 1
Prissy 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
ActiveDEMAND activedemand
Add to Header add-to-header
Administrator Z administrator-z
AdminQuickbar adminquickbar
Advanced Dynamic Pricing for WooCommerce advanced-dynamic-pricing-for-woocommerce
AI Text to Speech – TTS Plugin For WordPress ai-text-to-speech
All push notification for WP all-push-notification
Amazon Showcase WordPress Plugin amazon-showcase-wordpress-widget
AnalyticsWP analyticswp
Anthologize anthologize
Arigato Autoresponder and Newsletter bft-autoresponder
Asgaros Forum asgaros-forum
Attendance Manager attendance-manager
Author WIP Progress Bar author-work-in-progress-bar
Avatar avatar
Barcode Generator for WooCommerce – Show barcodes on products, orders, invoices and other pages embedding-barcodes-into-product-pages-and-orders
Basic Interactive World Map basic-interactive-world-map
bbPress2 shortcode whitelist bbpress2-shortcode-whitelist
BERTHA AI. Your AI co-pilot for WordPress and Chrome bertha-ai-free
Bknewsticker bknewsticker
BMA Lite – Appointment Booking and Scheduling Plugin bma-lite-appointment-booking-and-scheduling
Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment booking-and-rental-manager-for-woocommerce
Booster Plus for WooCommerce booster-plus-for-woocommerce
Bring Fraktguiden for WooCommerce bring-fraktguiden-for-woocommerce
Broken Links Remover broken-links-remover
BruteGuard – Brute Force Login Protection bruteguard
Bulk Page Stub Creator bulk-page-stub-creator
Bulk Term Editor bulk-term-editor
Checkout Files Upload for WooCommerce checkout-files-upload-woocommerce
Checkout for PayPal checkout-for-paypal
Church Admin church-admin
CLEVER – HTML5 Radio Player With History – Shoutcast and Icecast – Elementor Widget Addon elementor_widget_clever_radio_player
Cloak Front End Email cloak-front-end-email
Conditional Payments for WooCommerce conditional-payments-for-woocommerce
Conditional Shipping for WooCommerce conditional-shipping-for-woocommerce
Contact Form 7 contact-form-7
Contact Form by Supsystic contact-form-by-supsystic
Contact Form vCard Generator contact-form-vcard-generator
Contact Form, Drag and Drop Form Builder Plugin – Live Forms liveforms
Cost Calculator Builder cost-calculator-builder
Coupon Affiliates – Affiliate Plugin for WooCommerce woo-coupon-usage
Course Booking System course-booking-system
CRM Perks – WordPress HelpDesk Integration – Zendesk, Freshdesk, HelpScout support-x
CRUDLab Scroll to Top crudlab-scroll-to-top
Custom CSS, JS & PHP custom-css
Dashboard Notepads dashboard-notepads
Dashi dashi
Debug Log Manager debug-log-manager
Directory Listings WordPress plugin – uListing ulisting
Docket Cache – Object Cache Accelerator docket-cache
Download Manager download-manager
Dynamic Post dynamic-post
Editor Wysiwyg Background Color editor-wysiwyg-background-color
Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder bdthemes-element-pack-lite
ElementsReady Addons for Elementor element-ready-lite
Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders essential-addons-for-elementor-lite
Event Espresso – Custom Email Template Shortcode email-shortcode
Event Manager, Events Calendar, Tickets, Registrations – Eventin wp-event-solution
Ever Accounting – WordPress Accounting and Invoice Plugin wp-ever-accounting
Fast eBay Listings fast-ebay-listings
Feedify – Web Push Notifications push-notification-by-feedify
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder fluentform
FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration fluent-boards
FluentCommunity – Ultra-Fast High-Performance Social Network, Community, LMS & Online Courses Plugin fluent-community
Forminator Forms – Contact Form, Payment Form & Custom Form Builder forminator
FS Poster – WordPress Social media Auto Poster & Scheduler [Facebook, Instagram, Twitter, Pinterest] fs-poster
GoodBarber goodbarber
Gravity Forms CSS Themes with Fontawesome and Placeholders gravity-forms-css-themes-with-fontawesome-and-placeholder-support
HelpGent – The Ultimate Form Builder & TypeForm Alternative on WordPress | Craft Conversational Multi Step Form with Video, Voice, Screen Recording, & Text Messaging helpgent
Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress hive-support
hockeydata LOS hockeydata-los
Hostel hostel
Hotel Booking nd-booking
HTML5 Audio Player- Best WordPress Audio Player Plugin html5-audio-player
I Draw idraw
illow – Cookies Consent lgpd-compliant-cookie-banner
Insert Headers And Footers wp-headers-and-footers
Integration for WooCommerce and QuickBooks wp-woocommerce-quickbooks
IP2Location Variables ip2location-variables
JetBlocks for Elementor jet-blocks
JetBlog for Elementor jet-blog
JetElements jet-elements
JetMenu for Elementor jet-menu
JetPopup jet-popup
JetReviews for Elementor jet-reviews
JetTabs for Elementor jet-tabs
JetTricks for Elementor jet-tricks
JetWooBuilder for Elementor jet-woo-builder
JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin jobwp
JS Job Manager js-jobs
Kadence WooCommerce Email Designer kadence-woocommerce-email-designer
Kata Plus – Addons for Elementor – Widgets, Extensions and Templates kata-plus
KiotViet Sync kiotvietsync
LA-Studio Element Kit for Elementor lastudio-element-kit
Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages landing-page-cat
Listdom – Business Directory and Classified Ads Listings WordPress Plugin listdom
Local Magic local-magic
Login Manager – Design Login Page, View Login Activity, Limit Login Attempts customized-login
Logo Carousel Gutenberg Block awesome-logo-carousel-block
Logo Carousel Slider logo-carousel-slider
Macro Calculator with Admin Email Optin & Data macro-admin-email-data-optin-calculator
MapSVG – Vector maps, Image maps, Google Maps mapsvg-lite-interactive-vector-maps
Master Slider – Responsive Touch Slider master-slider
Material Dashboard material-dashboard
Mediavine Control Panel mediavine-control-panel
MelaPress Login Security melapress-login-security
Memberpress memberpress
Membership For WooCommerce membership-for-woocommerce
mLanguage mlanguage
modal-survey modal-survey
Most And Least Read Posts Widget most-and-least-read-posts-widget
Movylo Marketing Automation movylo-widget
My auctions allegro my-auctions-allegro-free-edition
My Marginalia my-marginalia
Name Directory name-directory
Office Locator office-locator
OTP-less one tap Sign in otpless
Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category and more password-protected
Payment Form for PayPal Pro payment-form-for-paypal-pro
PDF 2 Post pdf2post
Piotnet Addons For Elementor piotnet-addons-for-elementor
ProfileGrid – User Profiles, Groups and Communities profilegrid-user-profiles-groups-and-communities
Projectopia – WordPress Project Management projectopia-core
Property Hive propertyhive
Quentn WP quentn-wp
Question Answer question-answer
Rating by BestWebSoft rating-bws
Real Estate Manager – Property Listing and Agent Management real-estate-manager
Rescue Shortcodes rescue-shortcodes
Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates responsive-addons-for-elementor
Responsive Blocks – WordPress Gutenberg Blocks responsive-block-editor-addons
Review Wave – Google Places Reviews review-wave-google-places-reviews
Revision Diet revision-diet
Right Click Disable OR Ban right-click-disable-or-ban
Royal Elementor Addons and Templates royal-elementor-addons
RSS Manager rss-manager
Run Contests, Raffles, and Giveaways with ContestsWP contest-code-checker
SB Chart block sb-chart-block
Scriptless Social Sharing scriptless-social-sharing
Sell access, Automate, and add Engaging Exclusive Discord Access: Introducing the MemberPress Discord Addon — Elevate Your Community! expresstechsoftwares-memberpress-discord-add-on
ShopApper: Mobile App for WooCommerce mobile-app-for-woocommerce
Sign-up Sheets sign-up-sheets
Simple Maps interactive-maps
Simple Sitemap – Create a Responsive HTML Sitemap simple-sitemap
Site Search 360 site-search-360
Smart Agreements smart-agreements
Social Media Links social-media-links
Social Sharing Plugin – Sassy Social Share sassy-social-share
spam-stopper spam-stopper
Starfish Review Generation & Marketing for WordPress starfish-reviews
StoreContrl Woocommerce storecontrl-wp-connection
Style Manager – Auto-magical system to style your entire WordPress site style-manager
Subscribe to Unlock Lite – Opt In Content Locker Plugin for WordPress subscribe-to-unlock-lite
Super Store Finder superstorefinder-wp
Széchenyi 2020 Logo szechenyi-2020-logo
T&P Gallery Slider tp-gallery-slider
TableOn – WordPress Posts Table Filterable posts-table-filterable
Target Video Easy Publish brid-video-easy-publish
Taskbuilder – WordPress Project & Task Management plugin taskbuilder
Team Members – Best WordPress Team Plugin with Team Slider, Team Showcase & Team Builder wps-team
Testimonial Slider And Showcase Pro testimonial-slider-showcase-pro
Theme Changer theme-changer
Themesflat Addons For Elementor themesflat-addons-for-elementor
Themify Shortcodes themify-shortcodes
Total processing card payments for WooCommerce totalprocessing-card-payments
Tour Master – Tour Booking, Travel, Hotel tourmaster
Tourfic Toolkit travelfic-toolkit
translit it! translit-it
TS Poll – Survey, Versus Poll, Image Poll, Video Poll poll-wp
TuriTop Booking System turitop-booking-system
Uix Shortcodes uix-shortcodes
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin ultimate-member
Ultimate Store Kit – Elementor powered WooCommerce Builder, 80+ Widgets and Template Builder ultimate-store-kit
Unlimited Timeline unlimited-timeline
UrbanGo Membership urbango-membership
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor profile-builder
User Registration PRO – Custom Registration Form, Login Form, and User Profile WordPress Plugin user-registration-pro
Verge3D Publishing and E-Commerce verge3d
Verowa Connect verowa-connect
visucom-smart-sections visucom-smart-sections
Vitepos – Point of sale (POS) plugin for WooCommerce vitepos-lite
Web Directory Free web-directory-free
WooCommerce – Social Login woo-social-login
WooCommerce Builder & Gutenberg WooCommerce Blocks – WowStore product-blocks
WooCommerce Products without featured images woocommerce-products-without-featured-images
WooMS wooms
WordPress Button Plugin MaxButtons maxbuttons
WordPress Internal Link Optimiser internal-link-finder
WordPress REST API Authentication wp-rest-api-authentication
WordPress Video Robot – The Ultimate Video Importer wp-video-robot
WordPress WP-Advanced-Search wp-advanced-search
WP Data Access – App, Table, Form, Chart & Map Builder plugin wp-data-access
WP Donate wp-donate
WP Editor wp-editor
WP Flipclock wp-flipclock
WP Logger wp-data-logger
WP Post to PDF Enhanced wp-post-to-pdf-enhanced
WP Posts Carousel wp-posts-carousel
WP Simple Booking Calendar wp-simple-booking-calendar
WP Social Bookmarking wp-social-bookmarking
WP STAGING Pro WordPress Backup Plugin wp-staging-pro
WP Sticky Side Buttons wp-sticky-side-buttons
WP Tools Increase Maximum Limits, Repair, Server PHP Info, Javascript errors, File Permissions, Transients, Error Log wptools
WP Twitter Button wp-twitter-button
wp-google-map-gold wp-google-map-gold
WP_DEBUG Toggle enable-wp-debug-toggle
WPAdverts – Classifieds Plugin wpadverts
WPAMS – Apartment Management System for wordpress apartment-management
WPCafe: Food Menu, Ordering, Reservation, and Delivery Solution – All in One Place! wp-cafe
WPCasa wpcasa
WPCOM Member wpcom-member
wpLike2Get wplike2get
wpt-whatsapp wpt-whatsapp
Xelion Webchat xelion-webchat
ZooEffect Plugin for Video player, Photo Gallery Slideshow jQuery and audio / music / podcast – HTML5 1-jquery-photo-gallery-slideshow-flash

