In WP Import – Ultimate CSV XML Importer plugin versions up to and including 7.33.1 a high severity vulnerability CVE-2025-13145 was detected. This vulnerability allows authenticated attackers with administrator-level access or higher to perform PHP Object Injection by supplying maliciously crafted data in CSV file imports processed by the import_single_post_as_csv function. If a POP chain is available through another plugin or theme on the system, this may lead to arbitrary file deletion, sensitive data exposure, or code execution. To address this issue, users should upgrade the plugin to version 7.33.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13145.
Read more CMSIn SiteSEO – SEO Simplified plugin versions up to and including 1.3.2 a medium severity vulnerability CVE-2025-13085 was detected. This vulnerability allows authenticated attackers with the siteseo_manage capability to read arbitrary post metadata from posts, pages, attachments, or WooCommerce orders they cannot edit due to missing object-level authorization checks in the resolve_variables() AJAX handler. In WooCommerce installations with legacy storage enabled, this may expose sensitive customer billing information such as names, emails, phone numbers, addresses, and payment methods. To address this issue, users should upgrade the plugin to version 1.3.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13085.
Read more CMSIn RTMKit Addons for Elementor plugin versions up to and including 1.6.1 a medium severity vulnerability CVE-2025-8609 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to perform Stored Cross-Site Scripting via the plugin’s Accordion Block attributes due to insufficient sanitization and escaping of user-supplied input, causing injected scripts to run when a user views an affected page. To address this issue, users should upgrade the plugin to version 1.6.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8609.
Read more CMSIn Gutenify – Visual Site Builder Blocks & Site Templates plugin versions up to and including 1.5.9 a medium severity vulnerability CVE-2025-8605 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to perform Stored Cross-Site Scripting by abusing insufficient input sanitization and output escaping on block attributes, enabling malicious scripts to execute whenever a user accesses an affected page. To address this issue, users should upgrade the plugin to version 1.6.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8605.
Read more CMSIn AI Engine plugin versions up to and including 3.1.8 a medium severity vulnerability CVE-2025-8084 was detected. This vulnerability allows authenticated attackers with Editor-level access and above to perform Server-Side Request Forgery via the rest_helpers_create_images function, enabling them to make web requests to arbitrary locations from the web application. On Cloud instances, this can lead to metadata retrieval and unauthorized querying or modification of internal services. To address this issue, users should upgrade the plugin to version 3.1.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8084.
Read more CMSIn Simple User Import Export plugin versions up to and including 1.1.7 a medium severity vulnerability CVE-2025-13133 was detected. This vulnerability allows authenticated attackers with Administrator-level access and above to perform CSV Injection via the ‘Import/export users’ function by embedding untrusted input into exported CSV files, which may lead to code execution when the files are opened on a local system with a vulnerable configuration. To address this issue, users should upgrade the plugin to version 1.1.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13133.
Read more CMSThe Coil Web Monetization plugin for WordPress versions up to and including 2.0.2 contains a medium severity vulnerability CVE-2025-9625. This vulnerability is caused by missing or incorrect nonce validation on the coil-get-css-selector parameter in the maybe_restrict_content function, allowing unauthenticated attackers to trigger CSS selector detection via a forged request if a site administrator is tricked into clicking a malicious link. To address this issue, users should upgrade the plugin to version 2.0.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9625.
Read more CMSThe RTMKit Addons for Elementor plugin for WordPress versions up to and including 1.6.1 contains a medium severity vulnerability CVE-2025-8609. This vulnerability is caused by insufficient input sanitization and output escaping on the plugin’s Accordion Block attributes, allowing authenticated attackers with contributor-level access and above to inject arbitrary web scripts that execute whenever a user accesses the infected page. To address this issue, users should upgrade the plugin to version 1.6.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8609.
Read more CMSIn Ovatheme Events Manager plugin for WordPress versions up to and including 1.8.6 a medium severity vulnerability CVE-2025-7663 was detected. This vulnerability allows unauthenticated attackers to delete ticket files, download tickets, and perform other unauthorized actions due to missing capability checks in the `/class-ovaem-ajax.php` file. To address this issue, users should upgrade Ovatheme Events Manager plugin to version 1.8.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7663.
Read more CMS