In the Digital License Manager plugin for WordPress, versions up to and including 1.7.3, a medium-severity vulnerability, CVE-2025-2635, was detected. This vulnerability allows attackers to inject arbitrary web scripts via reflected cross-site scripting (XSS) by exploiting the improper use of the remove_query_arg() function without appropriate URL escaping, provided they can trick a user into performing an action such as clicking on a malicious link. To address this issue, users should upgrade the Digital License Manager plugin to version 1.7.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2635.
In the WP Church Donation plugin for WordPress, versions 1.7 and prior, a high-severity vulnerability, CVE-2024-13690, was detected. Due to insufficient input sanitization and output escaping, this vulnerability allows attackers to inject arbitrary web scripts via several donation form submission parameters; the scripts execute whenever a user accesses the affected page. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13690.
In the teachPress plugin for WordPress, versions 9.0.9 and prior, a medium-severity vulnerability, CVE-2025-1320, was detected. This vulnerability allows attackers to delete imports via a forged request by exploiting missing or incorrect nonce validation on the import.php page, provided they can trick a site administrator into performing an action such as clicking on a malicious link. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1320.
In Liferay Portal versions 7.4.0 through 7.4.3.126 and Liferay DXP versions 2024.Q3.0, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92, a medium-severity vulnerability, CVE-2025-2565, was detected. This vulnerability allows unauthorized users to obtain entry data from forms. To address this issue, users should upgrade Liferay Portal to version 7.4.3.129, or Liferay DXP to version 2024.Q4.0, 2024.Q3.1 or 2024.Q1.13. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2565.
In the CryoKey plugin for WordPress, versions 2.4 and prior, a medium-severity vulnerability, CVE-2025-2477, was detected. Due to insufficient input sanitization and output escaping, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts via the ‘ckemail’ parameter, provided they can trick a user into performing an action such as clicking on a malicious link. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2477.
In Liferay Portal versions 7.4.3.82 through 7.4.3.128 and Liferay DXP versions 2024.Q3.0, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 update 82 through update 92, a medium-severity vulnerability, CVE-2025-2536, was detected. This vulnerability allows remote attackers to inject arbitrary web scripts or HTML via the `toastData` parameter in the Frontend JS module’s `layout-taglib/__liferay__/index.js`, leading to cross-site scripting (XSS) attacks. To address this issue, users should upgrade Liferay Portal to version 7.4.3.129, or Liferay DXP to version 2024.Q1.13, 2024.Q3.1 or 2024.Q4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2536.
In the File Away plugin for WordPress, versions 3.9.9.0.1 and prior, a high-severity vulnerability, CVE-2025-2539, was detected. This vulnerability allows unauthenticated attackers to access arbitrary files on the server due to a missing capability check in the ajax() function and a reversible weak algorithm, potentially exposing sensitive information. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2539.
In the Age Gate plugin for WordPress, versions 3.5.3 and prior, a critical-severity vulnerability, CVE-2025-2505, was detected. This vulnerability allows unauthenticated attackers to include and execute arbitrary PHP files on the server via the `lang` parameter, potentially bypassing access controls, exposing sensitive data, or achieving remote code execution if certain file types can be uploaded and included. To address this issue, users should upgrade the Age Gate plugin to version 3.5.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2505.
In the SpotBot plugin for WordPress, versions 0.1.8 and prior, a high-severity vulnerability, CVE-2024-13878, was detected. This vulnerability allows attackers to execute reflected cross-site scripting (XSS) attacks by exploiting an unsanitized parameter, potentially targeting high-privilege users such as administrators. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13878.