In Sneeit Framework plugin for WordPress versions up to and including 8.3 a critical severity vulnerability CVE-2025-6389 was detected. This vulnerability allows unauthenticated attackers to achieve Remote Code Execution through the sneeit_articles_pagination_callback() function, which processes untrusted user input and passes it to call_user_func(). Successful exploitation enables attackers to execute arbitrary code on the server, potentially leading to backdoor injection or creation of new administrative accounts. To address this issue, users should upgrade the plugin to version 8.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6389.
Read more CMS
In SKT PayPal for WooCommerce plugin for WordPress versions up to and including 1.4 a high severity vulnerability CVE-2025-7820 was detected. This vulnerability allows unauthenticated attackers to bypass payment processing by exploiting the plugin’s enforcement of client-side controls instead of server-side controls. As a result, attackers can make confirmed purchases without actually paying. To address this issue, users should upgrade to a fixed version once available. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7820.
Read more CMS
In the Webform Multiple File Upload module for Drupal 7.x a high severity vulnerability CVE-2025-12848 was detected. This vulnerability allows unauthenticated attackers to execute arbitrary JavaScript in a victim’s browser by uploading a file with a malicious filename when file type validation is disabled on a Webform Multifile field. The issue originates from a third-party library used by the module. To address this issue, users should update the module to version 7.x-1.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-12848.
Read more CMS
In YouTube Subscribe plugin versions up to and including 3.0.0 a medium severity vulnerability CVE-2025-12025 was detected. This vulnerability allows authenticated attackers with administrator-level permissions and above to inject arbitrary web scripts via admin settings, which execute when users access the affected pages. This issue affects only multi-site installations or sites where unfiltered_html has been disabled. To address this issue, users should upgrade the plugin to version 3.0.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-12025.
Read more CMS
In Wishlist for WooCommerce plugin versions up to and including 1.0.9 a medium severity vulnerability CVE-2025-12040 was detected. This vulnerability allows unauthenticated attackers to modify other users’ wishlists due to missing validation on a user-controlled key in several functions within class-th-wishlist-frontend.php. To address this issue, users should upgrade the plugin to version 1.1.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-12040.
Read more CMS
In Autochat Automatic Conversation plugin versions up to and including 1.1.9 a medium severity vulnerability CVE-2025-12043 was detected. This vulnerability allows unauthenticated attackers to connect and disconnect client IDs due to a missing capability check on the wp_ajax_nopriv_auycht_saveCid AJAX endpoint. To address this issue, users should upgrade the plugin to version 1.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-12043.
Read more CMS
In WordPress eCommerce Plugin versions up to and including 2.9.0 a high severity vulnerability CVE-2024-14015 was detected. This vulnerability allows attackers to perform reflected cross-site scripting (XSS) by exploiting unsanitized and unescaped parameters output back on the page, which could be used against high privilege users such as administrators. To address this issue, users should upgrade the plugin to a version later than 2.9.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-14015.
Read more CMS
In Perfect Brands for WooCommerce plugin versions up to and including 3.6.2 a medium severity vulnerability CVE-2025-10144 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to perform time-based SQL injection via the brands attribute of the products shortcode, due to insufficient escaping and lack of proper SQL query preparation. Exploiting this flaw can enable extraction of sensitive database information. To address this issue, users should upgrade the plugin to version 3.6.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-10144.
Read more CMS
In Code Snippets plugin versions up to and including 3.9.1 a high severity vulnerability CVE-2025-13035 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to execute arbitrary PHP code on the server via the [code_snippet] shortcode, due to the plugin using extract() on attacker-controlled shortcode attributes in the evaluate_shortcode_from_flat_file method, which can overwrite the $filepath variable that is later passed to require_once. Exploitation requires that the administrator has enabled the “Enable file-based execution” setting and that there is at least one active Content snippet. To address this issue, users should upgrade the plugin to version 3.9.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13035.
Read more CMS