Get Started

CMS

Selected category
5 May 2025 Business and Enterprise Solutions
WordPress: Stored XSS in Formality Plugin via Align Parameter

In Formality plugin for WordPress versions up to and including 1.5.8 a medium severity vulnerability CVE-2025-3858 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘align’ parameter, which execute when a user accesses an injected page, due to insufficient input sanitization and output escaping. To address this issue, users should upgrade Formality plugin to versions 1.5.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3858.

 Read more CMS
3 May 2025 Business and Enterprise Solutions
WordPress: Stored XSS via album_buy_url Parameter in Music Player for Elementor Plugin

In Music Player for Elementor plugin for WordPress versions up to and including 2.4.6 a medium severity vulnerability CVE-2025-5340 was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary scripts via the album_buy_url parameter, leading to Stored Cross-Site Scripting (XSS) that executes when a user visits the affected page. To address this issue, users should upgrade Music Player for Elementor plugin to versions 2.4.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5340.

 Read more CMS
2 May 2025 Business and Enterprise Solutions
WordPress: Stored Cross-Site Scripting via bbp_topic_title Parameter in Buddyboss Platform Plugin

In Buddyboss Platform plugin for WordPress versions 2.8.50 and prior a medium severity vulnerability CVE-2024-13860 was detected. This vulnerability allows authenticated attackers with Subscriber-level access or higher to inject malicious scripts via the `bbp_topic_title` parameter, leading to Stored Cross-Site Scripting (XSS) on affected pages. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13860.

 Read more CMS
30 Apr 2025 Business and Enterprise Solutions
WordPress: Unauthorized Settings Update via REST API in SureForms Plugin

In SureForms plugin for WordPress versions prior to 1.4.4 a medium severity vulnerability CVE-2025-3471 was detected. This vulnerability allows attackers with Contributor-level access or higher to update plugin settings via the REST API due to a missing authorization check. To address this issue, users should upgrade SureForms plugin to versions 1.4.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3471.

 Read more CMS
30 Apr 2025 Business and Enterprise Solutions
WordPress: Stored Cross-Site Scripting via Unsanitized Settings in Calculated Fields Form Plugin

In Calculated Fields Form plugin for WordPress versions prior to 5.2.62 a low severity vulnerability CVE-2024-12273 was detected. This vulnerability allows high-privilege users, such as admins, to perform Stored Cross-Site Scripting (XSS) attacks due to improper sanitization and escaping of certain settings, even when the unfiltered_html capability is disallowed (e.g., in multisite setups). To address this issue, users should upgrade Calculated Fields Form plugin to versions 5.2.62 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12273.

 Read more CMS
30 Apr 2025 Business and Enterprise Solutions
WordPress: Password Protection Bypass via Hardcoded Credential in Admin and Site Enhancements Plugin

In Admin and Site Enhancements (ASE) plugin for WordPress versions prior to 7.6.10 a medium severity vulnerability CVE-2024-13688 was detected. This vulnerability allows attackers to bypass the Password Protection feature by exploiting a hardcoded password through a crafted request. To address this issue, users should upgrade Admin and Site Enhancements (ASE) plugin to versions 7.6.10 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13688.

 Read more CMS
30 Apr 2025 Business and Enterprise Solutions
WordPress: Stored XSS via Unsanitized Settings in WP-Recall Plugin

In WP-Recall plugin for WordPress versions prior to 16.26.12 a low severity vulnerability CVE-2024-9771 was detected. This vulnerability allows high privilege users such as administrators to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed, such as in a multisite setup. To address this issue, users should upgrade WP-Recall plugin to versions 16.26.12 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-9771.

 Read more CMS
28 Apr 2025 Business and Enterprise Solutions
WordPress: Local File Inclusion via Unvalidated Template Parameter in Edumall Theme

In Edumall theme for WordPress versions up to and including 4.2.4 a high severity vulnerability CVE-2025-2101 was detected. This vulnerability allows attackers to include and execute arbitrary PHP files on the server, potentially leading to code execution, bypassing access controls, or exposing sensitive information. To address this issue, users should upgrade Edumall theme to versions 4.3.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2101.

 Read more CMS
28 Apr 2025 Business and Enterprise Solutions
WordPress: Arbitrary Shortcode Execution via Improper Validation in The Anps Theme Plugin

In The Anps Theme plugin for WordPress versions up to and including 1.1.1 a medium severity vulnerability CVE-2024-13812 was detected. This vulnerability allows attackers to execute arbitrary shortcodes without authentication, potentially leading to site compromise. To address this issue, users should upgrade The Anps Theme plugin to versions 1.1.25 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13812.

 Read more CMS