In Test Email Plugin for WordPress versions 1.1.8 and prior a high severity vulnerability CVE-2025-2325 was detected. This vulnerability allows unauthenticated attackers to exploit stored XSS via email logs due to insufficient sanitization and escaping, injecting arbitrary scripts that execute when users access the compromised page. To address this issue, users should upgrade WP Test Email plugin to versions 1.1.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2325.
Read more CMS
In Zoorum Comments plugin for WordPress versions up to and including 0.9 a medium severity vulnerability CVE-2025-2163 was detected. This vulnerability allows unauthenticated attackers to exploit CSRF due to missing or incorrect nonce validation in the zoorum_set_options() function, enabling them to update settings and inject malicious scripts by tricking a site administrator into clicking a link. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2163.
Read more CMS
In WP01 plugin for WordPress versions up to and including 2.6.2 a medium severity vulnerability CVE-2025-2267 was detected. This vulnerability allows authenticated attackers with Subscriber-level access and above to download arbitrary files from the server due to a missing capability check and insufficient restrictions on the make_archive() function. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2267.
Read more CMS
In Pixelstats plugin for WordPress versions up to and including 0.8.2 a medium severity vulnerability CVE-2025-2164 was detected. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts via the ‘post_id’ and ‘sortby’ parameters due to insufficient input sanitization and output escaping, which execute when a user is tricked into performing an action like clicking on a link. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2164.
In SoundRise Music plugin for WordPress versions up to and including 1.6.11 a high vulnerability CVE-2025-2103 was detected. This vulnerability allows authenticated attackers with subscriber-level access and above to modify WordPress site options due to a missing capability check in the theironMusic_ajax() function, enabling them to change the default registration role to administrator and gain administrative access. To address this issue, users should upgrade SoundRise Music plugin to versions 1.7.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2103.
Read more CMS
In the Omnipress plugin for WordPress versions 1.5.4 and prior a medium severity vulnerability CVE-2024-13407 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to extract data from password-protected, private, or draft posts via the megamenu block. To address this issue, users should upgrade Omnipress plugin to the versions 1.5.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13407.
Read more CMS
In AnalyticsWP plugin for WordPress versions 2.0.0 and prior a high severity vulnerability CVE-2024-13321 was detected. This vulnerability allows unauthenticated attackers to perform SQL injection via the ‘custom_sql’ parameter due to insufficient authorization checks in the handle_get_stats() function, enabling them to append additional SQL queries and extract sensitive information from the database. To address this issue, users should upgrade AnalyticsWP plugin to versions 2.1.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13321.
Read more CMS
In Umbraco versions prior to 10.8.9 and prior to 13.7.1 a medium severity vulnerability CVE-2025-27602 was detected. This vulnerability allows authenticated backoffice users to retrieve or delete content and media from restricted folders by manipulating backoffice API URLs. To address this issue, users should upgrade Umbraco to versions 10.8.9 and 13.7.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27602.
Read more CMS
In Workreap plugin for WordPress versions up to and including 3.2.5 a critical severity vulnerability CVE-2024-13446 was detected. This vulnerability allows attackers to escalate privileges through account takeover by exploiting the plugin’s failure to properly validate a user’s identity before performing social auto-login or updating profile details, including password changes, enabling unauthenticated attackers to log in as any user by knowing their email address or change an arbitrary user’s password, including administrators, to gain unauthorized access. To address this issue, users should upgrade Workreap plugin to versions 3.2.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13446.
Read more CMS