In the WordPress Comments Import & Export plugin for WordPress, all versions up to and including 2.4.3 a medium severity vulnerability CVE-2025-3919 was detected. This vulnerability allows authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts via the plugin settings page due to a missing capability check on the save_settings function and improper sanitization of FTP settings parameters. The injected scripts execute whenever an administrative user accesses the affected page. To address this issue, users should upgrade the plugin to version 2.4.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3919.
Read more CMS
In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.19 a medium severity vulnerability CVE-2025-43777 was detected. This vulnerability causes an “Internal Server Error” to be returned in the response body when a login attempt is made using a deleted Client Secret. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q2.10, 2025.Q1.17, or 2024.Q1.20. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43777.
Read more CMS
In Optio Dentistry plugin for WordPress versions up to and including 2.2 a medium severity vulnerability CVE-2025-9853 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts via the ‘optio-lightbox’ shortcode, which will execute whenever a user accesses the affected page. To address this issue, users should upgrade Optio Dentistry plugin to versions 2.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9853.
Read more CMS
In HTML Social Share Buttons plugin for WordPress versions up to and including 2.1.16 a medium severity vulnerability CVE-2025-9849 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts via the ‘zm_sh_btn’ shortcode, which will execute whenever a user accesses the affected page. To address this issue, users should upgrade HTML Social Share Buttons plugin to versions 2.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9849.
Read more CMS
In Easy Timer plugin for WordPress versions up to and including 4.2.1 a high severity vulnerability CVE-2025-9519 was detected. This vulnerability allows authenticated attackers with Editor-level access and above to execute arbitrary code on the server via the plugin’s shortcodes due to insufficient restriction of shortcode attributes. To address this issue, users should upgrade Easy Timer plugin to versions 4.2.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9519.
Read more CMS
In TablePress plugin for WordPress versions up to and including 3.2 a medium severity vulnerability CVE-2025-9500 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘shortcode_debug’ parameter, which execute whenever a user accesses an injected page. To address this issue, users should upgrade TablePress plugin to versions 3.2.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9500.
Read more CMS
In Ocean Extra plugin for WordPress versions up to and including 2.4.9 a medium severity vulnerability CVE-2025-9499 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘oceanwp_library’ shortcode, which execute whenever a user accesses an injected page. To address this issue, users should upgrade Ocean Extra plugin to versions 2.5.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9499.
Read more CMS
In Liferay Portal versions 7.0.0 through 7.4.3.4, and Liferay DXP versions 7.4 GA, 7.3 GA through update 27, and older unsupported versions a high severity vulnerability CVE-2025-43772 was detected. This vulnerability allows an attacker to consume system memory by saving request parameters in the portlet session, which leads to denial-of-service (DoS) conditions. To address this issue, users should upgrade Liferay Portal to versions 7.4.3.5 and Liferay DXP 7.4 update 1 or 7.3 update 28. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43772.
Read more CMS
In Mautic versions 4.4.0 and later, including 5.0.0-alpha and 6.0.0-alpha a medium severity vulnerability CVE-2025-9824 was detected. This vulnerability allows attackers to determine if a username exists by measuring login response times, potentially enabling brute-force attacks. To address this issue, users should upgrade Mautic to versions 4.4.17, 5.2.8 or 6.0.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9824.
Read more Marketing Automation