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
AI Hub – Startup & Technology WordPress Theme aihub
Betheme betheme
Celestial Aura celestial-aura
Dessau – Contemporary Theme for Architects and Interior Designers dessau
Dør – Modern Architecture and Interior Design Theme dor
Eduma eduma
Eximius eximius
Foton – Software and App Landing Page Theme foton
Grand Restaurant WordPress grandrestaurant
Grip grip
IvyPrep – Education & School WordPress Theme ivy-school
Real Estate 7 WordPress realestate-7
Sirat sirat
Tastyc – Cafe Restaurant Theme tastyc
Wanderland – Travel Blog wanderland

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site with the scanner enabled, you should already have been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to use.

AIHub <= 1.3.7 – Unauthenticated Arbitrary File Upload in generate_image
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-1093
Patch Status: Patched
Published: Apr 18, 2025
Affected Software: AI Hub – Startup & Technology WordPress Theme
Researcher: Foxyyy

Dessau < 1.9 – Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-39463
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Dessau – Contemporary Theme for Architects and Interior Designers
Researcher: Bonds

Docket Cache <= 24.07.02 – Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-39461
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Docket Cache – Object Cache Accelerator
Researcher: Dimas Maulana

Dør <= 2.4 – Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-39466
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Dør – Modern Architecture and Interior Design Theme
Researcher: Bonds

FluentBoards <= 1.47 – Unauthenticated PHP Object Injection
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-39551
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration
Researcher: Trương Hữu Phúc (truonghuuphuc)

FluentCommunity <= 1.2.15 – Unauthenticated PHP Object Injection
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-39550
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: FluentCommunity – Ultra-Fast High-Performance Social Network, Community, LMS & Online Courses Plugin
Researcher: Trương Hữu Phúc (truonghuuphuc)

Foton <= 2.5.2 – Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-39458
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Foton – Software and App Landing Page Theme
Researcher: Bonds

Grip <= 1.0.9 – Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-26735
Patch Status: Unpatched
Published: Apr 14, 2025
Affected Software: Grip
Researcher: tahu.datar

HelpGent <= 2.2.4 – Unauthenticated PHP Object Injection
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-32658
Patch Status: Unpatched
Published: Apr 16, 2025
Affected Software: HelpGent – The Ultimate Form Builder & TypeForm Alternative on WordPress | Craft Conversational Multi Step Form with Video, Voice, Screen Recording, & Text Messaging
Researcher: LVT-tholv2k

hockeydata LOS <= 1.2.4 – Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-26889
Patch Status: Unpatched
Published: Apr 15, 2025
Affected Software: hockeydata LOS
Researcher: Dimas Maulana

