In the WoodMart theme for WordPress versions up to and including 8.2.6 a medium severity vulnerability CVE-2025-8097 was detected. This vulnerability allows unauthenticated attackers to manipulate cart quantities using fractional values via the qty parameter in the woodmart_update_cart_item function, where insufficient input validation enables setting extremely small quantities (e.g., 0.00001) that round the cart total to $0.00, resulting in unauthorized acquisition of virtual or downloadable products. To address this issue, users should update the WoodMart theme to versions 8.2.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8097.
Read more CMSIn GitLab Language Server versions from 7.6.0 up to but not including 7.30.0 a high severity vulnerability CVE-2025-8279 was detected. This vulnerability allows unauthorized attackers to execute arbitrary GraphQL queries due to missing authentication for a critical function and insufficient input validation. To address this issue, users should upgrade GitLab Language Server to version 7.30.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8279.
Read more CMSIn Mine CloudVod plugin for WordPress versions up to and including 2.1.10 a medium severity vulnerability CVE-2025-8071 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject web scripts via the ‘audio’ parameter, which execute when a user accesses the affected page due to insufficient sanitization and escaping. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8071.
Read more CMSIn the Get Youtube Subs plugin for WordPress versions up to and including 3.5 a medium severity vulnerability CVE-2025-7966 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘channel’, ‘layout’, and ‘subs_count’ parameters due to insufficient input sanitization and output escaping. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7966.
Read more CMSIn Mine CloudVod plugin for WordPress versions up to and including 2.1.10 a medium severity vulnerability CVE-2025-8071 was detected. This vulnerability allows Contributor-level users to inject scripts via the ‘audio’ parameter, which execute when a user views the affected page. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8071.
Read more CMSIn LibreNMS versions up to and including 25.6.0 a high severity vulnerability CVE-2025-54138 was discovered in the ajax_form.php endpoint. This vulnerability allows remote file inclusion based on user-controlled POST input, as the application directly uses the type parameter to dynamically include .inc.php files from the trusted includes/html/forms/ path without proper validation or allowlisting, introducing a Remote Code Execution (RCE) risk if an attacker can stage a file in that path—such as via symlinks, misconfigurations, or chained exploits. To address this issue, users should upgrade LibreNMS to versions 25.7.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-54138.
Read more CMSIn the YANewsflash plugin for WordPress versions up to and including 1.0.3 a medium severity vulnerability CVE-2025-6054 was detected. This vulnerability allows unauthenticated attackers to update settings and inject malicious web scripts via a forged request, if they can trick a site administrator into performing an action such as clicking a link. This is due to missing or incorrect nonce validation on the yanewsflash/yanewsflash.php page. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6054.
Read more CMSIn the Social Streams plugin for WordPress versions up to and including 1.0.1 a high severity vulnerability CVE-2025-7722 was detected. This vulnerability allows authenticated users with Subscriber-level access or higher to escalate privileges to administrator by exploiting missing identity validation in the update_user_meta() function. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7722.
Read more CMSIn the Omnishop plugin for WordPress versions up to and including 1.0.9 a medium severity vulnerability CVE-2025-6215 was detected. This vulnerability lets unauthenticated attackers create customer accounts despite registration being disabled, by exploiting a publicly exposed /users/register endpoint that bypasses permission checks and calls wp_create_user() directly. The issue remains unfixed as of the latest version. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6215.
Read more CMS