CMS

In WP Booking Calendar plugin for WordPress versions up to and including 10.11.1 a medium severity vulnerability CVE-2025-4669 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts via the wpbc shortcode, which execute when a user accesses an injected page, due to insufficient input sanitization and output escaping. To address this issue, users should upgrade WP Booking Calendar plugin to versions 10.11.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4669.

In Jupiter X Core plugin for WordPress versions up to and including 4.8.12 a medium severity vulnerability CVE-2025-3888 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via SVG file inclusion due to insufficient input sanitization and output escaping, leading to script execution when a user accesses the affected page. To address this issue, users should upgrade Jupiter X Core plugin to versions 4.9.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3888.

In EventON Pro plugin versions up to and including 4.9.6 a medium severity vulnerability CVE-2025-3527 was detected. This vulnerability allows authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts due to a missing capability check in the assets/lib/settings/settings.js file, leading to script execution when a user accesses an affected page. To address this issue, users should upgrade EventON Pro plugin to versions 4.9.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3527.

In Newsletters plugin for WordPress versions up to and including 4.9.9.8 a medium severity vulnerability CVE-2025-3107 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to perform time-based SQL Injection via the ‘orderby’ parameter, enabling them to extract sensitive information from the database. To address this issue, users should upgrade Newsletters plugin to versions 4.9.9.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3107.

In Firelight Lightbox plugin for WordPress versions prior to 2.3.15 a medium severity vulnerability CVE-2025-3597 was detected. This vulnerability lets authenticated users with post-writing access run harmful JavaScript when the jQuery Metadata feature is enabled, even in the free version of the plugin. To address this issue, users should upgrade Firelight Lightbox plugin to versions 2.3.15 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3597.

In Frontend Dashboard plugin for WordPress versions 1.0 to 2.2.7 a high severity vulnerability CVE-2025-4474 was detected. This vulnerability allows authenticated attackers with Subscriber-level access and above to escalate privileges by overwriting the plugin’s ‘register’ role setting, making new user registrations default to the administrator role. To address this issue, users should upgrade Frontend Dashboard plugin to versions 2.2.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4474.

In TheGem theme for WordPress versions up to and including 5.10.3 a medium severity vulnerability CVE-2025-4339 was detected. This vulnerability allows authenticated attackers with Subscriber-level access and above to modify arbitrary theme options due to a missing capability check on the ajaxApi() function. To address this issue, users should upgrade TheGem theme to versions 5.10.3.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4339.

In the Jeg Elementor Kit plugin for WordPress versions up to and including 2.6.12 a medium severity vulnerability CVE-2025-2944 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts via the plugin’s Video Button and Countdown Widgets, which, due to insufficient input sanitization and output escaping, execute whenever a user accesses a compromised page. To address this issue, users should upgrade the Jeg Elementor Kit plugin to versions 2.6.13. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2944.

In BuddyBoss Platform Pro plugin for WordPress versions up to and including 2.7.01 a critical severity vulnerability CVE-2025-1909 was detected. This vulnerability allows unauthenticated attackers to bypass authentication and log in as any existing user, including administrators, if they have access to the user’s email address, due to insufficient verification during the Apple OAuth authentication process. To address this issue, users should upgrade BuddyBoss Platform Pro plugin to versions 2.7.10 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1909.