In FancyBox plugin for WordPress versions before 3.3.6 a high severity vulnerability CVE-2025-3662 was detected. This vulnerability allows unauthenticated attackers to inject malicious scripts into gallery captions due to the failure to escape `captions` and `titles` attributes, leading to Stored Cross-Site Scripting (XSS). To address this issue, users should upgrade FancyBox plugin to versions 3.3.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3662.
Read more CMSIn WP Plugin Info Card plugin for WordPress versions up to and including 5.3.1 a medium severity vulnerability CVE-2025-5116 was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject malicious scripts via the containerid parameter due to insufficient input sanitization and output escaping. To address this issue, users should upgrade WP Plugin Info Card plugin to versions 5.4.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5116.
Read more CMSIn Umbraco versions 14.0.0 and prior to versions 15.4.2 and 16.0.0 a medium severity vulnerability CVE-2025-48953 was detected. This vulnerability allows attackers to upload files with disallowed extensions by manipulating API requests, bypassing configured file upload restrictions. To address this issue, users should upgrade Umbraco to versions 15.4.2 or 16.0.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-48953.
Read more CMSIn Profile Builder plugin for WordPress versions up to and including 3.13.8 a medium severity vulnerability CVE-2025-4671 was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts via the `user_meta` and `compare` shortcodes, due to insufficient input sanitization and output escaping. To address this issue, users should upgrade Profile Builder plugin to versions 3.13.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4671.
Read more CMSIn File Provider plugin for WordPress versions through 1.2.3 a medium severity vulnerability CVE-2025-4580 was detected. This vulnerability allows attackers to perform Cross-Site Request Forgery (CSRF) attacks, enabling them to change plugin settings if a logged-in admin visits a malicious site. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4580.
Read more CMSIn Popup Maker plugin for WordPress versions up to and including 1.20.4 a medium severity vulnerability CVE-2025-4205 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject malicious scripts via the ‘popupID’ parameter, leading to Stored Cross-Site Scripting (XSS) that executes when a user accesses the affected page. To address this issue, users should upgrade Popup Maker plugin to versions 1.20.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4205.
Read more CMSIn Mautic versions above 4.0 a medium severity vulnerability CVE-2025-5257 was detected. This vulnerability allows unauthenticated attackers to access unpublished page previews via predictable URLs, potentially exposing draft content or sensitive information to the public and search engine indexing. To address this issue, users should upgrade Mautic to versions 6.0.2, 5.2.6 or 4.4.16. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5257.
Read more Marketing AutomationIn Mautic versions above 1.0 a medium severity vulnerability CVE-2025-5256 was detected. This vulnerability allows attackers to redirect users to malicious external websites via the returnUrl parameter in the user unlocking endpoint, potentially leading to phishing or exploit delivery. To address this issue, users should upgrade Mautic to versions 6.0.2, 5.2.6 or 4.4.16. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5256.
Read more Marketing AutomationIn Mautic versions above 1.0 a medium severity vulnerability CVE-2024-47057 was detected. This vulnerability allows unauthenticated attackers to enumerate valid usernames through the “Forget your password” functionality by exploiting differences in response times for valid and invalid users. To address this issue, users should upgrade Mautic to versions 6.0.2, 5.2.6 or 4.4.16. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-47057.
Read more Marketing Automation