Hotel Booking <= 3.6 – Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-39526
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Hotel Booking
Researcher: LVT-tholv2k

IvyPrep <= 1.6.0 – Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-39470
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: IvyPrep – Education & School WordPress Theme
Researcher: Bonds

JS Job Manager <= 2.0.2 – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-32660
Patch Status: Unpatched
Published: Apr 14, 2025
Affected Software: JS Job Manager
Researcher: LVT-tholv2k

Kata Plus <= 1.5.2 – Unauthenticated PHP Object Injection
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-32572
Patch Status: Unpatched
Published: Apr 15, 2025
Affected Software: Kata Plus – Addons for Elementor – Widgets, Extensions and Templates
Researcher: Le Ngoc Anh

Material Dashboard <= 1.4.6 – Unauthenticated Privilege Escalation
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-32486
Patch Status: Patched
Published: Apr 14, 2025
Affected Software: Material Dashboard
Researcher: astra.r3verii

Modal Survey <= 2.0.2.0.1 – Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-39468
Patch Status: Unpatched
Published: Apr 16, 2025
Affected Software: modal-survey
Researcher: Bonds

Projectopia <= 5.1.16 – Unauthenticated Privilege Escalation via Account Takeover
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-32648
Patch Status: Unpatched
Published: Apr 14, 2025
Affected Software: Projectopia – WordPress Project Management
Researcher: astra.r3verii

Quentn WP <= 1.2.8 – Unauthenticated Privilege Escalation
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-39596
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Quentn WP
Researcher: Le Ngoc Anh

Real Estate 7 <= 3.5.2 – Unauthenticated Privilege Escalation
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-39459
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Real Estate 7 WordPress
Researcher: Ananda Dhakal

Real Estate Manager <= 7.3 – Unauthenticated Remote Code Execution
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-32596
Patch Status: Unpatched
Published: Apr 15, 2025
Affected Software: Real Estate Manager – Property Listing and Agent Management
Researcher: theviper17y

Smart Agreements <= 1.0.3 – Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-39462
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Smart Agreements
Researcher: Dimas Maulana

Smart Sections Theme Builder – WPBakery Page Builder Addon <= 1.7.8 – Unauthenticated PHP Object Injection
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-39410
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: visucom-smart-sections
Researcher: Bonds

Széchenyi 2020 Logo <= 1.1 – Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-39429
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Széchenyi 2020 Logo
Researcher: Nguyen Xuan Chien

Tastyc < 2.5.2 – Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-27010
Patch Status: Patched
Published: Apr 15, 2025
Affected Software: Tastyc – Cafe Restaurant Theme
Researcher: Bonds

Ultimate Store Kit Elementor Addons <= 2.4.0 – Unauthenticated PHP Object Injection
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-39588
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Ultimate Store Kit – Elementor powered WooCommerce Builder, 80+ Widgets and Template Builder
Researcher: domiee13

UrbanGo Membership <= 1.0.4 – Unauthenticated Privilege Escalation
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-3278
Patch Status: Patched
Published: Apr 18, 2025
Affected Software: UrbanGo Membership
Researcher: Alyudin Nafiie

Wanderland <= 1.7.1 – Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-39467
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Wanderland – Travel Blog
Researcher: Bonds

WhatsApp Click to Chat Plugin for WordPress <= 2.2.12 – Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-39411
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: wpt-whatsapp
Researcher: Bonds

WPAMS <= 44.0 – Unauthenticated Local File Inclusion
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-39406
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: WPAMS – Apartment Management System for wordpress
Researcher: Aiden (Thái An)

WPAMS <= 44.0 (17-08-2023) – Unauthenticated Arbitrary File Upload
CVSS Rating: Critical (9.8)
CVE-ID: CVE-2025-39401
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: WPAMS – Apartment Management System for wordpress
Researcher: Trương Hữu Phúc (truonghuuphuc)

Celestial Aura <= 2.2 – Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-26892
Patch Status: Unpatched
Published: Apr 14, 2025
Affected Software: Celestial Aura
Researcher: stealthcopter

Custom CSS, JS & PHP <= 2.4.1 – Cross-Site Request Forgery to Remote Code Execution
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-39601
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Custom CSS, JS & PHP
Researcher: Nguyen Xuan Chien

Download Manager <= 3.3.12 – Authenticated (Author+) Arbitrary File Deletion
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-3404
Patch Status: Patched
Published: Apr 18, 2025
Affected Software: Download Manager
Researchers: Brian Sans-Souci (liardom), the sneaky squirrel

Eventin <= 4.0.25 – Authenticated (Contributor+) Local File Inclusion
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-39584
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Event Manager, Events Calendar, Tickets, Registrations – Eventin
Researcher: theviper17y

Eximius <= 2.2 – Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-26872
Patch Status: Unpatched
Published: Apr 14, 2025
Affected Software: Eximius
Researcher: stealthcopter

I Draw <= 1.0 – Authenticated (Author+) Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-39436
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: I Draw
Researcher: johska

JetReviews <= 2.3.6 – Authenticated (Contributor+) Local File Inclusion
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-39396
Patch Status: Patched
Published: Apr 18, 2025
Affected Software: JetReviews for Elementor
Researcher: stealthcopter

MapSVG Lite <= 8.5.34 – Authenticated (Contributor+) Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-32682
Patch Status: Unpatched
Published: Apr 15, 2025
Affected Software: MapSVG – Vector maps, Image maps, Google Maps
Researcher: Nguyễn Trung Kiên

PDF 2 Post <= 2.4.0 – Authenticated (Subscriber+) Remote Code Execution
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-32583
Patch Status: Unpatched
Published: Apr 15, 2025
Affected Software: PDF 2 Post
Researcher: Le Ngoc Anh

Question Answer <= 1.2.70 – Authenticated (Subscriber+) PHP Object Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-32647
Patch Status: Unpatched
Published: Apr 14, 2025
Affected Software: Question Answer
Researcher: LVT-tholv2k

Rating by BestWebSoft <= 1.7 – Authenticated (Subscriber+) PHP Object Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-39527
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Rating by BestWebSoft
Researcher: Le Ngoc Anh

Starfish Review Generation & Marketing <= 3.1.14 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-39533
Patch Status: Unpatched
Published: Apr 16, 2025
Affected Software: Starfish Review Generation & Marketing for WordPress
Researcher: LVT-tholv2k

Subscribe to Unlock Lite <= 1.3.0 – Authenticated (Contributor+) Local File Inclusion
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-39592
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Subscribe to Unlock Lite – Opt In Content Locker Plugin for WordPress
Researcher: LVT-tholv2k

Team Members <= 3.4.1 – Authenticated (Contributor+) PHP Object Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-32686
Patch Status: Unpatched
Published: Apr 15, 2025
Affected Software: Team Members – Best WordPress Team Plugin with Team Slider, Team Showcase & Team Builder
Researcher: Phat RiO – BlueRock

Testimonial Slider And Showcase Pro <= 2.1.7 – Authenticated (Subscriber+) Local File Inclusion
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-32657
Patch Status: Unpatched
Published: Apr 14, 2025
Affected Software: Testimonial Slider And Showcase Pro
Researcher: LVT-tholv2k

TuriTop Booking System <= 1.0.10 – Authenticated (Subscriber+) PHP Object Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-32571
Patch Status: Unpatched
Published: Apr 14, 2025
Affected Software: TuriTop Booking System
Researcher: LVT-tholv2k

uListing <= 2.2.0 – Authenticated (Subscriber+) PHP Object Injection
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-32662
Patch Status: Unpatched
Published: Apr 15, 2025
Affected Software: Directory Listings WordPress plugin – uListing
Researcher: Phat RiO – BlueRock

