In the BuddyBoss Platform Pro plugin for WordPress, versions up to and including 2.7.01, a critical severity vulnerability, CVE-2025-1909, was detected. This vulnerability allows unauthenticated attackers to bypass authentication and log in as any existing user, including administrators, if they have access to the user’s email address, due to insufficient verification during the Apple OAuth authentication process. To address this issue, users should upgrade the BuddyBoss Platform Pro plugin to version 2.7.10 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1909.
In the Login Lockdown & Protection plugin for WordPress, versions up to and including 2.11, a medium severity vulnerability, CVE-2025-3766, was detected. This vulnerability allows authenticated users with Subscriber-level access or higher to obtain a valid nonce via the ajax_run_tool function, enabling them to generate a global unlock key and add IPs to the allowlist; it is exploitable only on new installs where the loginlockdown page has not yet been visited by an admin. To address this issue, users should upgrade the Login Lockdown & Protection plugin to version 2.12 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3766.
In the Frontend Dashboard plugin for WordPress, versions 1.0 to 2.2.6, a critical severity vulnerability, CVE-2025-4104, was detected. This vulnerability allows unauthenticated attackers to reset the administrator’s email and password and escalate their privileges to administrator, due to a missing capability check in the fed_wp_ajax_fed_login_form_post() function. To address this issue, users should upgrade the Frontend Dashboard plugin to version 2.2.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4104.
In the WP SEO Structured Data Schema plugin for WordPress, versions up to and including 2.7.11, a medium severity vulnerability, CVE-2025-4127, was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘Price Range’ parameter, which execute when an administrator accesses the plugin settings page, due to insufficient input sanitization and output escaping. To address this issue, users should upgrade the WP SEO Structured Data Schema plugin to version 2.8.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4127.
In Liferay Portal versions 7.4.0 through 7.4.3.131, and in Liferay DXP versions 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92, a medium severity vulnerability, CVE-2025-4388, was detected. This vulnerability allows remote unauthenticated attackers to inject JavaScript into modules/apps/marketplace/marketplace-app-manager-web via reflected cross-site scripting. To address this issue, users should upgrade Liferay Portal to version 7.4.3.132, or Liferay DXP to version 2024.Q1.13 or 2024.Q4.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4388.
In Umbraco versions prior to 10.8.10 and 13.8.1, a medium severity vulnerability, CVE-2025-46736, was detected. This vulnerability allows attackers to determine whether an account exists by analyzing the timing of post-login API responses. To address this issue, users should upgrade Umbraco to version 10.8.10 or 13.8.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-46736.
In the LayoutBoxx plugin for WordPress, versions up to and including 0.3.1, a high severity vulnerability, CVE-2025-2802, was detected. This vulnerability allows unauthenticated attackers to execute arbitrary shortcodes due to insufficient validation before calling do_shortcode. Currently, there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2802.
In the Cision Block plugin for WordPress, versions up to and including 4.3.0, a medium severity vulnerability, CVE-2025-3782, was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘id’ parameter, due to insufficient input sanitization and output escaping; the scripts execute whenever a user accesses an injected page. To address this issue, users should upgrade the Cision Block plugin to version 4.4.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3782.
In the AHAthat plugin for WordPress, versions up to and including 1.6, a medium severity vulnerability, CVE-2025-4337, was detected. This vulnerability allows unauthenticated attackers to delete AHA pages via a forged request by exploiting missing or incorrect nonce validation in the aha_plugin_page() function, provided they can trick a site administrator into performing an action such as clicking a malicious link. Currently, there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4337.