A medium severity vulnerability, CVE-2025-13133, was detected in the Simple User Import Export plugin, versions up to and including 1.1.7. It allows authenticated attackers with Administrator-level access and above to perform CSV Injection via the ‘Import/export users’ function by embedding untrusted input into exported CSV files, which may lead to code execution when the files are opened on a local system with a vulnerable configuration. To address this issue, users should upgrade the plugin to version 1.1.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13133.
The RTMKit Addons for Elementor plugin for WordPress, versions up to and including 1.6.1, contains a medium severity vulnerability, CVE-2025-8609. It is caused by insufficient input sanitization and output escaping of the plugin’s Accordion Block attributes, allowing authenticated attackers with contributor-level access and above to inject arbitrary web scripts that execute whenever a user accesses the affected page. To address this issue, users should upgrade the plugin to version 1.6.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8609.
The Coil Web Monetization plugin for WordPress, versions up to and including 2.0.2, contains a medium severity vulnerability, CVE-2025-9625. It is caused by missing or incorrect nonce validation on the coil-get-css-selector parameter in the maybe_restrict_content function, allowing unauthenticated attackers to trigger CSS selector detection via a forged request if a site administrator is tricked into clicking a malicious link. To address this issue, users should upgrade the plugin to version 2.0.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9625.
A medium severity vulnerability, CVE-2025-7663, was detected in the Ovatheme Events Manager plugin for WordPress, versions up to and including 1.8.6. It allows unauthenticated attackers to delete ticket files, download tickets, and perform other unauthorized actions due to missing capability checks in the `/class-ovaem-ajax.php` file. To address this issue, users should upgrade the Ovatheme Events Manager plugin to version 1.8.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7663.
A medium severity vulnerability, CVE-2025-10737, was detected in the Genesis Framework theme for WordPress, versions up to and including 3.6.0. It allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts via the theme’s shortcodes due to insufficient input sanitization and output escaping. To fix this vulnerability, users should upgrade to version 3.6.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-10737.
A medium severity vulnerability, CVE-2025-10694, was detected in the WordPress User Feedback plugin, versions up to and including 1.8.0. It allows unauthenticated attackers to access the plugin’s onboarding wizard page due to a missing capability check, exposing configuration details including the administrator’s email address. To fix this vulnerability, users should upgrade to version 1.8.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-10694.
A medium severity vulnerability, CVE-2025-10579, was detected in the WordPress BackWPup plugin, versions up to and including 5.5.0. It allows authenticated attackers with Subscriber-level access and above to retrieve a backup’s filename via the backwpup_working AJAX action due to a missing capability check. While the filename alone has limited value, it could aid targeted brute-force attempts to obtain backup contents in certain environments. To fix this vulnerability, users should upgrade to version 5.5.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-10579.
A high severity vulnerability, CVE-2025-11760, was detected in the WordPress eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams, versions up to and including 1.5.6. It exposes the Zoom SDK secret key in client-side JavaScript, making it possible for unauthenticated attackers to extract the key and generate valid JWT signatures. This could allow unauthorized access to private meetings or other Zoom resources. To fix this vulnerability, users should upgrade to version 1.5.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-11760.
The AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant plugin for WordPress is vulnerable to CSV Injection in all versions up to and including 1.6.5 (CVE-2025-11576). This vulnerability allows unauthenticated attackers to embed untrusted input into exported CSV files, potentially leading to code execution when these files are opened on vulnerable systems. To fix this vulnerability, users should upgrade to version 1.6.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-11576.