WPAMS <= 44.0 (17-08-2023) – Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-39402
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: WPAMS – Apartment Management System for wordpress
Researcher: Trương Hữu Phúc (truonghuuphuc)

WPAMS <= 44.0 (17-08-2023) – Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-39405
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: WPAMS – Apartment Management System for wordpress
Researcher: Aiden (Thái An)

WPCafe <= 2.2.32 – Authenticated (Contributor+) Local File Inclusion
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-39452
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: WPCafe: Food Menu, Ordering, Reservation, and Delivery Solution – All in One Place!
Researcher: theviper17y

WPCOM Member <= 1.7.7 – Authenticated (Contributor+) Local File Inclusion
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-39570
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: WPCOM Member
Researcher: astra.r3verii

Xelion Webchat <= 9.1.0 – Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: High (8.8)
CVE-ID: CVE-2025-39542
Patch Status: Unpatched
Published: Apr 16, 2025
Affected Software: Xelion Webchat
Researcher: LVT-tholv2k

Avatar <= 0.1.4 – Authenticated (Subscriber+) Arbitrary File Deletion
CVSS Rating: High (8.1)
CVE-ID: CVE-2025-3520
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Avatar
Researcher: theviper17y

CLEVER – HTML5 Radio Player With History – Shoutcast and Icecast – Elementor Widget Addon <= 2.4 – Unauthenticated Arbitrary File Read
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-3103
Patch Status: Patched
Published: Apr 18, 2025
Affected Software: CLEVER – HTML5 Radio Player With History – Shoutcast and Icecast – Elementor Widget Addon
Researcher: khanhhnahk1

Cost Calculator Builder <= 3.2.65 – Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-39587
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Cost Calculator Builder
Researcher: Trương Hữu Phúc (truonghuuphuc)

JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin <= 2.3.9 – Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-2010
Patch Status: Patched
Published: Apr 18, 2025
Affected Software: JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin
Researcher: stealthcopter

JS Job Manager <= 2.0.2 – Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-32626
Patch Status: Unpatched
Published: Apr 15, 2025
Affected Software: JS Job Manager
Researcher: Trương Hữu Phúc (truonghuuphuc)

Local Magic <= 2.6.0 – Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-32636
Patch Status: Unpatched
Published: Apr 14, 2025
Affected Software: Local Magic
Researcher: LVT-tholv2k

Modal Survey <= 2.0.2.0.1 – Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-39471
Patch Status: Unpatched
Published: Apr 16, 2025
Affected Software: modal-survey
Researcher: Bonds

Office Locator <= 1.3.0 – Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-32665
Patch Status: Unpatched
Published: Apr 15, 2025
Affected Software: Office Locator
Researcher: Trương Hữu Phúc (truonghuuphuc)

Quentn WP <= 1.2.8 – Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-39595
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Quentn WP
Researcher: Le Ngoc Anh

StoreContrl Woocommerce <= 4.1.3 – Unauthenticated Arbitrary File Download
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-39568
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: StoreContrl Woocommerce
Researcher: astra.r3verii

Super Store Finder <= 7.2 – Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-39445
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Super Store Finder
Researcher: Nguyễn Trung Kiên

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin <= 2.10.1 – Unauthenticated Blind SQL Injection
CVSS Rating: High (7.5)
CVE-ID: Unknown
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
Researcher: Muhamad Visat

WP Headers And Footers <= 3.1.1 – Cross-Site Request Forgery to Arbitrary Options Update
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-2111
Patch Status: Patched
Published: Apr 18, 2025
Affected Software: Insert Headers And Footers
Researcher: Carlos Ferreira

WPAMS <= 44.0 (17-08-2023) – Unauthenticated SQL Injection
CVSS Rating: High (7.5)
CVE-ID: CVE-2025-39395
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: WPAMS – Apartment Management System for wordpress
Researcher: Aiden (Thái An)

Debug Log Manager <= 2.3.4 – Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-3809
Patch Status: Patched
Published: Apr 18, 2025
Affected Software: Debug Log Manager
Researcher: Yassine Neggaoui (Y45NG)

Kadence WooCommerce Email Designer <= 1.5.14 – Authenticated (Admin+) Arbitrary File Upload
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-39557
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Kadence WooCommerce Email Designer
Researcher: Phan Trong Quan

MelaPress Login Security <= 2.1.0 – Authenticated (Administrator+) PHP Object Injection
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-39565
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: MelaPress Login Security
Researcher: Phan Trong Quan

T&P Gallery Slider <= 1.2 – Unauthenticated Stored Cross-Site Scripting
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-32527
Patch Status: Unpatched
Published: Apr 14, 2025
Affected Software: T&P Gallery Slider
Researcher: Kévin Mosbahi (Mika)

WP Editor <= 1.2.9.1 – Authenticated (Administrator+) Directory Traversal to Arbitrary File Update
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-3294
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: WP Editor
Researcher: nquangit

WP-Advanced-Search <= 3.3.9.3 – Authenticated (Admin+) Arbitrary File Upload
CVSS Rating: High (7.2)
CVE-ID: CVE-2025-39538
Patch Status: Unpatched
Published: Apr 16, 2025
Affected Software: WordPress WP-Advanced-Search
Researcher: Nabil Irawan

Editor Wysiwyg Background Color <= 1.0 – Missing Authorization
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-23958
Patch Status: Unpatched
Published: Apr 16, 2025
Affected Software: Editor Wysiwyg Background Color
Researcher: Kévin Mosbahi (Mika)

KiotViet Sync <= 1.8.3 – Authenticated (Subscriber+) SQL Injection
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-32573
Patch Status: Unpatched
Published: Apr 15, 2025
Affected Software: KiotViet Sync
Researcher: Le Ngoc Anh

ProfileGrid <= 5.9.4.8 – Authenticated (Subscriber+) SQL Injection
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-39586
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: ProfileGrid – User Profiles, Groups and Communities
Researcher: Trương Hữu Phúc (truonghuuphuc)

Sign-up Sheets <= 2.3.0.1 – Unauthenticated Arbitrary Shortcode Execution
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-26996
Patch Status: Patched
Published: Apr 15, 2025
Affected Software: Sign-up Sheets
Researcher: Phan Trong Quan

Taskbuilder <= 4.0.1 – Authenticated (Subscriber+) SQL Injection
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-39569
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Taskbuilder – WordPress Project & Task Management plugin
Researcher: astra.r3verii

WP Tools <= 5.18 – Cross-Site Request Forgery to Arbitrary File Renaming
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-39544
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: WP Tools Increase Maximum Limits, Repair, Server PHP Info, Javascript errors, File Permissions, Transients, Error Log
Researcher: chuck

WPAMS <= 44.0 (17-08-2023) – Authenticated (Subscriber+) SQL Injection
CVSS Rating: Medium (6.5)
CVE-ID: CVE-2025-39403
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: WPAMS – Apartment Management System for wordpress
Researcher: Aiden (Thái An)

Asgaros Forum <= 3.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39514
Patch Status: Unpatched
Published: Apr 16, 2025
Affected Software: Asgaros Forum
Researcher: muhammad yudha

Attendance Manager <= 0.6.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39515
Patch Status: Unpatched
Published: Apr 16, 2025
Affected Software: Attendance Manager
Researcher: muhammad yudha

