In the Advanced Custom Fields (ACF) plugin for WordPress versions up to and including 3.5.1 a low severity vulnerability CVE-2012-10025 was detected. This vulnerability allows unauthenticated attackers to achieve remote code execution by exploiting insufficient validation in core/actions/export.php, enabling remote file inclusion via the acf_abspath POST parameter when allow_url_include is enabled in the PHP configuration, potentially leading to full compromise of the host. To address this issue, users should upgrade the Advanced Custom Fields (ACF) plugin to versions 3.5.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2012-10025.
Read more CMS
In the Asset-Manager plugin for WordPress versions up to and including 2.0 a critical severity vulnerability CVE-2012-10026 was detected. This vulnerability allows unauthenticated attackers to upload and execute arbitrary PHP scripts via the upload.php endpoint due to insufficient validation of uploaded files. The uploaded files are placed in a predictable temporary directory and can be triggered via direct HTTP requests, resulting in remote code execution under the web server’s context. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2012-10026.
Read more CMS
In Ocean Social Sharing plugin for WordPress versions up to and including 2.2.1 a medium severity vulnerability CVE-2025-7500 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via social icon titles, due to insufficient input sanitization and output escaping. To address this issue, users should upgrade Ocean Social Sharing plugin to versions 2.2.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7500.
Read more CMS
In Campus Directory plugin for WordPress versions up to and including 1.9.1 a medium severity vulnerability CVE-2025-8313 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘noaccess_msg’ parameter due to insufficient input sanitization and output escaping. To address this issue, users should upgrade Campus Directory plugin to versions 1.9.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8313.
Read more CMS
In Employee Directory plugin for WordPress versions up to and including 4.5. a medium severity vulnerability CVE-2025-8295 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘noaccess_msg’ parameter due to insufficient input sanitization and output escaping. To address this issue, users should upgrade Employee Directory plugin to versions 4.5.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8295.
Read more CMS
In the Zakra theme for WordPress versions up to and including 4.1.5 a medium severity vulnerability CVE-2025-8595 was detected. This vulnerability allows authenticated attackers with Subscriber-level access or higher to modify data by importing demo settings, due to a missing capability check in the welcome_notice_import_handler() function. To address this issue, users should upgrade Zakra theme to version 4.1.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8595.
In WP Easy Contact plugin for WordPress versions up to and including 4.0.1 a medium severity vulnerability CVE-2025-8315 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘noaccess_msg’ parameter due to insufficient input sanitization and output escaping. To address this issue, users should upgrade WP Easy Contact plugin to versions 4.0.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8315.
Read more CMS
In Liferay Portal versions 7.4.3.61 through 7.4.3.132, and Liferay DXP versions 2024.Q4.1 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.13, and 7.4 update 61 through update 92 a low severity vulnerability CVE-2025-4599 was detected. This vulnerability allows remote unauthenticated attackers to inject JavaScript into the fragment portlet URL via the fragment preview functionality, leading to postMessage-based Cross-Site Scripting (XSS). To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2024.Q1.14, 2024.Q4.6 or 2025.Q1.0 For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4599.
Read more CMS
In Service Finder SMS System plugin for WordPress versions up to and including 2.0.0 a critical severity vulnerability CVE-2025-5954 was detected. This vulnerability allows unauthenticated attackers to escalate privileges and register as administrator users due to the plugin not restricting user role selection during registration via the aonesms_fn_savedata_after_signup() function. To address this issue, users should upgrade Service Finder SMS System plugin to versions 3.0.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5954.
Read more CMS