In the Bandsintown Events plugin for WordPress, versions 1.3.1 and prior, a medium-severity vulnerability, CVE-2024-13802, was detected. This vulnerability allows authenticated attackers with contributor-level access and above to exploit Stored Cross-Site Scripting (XSS) via the ‘bandsintown_events’ shortcode due to insufficient input sanitization and output escaping, enabling the injection of arbitrary web scripts that execute whenever a user accesses an affected page. There is currently no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13802.
In the ravpage plugin for WordPress, versions 2.31 and prior, a medium-severity vulnerability, CVE-2024-13789, was detected. This vulnerability allows unauthenticated attackers to exploit PHP Object Injection via the ‘paramsv2’ parameter, which has no known POP chain but may enable file deletion, data access, or code execution if a vulnerable plugin or theme is present. There is currently no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13789.
In the FormCraft plugin for WordPress, versions 3.9.11 and prior, a high-severity vulnerability, CVE-2025-0817, was detected. This vulnerability allows attackers to inject arbitrary web scripts via SVG file uploads, due to insufficient input sanitization and output escaping. To address this issue, users should upgrade the FormCraft plugin to version 3.9.12 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0817.
In the ElementsKit Elementor addons plugin for WordPress, versions 3.4.0 and prior, a medium-severity vulnerability, CVE-2025-0968, was detected. This vulnerability allows unauthenticated attackers to view sensitive information, such as posts, pages, templates, drafts, trashed, and private items, due to missing capability checks on the get_megamenu_content() function. To address this issue, users should upgrade the ElementsKit Elementor addons plugin to version 3.4.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0968.
In the Bit Assist plugin for WordPress, versions 1.5.2 and prior, a medium-severity vulnerability, CVE-2025-0822, was detected. This vulnerability allows authenticated attackers with Subscriber-level access and above to read arbitrary files on the server, potentially exposing sensitive information. To address this issue, users should upgrade the Bit Assist plugin to version 1.5.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0822.
In the MemorialDay plugin for WordPress, versions 1.0.4 and prior, a medium-severity vulnerability, CVE-2024-13523, was detected. This vulnerability allows unauthenticated attackers to update settings and inject malicious scripts via a forged request if they can trick an administrator into clicking a link. To address this issue, users should upgrade the MemorialDay plugin to version 1.1.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13523.
In the Threepress plugin for WordPress, versions 1.7.1 and prior, a medium-severity vulnerability, CVE-2024-13395, was detected. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts via the ‘threepress’ shortcode, which execute whenever a user accesses an injected page. To address this issue, users should upgrade the Threepress plugin to version 1.7.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13395.
In the FormCraft plugin for WordPress, versions 3.9.11 and prior, a medium-severity vulnerability, CVE-2024-13783, was detected. This vulnerability allows authenticated attackers with Subscriber-level access and above to export all plugin data, potentially exposing sensitive form submissions. To address this issue, users should upgrade the FormCraft plugin to version 3.9.12. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13783.
In the Post SMTP plugin for WordPress, versions 3.0.2 and prior, a high-severity vulnerability, CVE-2025-0521, was detected. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts via the ‘from’ and ‘subject’ parameters, which execute whenever a user accesses an injected page. To address this issue, users should upgrade the Post SMTP plugin to version 3.1.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0521.