Author WIP Progress Bar <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39516
Patch Status: Unpatched
Published: Apr 16, 2025
Affected Software: Author WIP Progress Bar
Researcher: muhammad yudha

Betheme <= 28.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-3077
Patch Status: Patched
Published: Apr 15, 2025
Affected Software: Betheme
Researcher: Webbernaut

Checkout Files Upload for WooCommerce <= 2.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39520
Patch Status: Unpatched
Published: Apr 16, 2025
Affected Software: Checkout Files Upload for WooCommerce
Researcher: muhammad yudha

Checkout for PayPal <= 1.0.38 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39572
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Checkout for PayPal
Researcher: muhammad yudha

Church Admin <= 5.0.23 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39555
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Church Admin
Researcher: zaim

Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) <= 5.10.28 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-1457
Patch Status: Patched
Published: Apr 18, 2025
Affected Software: Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder
Researcher: Webbernaut

Essential Addons for Elementor <= 6.1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39590
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Researcher: stealthcopter

Fluent Forms <= 6.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-3615
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
Researcher: Asaf Mozes

Forminator <= 1.42.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘limit’
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-3487
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Researcher: Asaf Mozes

Html5 Audio Player <= 2.2.28 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39524
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: HTML5 Audio Player- Best WordPress Audio Player Plugin
Researcher: muhammad yudha

JetElements For Elementor <= 2.7.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39448
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: JetElements
Researcher: stealthcopter

JetTabs <= 2.2.7 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39450
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: JetTabs for Elementor
Researcher: stealthcopter

LA-Studio Element Kit for Elementor <= 1.4.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Table of Contents Widget
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-3106
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: LA-Studio Element Kit for Elementor
Researcher: Webbernaut

Logo Carousel Gutenberg Block <= 2.1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via sliderId Parameter
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-2083
Patch Status: Patched
Published: Apr 14, 2025
Affected Software: Logo Carousel Gutenberg Block
Researcher: Peter Thaleikis

Logo Carousel Slider <= 2.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39525
Patch Status: Unpatched
Published: Apr 16, 2025
Affected Software: Logo Carousel Slider
Researcher: muhammad yudha

Membership For WooCommerce <= 2.8.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39579
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Membership For WooCommerce
Researcher: zaim

Most And Least Read Posts Widget <= 2.5.20 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39549
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Most And Least Read Posts Widget
Researcher: muhammad yudha

Piotnet Addons For Elementor <= 2.4.34 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-13650
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Piotnet Addons For Elementor
Researcher: zer0gh0st

PropertyHive <= 2.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39577
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Property Hive
Researcher: muhammad yudha

Rescue Shortcodes <= 3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39528
Patch Status: Unpatched
Published: Apr 16, 2025
Affected Software: Rescue Shortcodes
Researcher: muhammad yudha

Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates <= 1.6.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘rael_title_tag’
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-2225
Patch Status: Patched
Published: Apr 14, 2025
Affected Software: Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates
Researcher: Prissy

Responsive Blocks <= 2.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39578
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Responsive Blocks – WordPress Gutenberg Blocks
Researcher: zaim

Royal Elementor Addons <= 1.3.977 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39543
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Royal Elementor Addons and Templates
Researcher: stealthcopter

SB Chart block <= 1.2.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-3661
Patch Status: Patched
Published: Apr 18, 2025
Affected Software: SB Chart block
Researcher: Peter Thaleikis

Scriptless Social Sharing <= 3.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39529
Patch Status: Unpatched
Published: Apr 16, 2025
Affected Software: Scriptless Social Sharing
Researcher: muhammad yudha

Themesflat Addons For Elementor <= 2.2.5 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-3275
Patch Status: Patched
Published: Apr 18, 2025
Affected Software: Themesflat Addons For Elementor
Researcher: Webbernaut

Themify Shortcodes <= 2.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39581
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Themify Shortcodes
Researcher: Peter Thaleikis

Travelfic Toolkit <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39585
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Tourfic Toolkit
Researcher: João Pedro Soares de Alcântara

Uix Shortcodes <= 2.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39574
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Uix Shortcodes
Researcher: muhammad yudha

User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.13.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-2314
Patch Status: Patched
Published: Apr 15, 2025
Affected Software: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Researcher: muhammad yudha

WP Data Access <= 5.5.36 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39582
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: WP Data Access – App, Table, Form, Chart & Map Builder plugin
Researcher: Peter Thaleikis

WP Flipclock <= 1.9 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39540
Patch Status: Unpatched
Published: Apr 16, 2025
Affected Software: WP Flipclock
Researcher: theviper17y

WP Posts Carousel <= 1.3.10 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39573
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: WP Posts Carousel
Researcher: muhammad yudha

WPAdverts <= 2.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39576
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: WPAdverts – Classifieds Plugin
Researcher: muhammad yudha

WPCasa <= 1.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-39575
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: WPCasa
Researcher: muhammad yudha

Add to Header <= 1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39423
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Add to Header
Researcher: johska

AdminQuickbar <= 1.9.1 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39464
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: AdminQuickbar
Researcher: Dimas Maulana

All push notification for WP <= 1.5.3 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-32546
Patch Status: Unpatched
Published: Apr 14, 2025
Affected Software: All push notification for WP
Researcher: 0xd4rk5id3

Amazon Showcase WordPress Plugin <= 2.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39431
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Amazon Showcase WordPress Plugin
Researcher: johska

Arigato Autoresponder and Newsletter <= 2.7.2.4 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39594
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Arigato Autoresponder and Newsletter
Researcher: Le Ngoc Anh

Booster Plus for WooCommerce <= 7.2.4 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39446
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Booster Plus for WooCommerce
Researcher: Trương Hữu Phúc (truonghuuphuc)

Broken Links Remover <= 1.2.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39440
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Broken Links Remover
Researcher: johska

BruteGuard – Brute Force Login Protection <= 0.1.4 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39408
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: BruteGuard – Brute Force Login Protection
Researcher: 0xd4rk5id3

Bulk Page Stub Creator <= 1.1 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39519
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Bulk Page Stub Creator
Researcher: Nguyen Xuan Chien

Contact Form by Supsystic <= 1.7.29 – Cross-Site Request Forgery to Stored Cross-Site Scripting via saveAsCopy AJAX Action
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2024-13452
Patch Status: Patched
Published: Apr 15, 2025
Affected Software: Contact Form by Supsystic
Researcher: Tim Coen

Contact Form vCard Generator <= 2.4 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39521
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Contact Form vCard Generator
Researcher: Nguyen Xuan Chien

Coupon Affiliates – Affiliate Plugin for WooCommerce <= 6.3.0 – Reflected Cross-Site Scripting via ‘commission_summary’ Parameter
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-3598
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Coupon Affiliates – Affiliate Plugin for WooCommerce
Researcher: wesley (wcraft)

Course Booking System <= 6.1 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-32508
Patch Status: Unpatched
Published: Apr 14, 2025
Affected Software: Course Booking System
Researcher: LVT-tholv2k

CRM Perks <= 1.1.7 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39558
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: CRM Perks – WordPress HelpDesk Integration – Zendesk, Freshdesk, HelpScout
Researcher: 0xd4rk5id3

CRUDLab Scroll to Top <= 1.0.1 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-22774
Patch Status: Unpatched
Published: Apr 14, 2025
Affected Software: CRUDLab Scroll to Top
Researcher: João Pedro Soares de Alcântara

Dashboard Notepads <= 1.2.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39441
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Dashboard Notepads
Researcher: johska

