In the Birth Chart Compatibility plugin for WordPress versions up to and including 2.0 a medium severity vulnerability CVE-2025-6082 was detected. This vulnerability allows unauthenticated attackers to retrieve the full path of the web application, which can aid in further attacks, due to insufficient protection against direct access to the plugin’s index.php file that triggers an error exposing the full path. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6082.
In WPLMS theme for WordPress versions 1.5.2 to 1.8.4.1 a high severity vulnerability CVE-2015-10139 was detected. This vulnerability allows authenticated attackers to escalate privileges by exploiting the unprotected wp_ajax_import_data AJAX action, enabling them to modify restricted settings and potentially create a new administrator account. To address this issue, users should upgrade WPLMS theme to version 1.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2015-10139.
In Work The Flow File Upload plugin for WordPress versions up to and including 2.5.2 a critical severity vulnerability CVE-2015-10138 was detected. This vulnerability allows unauthenticated attackers to upload arbitrary files due to missing file type validation in the jQuery-File-Upload-9.5.0 server and test files, potentially leading to remote code execution. To address this issue, users should upgrade Work The Flow File Upload plugin to version 2.5.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2015-10138.
In WP Mobile Detector plugin for WordPress versions up to and including 3.5 a critical severity vulnerability CVE-2016-15043 was detected. This vulnerability allows unauthenticated attackers to upload arbitrary files due to missing file type validation in the resize.php file, potentially leading to remote code execution. To address this issue, users should upgrade WP Mobile Detector plugin to version 3.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2016-15043.
In GI-Media Library plugin for WordPress versions prior to 3.0 a high severity vulnerability CVE-2015-10136 was detected. This vulnerability allows unauthenticated attackers to read the contents of arbitrary files on the server via directory traversal using the fileid parameter, potentially exposing sensitive information. To address this issue, users should upgrade GI-Media Library plugin to version 3.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2015-10136.
In Directus versions 9.12.0 and above a medium severity vulnerability CVE-2025-53889 was detected. This vulnerability allows attackers to execute manual trigger Flows without authentication or proper access rights, potentially performing unauthorized actions on behalf of a user. To address this issue, users should upgrade Directus to version 11.9.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-53889.
In Directus versions 9.0.0 and above a medium severity vulnerability CVE-2025-53887 was detected. This vulnerability allows attackers to obtain the exact Directus version via the unauthenticated /server/specs/oas endpoint, potentially aiding in targeted exploitation using known vulnerabilities. To address this issue, users should upgrade Directus to version 11.9.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-53887.
In Directus versions 9.0.0 and above a medium severity vulnerability CVE-2025-53886 was detected. This vulnerability allows malicious administrators to hijack user sessions by accessing sensitive data such as access and refresh tokens logged during Flow WebHook executions. To address this issue, users should upgrade Directus to version 11.9.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-53886.
In Directus versions 9.0.0 and above a medium severity vulnerability CVE-2025-53885 was detected. This vulnerability allows malicious administrators to log sensitive user data using the “Log to Console” operation within Flows triggered by user CRUD events. To address this issue, users should upgrade Directus to version 11.9.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-53885.