Business and Enterprise Solutions

In WP Login Control plugin for WordPress versions 2.0.0 and prior a high severity vulnerability CVE-2024-13836 was detected. This vulnerability allows attackers to exploit a Reflected Cross-Site Scripting (XSS) flaw due to improper sanitization and escaping of a parameter, potentially targeting high-privilege users such as administrators. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13836.

In XV Random Quotes plugin for WordPress versions 1.40 and prior a medium severity vulnerability CVE-2024-13580 was detected. This vulnerability allows attackers to exploit a Cross-Site Request Forgery (CSRF) flaw due to missing CSRF checks when updating plugin settings. This could enable an attacker to trick a logged-in admin into resetting the settings. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13580.

In ProductDyno plugin for WordPress versions 1.0.24 and prior a medium severity vulnerability CVE-2024-13413 was detected. This vulnerability allows attackers to exploit reflected Cross-Site Scripting (XSS) via the ‘res’ parameter due to insufficient input sanitization and output escaping, enabling unauthenticated attackers to inject arbitrary web scripts into pages that execute when a user is tricked into clicking on a link. To address this issue, users should upgrade ProductDyno plugin to version 1.0.25 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13413.

In Spreadsheet Integration plugin for WordPress versions 3.8.2 and prior a medium severity vulnerability CVE-2025-1463 was detected. This vulnerability allows attackers to publish arbitrary posts, including private ones, by exploiting improper nonce validation in the class-wpgsi-show.php script. To address this issue, users should upgrade Spreadsheet Integration plugin to versions 3.8.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1463.

In DesignThemes Core Features plugin for WordPress versions 4.7 and prior a high severity vulnerability CVE-2024-13471 was detected. This vulnerability allows unauthenticated attackers to read arbitrary files on the underlying operating system due to a missing capability check on the `dt_process_imported_file` function. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13471.

In Homey Login Register plugin for WordPress versions 2.4.0 and prior a critical severity vulnerability CVE-2024-11951 was detected. This vulnerability allows unauthenticated attackers to escalate privileges by registering an account with an administrator role due to improper role assignment controls. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11951.

In the Admin and Site Enhancements (ASE) plugin for WordPress versions before 7.6.10 a medium severity vulnerability CVE-2024-13685 was detected. This vulnerability allows attackers to manipulate client IP addresses via untrusted headers, potentially bypassing the login limit feature. To address this issue, users should upgrade Admin and Site Enhancements (ASE) plugin to version 7.6.10 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13685.

In WP Posts Carousel plugin for WordPress versions 1.3.7 and prior a medium severity vulnerability CVE-2025-1491 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts in pages, which will execute whenever a user accesses the injected page, due to insufficient input sanitization and output escaping in the ‘auto_play_timeout’ parameter. To address this issue, users should upgrade WP Posts Carousel plugin to versions 1.3.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1491.

In GenerateBlocks plugin for WordPress versions 1.9.1 and prior a medium severity vulnerability CVE-2024-13546 was detected. This vulnerability allows attackers with Contributor-level access and above to extract sensitive information, including the content of private, draft, and scheduled posts and pages, via the ‘get_image_description’ function. To address this issue, users should upgrade GenerateBlocks plugin to versions 2.0.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13546.