Event Espresso – Custom Email Template Shortcode <= 1.0.0 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-32507
Patch Status: Unpatched
Published: Apr 14, 2025
Affected Software: Event Espresso – Custom Email Template Shortcode
Researcher: João Pedro Soares de Alcântara

Fast eBay Listings <= 2.12.15 – Open Redirect
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39597
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Fast eBay Listings
Researcher: Nguyen Xuan Chien

Feedify – Web Push Notifications <= 2.4.5 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-32540
Patch Status: Patched
Published: Apr 15, 2025
Affected Software: Feedify – Web Push Notifications
Researcher: João Pedro Soares de Alcântara

GoodBarber <= 1.0.26 – Open Redirect
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39523
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: GoodBarber
Researcher: Le Ngoc Anh

Hive Support <= 1.2.2 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-32666
Patch Status: Unpatched
Published: Apr 15, 2025
Affected Software: Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress
Researcher: Trương Hữu Phúc (truonghuuphuc)

Internal Link Optimiser <= 5.1.3 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39547
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: WordPress Internal Link Optimiser
Researcher: johska

KiotViet Sync <= 1.8.4 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39381
Patch Status: Unpatched
Published: Apr 18, 2025
Affected Software: KiotViet Sync
Researcher: Nguyen Xuan Chien

Landing Page Cat <= 1.7.8 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-26992
Patch Status: Patched
Published: Apr 14, 2025
Affected Software: Landing Page Cat – Coming Soon Page, Maintenance Page & Squeeze Pages
Researcher: Nguyen Xuan Chien

Listdom <= 4.0.0 – Open Redirect
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39599
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Listdom – Business Directory and Classified Ads Listings WordPress Plugin
Researcher: Nguyen Xuan Chien

Memberpress <= 1.11.37 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39407
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Memberpress
Researcher: 0xd4rk5id3

MemberPress Discord Addon <= 1.1.1 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-32605
Patch Status: Patched
Published: Apr 14, 2025
Affected Software: Sell access, Automate, and add Engaging Exclusive Discord Access: Introducing the MemberPress Discord Addon — Elevate Your Community!
Researcher: 0xd4rk5id3

Modal Survey <= 2.0.2.0.1 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39469
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: modal-survey
Researcher: Bonds

Movylo Marketing Automation <= 2.0.7 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-32608
Patch Status: Unpatched
Published: Apr 14, 2025
Affected Software: Movylo Marketing Automation
Researcher: 0xd4rk5id3

My Marginalia <= 1.0.6 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39435
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: My Marginalia
Researcher: johska

Nomupay Payment Processing Gateway <= 7.1.6 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-32513
Patch Status: Patched
Published: Apr 14, 2025
Affected Software: Total processing card payments for WooCommerce
Researcher: João Pedro Soares de Alcântara

OTP-less one tap Sign in <= 2.0.58 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-32622
Patch Status: Patched
Published: Apr 14, 2025
Affected Software: OTP-less one tap Sign in
Researcher: 0xd4rk5id3

Revision Diet <= 1.0.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39419
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Revision Diet
Researcher: johska

Right Click Disable OR Ban <= 1.1.17 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39548
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Right Click Disable OR Ban
Researcher: johska

RSS Manager <= 0.06 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39418
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: RSS Manager
Researcher: johska

Run Contests, Raffles, and Giveaways with ContestsWP <= 2.0.6 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-32634
Patch Status: Unpatched
Published: Apr 15, 2025
Affected Software: Run Contests, Raffles, and Giveaways with ContestsWP
Researcher: João Pedro Soares de Alcântara

Sassy Social Share <= 3.3.73 – Open Redirect
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39404
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Social Sharing Plugin – Sassy Social Share
Researcher: Affan Ali

ShopApper <= 0.4.39 – Unauthenticated Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-32638
Patch Status: Unpatched
Published: Apr 14, 2025
Affected Software: ShopApper: Mobile App for WooCommerce
Researcher: stealthcopter

Site Search 360 <= 2.1.7 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39530
Patch Status: Unpatched
Published: Apr 16, 2025
Affected Software: Site Search 360
Researcher: Nguyen Xuan Chien

Social Media Links <= 1.0.3 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39415
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Social Media Links
Researcher: johska

spam-stopper <= 3.1.3 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39414
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: spam-stopper
Researcher: johska

TableOn – WordPress Posts Table Filterable <= 1.0.3 – Unauthenticated Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-32592
Patch Status: Patched
Published: Apr 14, 2025
Affected Software: TableOn – WordPress Posts Table Filterable
Researcher: Abdi Pranata

Tourmaster < 5.4.1 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-32923
Patch Status: Patched
Published: Apr 15, 2025
Affected Software: Tour Master – Tour Booking, Travel, Hotel
Researcher: Bonds

translit it! <= 1.6 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39416
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: translit it!
Researcher: johska

Verowa Connect <= 3.0.4 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-32609
Patch Status: Patched
Published: Apr 14, 2025
Affected Software: Verowa Connect
Researcher: 0xd4rk5id3

Web Directory Free <= 1.7.8 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39567
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Web Directory Free
Researcher: astra.r3verii

WooMS <= 9.12 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-32602
Patch Status: Unpatched
Published: Apr 15, 2025
Affected Software: WooMS
Researcher: 0xd4rk5id3

WordPress Video Robot – The Ultimate Video Importer <= 1.20.0 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39409
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: WordPress Video Robot – The Ultimate Video Importer
Researcher: Bonds

WP Donate <= 2.0 – Unauthenticated Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-32637
Patch Status: Unpatched
Published: Apr 15, 2025
Affected Software: WP Donate
Researcher: johska

WP_DEBUG Toggle <= 1.1 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-32561
Patch Status: Unpatched
Published: Apr 14, 2025
Affected Software: WP_DEBUG Toggle
Researcher: SOPROBRO

WPAMS <= 44.0 (17-08-2023) – Unauthenticated Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39392
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: WPAMS – Apartment Management System for wordpress
Researcher: Aiden (Thái An)

ZooEffect <= 1.11 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-26954
Patch Status: Unpatched
Published: Apr 14, 2025
Affected Software: ZooEffect Plugin for Video player, Photo Gallery Slideshow jQuery and audio / music / podcast – HTML5
Researcher: Dimas Maulana

Gravity Forms CSS Themes with Fontawesome and Placeholders <= 8.5 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Rating: Medium (5.5)
CVE-ID: CVE-2025-39428
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Gravity Forms CSS Themes with Fontawesome and Placeholders
Researcher: Nabil Irawan

Download Manager <= 3.3.12 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
CVSS Rating: Medium (5.4)
CVE-ID: CVE-2025-3056
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Download Manager
Researcher: siavashvafshar

Target Video Easy Publish <= 3.8.5 – Authenticated (Subscriber+) Arbitrary Shortcode Execution
CVSS Rating: Medium (5.4)
CVE-ID: CVE-2025-32688
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Target Video Easy Publish
Researcher: Phan Trong Quan

ActiveDEMAND <= 0.2.46 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-39513
Patch Status: Unpatched
Published: Apr 16, 2025
Affected Software: ActiveDEMAND
Researcher: Trương Hữu Phúc (truonghuuphuc)

AI Text to Speech <= 3.0.3 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-39554
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: AI Text to Speech – TTS Plugin For WordPress
Researcher: Kévin Mosbahi (Mika)

