CMS

In WP Extended plugin for WordPress versions up to and including 3.0.15 a medium severity vulnerability CVE-2025-4963 was detected. This vulnerability allows authenticated attackers with Author-level access or higher to upload malicious SVG files containing scripts, resulting in Stored Cross-Site Scripting (XSS) that executes whenever a user accesses the SVG file. To address this issue, users should upgrade WP Extended plugin to version 3.0.16 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4963.

In Likes and Dislikes plugin for WordPress versions up to and including 1.0.0 a high severity vulnerability CVE-2025-5287 was detected. This vulnerability allows unauthenticated attackers to perform SQL Injection via the ‘post’ parameter, potentially enabling them to extract sensitive information from the database. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5287.

In WP Attachments plugin for WordPress versions up to and including 5.0.12 a medium severity vulnerability CVE-2025-5082 was detected. This vulnerability allows unauthenticated attackers to perform Reflected Cross-Site Scripting (XSS) via the `attachment_id` parameter, enabling script injection if a user is tricked into clicking a malicious link. To address this issue, users should upgrade WP Attachments plugin to versions 5.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5082.

In MasterStudy LMS Pro plugin versions up to and including 4.7.0 a high severity vulnerability CVE-2025-4800 allows authenticated users with Subscriber-level access or higher to upload arbitrary files due to missing file type validation in the `stm_lms_add_assignment_attachment` function. This could potentially lead to remote code execution on the server. To address this issue, users should upgrade MasterStudy LMS Pro plugin to versions 4.7.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4800.

In Exclusive Addons for Elementor plugin for WordPress versions up to and including 2.7.9.1 a medium severity vulnerability CVE-2025-4783 was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts via the Countdown Timer Widget’s HTML attributes, which execute when a user accesses an affected page. To address this issue, users should upgrade Exclusive Addons for Elementor plugin to versions 2.7.9.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4783.

In TablePress plugin for WordPress versions up to and including 3.1.2 a medium severity vulnerability CVE-2025-5096 was detected. This DOM-based stored XSS vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts via the data-caption, data-s-content-padding, data-s-title and data-footerattributes. To address this issue, users should upgrade TablePress plugin to versions 3.1.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5096.

In 4stats plugin for WordPress versions up to and including 2.0.9 a medium severity vulnerability CVE-2025-3869 was detected. This Cross-Site Request Forgery (CSRF) vulnerability, caused by missing or incorrect nonce validation on the stats/stats.php page, allows unauthenticated attackers to update settings and inject malicious web scripts via a forged request if they can trick a site administrator into performing an action such as clicking a link. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3869.

In ClipArt plugin for WordPress versions through 0.2 a high severity vulnerability CVE-2024-12726 was detected. This vulnerability allows attackers to perform Reflected Cross-Site Scripting (XSS) attacks, which could be exploited against high privilege users such as administrators. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12726.

In Hot Random Image plugin for WordPress versions up to and including 1.9.2 a medium severity vulnerability CVE-2025-4419 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to exploit a path traversal flaw via the ‘path’ parameter to access arbitrary images with allowed extensions outside the intended directory. To address this issue, users should upgrade Hot Random Image plugin to versions 1.9.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4419.