In Liferay Portal versions 7.4.0 through 7.4.3.128, and Liferay DXP versions 2024.Q3.0 through 2024.Q3.5, 2024.Q2.0 through 2024.Q2.12, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-43775 was detected. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the remote app title field, leading to stored cross-site scripting. To address this issue, users should upgrade Liferay Portal to version 7.4.3.129, or Liferay DXP to versions 2024.Q1.13, 2024.Q3.6 or 2024.Q4.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43775.
Read more CMSIn SonarQube Server and Cloud versions 4 through 5.3.0 a high severity vulnerability CVE-2025-58178 was detected. This vulnerability allows untrusted input arguments in the SonarQube Scan GitHub Action to be processed without proper sanitization, leading to command injection. To address this issue, users should upgrade SonarQube to version 5.3.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-58178.
Read more Developer ToolsIn Liferay Portal version 7.4.3.132, and Liferay DXP versions 2025.Q1.0 through 2025.Q1.17 a medium severity vulnerability CVE-2025-43774 was detected. This vulnerability allows a remote authenticated user to inject JavaScript code via the Style Book theme name. The malicious payload is then reflected and executed within the user’s browser. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to version 2025.Q1.18. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43774.
Read more CMSIn Liferay Portal versions 7.4.0 through 7.4.3.131, and Liferay DXP versions 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.20 a medium severity vulnerability CVE-2025-43763 was detected. This vulnerability affects custom object attachment fields and allows an attacker to manipulate the application into making unauthorized requests to other instances, creating new object entries that link to external resources. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2024.Q4.8, 2024.Q3.14, 2024.Q2.14, or 2024.Q1.21. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43763.
Read more CMSIn the WordPress Comments Import & Export plugin for WordPress, all versions up to and including 2.4.3 a medium severity vulnerability CVE-2025-3919 was detected. This vulnerability allows authenticated attackers with Subscriber-level access and above to inject arbitrary web scripts via the plugin settings page due to a missing capability check on the save_settings function and improper sanitization of FTP settings parameters. The injected scripts execute whenever an administrative user accesses the affected page. To address this issue, users should upgrade the plugin to version 2.4.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3919.
Read more CMSIn Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.19 a medium severity vulnerability CVE-2025-43777 was detected. This vulnerability causes an “Internal Server Error” to be returned in the response body when a login attempt is made using a deleted Client Secret. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q2.10, 2025.Q1.17, or 2024.Q1.20. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43777.
Read more CMSIn Optio Dentistry plugin for WordPress versions up to and including 2.2 a medium severity vulnerability CVE-2025-9853 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts via the ‘optio-lightbox’ shortcode, which will execute whenever a user accesses the affected page. To address this issue, users should upgrade Optio Dentistry plugin to versions 2.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9853.
Read more CMSIn HTML Social Share Buttons plugin for WordPress versions up to and including 2.1.16 a medium severity vulnerability CVE-2025-9849 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts via the ‘zm_sh_btn’ shortcode, which will execute whenever a user accesses the affected page. To address this issue, users should upgrade HTML Social Share Buttons plugin to versions 2.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9849.
Read more CMSIn Easy Timer plugin for WordPress versions up to and including 4.2.1 a high severity vulnerability CVE-2025-9519 was detected. This vulnerability allows authenticated attackers with Editor-level access and above to execute arbitrary code on the server via the plugin’s shortcodes due to insufficient restriction of shortcode attributes. To address this issue, users should upgrade Easy Timer plugin to versions 4.2.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-9519.
Read more CMS