CMS

In CSV Me plugin for WordPress versions up to and including 2.0 a high severity vulnerability CVE-2025-6086 was detected. This vulnerability allows authenticated attackers with Administrator-level access and above to upload arbitrary files due to insufficient file type validation, potentially leading to remote code execution. Currently, there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6086.

In Target Video Easy Publish plugin for WordPress versions up to and including 3.8.5 a medium severity vulnerability CVE-2025-5237 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘width’ parameter due to insufficient input sanitization and output escaping. To address this issue, users should update Target Video Easy Publish plugin to versions 3.8.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5237.

In tarteaucitron.io plugin for WordPress versions before 1.9.5 a medium severity vulnerability CVE-2025-4955 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to perform Stored Cross-Site Scripting (XSS) attacks by exploiting unsanitized query parameters from YouTube oEmbed URLs. To address this issue, users should upgrade tarteaucitron.io plugin to versions 1.9.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4955.

In Liferay Portal versions 7.0.0 through 7.4.3.21, Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25 and older unsupported versions a high severity vulnerability CVE-2025-3526 was detected. This vulnerability allows remote attackers to consume system memory by saving crafted request parameters in the HTTP session, leading to denial-of-service (DoS) conditions. To address this issue, users should upgrade Liferay Portal to versions 7.4.3.22, Liferay DXP to versions 7.4 Update 10 or 7.3 Update 26. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3526.

In Simple Logo Carousel plugin for WordPress versions up to and including 1.9.3 a medium severity vulnerability CVE-2025-5700 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘id’ parameter due to insufficient input sanitization and output escaping. To address this issue, users should upgrade Simple Logo Carousel plugin to versions 1.9.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5700.

In Ivory Search plugin for WordPress versions before 5.5.10 a low severity vulnerability CVE-2025-5209 was detected. This vulnerability allows high privilege users, such as administrators, to perform Cross-Site Scripting (XSS) attacks due to insufficient sanitization and escaping of certain settings, even when the unfiltered_html capability is disallowed. To address this issue, users should upgrade Ivory Search plugin to versions 5.5.10 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5209.

In Liferay Portal versions 7.4.0 through 7.4.3.97, Liferay DXP 2023.Q3.1 through 2023.Q3.2, 7.4 GA through update 92, 7.3 GA through update 35 and 7.2 fix pack 8 through fix pack 20 a high severity vulnerability CVE-2025-3602 was detected. This vulnerability allows attackers to perform denial-of-service (DoS) attacks by executing overly complex GraphQL queries due to the absence of query depth limitations. To address this issue, users should upgrade Liferay Portal to versions 7.4.3.98, Liferay DXP to versions 2023.Q3.3 or 7.3 U36. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3602.

In Liferay Portal versions 7.0.0 through 7.4.3.4, Liferay DXP 7.4 GA, 7.3 GA through update 34 and older unsupported versions a high severity vulnerability CVE-2025-3594 was detected. This vulnerability allows remote attackers to add files to arbitrary locations on the server and download and execute arbitrary files from the download server via the `_com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName` parameter. To address this issue, users should upgrade Liferay Portal to versions 7.4.3.5-ga5 or Liferay DXP to versions 7.3 Update 35. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3594.

In Hide It plugin for WordPress versions up to and including 1.0.1 a medium severity vulnerability CVE-2025-5565 was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject malicious scripts via the plugin’s hideit shortcode due to insufficient input sanitization and output escaping. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5565.