In Liferay Portal versions 7.4.0 through 7.4.3.128, and Liferay DXP versions 2024.Q3.0 through 2024.Q3.5, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-43775 was detected. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the remote app title field, leading to stored cross-site scripting. To address this issue, users should upgrade Liferay Portal to version 7.4.3.129, or Liferay DXP to versions 2024.Q1.13, 2024.Q3.6 or 2024.Q4.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43775.
Read more CMS
In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.19 a medium severity vulnerability CVE-2025-43777 was detected. This vulnerability causes an “Internal Server Error” to be returned in the response body when a login attempt is made using a deleted Client Secret. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q2.10, 2025.Q1.17, or 2024.Q1.20. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43777.
Read more CMS
In Liferay Portal version 7.4.3.132, and Liferay DXP versions 2025.Q1.0 through 2025.Q1.17 a medium severity vulnerability CVE-2025-43774 was detected. This vulnerability allows a remote authenticated user to inject JavaScript code via the Style Book theme name. The malicious payload is then reflected and executed within the user’s browser. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to version 2025.Q1.18. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43774.
Read more CMS
In Liferay Portal versions 7.4.0 through 7.4.3.131, and Liferay DXP versions 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.20 a medium severity vulnerability CVE-2025-43763 was detected. This vulnerability affects custom object attachment fields and allows an attacker to manipulate the application into making unauthorized requests to other instances, creating new object entries that link to external resources. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2024.Q4.8, 2024.Q3.14, 2024.Q2.14, or 2024.Q1.21. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43763.
Read more CMS
In the WordPress Comments Import & Export plugin for WordPress, all versions up to and including 2.4.3 a medium severity vulnerability CVE-2025-3919 was detected. This vulnerability allows authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts via the plugin settings page due to a missing capability check on the save_settings function and improper sanitization of FTP settings parameters. The injected scripts execute whenever an administrative user accesses the affected page. To address this issue, users should upgrade the plugin to version 2.4.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3919.
Read more CMS
In Easy Timer plugin for WordPress versions up to and including 4.2.1 a high severity vulnerability CVE-2025-9519 was detected. This vulnerability allows authenticated attackers with Editor-level access and above to execute arbitrary code on the server via the plugin’s shortcodes due to insufficient restriction of shortcode attributes. To address this issue, users should upgrade Easy Timer plugin to versions 4.2.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9519.
Read more CMS
In TablePress plugin for WordPress versions up to and including 3.2 a medium severity vulnerability CVE-2025-9500 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘shortcode_debug’ parameter, which execute whenever a user accesses an injected page. To address this issue, users should upgrade TablePress plugin to versions 3.2.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9500.
Read more CMS
In Ocean Extra plugin for WordPress versions up to and including 2.4.9 a medium severity vulnerability CVE-2025-9499 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘oceanwp_library’ shortcode, which execute whenever a user accesses an injected page. To address this issue, users should upgrade Ocean Extra plugin to versions 2.5.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9499.
Read more CMS
In Optio Dentistry plugin for WordPress versions up to and including 2.2 a medium severity vulnerability CVE-2025-9853 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts via the ‘optio-lightbox’ shortcode, which will execute whenever a user accesses the affected page. To address this issue, users should upgrade Optio Dentistry plugin to versions 2.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9853.
Read more CMS