In the Restrict File Access plugin for WordPress, versions up to and including 1.1.2, a high-severity vulnerability, CVE-2025-7667, was detected. This vulnerability allows unauthenticated attackers to delete arbitrary files on the server via a forged request due to missing or incorrect nonce validation on the ‘restrict-file-access’ page, which can lead to remote code execution if a critical file such as wp-config.php is deleted. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7667.
In the Companion Auto Update plugin for WordPress, versions up to and including 3.9.2, a medium-severity vulnerability, CVE-2025-4369, was detected. This vulnerability allows admin-level users to inject scripts via the update_delay_days parameter, affecting multi-site setups with unfiltered_html disabled. To address this issue, users should update the Companion Auto Update plugin to version 3.9.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4369.
In the Strong Testimonials plugin for WordPress, versions up to and including 3.2.11, a medium-severity vulnerability, CVE-2025-7367, was detected. This vulnerability allows authenticated attackers with Author-level access and above to inject arbitrary web scripts via Testimonial Custom Fields due to insufficient input sanitization and output escaping. To address this issue, users should update the Strong Testimonials plugin to version 3.2.12 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7367.
In the Premium Age Verification / Restriction for WordPress plugin, all versions up to and including 3.0.2, a critical-severity vulnerability, CVE-2025-7401, was detected. This vulnerability allows unauthenticated attackers to read from or write to arbitrary files on the server due to insufficiently protected remote support functionality in remote_tunnel.php. This may lead to exposure of sensitive information or remote code execution. Currently, there is no fix for this vulnerability. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7401.
In the Broken Link Notifier plugin for WordPress, all versions up to and including 1.3.0, a high-severity vulnerability, CVE-2025-6851, was detected. This vulnerability allows unauthenticated attackers to perform Server-Side Request Forgery via the ajax_blinks() function, which ultimately calls the check_url_status_code() function. Currently, there is no fix for this vulnerability. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6851.
In the Broken Link Notifier plugin for WordPress, all versions up to and including 1.3.0, a high-severity vulnerability, CVE-2025-6838, was detected. This vulnerability allows attackers to inject malicious input into exported CSV files via broken links. To fix this issue, users should upgrade the plugin to version 1.3.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6838.
In the WPBookit plugin for WordPress, all versions up to and including 1.0.4, a critical-severity vulnerability, CVE-2025-6058, was detected. This vulnerability allows unauthenticated attackers to upload arbitrary files to the affected site’s server, potentially leading to remote code execution. To fix this issue, users should upgrade the plugin to version 1.0.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6058.
In the PayMaster for WooCommerce plugin for WordPress, all versions up to and including 0.4.31, a high-severity vulnerability, CVE-2025-6729, was detected. This vulnerability allows attackers to send unauthorized requests from the server to internal or external systems, potentially accessing or modifying sensitive information. Currently, there is no fix for this vulnerability. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6729.
In the JKDEVKIT plugin for WordPress, all versions up to and including 1.9.4, a critical-severity vulnerability, CVE-2025-2932, was detected. This vulnerability allows authenticated attackers with Subscriber-level access or higher to delete arbitrary files on the server due to insufficient file path validation in the ‘font_upload_handler’ function. Currently, there is no fix for this vulnerability. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2932.