In Mautic versions above 4.4 a high severity vulnerability CVE-2024-47056 was detected. This vulnerability allows unauthenticated attackers to access sensitive .env configuration files via a web browser due to improper web server restrictions, potentially exposing database credentials, API keys, and other critical data. To address this issue, users should upgrade Mautic to versions 6.0.2, 5.2.6 or 4.4.16. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-47056.
Read more Marketing AutomationIn Mautic versions above 5.0 a medium severity vulnerability CVE-2024-47055 was detected. This vulnerability allows authenticated users to clone segments without proper authorization due to missing permission checks in the segment cloning functionality. To address this issue, users should upgrade Mautic to versions 5.2.6 or 6.0.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-47055.
Read more Marketing AutomationIn Likes and Dislikes plugin for WordPress versions up to and including 1.0.0 a high severity vulnerability CVE-2025-5287 was detected. This vulnerability allows unauthenticated attackers to perform SQL Injection via the ‘post’ parameter, potentially enabling them to extract sensitive information from the database. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5287.
Read more CMSIn WP Attachments plugin for WordPress versions up to and including 5.0.12 a medium severity vulnerability CVE-2025-5082 was detected. This vulnerability allows unauthenticated attackers to perform Reflected Cross-Site Scripting (XSS) via the `attachment_id` parameter, enabling script injection if a user is tricked into clicking a malicious link. To address this issue, users should upgrade WP Attachments plugin to versions 5.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5082.
Read more CMSIn MasterStudy LMS Pro plugin versions up to and including 4.7.0 a high severity vulnerability CVE-2025-4800 allows authenticated users with Subscriber-level access or higher to upload arbitrary files due to missing file type validation in the `stm_lms_add_assignment_attachment` function. This could potentially lead to remote code execution on the server. To address this issue, users should upgrade MasterStudy LMS Pro plugin to versions 4.7.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4800.
Read more CMSIn WP Extended plugin for WordPress versions up to and including 3.0.15 a medium severity vulnerability CVE-2025-4963 was detected. This vulnerability allows authenticated attackers with Author-level access or higher to upload malicious SVG files containing scripts, resulting in Stored Cross-Site Scripting (XSS) that executes whenever a user accesses the SVG file. To address this issue, users should upgrade WP Extended plugin to version 3.0.16 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4963.
Read more CMSIn Exclusive Addons for Elementor plugin for WordPress versions up to and including 2.7.9.1 a medium severity vulnerability CVE-2025-4783 was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts via the Countdown Timer Widget’s HTML attributes, which execute when a user accesses an affected page. To address this issue, users should upgrade Exclusive Addons for Elementor plugin to versions 2.7.9.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4783.
Read more CMSIn TablePress plugin for WordPress versions up to and including 3.1.2 a medium severity vulnerability CVE-2025-5096 was detected. This DOM-based stored XSS vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts via the data-caption, data-s-content-padding, data-s-title and data-footerattributes. To address this issue, users should upgrade TablePress plugin to versions 3.1.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5096.
Read more CMSIn 4stats plugin for WordPress versions up to and including 2.0.9 a medium severity vulnerability CVE-2025-3869 was detected. This Cross-Site Request Forgery (CSRF) vulnerability, caused by missing or incorrect nonce validation on the stats/stats.php page, allows unauthenticated attackers to update settings and inject malicious web scripts via a forged request if they can trick a site administrator into performing an action such as clicking a link. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3869.
Read more CMS