In Profile Builder plugin for WordPress versions up to and including 3.13.8 a medium severity vulnerability CVE-2025-4671 was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts via the `user_meta` and `compare` shortcodes, due to insufficient input sanitization and output escaping. To address this issue, users should upgrade Profile Builder plugin to versions 3.13.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4671.
Read more CMS
In Mautic versions above 5.0 a medium severity vulnerability CVE-2024-47055 was detected. This vulnerability allows authenticated users to clone segments without proper authorization due to missing permission checks in the segment cloning functionality. To address this issue, users should upgrade Mautic to versions 5.2.6 or 6.0.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-47055.
Read more Marketing Automation
In Mautic versions above 4.0 a medium severity vulnerability CVE-2025-5257 was detected. This vulnerability allows unauthenticated attackers to access unpublished page previews via predictable URLs, potentially exposing draft content or sensitive information to the public and search engine indexing. To address this issue, users should upgrade Mautic to versions 6.0.2, 5.2.6 or 4.4.16. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5257.
Read more Marketing Automation
In Mautic versions above 1.0 a medium severity vulnerability CVE-2025-5256 was detected. This vulnerability allows attackers to redirect users to malicious external websites via the returnUrl parameter in the user unlocking endpoint, potentially leading to phishing or exploit delivery. To address this issue, users should upgrade Mautic to versions 6.0.2, 5.2.6 or 4.4.16. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5256.
Read more Marketing Automation
In Mautic versions above 1.0 a medium severity vulnerability CVE-2024-47057 was detected. This vulnerability allows unauthenticated attackers to enumerate valid usernames through the “Forget your password” functionality by exploiting differences in response times for valid and invalid users. To address this issue, users should upgrade Mautic to versions 6.0.2, 5.2.6 or 4.4.16. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-47057.
Read more Marketing Automation
In Mautic versions above 4.4 a high severity vulnerability CVE-2024-47056 was detected. This vulnerability allows unauthenticated attackers to access sensitive .env configuration files via a web browser due to improper web server restrictions, potentially exposing database credentials, API keys, and other critical data. To address this issue, users should upgrade Mautic to versions 6.0.2, 5.2.6 or 4.4.16. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-47056.
Read more Marketing Automation
In WP Extended plugin for WordPress versions up to and including 3.0.15 a medium severity vulnerability CVE-2025-4963 was detected. This vulnerability allows authenticated attackers with Author-level access or higher to upload malicious SVG files containing scripts, resulting in Stored Cross-Site Scripting (XSS) that executes whenever a user accesses the SVG file. To address this issue, users should upgrade WP Extended plugin to version 3.0.16 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4963.
Read more CMS
In Likes and Dislikes plugin for WordPress versions up to and including 1.0.0 a high severity vulnerability CVE-2025-5287 was detected. This vulnerability allows unauthenticated attackers to perform SQL Injection via the ‘post’ parameter, potentially enabling them to extract sensitive information from the database. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5287.
Read more CMS
In WP Attachments plugin for WordPress versions up to and including 5.0.12 a medium severity vulnerability CVE-2025-5082 was detected. This vulnerability allows unauthenticated attackers to perform Reflected Cross-Site Scripting (XSS) via the `attachment_id` parameter, enabling script injection if a user is tricked into clicking a malicious link. To address this issue, users should upgrade WP Attachments plugin to versions 5.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5082.
Read more CMS