In Liferay Portal 7.4.0 through 7.4.3.99, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 34, and older unsupported versions a medium severity vulnerability CVE-2025-62261 was detected. This vulnerability allows attackers with access to the database to obtain password reset tokens stored in plain text, reset a user’s password, and take over the user’s account. To fix this issue, users should upgrade to Liferay Portal 7.4.3.100, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.0, Liferay DXP 2023.Q3.5, or Liferay DXP 7.3 U35. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62261.
Read more CMS
In Jeg Kit for Elementor plugin for WordPress versions prior to 2.7.0 a medium severity vulnerability CVE-2025-9978 was detected. This vulnerability allows attackers to execute arbitrary scripts in the context of a user’s browser by uploading specially crafted SVG files via xmlrpc.php. To address this issue, users should upgrade Jeg Kit for Elementor plugin to version 2.7.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8416.
Read more CMS
In Product Filter by WBW plugin for WordPress versions up to and including 2.9.7 a high severity vulnerability CVE-2025-8416 was detected. This vulnerability allows unauthenticated attackers to supply specially crafted input to the filtersDataBackend parameter to inject additional SQL into existing queries and extract sensitive database information due to insufficient escaping and lack of prepared statements. To address this issue, users should upgrade Product Filter by WBW plugin to version 2.9.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8416.
Read more CMS
In the Listeo theme for WordPress versions up to and including 2.0.8 a medium severity vulnerability CVE-2025-8413 was detected. This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary scripts via the theme’s soundcloud shortcode because of insufficient input sanitization and output escaping on user-supplied attributes; injected scripts execute whenever a user accesses an affected page. To address this issue, users should upgrade the Listeo theme to version 2.0.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8413.
Read more CMS
In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.19 a low severity vulnerability CVE-2025-62247 was detected. This vulnerability allows instance users to access and select unauthorized Blueprints through Collection Providers across instances, potentially exposing restricted configuration data. To address this issue, users should update to Liferay DXP 2025.Q3.0, 2025.Q2.10, 2025.Q1.17, or 2024.Q1.20. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62247.
Read more CMS
In Liferay Portal versions 7.4.0 through 7.4.3.109, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 GA through update 92, and 7.3 GA through update 35 a medium severity vulnerability CVE-2025-62256 was detected. This vulnerability allows remote attackers to bypass OpenAPI access restrictions and retrieve the OpenAPI YAML file through a crafted URL, potentially exposing sensitive API structure and endpoint information. To address this issue, users should update to Liferay Portal 7.4.3.110, Liferay DXP 2024.Q1.1, 2023.Q4.6, 2023.Q3.8, or 7.3 update 36. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62256.
Read more CMS
In Liferay Portal versions 7.4.0 through 7.4.3.101 and Liferay DXP versions 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and older unsupported versions a low severity vulnerability CVE-2025-62255 was detected. This vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted attachment filename on the Knowledge Base article edit page, potentially enabling self-XSS when the affected page is rendered in the victim’s browser. To address this issue, users should update to Liferay Portal 7.4.3.102, Liferay DXP 2023.Q3.6, or 7.3 update 35. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62255.
Read more CMS
In Liferay Portal versions 7.4.0 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, 7.3 GA through update 35 and older unsupported versions a medium severity vulnerability CVE-2025-62254 was detected. This vulnerability allows remote attackers to trigger a denial of service by sending crafted requests that cause the ComboServlet to combine an excessive number or size of files, leading to very large responses and resource exhaustion. To address this issue, users should update to Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, 2023.Q4.3, 2023.Q3.6, or 7.3 update 36. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62254.
Read more CMS
In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.19 a medium severity vulnerability CVE-2025-62248 was detected. This vulnerability allows a remote authenticated attacker to inject and execute JavaScript code via the _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_definition parameter, leading to code execution in the victim’s browser when visiting a crafted URL. To address this issue, users should update to Liferay DXP 2025.Q2.10, 2025.Q1.17, or 2024.Q1.20. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-62248.
Read more CMS