In Genesis Framework theme for WordPress versions up to and including 3.6.0 a medium severity vulnerability CVE-2025-10737 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts via the theme’s shortcodes due to insufficient input sanitization and output escaping. To fix this vulnerability, users should upgrade to version 3.6.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-10737.
Read more CMSIn WordPress User Feedback plugin versions up to and including 1.8.0 a medium severity vulnerability CVE-2025-10694 was detected. This vulnerability allows unauthenticated attackers to access the plugin’s onboarding wizard page due to a missing capability check, exposing configuration details including the administrator’s email address. To fix this vulnerability, users should upgrade to version 1.8.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-10694.
Read more CMSIn the WordPress BackWPup plugin versions prior to and including 5.5.0 a medium severity vulnerability CVE-2025-10579 was detected. This vulnerability allows authenticated attackers with Subscriber-level access and above to retrieve a backup’s filename via the backwpup_working AJAX action due to a missing capability check. While the filename alone has limited value, it could aid targeted brute-force attempts to obtain backup contents in certain environments. To fix this vulnerability, users should upgrade to version 5.5.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-10579.
Read more CMSIn the WordPress eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams versions prior to and including 1.5.6 a high severity vulnerability CVE-2025-11760 was detected. This vulnerability exposes the Zoom SDK secret key in client-side JavaScript, making it possible for unauthenticated attackers to extract the key and generate valid JWT signatures. This could allow unauthorized access to private meetings or other Zoom resources. To fix this vulnerability, users should upgrade to version 1.5.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-11760.
Read more CMSThe AI Chatbot Free Models – Customer Support, Live Chat, Virtual Assistant plugin for WordPress is vulnerable to CSV Injection in all versions up to and including 1.6.5. This vulnerability allows unauthenticated attackers to embed untrusted input into exported CSV files, potentially leading to code execution when these files are opened on vulnerable systems. To fix this vulnerability, users should upgrade to version 1.6.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-11576.
Read more CMSIn the WordPress GenerateBlocks plugin versions prior to and including 2.1.1 a medium severity vulnerability CVE-2025-11879 was detected. This vulnerability allows authenticated attackers with contributor level access and above to read arbitrary WordPress options, including sensitive data such as SMTP credentials and API keys, due to a missing capability check on the get_option_rest function. To fix this vulnerability, users should upgrade to version 2.1.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-11879.
Read more CMSIn the WordPress wpForo Forum plugin versions prior to and including 2.4.8 a high severity vulnerability CVE-2025-4203 was detected. This vulnerability allows unauthenticated attackers to perform error-based or time-based blind SQL injection via the get_members() function due to missing integer validation on the offset and row_count parameters. Attackers can exploit this to extract sensitive information from the database. To fix this vulnerability, users should upgrade to version 2.4.9 and later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4203.
Read more CMSIn the WordPress Password Protected plugin versions prior to and including 2.7.11 a medium severity vulnerability CVE-2025-11244 was detected. This vulnerability allows attackers to bypass authorization via IP address spoofing by manipulating client-controlled HTTP headers when the “Use transients” feature is enabled. To fix this vulnerability, users should upgrade to version 2.7.12 and later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-11244.
Read more CMSIn the WordPress Watu Quiz plugin versions prior to and including 3.4.4 a medium severity vulnerability CVE-2025-11238 was detected. This vulnerability allows unauthenticated attackers to perform stored cross-site scripting (XSS) via the HTTP Referer header when the “Save source URL” option is enabled. To fix this vulnerability, users should upgrade to version 3.4.5 and later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-11238.
Read more CMS