In the WordPress GenerateBlocks plugin, versions prior to and including 2.1.1, a medium-severity vulnerability, CVE-2025-11879, was detected. This vulnerability allows authenticated attackers with contributor-level access and above to read arbitrary WordPress options, including sensitive data such as SMTP credentials and API keys, due to a missing capability check on the get_option_rest function. To fix this vulnerability, users should upgrade to version 2.1.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-11879.
In the WordPress wpForo Forum plugin, versions prior to and including 2.4.8, a high-severity vulnerability, CVE-2025-4203, was detected. This vulnerability allows unauthenticated attackers to perform error-based or time-based blind SQL injection via the get_members() function due to missing integer validation on the offset and row_count parameters. Attackers can exploit this to extract sensitive information from the database. To fix this vulnerability, users should upgrade to version 2.4.9 and later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4203.
In the WordPress Password Protected plugin, versions prior to and including 2.7.11, a medium-severity vulnerability, CVE-2025-11244, was detected. This vulnerability allows attackers to bypass authorization via IP address spoofing by manipulating client-controlled HTTP headers when the “Use transients” feature is enabled. To fix this vulnerability, users should upgrade to version 2.7.12 and later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-11244.
In the WordPress Watu Quiz plugin, versions prior to and including 3.4.4, a medium-severity vulnerability, CVE-2025-11238, was detected. This vulnerability allows unauthenticated attackers to perform stored cross-site scripting (XSS) via the HTTP Referer header when the “Save source URL” option is enabled. To fix this vulnerability, users should upgrade to version 3.4.5 and later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-11238.
In WooCommerce, versions prior to and including 10.0.2, a medium-severity vulnerability, CVE-2025-49042, was detected. This vulnerability allows remote attackers to perform stored cross-site scripting (XSS) due to improper neutralization of input during web page generation. To fix this vulnerability, users should upgrade to a version later than 10.0.2. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-49042.
In Liferay Portal versions 7.4.3.8 through 7.4.3.111, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, Liferay DXP 7.4 U4 through U92, a high-severity vulnerability, CVE-2025-62264, was detected. This vulnerability allows remote attackers to inject arbitrary web scripts or HTML via the `_com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_selectedLanguageId` parameter, leading to a reflected cross-site scripting (XSS) issue. To address this issue, users should upgrade Liferay Portal to version 7.4.3.112 and Liferay DXP to version 2024.Q1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62264.
In Liferay Portal versions 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP versions 7.4.0 through 7.4.3.111, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, a medium-severity vulnerability, CVE-2025-62276, was detected. This vulnerability allows local users to access downloaded files via the browser’s cache due to an incorrect Cache-Control header configuration. To address this issue, users should upgrade Liferay Portal to version 7.4.3.112 and Liferay DXP to version 2024.Q1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62276.
In Liferay Portal versions 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP versions 7.4.0 through 7.4.3.111, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, a medium-severity vulnerability, CVE-2025-62275, was detected. This vulnerability allows remote attackers to view images in blog entries without proper authorization by exploiting a missing permission check via a crafted URL. To address this issue, users should upgrade Liferay Portal to version 7.4.3.112 and Liferay DXP to version 2024.Q1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62275.
In Liferay Portal versions 7.4.3.35 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 U35 through U92, a medium-severity vulnerability, CVE-2025-62267, was detected. This vulnerability allows remote attackers to inject arbitrary web scripts or HTML via crafted payloads in a user’s First Name, Middle Name, or Last Name fields, leading to multiple cross-site scripting (XSS) issues. To address this issue, users should upgrade Liferay Portal to version 7.4.3.112 and Liferay DXP to version 2024.Q1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62267.