In Umbraco versions prior to 10.8.10 and 13.8.1, a medium-severity vulnerability, CVE-2025-46736, was detected. This vulnerability allows attackers to determine whether an account exists by analyzing the timing of post-login API responses. To address this issue, users should upgrade Umbraco to version 10.8.10 or 13.8.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-46736.
In LayoutBoxx plugin for WordPress versions up to and including 0.3.1, a high-severity vulnerability, CVE-2025-2802, was detected. This vulnerability allows unauthenticated attackers to execute arbitrary shortcodes due to insufficient validation before calling do_shortcode. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2802.
In Cision Block plugin for WordPress versions up to and including 4.3.0, a medium-severity vulnerability, CVE-2025-3782, was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘id’ parameter due to insufficient input sanitization and output escaping; the scripts execute whenever a user accesses an injected page. To address this issue, users should upgrade Cision Block plugin to version 4.4.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3782.
In AHAthat plugin for WordPress versions up to and including 1.6, a medium-severity vulnerability, CVE-2025-4337, was detected. This vulnerability allows unauthenticated attackers to delete AHA pages via a forged request by exploiting missing or incorrect nonce validation in the aha_plugin_page() function, provided they can trick a site administrator into performing an action such as clicking a malicious link. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4337.
In Envolve Plugin versions up to and including 1.0, a medium-severity vulnerability, CVE-2024-11615, was detected. This vulnerability allows unauthenticated attackers to delete language files via the `zetra_deleteLanguageFile` and `zetra_deleteFontsFile` functions due to insufficient validation of file paths. To address this issue, users should upgrade Envolve plugin to version 1.1.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11615.
In SurveyJS plugin for WordPress versions up to and including 1.12.32, a medium-severity vulnerability, CVE-2025-3815, was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript via the `id` parameter due to insufficient input sanitization and output escaping, resulting in Stored Cross-Site Scripting (XSS). To address this issue, users should upgrade SurveyJS plugin to version 1.12.33 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3815.
In WPML plugin for WordPress versions 3.6.0 to 4.7.3, a medium-severity vulnerability, CVE-2025-3488, was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript via the `wpml_language_switcher` shortcode due to insufficient input sanitization and output escaping on user-supplied attributes, resulting in Stored Cross-Site Scripting (XSS). To address this issue, users should upgrade WPML plugin to version 4.7.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3488.
In Formality plugin for WordPress versions up to and including 1.5.8, a medium-severity vulnerability, CVE-2025-3858, was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘align’ parameter, which execute when a user accesses an injected page, due to insufficient input sanitization and output escaping. To address this issue, users should upgrade Formality plugin to version 1.5.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3858.
In Music Player for Elementor plugin for WordPress versions up to and including 2.4.6, a medium-severity vulnerability, CVE-2025-5340, was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary scripts via the album_buy_url parameter, leading to Stored Cross-Site Scripting (XSS) that executes when a user visits the affected page. To address this issue, users should upgrade Music Player for Elementor plugin to version 2.4.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5340.