In Qi Addons For Elementor plugin for WordPress versions up to and including 1.9.2, a medium severity vulnerability CVE-2025-8146 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via the TypeOut Text widget due to insufficient input sanitization and output escaping. The injected scripts execute when a user accesses the affected page. To address this issue, users should upgrade Qi Addons For Elementor plugin to versions 1.9.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8146.
Read more CMSIn Advanced Custom Fields plugin for WordPress versions prior to 6.4.3 a medium severity vulnerability CVE-2025-54940 was detected. This vulnerability allows attackers to inject crafted HTML code, potentially tampering with page display due to insufficient input sanitization. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-54940.
Read more CMSIn Image Gallery plugin for WordPress versions up to and including 1.0.0 a medium severity vulnerability CVE-2025-8400 was detected. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts due to insufficient input sanitization and output escaping, which execute when a user accesses the injected page. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8400.
Read more CMSIn Use-your-Drive | Google Drive plugin for WordPress versions up to and including 3.3.1 a high severity vulnerability CVE-2025-7050 was detected. This vulnerability allows attackers to inject arbitrary web scripts via the ‘title’ parameter in file metadata due to insufficient input sanitization and output escaping, and can be exploited by the lowest-level authenticated users, if a file upload shortcode is published on a publicly accessible post. To address this issue, users should upgrade Use-your-Drive | Google Drive plugin to versions 3.3.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7050.
Read more CMSIn the Advanced Custom Fields (ACF) plugin for WordPress versions up to and including 3.5.1 a low severity vulnerability CVE-2012-10025 was detected. This vulnerability allows unauthenticated attackers to achieve remote code execution by exploiting insufficient validation in core/actions/export.php, enabling remote file inclusion via the acf_abspath POST parameter when allow_url_include is enabled in the PHP configuration, potentially leading to full compromise of the host. To address this issue, users should upgrade the Advanced Custom Fields (ACF) plugin to versions 3.5.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2012-10025.
Read more CMSIn the Asset-Manager plugin for WordPress versions up to and including 2.0 a critical severity vulnerability CVE-2012-10026 was detected. This vulnerability allows unauthenticated attackers to upload and execute arbitrary PHP scripts via the upload.php endpoint due to insufficient validation of uploaded files. The uploaded files are placed in a predictable temporary directory and can be triggered via direct HTTP requests, resulting in remote code execution under the web server’s context. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2012-10026.
Read more CMSIn Ocean Social Sharing plugin for WordPress versions up to and including 2.2.1 a medium severity vulnerability CVE-2025-7500 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts via social icon titles, due to insufficient input sanitization and output escaping. To address this issue, users should upgrade Ocean Social Sharing plugin to versions 2.2.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7500.
Read more CMSIn Vault Community Edition versions from 1.10.0 up to 1.20.1 and Vault Enterprise versions from 1.10.0 up to 1.20.1, 1.19.7, 1.18.12, 1.16.23, 1.15.16 a medium severity vulnerability CVE-2025-6013 was found in the LDAP auth method. When username_as_alias was set to true, Vault could fail to enforce MFA if a user had multiple CNs that were identical except for leading or trailing spaces. This could allow an MFA bypass under certain conditions. To address this issue, users should upgrade Vault Community Edition to version 1.20.2 and Vault Enterprise versions 1.20.2, 1.19.8, 1.18.13 and 1.16.24. For more information, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6013.
Read more SecurityIn the Zakra theme for WordPress versions up to and including 4.1.5 a medium severity vulnerability CVE-2025-8595 was detected. This vulnerability allows authenticated attackers with Subscriber-level access or higher to modify data by importing demo settings, due to a missing capability check in the welcome_notice_import_handler() function. To address this issue, users should upgrade Zakra theme to version 4.1.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8595.