In WordPress versions 3.5 through 6.8.2 a low severity vulnerability CVE-2025-54352 was identified. This vulnerability allows remote attackers to guess the titles of private and draft posts via pingback.ping XML-RPC requests, which can potentially lead to information disclosure. The WordPress supplier has chosen not to change this behavior. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-54352.
Read more CMS
In LibreNMS versions up to and including 25.6.0 a high severity vulnerability CVE-2025-54138 was discovered in the ajax_form.php endpoint. This vulnerability allows remote file inclusion based on user-controlled POST input, as the application directly uses the type parameter to dynamically include .inc.php files from the trusted includes/html/forms/ path without proper validation or allowlisting, introducing a Remote Code Execution (RCE) risk if an attacker can stage a file in that path—such as via symlinks, misconfigurations, or chained exploits. To address this issue, users should upgrade LibreNMS to versions 25.7.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-54138.
Read more CMS
In the YANewsflash plugin for WordPress versions up to and including 1.0.3 a medium severity vulnerability CVE-2025-6054 was detected. This vulnerability allows unauthenticated attackers to update settings and inject malicious web scripts via a forged request, if they can trick a site administrator into performing an action such as clicking a link. This is due to missing or incorrect nonce validation on the yanewsflash/yanewsflash.php page. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6054.
Read more CMS
In the Social Streams plugin for WordPress versions up to and including 1.0.1 a high severity vulnerability CVE-2025-7722 was detected. This vulnerability allows authenticated users with Subscriber-level access or higher to escalate privileges to administrator by exploiting missing identity validation in the update_user_meta() function. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7722.
Read more CMS
In the Omnishop plugin for WordPress versions up to and including 1.0.9 a medium severity vulnerability CVE-2025-6215 was detected. This vulnerability lets unauthenticated attackers create customer accounts despite registration being disabled, by exploiting a publicly exposed /users/register endpoint that bypasses permission checks and calls wp_create_user() directly. The issue remains unfixed as of the latest version. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6215.
Read more CMS
In the Birth Chart Compatibility plugin for WordPress versions up to and including 2.0 a medium severity vulnerability CVE-2025-6082 was detected. This vulnerability allows unauthenticated attackers to retrieve the full path of the web application, which can aid in further attacks, due to insufficient protection against direct access to the plugin’s index.php file that triggers an error exposing the full path. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6082.
Read more CMS
In the Orion Login with SMS plugin for WordPress versions up to and including 1.0.5 a high severity vulnerability CVE-2025-7692 was detected. This vulnerability allows unauthenticated attackers to log in as other users, including administrators, if they have access to their phone number, due to the olws_handle_verify_phone() function using a weak OTP value, exposing the hash used to generate it, and lacking restrictions on OTP submission attempts. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7692.
Read more CMS
In the Latest Post Accordian Slider plugin for WordPress versions up to and including 1.3 a medium severity vulnerability CVE-2025-7687 was detected. This vulnerability allows unauthenticated attackers to update settings and inject malicious web scripts via a forged request, if they can trick a site administrator into performing an action such as clicking a link. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7687.
Read more CMS
In the Like & Share My Site plugin for WordPress versions up to and including 0.2 a medium severity vulnerability CVE-2025-7685 was detected. This vulnerability allows unauthenticated attackers to update settings and inject malicious web scripts via a forged request, if they can trick a site administrator into performing an action such as clicking a link. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7685.
Read more CMS