Business and Enterprise Solutions

In Buddyboss Platform plugin for WordPress versions 2.8.50 and prior a medium severity vulnerability CVE-2024-13860 was detected. This vulnerability allows authenticated attackers with Subscriber-level access or higher to inject malicious scripts via the `bbp_topic_title` parameter, leading to Stored Cross-Site Scripting (XSS) on affected pages. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13860.

In SureForms plugin for WordPress versions prior to 1.4.4 a medium severity vulnerability CVE-2025-3471 was detected. This vulnerability allows attackers with Contributor-level access or higher to update plugin settings via the REST API due to a missing authorization check. To address this issue, users should upgrade SureForms plugin to versions 1.4.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3471.

In Calculated Fields Form plugin for WordPress versions prior to 5.2.62 a low severity vulnerability CVE-2024-12273 was detected. This vulnerability allows high-privilege users, such as admins, to perform Stored Cross-Site Scripting (XSS) attacks due to improper sanitization and escaping of certain settings, even when the unfiltered_html capability is disallowed (e.g., in multisite setups). To address this issue, users should upgrade Calculated Fields Form plugin to versions 5.2.62 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12273.

In Admin and Site Enhancements (ASE) plugin for WordPress versions prior to 7.6.10 a medium severity vulnerability CVE-2024-13688 was detected. This vulnerability allows attackers to bypass the Password Protection feature by exploiting a hardcoded password through a crafted request. To address this issue, users should upgrade Admin and Site Enhancements (ASE) plugin to versions 7.6.10 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13688.

In WP-Recall plugin for WordPress versions prior to 16.26.12 a low severity vulnerability CVE-2024-9771 was detected. This vulnerability allows high privilege users such as administrators to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed, such as in a multisite setup. To address this issue, users should upgrade WP-Recall plugin to versions 16.26.12 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-9771.

In Edumall theme for WordPress versions up to and including 4.2.4 a high severity vulnerability CVE-2025-2101 was detected. This vulnerability allows attackers to include and execute arbitrary PHP files on the server, potentially leading to code execution, bypassing access controls, or exposing sensitive information. To address this issue, users should upgrade Edumall theme to versions 4.3.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2101.

In The Anps Theme plugin for WordPress versions up to and including 1.1.1 a medium severity vulnerability CVE-2024-13812 was detected. This vulnerability allows attackers to execute arbitrary shortcodes without authentication, potentially leading to site compromise. To address this issue, users should upgrade The Anps Theme plugin to versions 1.1.25 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13812.

In Aeropage Sync for Airtable plugin for WordPress versions up to and including 3.2.0 a medium severity vulnerability CVE-2025-3915 was detected. This vulnerability allows authenticated attackers with Subscriber-level access and above to delete arbitrary posts. To address this issue, users should upgrade Aeropage Sync for Airtable plugin to versions 3.3.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3915.

In Add Custom Page Template plugin versions up to and including 2.0.1 a high severity vulnerability CVE-2025-3491 was detected. This vulnerability allows authenticated attackers with Administrator-level access and above to execute arbitrary code on the server via insufficient sanitization of the ‘template_name’ parameter. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3491.