In Drupal versions 8.0.0 to 10.3.12, 10.4.0 to 10.4.2, 11.0.0 to 11.0.11 and 11.1.0 to 11.1.2 a high severity vulnerability CVE-2025-31674 was detected. This vulnerability allows attackers to perform object injection by improperly modifying dynamically-determined object attributes, which can lead to unauthorized access and manipulation of sensitive data. To address this issue, users should upgrade Drupal Core to versions 10.3.13, 10.4.3, 11.0.12, 11.1.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-31674.
Read more CMS
In Drupal versions 8.0.0 to 10.3.13, 10.4.0 to 10.4.4, 11.0.0 to 11.0.12 and 11.1.0 to 11.1.4 a low severity vulnerability CVE-2025-31675 was detected. This vulnerability allows attackers to execute arbitrary JavaScript in the context of the user’s browser through improper neutralization of input during web page generation. This can lead to session hijacking, data theft, or website defacement. To address this issue, users should upgrade Drupal Core to versions 10.3.14, 10.4.5, 11.0.13, 11.1.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-31675.
Read more CMS
In Cal.com versions up to and including 1.0.0 a medium severity vulnerability CVE-2025-31604 was detected. This vulnerability allows attackers to execute stored cross-site scripting (XSS) attacks by improperly neutralizing script-related HTML tags in a web page. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-31604.
Read more Productivity
In BWL Advanced FAQ Manager plugin for WordPress versions 2.1.4 and prior a high severity vulnerability CVE-2024-13801 was detected. This vulnerability allows attackers with Subscriber-level access or higher to modify option values without proper capability checks, potentially causing a denial of service (DoS) or enabling unauthorized actions such as registration settings adjustments. To address this issue, users should upgrade BWL Advanced FAQ Manager plugin to versions 2.1.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13801.
Read more CMS
In Newsletters plugin for WordPress versions 4.9.9.7 and prior a high severity vulnerability CVE-2025-2009 was detected. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts through the logging functionality, which will execute when users access an injected page. To address this issue, users should upgrade Newsletters plugin to versions 4.9.9.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2009.
Read more CMS
In Event Post plugin for WordPress versions 5.9.9 and prior a medium severity vulnerability CVE-2025-2167 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts via the plugin’s ‘events_list’ shortcodes due to insufficient input sanitization and output escaping on user-supplied attributes, which will execute whenever a user accesses an affected page. To address this issue, users should upgrade Event Post plugin to versions 5.9.10 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2167.
Read more CMS
In Jobs plugin for WordPress versions 2.7.11 and prior a medium severity vulnerability CVE-2025-1310 was detected. This vulnerability allows authenticated attackers with Subscriber-level access and above to read the contents of arbitrary files on the server through the ‘job_postings_get_file’ parameter, which can contain sensitive information. To address this issue, users should upgrade Jobs plugin to versions 2.7.12 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1310.
Read more CMS
In Job Postings plugin for WordPress versions prior to 2.7.11 a medium severity vulnerability CVE-2024-10105 was detected. This vulnerability occurs due to the plugin failing to sanitize and escape certain settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed (e.g., in a multisite setup). To address this issue, users should upgrade Job Postings plugin to versions 2.7.11 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-10105.
Read more CMS
In Digital License Manager plugin for WordPress versions up to and including 1.7.3 a medium severity vulnerability CVE-2025-2635 was detected. This vulnerability allows attackers to inject arbitrary web scripts via reflected cross-site scripting (XSS) by exploiting the improper use of the remove_query_arg() function without appropriate URL escaping, tricking users into performing actions such as clicking on a malicious link. To address this issue, users should upgrade Digital License Manager plugin to versions 1.7.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2635.
Read more CMS