AnalyticsWP <= 2.0.0 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-39388
Patch Status: Unpatched
Published: Apr 18, 2025
Affected Software: AnalyticsWP
Researcher: Trương Hữu Phúc (truonghuuphuc)

AnalyticsWP <= 2.1.2 – Unauthenticated Sensitive Information Exposure
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-39394
Patch Status: Unpatched
Published: Apr 18, 2025
Affected Software: AnalyticsWP
Researcher: Trương Hữu Phúc (truonghuuphuc)

Booking and Rental Manager <= 2.2.8 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-39457
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment
Researcher: LVT-tholv2k

Booking and Rental Manager <= 2.3.8 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-39390
Patch Status: Patched
Published: Apr 18, 2025
Affected Software: Booking and Rental Manager for Bike | Car | Resort | Appointment | Dress | Equipment
Researcher: LVT-tholv2k

Church Admin <= 5.0.9 – Unauthenticated Information Disclosure
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-39553
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Church Admin
Researcher: Kévin Mosbahi (Mika)

Cloak Front End Email <= 1.9.5 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-26968
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Cloak Front End Email
Researcher: muhammad yudha

Contact Form 7 <= 6.0.5 – Order Replay Vulnerability
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-3247
Patch Status: Patched
Published: Apr 15, 2025
Affected Software: Contact Form 7
Researcher: Asaf Mozes

Dashi <= 3.1.8 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-39580
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Dashi
Researcher: 0xd4rk5id3

Eduma <= 5.6.4 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-39460
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Eduma
Researcher: Ananda Dhakal

Forminator <= 1.42.0 – Order Replay Vulnerability
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-3479
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Researcher: Asaf Mozes

Grand Restaurant WordPress <= 7.0 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-39353
Patch Status: Unpatched
Published: Apr 18, 2025
Affected Software: Grand Restaurant WordPress
Researcher: Ananda Dhakal

Hive Support <= 1.2.2 – Unauthenticated Sensitive Information Exposure
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-32635
Patch Status: Unpatched
Published: Apr 15, 2025
Affected Software: Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress
Researcher: stealthcopter

JetBlocks For Elementor <= 1.3.16 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-39451
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: JetBlocks for Elementor
Researcher: stealthcopter

JetBlog <= 2.4.3 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-26958
Patch Status: Patched
Published: Apr 15, 2025
Affected Software: JetBlog for Elementor
Researcher: stealthcopter

JetElements For Elementor <= 2.7.4.1 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-39447
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: JetElements
Researcher: stealthcopter

JetMenu <= 2.4.9 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-26953
Patch Status: Patched
Published: Apr 15, 2025
Affected Software: JetMenu for Elementor
Researcher: stealthcopter

JetPopup <= 2.0.11 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-26944
Patch Status: Patched
Published: Apr 15, 2025
Affected Software: JetPopup
Researcher: stealthcopter

JetTricks <= 1.5.1 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-26942
Patch Status: Patched
Published: Apr 15, 2025
Affected Software: JetTricks for Elementor
Researcher: stealthcopter

JetWooBuilder <= 2.1.18 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-39449
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: JetWooBuilder for Elementor
Researcher: stealthcopter

Macro Calculator with Admin Email Optin & Data <= 1.0 – Unauthenticated Information Disclosure
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-26730
Patch Status: Unpatched
Published: Apr 15, 2025
Affected Software: Macro Calculator with Admin Email Optin & Data
Researcher: Deltree

Mediavine Control Panel <= 2.10.6 – Unauthenticated Information Exposure
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-39556
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Mediavine Control Panel
Researcher: Nguyễn Trung Kiên

Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products <= 2.7.7 – Unauthenticated Sensitive Information Exposure
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-3453
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Password Protected – Password Protect your WordPress Site, Pages, & WooCommerce Products – Restrict Content, Protect WooCommerce Category and more
Researchers: Brian Sans-Souci (liardom), the sneaky squirrel

Unlimited Timeline < 1.6.1 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-27008
Patch Status: Patched
Published: Apr 15, 2025
Affected Software: Unlimited Timeline
Researcher: Tran Nguyen Bao Khanh

WP Staging Pro <= 6.1.2 – Unauthenticated Information Exposure via getOutdatedPluginsRequest Function
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-3104
Patch Status: Patched
Published: Apr 15, 2025
Affected Software: WP STAGING Pro WordPress Backup Plugin
Researcher: haidv35

wpLike2Get <= 1.2.9 – Unauthenticated Information Exposure
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-39439
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: wpLike2Get
Researcher: ch4r0n

BMA Lite <= 1.4.2 – Authenticated (Administrator+) SQL Injection
CVSS Rating: Medium (4.9)
CVE-ID: CVE-2025-39518
Patch Status: Unpatched
Published: Apr 16, 2025
Affected Software: BMA Lite – Appointment Booking and Scheduling Plugin
Researcher: Pham Van Phuoc

Hostel <= 1.1.5.6 – Authenticated (Administrator+) SQL Injection
CVSS Rating: Medium (4.9)
CVE-ID: CVE-2025-39566
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Hostel
Researcher: astra.r3verii

TS Poll – Survey, Versus Poll, Image Poll, Video Poll <= 2.4.6 – Authenticated (Administrator+) SQL Injection via ‘s’ Parameter
CVSS Rating: Medium (4.9)
CVE-ID: CVE-2025-3470
Patch Status: Patched
Published: Apr 14, 2025
Affected Software: TS Poll – Survey, Versus Poll, Image Poll, Video Poll
Researcher: broccoli

WP Editor <= 1.2.9.1 – Authenticated (Administrator+) Directory Traversal to Arbitrary File Read
CVSS Rating: Medium (4.9)
CVE-ID: CVE-2025-3295
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: WP Editor
Researcher: nquangit

Login Manager – Design Login Page, View Login Activity, Limit Login Attempts <= 2.0.5 – Authenticated (Administrator+) Stored Cross-Site Scripting via Custom URL
CVSS Rating: Medium (4.4)
CVE-ID: CVE-2025-2613
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Login Manager – Design Login Page, View Login Activity, Limit Login Attempts
Researcher: Arshid KV

MaxButtons <= 9.8.3 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Rating: Medium (4.4)
CVE-ID: CVE-2025-39444
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: WordPress Button Plugin MaxButtons
Researcher: ayato

Payment Form for PayPal Pro <= 1.1.72 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Rating: Medium (4.4)
CVE-ID: CVE-2025-39562
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Payment Form for PayPal Pro
Researcher: Doan Dinh Van

WP Post to PDF Enhanced <= 1.1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Rating: Medium (4.4)
CVE-ID: CVE-2025-39427
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: WP Post to PDF Enhanced
Researcher: Nabil Irawan

Advanced Dynamic Pricing for WooCommerce <= 4.9.3 – Cross-Site Request Forgery to Settings Update
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39453
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Advanced Dynamic Pricing for WooCommerce
Researcher: lucky_buddy

Advanced Google Maps <= 5.8.4 – Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39465
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: wp-google-map-gold
Researcher: Nguyễn Trung Kiên

Anthologize <= 0.8.3 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39437
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Anthologize
Researcher: Nabil Irawan

Avatar <= 0.1.4 – Authenticated (Subscriber+) Insecure Direct Object Reference
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39434
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Avatar
Researcher: Nguyen Xuan Chien

