In Umbraco versions 10.0.0 through 10.8.10 and 13.0.0 through 13.9.1 a medium severity vulnerability CVE-2025-49147 was detected. This vulnerability allows unauthenticated attackers to access limited information about the configured password requirements via an anonymous endpoint, which could aid brute-force attacks. To address this issue, users should upgrade Umbraco to versions 10.8.11 or 13.9.2. For more […]
In the Pixabay Images plugin for WordPress versions up to and including 3.4 a high severity vulnerability CVE-2025-4413 was detected. This vulnerability allows authenticated attackers with Author-level access and above to upload arbitrary files to the affected site’s server due to missing file type validation, which may lead to remote code execution. Currently, there is […]
In the Ultra Addons for Contact Form 7 plugin for WordPress versions up to and including 3.5.12 a high severity vulnerability CVE-2025-6220 was detected. This vulnerability allows authenticated attackers with Administrator-level access and above to upload arbitrary files to the affected site’s server due to missing file type validation in the save_options function, potentially leading […]
In Euro FxRef Currency Converter plugin for WordPress versions up to and including 2.0.2 a medium severity vulnerability CVE-2025-6257 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the plugin’s currency shortcode due to insufficient input sanitization and output escaping. These scripts execute whenever a user […]
In Poll, Survey & Quiz Maker Plugin by Opinion Stage for WordPress versions up to and including 19.9.0 a medium severity vulnerability CVE-2025-3880 was detected. This vulnerability allows authenticated users with Contributor access and above to change plugin settings, including the account email or connection status, due to insufficient permission checks. To address this issue, […]
In Gutenverse News plugin for WordPress versions up to and including 1.0.4 a medium severity vulnerability CVE-2025-5234 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to perform Stored Cross-Site Scripting (XSS) attacks via the ‘elementId’ parameter due to insufficient input sanitization and output escaping. To address this issue, users should upgrade […]
In AI Engine plugin for WordPress versions 2.8.0 through 2.8.3 a high severity vulnerability CVE-2025-5071 was detected. This vulnerability allows authenticated attackers with Subscriber-level access and above to gain unauthorized access to the MCP, enabling them to execute various commands such as `wp_create_user`, `wp_update_user`, `wp_update_option`, `wp_update_post`, and others. These actions can lead to privilege escalation […]
In WPBakery Page Builder plugin for WordPress versions up to and including 8.4.1 a medium severity vulnerability CVE-2025-4965 was detected. This vulnerability allows authenticated attackers with Author-level access and above to perform Stored Cross-Site Scripting (XSS) attacks via the Grid Builder feature due to insufficient input sanitization and output escaping on user-supplied attributes. To address […]
In Football Pool plugin for WordPress versions up to and including 2.12.4 a medium severity vulnerability CVE-2025-5490 was detected. This vulnerability allows authenticated attackers with Administrator-level access and above to inject arbitrary web scripts into admin settings, leading to Stored Cross-Site Scripting (XSS) attacks in multi-site installations or setups where the unfiltered_html capability is disabled. […]
