In FunnelKit – Funnel Builder for WooCommerce Checkout plugin versions up to and including 3.13.1.2 a medium severity vulnerability CVE-2025-12878 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the wfop_phone shortcode’s default attribute, due to insufficient input sanitization and output escaping. These scripts will execute whenever a user accesses a page containing the injected shortcode. To address this issue, users should upgrade to version 3.13.1.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-12878.
Read more CMS
In SiteSEO – SEO Simplified plugin versions up to and including 1.3.2 a medium severity vulnerability CVE-2025-12814 was detected. This vulnerability allows authenticated attackers with access to at least one SiteSEO setting capability to reset the plugin’s settings due to an incorrect capability check on the siteseo_reset_settings function. To address this issue, users should upgrade the plugin to version 1.3.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-12814.
Read more CMS
In WSChat – WordPress Live Chat plugin versions up to and including 3.1.6 a medium severity vulnerability CVE-2025-12751 was detected. This vulnerability allows authenticated attackers with Subscriber-level access and above to reset the plugin’s settings due to a missing capability check on the ‘reset_settings’ AJAX endpoint. To address this issue, users should upgrade the plugin to version 3.1.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-12751.
Read more CMS
In GiveWP – Donation Plugin and Fundraising Platform plugin versions up to and including 4.13.0 a high severity vulnerability CVE-2025-13206 was detected. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts via the name parameter due to insufficient input sanitization and output escaping, provided that avatars are enabled in the WordPress installation. These scripts will execute whenever a user views an affected page. To address this issue, users should upgrade the plugin to version 4.13.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13206.
Read more CMS
In WP Import – Ultimate CSV XML Importer plugin versions up to and including 7.33.1 a high severity vulnerability CVE-2025-13145 was detected. This vulnerability allows authenticated attackers with administrator-level access or higher to perform PHP Object Injection by supplying maliciously crafted data in CSV file imports processed by the import_single_post_as_csv function. If a POP chain is available through another plugin or theme on the system, this may lead to arbitrary file deletion, sensitive data exposure, or code execution. To address this issue, users should upgrade the plugin to version 7.33.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13145.
Read more CMS
In SiteSEO – SEO Simplified plugin versions up to and including 1.3.2 a medium severity vulnerability CVE-2025-13085 was detected. This vulnerability allows authenticated attackers with the siteseo_manage capability to read arbitrary post metadata from posts, pages, attachments, or WooCommerce orders they cannot edit due to missing object-level authorization checks in the resolve_variables() AJAX handler. In WooCommerce installations with legacy storage enabled, this may expose sensitive customer billing information such as names, emails, phone numbers, addresses, and payment methods. To address this issue, users should upgrade the plugin to version 1.3.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13085.
Read more CMS
In RTMKit Addons for Elementor plugin versions up to and including 1.6.1 a medium severity vulnerability CVE-2025-8609 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to perform Stored Cross-Site Scripting via the plugin’s Accordion Block attributes due to insufficient sanitization and escaping of user-supplied input, causing injected scripts to run when a user views an affected page. To address this issue, users should upgrade the plugin to version 1.6.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8609.
Read more CMS
In Gutenify – Visual Site Builder Blocks & Site Templates plugin versions up to and including 1.5.9 a medium severity vulnerability CVE-2025-8605 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to perform Stored Cross-Site Scripting by abusing insufficient input sanitization and output escaping on block attributes, enabling malicious scripts to execute whenever a user accesses an affected page. To address this issue, users should upgrade the plugin to version 1.6.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8605.
Read more CMS
In AI Engine plugin versions up to and including 3.1.8 a medium severity vulnerability CVE-2025-8084 was detected. This vulnerability allows authenticated attackers with Editor-level access and above to perform Server-Side Request Forgery via the rest_helpers_create_images function, enabling them to make web requests to arbitrary locations from the web application. On Cloud instances, this can lead to metadata retrieval and unauthorized querying or modification of internal services. To address this issue, users should upgrade the plugin to version 3.1.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8084.
Read more CMS