Barcode Generator for WooCommerce <= 2.0.4 – Authenticated (Subscriber+) Arbitrary Content Deletion
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-32929
Patch Status: Patched
Published: Apr 15, 2025
Affected Software: Barcode Generator for WooCommerce – Show barcodes on products, orders, invoices and other pages
Researcher: Kévin Mosbahi (Mika)

Basic Interactive World Map <= 2.7 – Cross-Site Request Forgery to Settings Update
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39517
Patch Status: Unpatched
Published: Apr 16, 2025
Affected Software: Basic Interactive World Map
Researcher: Nguyen Xuan Chien

bbPress2 shortcode whitelist <= 2.2.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39432
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: bbPress2 shortcode whitelist
Researcher: johska

BERTHA AI <= 1.12.10.2 – Authenticated (Subscriber+) Arbitrary Content Deletion
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39583
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: BERTHA AI. Your AI co-pilot for WordPress and Chrome
Researcher: theviper17y

Bknewsticker <= 1.0.5 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39433
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Bknewsticker
Researcher: johska

Bring Fraktguiden for WooCommerce <= 1.11.4 – Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39559
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Bring Fraktguiden for WooCommerce
Researcher: Trương Hữu Phúc (truonghuuphuc)

Bulk Term Editor <= 1.1.4 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39512
Patch Status: Unpatched
Published: Apr 16, 2025
Affected Software: Bulk Term Editor
Researcher: Skalucy

Conditional Payments for WooCommerce <= 3.3.0 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39563
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Conditional Payments for WooCommerce
Researcher: lucky_buddy

Conditional Shipping for WooCommerce <= 3.4.0 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39564
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Conditional Shipping for WooCommerce
Researcher: lucky_buddy

Dynamic Post <= 4.10 – Missing Authorization to Authenticated (Subscriber+) Settings Update
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39522
Patch Status: Unpatched
Published: Apr 16, 2025
Affected Software: Dynamic Post
Researcher: Trương Hữu Phúc (truonghuuphuc)

ElementsReady Addons for Elementor <= 6.6.2 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39546
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: ElementsReady Addons for Elementor
Researcher: Nabil Irawan

Essential Addons for Elementor <= 6.1.9 – Authenticated (Contributor+) Information Disclosure
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39589
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Essential Addons for Elementor – Popular Elementor Addon With Ready Templates, Advanced Widgets, Kits & WooCommerce Builders
Researcher: stealthcopter

Ever Accounting <= 2.1.5 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39593
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Ever Accounting – WordPress Accounting and Invoice Plugin
Researcher: Skalucy

FS Poster <= 6.5.8 – Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-30960
Patch Status: Patched
Published: Apr 15, 2025
Affected Software: FS Poster – WordPress Social media Auto Poster & Scheduler [Facebook, Instagram, Twitter, Pinterest]
Researcher: Rafie Muhammad

Grand Restaurant WordPress <= 7.0 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39351
Patch Status: Unpatched
Published: Apr 18, 2025
Affected Software: Grand Restaurant WordPress
Researcher: Ananda Dhakal

illow – Cookies Consent <= 0.2.0 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39426
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: illow – Cookies Consent
Researcher: Skalucy

Integration for WooCommerce and QuickBooks <= 1.3.1 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39600
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Integration for WooCommerce and QuickBooks
Researcher: Nguyen Xuan Chien

IP2Location Variables <= 2.9.5 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39455
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: IP2Location Variables
Researcher: SOPROBRO

Live Forms <= 4.8.4 – Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39560
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Contact Form, Drag and Drop Form Builder Plugin – Live Forms
Researcher: Nguyen Xuan Chien

Master Slider <= 3.10.7 – Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39412
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Master Slider – Responsive Touch Slider
Researcher: Ananda Dhakal

mLanguage <= 1.6.1 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39430
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: mLanguage
Researcher: johska

My auctions allegro <= 3.6.20 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-27009
Patch Status: Unpatched
Published: Apr 14, 2025
Affected Software: My auctions allegro
Researcher: Nabil Irawan

Name Directory <= 1.30.0 – Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39454
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Name Directory
Researcher: Trương Hữu Phúc (truonghuuphuc)

Review Wave – Google Places Reviews <= 1.4.7 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39442
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Review Wave – Google Places Reviews
Researcher: johska

Simple Maps <= 0.98 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39424
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Simple Maps
Researcher: johska

Simple Sitemap – Create a Responsive HTML Sitemap <= 3.5.14 – Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39413
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Simple Sitemap – Create a Responsive HTML Sitemap
Researcher: Ananda Dhakal

Sirat <= 1.5.1 – Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39385
Patch Status: Unpatched
Published: Apr 18, 2025
Affected Software: Sirat
Researcher: Peter Thaleikis

Style Manager <= 2.2.7 – Cross-Site Request Forgery to Settings Update
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39425
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Style Manager – Auto-magical system to style your entire WordPress site
Researcher: Nabil Irawan

Theme Changer <= 1.3 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39438
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: Theme Changer
Researcher: ch4r0n

User Registration & Membership PRO – Custom Registration Form, Login Form, and User Profile <= 5.1.3 – Cross-Site Request Forgery to User Deletion
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-3284
Patch Status: Patched
Published: Apr 18, 2025
Affected Software: User Registration PRO – Custom Registration Form, Login Form, and User Profile WordPress Plugin
Researcher: wesley (wcraft)

Verge3D <= 4.9.0 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39443
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Verge3D Publishing and E-Commerce
Researcher: Nabil Irawan

Vitepos <= 3.1.7 – Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39535
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: Vitepos – Point of sale (POS) plugin for WooCommerce
Researcher: astra.r3verii

WooCommerce Products without featured images <= 0.1 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-32545
Patch Status: Unpatched
Published: Apr 14, 2025
Affected Software: WooCommerce Products without featured images
Researcher: 0xd4rk5id3

WooCommerce Social Login <= 2.8.2 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39472
Patch Status: Unpatched
Published: Apr 16, 2025
Affected Software: WooCommerce – Social Login
Researcher: Ananda Dhakal

WordPress REST API Authentication <= 3.6.3 – Missing Authorization to Authenticated (Subscriber+) Limited Options Update
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39545
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: WordPress REST API Authentication
Researcher: chuck

WowStore <= 4.2.4 – Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39571
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: WooCommerce Builder & Gutenberg WooCommerce Blocks – WowStore
Researcher: astra.r3verii

WP Logger <= 2.2 – Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39456
Patch Status: Patched
Published: Apr 17, 2025
Affected Software: WP Logger
Researcher: Kévin Mosbahi (Mika)

WP Simple Booking Calendar <= 2.0.13 – Missing Authorization
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39541
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: WP Simple Booking Calendar
Researcher: Trương Hữu Phúc (truonghuuphuc)

WP Social Bookmarking <= 3.6 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39422
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: WP Social Bookmarking
Researcher: johska

WP Sticky Side Buttons <= 2.1 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39421
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: WP Sticky Side Buttons
Researcher: johska

WP Twitter Button <= 1.4.1 – Cross-Site Request Forgery
CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-39420
Patch Status: Unpatched
Published: Apr 17, 2025
Affected Software: WP Twitter Button
Researcher: johska

Administrator Z <= 2025.03.28 – Authenticated (Admin+) Directory Traversal
CVSS Rating: Low (2.7)
CVE-ID: CVE-2025-39598
Patch Status: Patched
Published: Apr 16, 2025
Affected Software: Administrator Z
Researcher: Nguyen Xuan Chien


As a reminder, Wordfence has curated an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (April 14, 2025 to April 20, 2025) appeared first on Wordfence.