In the teachPress plugin for WordPress, versions 9.0.9 and prior, a medium-severity vulnerability, CVE-2025-1320, was detected. This vulnerability allows attackers to delete imports via a forged request, exploiting missing or incorrect nonce validation on the import.php page, if they can trick a site administrator into performing an action such as clicking on a malicious link. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1320.
In the DICOM Support plugin for WordPress, versions 0.10.6 and prior, a medium-severity vulnerability, CVE-2024-12623, was detected. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts via the plugin’s ‘dcm’ shortcode due to insufficient input sanitization and output escaping on user-supplied attributes. The injected scripts execute whenever a user accesses the affected page. To address this issue, users should upgrade the DICOM Support plugin to version 0.10.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12623.
In Liferay Portal versions 7.4.0 through 7.4.3.126 and Liferay DXP versions 2024.Q3.0, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92, a medium-severity vulnerability, CVE-2025-2565, was detected. This vulnerability allows unauthorized users to obtain entry data from forms. To address this issue, users should upgrade Liferay Portal to version 7.4.3.129, or Liferay DXP to versions 2024.Q4.0, 2024.Q3.1 or 2024.Q1.13. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2565.
In the CryoKey plugin for WordPress, versions 2.4 and prior, a medium-severity vulnerability, CVE-2025-2477, was detected. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts via the ‘ckemail’ parameter due to insufficient input sanitization and output escaping, which can be exploited by tricking users into performing actions, such as clicking on a malicious link. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2477.
In Liferay Portal versions 7.4.3.82 through 7.4.3.128 and Liferay DXP versions 2024.Q3.0, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 update 82 through update 92, a medium-severity vulnerability, CVE-2025-2536, was detected. This vulnerability allows remote attackers to inject arbitrary web scripts or HTML via the `toastData` parameter in the Frontend JS module’s `layout-taglib/__liferay__/index.js`, leading to cross-site scripting (XSS) attacks. To address this issue, users should upgrade Liferay Portal to version 7.4.3.129, or Liferay DXP to versions 2024.Q1.13, 2024.Q3.1 or 2024.Q4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2536.
In the File Away plugin for WordPress, versions 3.9.9.0.1 and prior, a high-severity vulnerability, CVE-2025-2539, was detected. This vulnerability allows unauthenticated attackers to access arbitrary files on the server due to a missing capability check in the ajax() function and a reversible weak algorithm, potentially exposing sensitive information. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2539.
In the Age Gate plugin for WordPress, versions 3.5.3 and prior, a critical-severity vulnerability, CVE-2025-2505, was detected. This vulnerability allows unauthenticated attackers to include and execute arbitrary PHP files on the server via the `lang` parameter, potentially bypassing access controls, exposing sensitive data, or achieving remote code execution if certain file types can be uploaded and included. To address this issue, users should upgrade the Age Gate plugin to version 3.5.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2505.
In the SpotBot plugin for WordPress, versions 0.1.8 and prior, a high-severity vulnerability, CVE-2024-13878, was detected. This vulnerability allows attackers to carry out reflected cross-site scripting (XSS) attacks by exploiting an unsanitized parameter, potentially targeting high-privilege users such as administrators. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13878.
In the File Away plugin for WordPress, versions 3.9.9.0.1 and prior, a critical-severity vulnerability, CVE-2025-2512, was detected. This vulnerability allows unauthenticated attackers to upload arbitrary files due to a missing capability check and lack of file type validation in the upload() function, potentially leading to remote code execution. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2512.