In the Admin and Site Enhancements (ASE) plugin for WordPress, versions before 7.6.10, a medium-severity vulnerability, CVE-2024-13685, was detected. This vulnerability allows attackers to manipulate client IP addresses via untrusted headers, potentially bypassing the login limit feature. To address this issue, users should upgrade the Admin and Site Enhancements (ASE) plugin to version 7.6.10 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13685.
In the WP Posts Carousel plugin for WordPress, versions 1.3.7 and prior, a medium-severity vulnerability, CVE-2025-1491, was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages, which will execute whenever a user accesses the injected page, due to insufficient input sanitization and output escaping in the ‘auto_play_timeout’ parameter. To address this issue, users should upgrade the WP Posts Carousel plugin to version 1.3.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1491.
In the GenerateBlocks plugin for WordPress, versions 1.9.1 and prior, a medium-severity vulnerability, CVE-2024-13546, was detected. This vulnerability allows attackers with Contributor-level access and above to extract sensitive information, including the content of private, draft, and scheduled posts and pages, via the ‘get_image_description’ function. To address this issue, users should upgrade the GenerateBlocks plugin to version 2.0.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13546.
In the Academist Membership plugin for WordPress, versions 1.1.6 and prior, a critical-severity vulnerability, CVE-2025-1671, was detected. This vulnerability allows unauthenticated attackers to escalate their privileges and log in as any user, including site administrators, due to improper identity verification in the academist_membership_check_facebook_user() function. To address this issue, users should upgrade the Academist Membership plugin to version 1.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1671.
In the WP-Appbox plugin for WordPress, versions 4.5. and prior, a medium-severity vulnerability, CVE-2025-1489, was detected. This vulnerability allows authenticated attackers with contributor-level access and above to exploit Stored Cross-Site Scripting (XSS) via the appbox shortcode due to insufficient input sanitization and output escaping. To address this issue, users should upgrade the WP-Appbox plugin to version 4.5.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1489.
In the Event Tickets and Registration plugin for WordPress, versions 5.19.1.1 and prior, a medium-severity vulnerability, CVE-2025-1402, was detected. This vulnerability allows authenticated attackers with contributor-level access and above to delete arbitrary attendee tickets due to a missing capability check on the ‘ajax_ticket_delete’ function. To address this issue, users should upgrade the Event Tickets and Registration plugin to version 5.19.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1402.
In the Maps for WP plugin for WordPress, versions 1.2.4 and prior, a medium-severity vulnerability, CVE-2024-13648, was detected. This vulnerability allows authenticated attackers with contributor-level access and above to exploit Stored Cross-Site Scripting (XSS) via the ‘MapOnePoint’ shortcode due to insufficient input sanitization and output escaping. Attackers can inject arbitrary web scripts that execute whenever a user accesses an affected page. To address this issue, users should upgrade the Maps for WP plugin to version 1.2.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13648.
In the Ziggeo plugin for WordPress, versions 3.1 and prior, a medium-severity vulnerability, CVE-2024-12452, was detected. This vulnerability allows authenticated attackers with contributor-level access and above to exploit Stored Cross-Site Scripting (XSS) via the ‘ziggeo_event’ shortcode due to insufficient input sanitization and output escaping, enabling them to inject arbitrary web scripts that execute whenever a user accesses an affected page. To address this issue, users should upgrade the Ziggeo plugin to version 3.1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12452.
In the Ajax Search Lite plugin for WordPress, versions prior to 4.12.5, a medium-severity vulnerability, CVE-2024-13585, was detected. This vulnerability allows high-privilege users, such as administrators, to exploit Stored Cross-Site Scripting (XSS) due to improper sanitization and escaping of certain settings. This can be exploited even when the unfiltered_html capability is disallowed, such as in a multisite setup. Currently, there is no fix version for that issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13585.