In Frontend Dashboard plugin for WordPress versions 1.0 to 2.2.7 a high severity vulnerability CVE-2025-4474 was detected. This vulnerability allows authenticated attackers with Subscriber-level access and above to escalate privileges by overwriting the plugin’s ‘register’ role setting, making new user registrations default to the administrator role. To address this issue, users should upgrade Frontend Dashboard plugin to versions 2.2.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4474.
Read more CMS
In TheGem theme for WordPress versions up to and including 5.10.3 a medium severity vulnerability CVE-2025-4339 was detected. This vulnerability allows authenticated attackers with Subscriber-level access and above to modify arbitrary theme options due to a missing capability check on the ajaxApi() function. To address this issue, users should upgrade TheGem theme to versions 5.10.3.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4339.
Read more CMS
In Newsletters plugin for WordPress versions up to and including 4.9.9.8 a medium severity vulnerability CVE-2025-3107 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to perform time-based SQL Injection via the ‘orderby’ parameter, enabling them to extract sensitive information from the database. To address this issue, users should upgrade Newsletters plugin to versions 4.9.9.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3107.
Read more CMS
In the Jeg Elementor Kit plugin for WordPress versions up to and including 2.6.12 a medium severity vulnerability CVE-2025-2944 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts via the plugin’s Video Button and Countdown Widgets, which, due to insufficient input sanitization and output escaping, execute whenever a user accesses a compromised page. To address this issue, users should upgrade the Jeg Elementor Kit plugin to versions 2.6.13. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2944.
Read more CMS
In BuddyBoss Platform Pro plugin for WordPress versions up to and including 2.7.01 a critical severity vulnerability CVE-2025-1909 was detected. This vulnerability allows unauthenticated attackers to bypass authentication and log in as any existing user, including administrators, if they have access to the user’s email address, due to insufficient verification during the Apple OAuth authentication process. To address this issue, users should upgrade BuddyBoss Platform Pro plugin to versions 2.7.10 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1909.
Read more CMS
In Login Lockdown & Protection plugin for WordPress versions up to and including 2.11 a medium severity vulnerability CVE-2025-3766 was detected. This vulnerability allows authenticated users with Subscriber-level access or higher to obtain a valid nonce via the ajax_run_tool function, enabling them to generate a global unlock key and add IPs to the allowlist—exploitable only on new installs where the loginlockdown page has not been visited by an admin. To address this issue, users should upgrade Login Lockdown & Protection plugin to versions 2.12 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3766.
Read more CMS
In WP SEO Structured Data Schema plugin for WordPress versions up to and including 2.7.11 a medium severity vulnerability CVE-2025-4127 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘Price Range’ parameter, which execute when an administrator accesses the plugin settings page, due to insufficient input sanitization and output escaping. To address this issue, users should upgrade WP SEO Structured Data Schema plugin to versions 2.8.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4127.
Read more CMS
In Liferay Portal versions 7.4.0 through 7.4.3.131 and Liferay DXP versions 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-4388 was detected. This vulnerability allows remote unauthenticated attackers to inject JavaScript into the modules/apps/marketplace/marketplace-app-manager-web via reflected cross-site scripting. To address this issue, users should upgrade Liferay Portal to versions 7.4.3.132, Liferay DXP to versions 2024.Q1.13 or 2024.Q4.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4388.
Read more CMS
In Umbraco versions prior to 10.8.10 and 13.8.1 a medium severity vulnerability CVE-2025-46736 was detected. This vulnerability allows attackers to determine whether an account exists by analyzing the timing of post-login API responses. To address this issue, users should upgrade Umbraco to versions 10.8.10 or 13.8.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-46736.
Read more CMS