In CryoKey plugin for WordPress versions 2.4 and prior a medium severity vulnerability CVE-2025-2477 was detected. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts via the ‘ckemail’ parameter due to insufficient input sanitization and output escaping, which can be exploited by tricking users into performing actions, such as clicking on a malicious link. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2477.
Read more CMS
In Liferay Portal versions 7.4.3.82 through 7.4.3.128 and Liferay DXP versions 2024.Q3.0, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 update 82 through update 92 a medium severity vulnerability CVE-2025-2536 was detected. This vulnerability allows remote attackers to inject arbitrary web scripts or HTML via the `toastData` parameter in the Frontend JS module’s `layout-taglib/__liferay__/index.js`, leading to cross-site scripting (XSS) attacks. To address this issue, users should upgrade Liferay Portal to version 7.4.3.129, Liferay DXP to versions 2024.Q1.13, 2024.Q3.1 or 2024.Q4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2536.
Read more CMS
In File Away plugin for WordPress versions 3.9.9.0.1 and prior a high severity vulnerability CVE-2025-2539 was detected. This vulnerability allows unauthenticated attackers to access arbitrary files on the server due to a missing capability check in the ajax() function and a reversible weak algorithm, potentially exposing sensitive information. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2539.
Read more CMS
In Age Gate plugin for WordPress versions 3.5.3 and prior a critical severity vulnerability CVE-2025-2505 was detected. This vulnerability allows unauthenticated attackers to include and execute arbitrary PHP files on the server via the `lang` parameter, potentially bypassing access controls, exposing sensitive data, or achieving remote code execution if certain file types can be uploaded and included. To address this issue, users should upgrade Age Gate plugin to versions 3.5.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2505.
Read more CMS
In SpotBot plugin for WordPress versions 0.1.8 and prior a high severity vulnerability CVE-2024-13878 was detected. This vulnerability allows attackers to execute Reflected Cross-Site Scripting (XSS) attacks by exploiting an unsanitized parameter, potentially targeting high-privilege users such as administrators. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13878.
Read more CMS
In File Away plugin for WordPress versions 3.9.9.0.1 and prior a critical severity vulnerability CVE-2025-2512 was detected. This vulnerability allows unauthenticated attackers to upload arbitrary files due to a missing capability check and lack of file type validation in the upload() function, potentially leading to remote code execution. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2512.
Read more CMS
In AHAthat Plugin for WordPress versions 1.6 and prior a medium severity vulnerability CVE-2025-2511 was detected. This vulnerability allows authenticated attackers with Administrator-level access and above to perform time-based SQL Injection via the ‘id’ parameter due to insufficient escaping and lack of proper SQL query preparation, enabling them to extract sensitive information from the database. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2511.
Read more CMS
In Service Finder Bookings plugin for WordPress versions 5.0 and prior a critical severity vulnerability CVE-2024-13442 was detected. This vulnerability allows unauthenticated attackers to take over accounts due to improper identity validation, enabling them to log in as any user with a known email or change passwords, including for administrators, to gain unauthorized access. To address this issue, users should upgrade Service Finder Bookings plugin to versions 5.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13442.
Read more CMS
In BoomBox Theme Extensions plugin for WordPress versions 1.8.0 and prior a high severity vulnerability CVE-2024-12295 was detected. This vulnerability allows attackers with subscriber-level access to take over accounts by exploiting improper identity validation in the password reset function, enabling them to change any user’s password, including administrators, and gain unauthorized access. To address this issue, users should upgrade BoomBox Theme Extensions plugin to versions 1.8.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12295.
Read more CMS