In the Dreamer Blog WordPress theme versions up to and including 1.2 a high severity vulnerability CVE-2025-10915 was detected. This vulnerability allows attackers to perform arbitrary installations due to a missing capability check, potentially enabling unauthorized actions that should be restricted to privileged users. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-10915.
Read more CMS NewsflashIn the Featured Image from URL (FIFU) plugin for WordPress versions up to and including 5.3.1 a medium severity vulnerability CVE-2025-13393 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to perform Server-Side Request Forgery (SSRF) attacks by supplying crafted URLs via the <code>fifu_input_url</code> parameter in the Elementor widget. The issue occurs due to insufficient validation of user-supplied URLs before they are passed to the <code>getimagesize()</code> function, allowing attackers to initiate arbitrary web requests from the server, including requests to internal services. To address this issue, users should upgrade the Featured Image from URL (FIFU) plugin to version 5.3.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13393.
Read more CMS NewsflashIn Templately plugin for WordPress versions up to and including 3.4.8 a medium severity vulnerability CVE-2026-0831 was detected. This vulnerability allows attackers to write arbitrary `.ai.json` files to the uploads directory by exploiting insufficient input validation in the `save_template_to_file()` function, which uses user-controlled parameters to construct file paths without proper sanitization. To address this issue, users should upgrade Templately plugin to version 3.4.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-0831.
Read more CMS NewsflashIn the FS Registration Password plugin for WordPress versions up to and including 1.0.1 a critical severity vulnerability CVE-2025-15001 was detected. This vulnerability allows unauthenticated attackers to change arbitrary user passwords, including administrators, by exploiting improper identity validation, potentially gaining access to affected accounts. To address this issue, users should upgrade FS Registration Password plugin to version 2.0.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-15001.
Read more CMS Newsflash Business and Enterprise SolutionsIn the MediaPress plugin for WordPress versions up to and including 1.6.1 a medium severity vulnerability CVE-2025-14552 was detected. This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts via the mpp-uploader shortcode, which execute whenever a user accesses the affected page. To address this issue, users should upgrade MediaPress plugin to version 1.6.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-14552.
Read more CMS Newsflash Business and Enterprise SolutionsIn the Phlox theme for WordPress versions up to and including 2.17.7 a medium severity vulnerability CVE-2025-4776 was detected. This vulnerability allows attackers with Contributor-level access and above to perform stored cross-site scripting (XSS) by injecting malicious scripts via the `data-caption` HTML attribute, which execute whenever a user accesses an affected page. To address this issue, users should upgrade Phlox theme to version 2.17.11 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4776.
Read more CMS Newsflash Business and Enterprise SolutionsIn the FlexTable plugin for WordPress versions before 3.19.2 a low severity vulnerability CVE-2025-9543 was detected. This vulnerability allows attackers to perform stored cross-site scripting (XSS) by injecting malicious content through imported links from Google Sheet cells, potentially targeting high-privileged users such as administrators even when the `unfiltered_html` capability is disallowed. To address this issue, users should upgrade FlexTable plugin to version 3.19.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9543.
Read more CMS NewsflashIn the Branda plugin for WordPress versions up to and including 3.4.24 a critical severity vulnerability CVE-2025-14998 was detected. This vulnerability allows unauthenticated attackers to take over user accounts, including administrator accounts, by exploiting improper validation of a user’s identity during password update operations. To address this issue, users should upgrade Branda plugin to version 3.4.29 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-14998.
Read more CMSIn the Ninja Forms plugin for WordPress versions before 3.13.3 a high severity vulnerability CVE-2025-14072 was detected. This vulnerability allows unauthenticated attackers to generate valid access tokens through the REST API and use them to read sensitive form submissions. To address this issue, users should upgrade Ninja Forms to version 3.13.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-14072.
Read more CMS