In the WP-Appbox plugin for WordPress, versions 4.5. and prior, a medium-severity vulnerability (CVE-2025-1489) was detected. It allows authenticated attackers with contributor-level access and above to exploit Stored Cross-Site Scripting (XSS) via the appbox shortcode due to insufficient input sanitization and output escaping. To address this issue, users should upgrade the WP-Appbox plugin to version 4.5.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1489.
In the Event Tickets and Registration plugin for WordPress, versions 5.19.1.1 and prior, a medium-severity vulnerability (CVE-2025-1402) was detected. It allows authenticated attackers with contributor-level access and above to delete arbitrary attendee tickets due to a missing capability check on the ‘ajax_ticket_delete’ function. To address this issue, users should upgrade the Event Tickets and Registration plugin to version 5.19.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1402.
In the Maps for WP plugin for WordPress, versions 1.2.4 and prior, a medium-severity vulnerability (CVE-2024-13648) was detected. It allows authenticated attackers with contributor-level access and above to exploit Stored Cross-Site Scripting (XSS) via the ‘MapOnePoint’ shortcode due to insufficient input sanitization and output escaping. Attackers can inject arbitrary web scripts that execute whenever a user accesses an affected page. To address this issue, users should upgrade the Maps for WP plugin to version 1.2.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13648.
In the Ziggeo plugin for WordPress, versions 3.1 and prior, a medium-severity vulnerability (CVE-2024-12452) was detected. It allows authenticated attackers with contributor-level access and above to exploit Stored Cross-Site Scripting (XSS) via the ‘ziggeo_event’ shortcode due to insufficient input sanitization and output escaping, enabling them to inject arbitrary web scripts that execute whenever a user accesses an affected page. To address this issue, users should upgrade the Ziggeo plugin to version 3.1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12452.
In the Ajax Search Lite plugin for WordPress, versions prior to 4.12.5, a medium-severity vulnerability (CVE-2024-13585) was detected. It allows high-privilege users, such as administrators, to exploit Stored Cross-Site Scripting (XSS) due to improper sanitization and escaping of certain settings. This can be exploited even when the `unfiltered_html` capability is disallowed, such as in a multisite setup. Currently, there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13585.
In the igumbi Online Booking plugin for WordPress, versions 1.40 and prior, a medium-severity vulnerability (CVE-2024-13455) was detected. It allows authenticated attackers with contributor-level access and above to exploit Stored Cross-Site Scripting (XSS) via the ‘igumbi_calendar’ shortcode due to insufficient input sanitization and output escaping, injecting arbitrary web scripts that execute whenever a user accesses an affected page. To address this issue, users should upgrade the igumbi Online Booking plugin to version 1.41. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13455.
In the Legoeso PDF Manager plugin for WordPress, versions 1.2.2 and prior, a medium-severity vulnerability (CVE-2025-0866) was detected. It allows authenticated attackers with Author-level access and above to execute time-based SQL Injection via the `checkedVals` parameter, potentially extracting sensitive information from the database. Currently, there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0866.
In the Prime Addons for Elementor plugin for WordPress, versions 2.0.1 and prior, a medium-severity vulnerability (CVE-2024-13855) was detected. It allows authenticated attackers with Contributor-level access and above to exploit an Insecure Direct Object Reference (IDOR) via the `pae_global_block` shortcode, enabling them to extract information from non-public posts, including drafts, private, password-protected, and restricted posts created with Elementor. Currently, there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13855.
In the Cookie Notice Bar plugin for WordPress, versions 1.3.0 and prior, a medium-severity vulnerability (CVE-2024-13849) was detected. It allows authenticated attackers with administrator-level access to exploit Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping, enabling the injection of arbitrary web scripts that execute whenever a user accesses an affected page. It particularly impacts multi-site installations and setups where `unfiltered_html` is disabled. Currently, there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13849.