In the Comments plugin for WordPress versions before 7.6.40, a high severity vulnerability, CVE-2025-13820, was detected. This vulnerability allows attackers to bypass authentication and log in as arbitrary users by exploiting improper identity validation when using the disqus.com provider, provided the attacker knows the victim’s email address and the user does not yet have a Disqus account. To address this issue, users should upgrade the Comments plugin to version 7.6.40 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13820.
In the ShopBuilder plugin for WordPress versions before 3.2.2, a high severity vulnerability, CVE-2025-13456, was detected. This vulnerability allows attackers to perform reflected cross-site scripting (XSS) by injecting malicious input that is not properly sanitized or escaped before being rendered in a page, potentially targeting high-privileged users such as administrators. To address this issue, users should upgrade the ShopBuilder plugin to version 3.2.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13456.
In the Drupal Form Builder module versions from 7.x-1.0 through 7.x-1.22, a medium severity vulnerability, CVE-2026-0749, was detected. This vulnerability allows attackers to inject and execute arbitrary scripts in a victim’s browser due to improper neutralization of user-supplied input during web page generation. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-0749.
In the Helpdesk Integration plugin for WordPress versions up to 5.8.10, a high severity vulnerability, CVE-2025-9990, was detected. This vulnerability allows unauthenticated attackers to include and execute arbitrary .php files via the portal_type parameter, potentially bypassing access controls, obtaining sensitive data, or executing code. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9990.
In the Calendar plugin for WordPress versions up to 1.3.16, a medium severity vulnerability, CVE-2025-14548, was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts via the ‘event_desc’ parameter, which execute when other users access the affected pages. To address this issue, users should upgrade the Calendar plugin to version 1.3.17 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-14548.
In the ContentStudio plugin for WordPress versions up to and including 1.3.7, a medium severity vulnerability, CVE-2025-13144, was identified. This vulnerability occurs due to missing or insufficient nonce validation on the add_cstu_settings function, allowing unauthenticated attackers to modify plugin settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. To address this issue, users should upgrade the plugin to version 1.4.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13144.
In the Timetable and Event Schedule by MotoPress plugin for WordPress versions before 2.4.16, a low severity vulnerability, CVE-2025-12954, was identified. This vulnerability arises because the plugin does not verify that a user has access to a specific event when duplicating events, allowing users with privileges as low as Contributor to duplicate and thereby access arbitrary event data. To address this issue, users should upgrade the plugin to version 2.4.16 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-12954.
In the Custom Post Type UI plugin for WordPress versions up to and including 1.18.0, a medium severity vulnerability, CVE-2025-12826, was identified. This vulnerability occurs because the plugin fails to verify that a user has the required capability in the cptui_process_post_type function, allowing authenticated users with low privileges (e.g. Subscriber) to add, edit, or delete custom post types. To address this issue, users should upgrade the plugin to version 1.18.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-12826.
In the Booking Calendar plugin for WordPress versions up to and including 10.14.6, a medium severity vulnerability, CVE-2025-12804, was identified. This vulnerability occurs due to insufficient input sanitization and output escaping on user-supplied attributes in the ‘bookingcalendar’ shortcode, allowing authenticated attackers with contributor-level access and above to inject arbitrary web scripts that execute whenever a user accesses an injected page. To address this issue, users should upgrade the plugin to version 10.14.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-12804.