In Image Gallery plugin for WordPress versions up to and including 1.0.0 a medium severity vulnerability CVE-2025-8400 was detected. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts due to insufficient input sanitization and output escaping, which execute when a user accesses the injected page. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8400.
Read more CMS
In Mmm Unity Loader plugin for WordPress versions up to and including 1.0 a medium severity vulnerability CVE-2025-8399 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘attributes’ parameter due to insufficient input sanitization and output escaping. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8399.
Read more CMS
In Custom Word Cloud plugin for WordPress versions up to and including 0.3 a medium severity vulnerability CVE-2025-8317 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘angle’ parameter due to insufficient input sanitization and output escaping. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8317.
Read more CMS
In Qi Addons For Elementor plugin for WordPress versions up to and including 1.9.2, a medium severity vulnerability CVE-2025-8146 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the TypeOut Text widget due to insufficient input sanitization and output escaping. The injected scripts execute when a user accesses the affected page. To address this issue, users should upgrade Qi Addons For Elementor plugin to versions 1.9.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8146.
Read more CMS
In Use-your-Drive | Google Drive plugin for WordPress versions up to and including 3.3.1 a high severity vulnerability CVE-2025-7050 was detected. This vulnerability allows attackers to inject arbitrary web scripts via the ‘title’ parameter in file metadata due to insufficient input sanitization and output escaping, and can be exploited by the lowest-level authenticated users, if a file upload shortcode is published on a publicly accessible post. To address this issue, users should upgrade Use-your-Drive | Google Drive plugin to versions 3.3.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7050.
Read more CMS
In the Advanced Custom Fields (ACF) plugin for WordPress versions up to and including 3.5.1 a low severity vulnerability CVE-2012-10025 was detected. This vulnerability allows unauthenticated attackers to achieve remote code execution by exploiting insufficient validation in core/actions/export.php, enabling remote file inclusion via the acf_abspath POST parameter when allow_url_include is enabled in the PHP configuration, potentially leading to full compromise of the host. To address this issue, users should upgrade the Advanced Custom Fields (ACF) plugin to versions 3.5.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2012-10025.
Read more CMS
In the Asset-Manager plugin for WordPress versions up to and including 2.0 a critical severity vulnerability CVE-2012-10026 was detected. This vulnerability allows unauthenticated attackers to upload and execute arbitrary PHP scripts via the upload.php endpoint due to insufficient validation of uploaded files. The uploaded files are placed in a predictable temporary directory and can be triggered via direct HTTP requests, resulting in remote code execution under the web server’s context. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2012-10026.
Read more CMS
In Ocean Social Sharing plugin for WordPress versions up to and including 2.2.1 a medium severity vulnerability CVE-2025-7500 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via social icon titles, due to insufficient input sanitization and output escaping. To address this issue, users should upgrade Ocean Social Sharing plugin to versions 2.2.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7500.
Read more CMS
In Campus Directory plugin for WordPress versions up to and including 1.9.1 a medium severity vulnerability CVE-2025-8313 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the ‘noaccess_msg’ parameter due to insufficient input sanitization and output escaping. To address this issue, users should upgrade Campus Directory plugin to versions 1.9.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8313.
Read more CMS