In the Ultra Addons for Contact Form 7 plugin for WordPress versions up to and including 3.5.12 a high severity vulnerability CVE-2025-6220 was detected. This vulnerability allows authenticated attackers with Administrator-level access and above to upload arbitrary files to the affected site’s server due to missing file type validation in the save_options function, potentially leading to remote code execution. To address this issue, users should upgrade the Ultra Addons for Contact Form 7 plugin to versions 3.5.13 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6220.
Read more CMS
In WPBakery Page Builder plugin for WordPress versions up to and including 8.4.1 a medium severity vulnerability CVE-2025-4965 was detected. This vulnerability allows authenticated attackers with Author-level access and above to perform Stored Cross-Site Scripting (XSS) attacks via the Grid Builder feature due to insufficient input sanitization and output escaping on user-supplied attributes. To address this issue, users should upgrade WPBakery Page Builder plugin to versions 8.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4965.
Read more CMS
In Football Pool plugin for WordPress versions up to and including 2.12.4 a medium severity vulnerability CVE-2025-5490 was detected. This vulnerability allows authenticated attackers with Administrator-level access and above to inject arbitrary web scripts into admin settings, leading to Stored Cross-Site Scripting (XSS) attacks in multi-site installations or setups where the unfiltered_html capability is disabled. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5490.
Read more CMS
In Download Manager plugin for WordPress versions up to and including 3.3.18 a medium severity vulnerability CVE-2025-4367 was detected. This vulnerability allows authenticated attackers with Author-level access and above to inject arbitrary web scripts via the wpdm_user_dashboard shortcode, due to insufficient input sanitization and output escaping. To address this issue, users should upgrade Download Manager plugin to versions 3.3.19 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4367.
Read more CMS
In Gutenverse News plugin for WordPress versions up to and including 1.0.4 a medium severity vulnerability CVE-2025-5234 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to perform Stored Cross-Site Scripting (XSS) attacks via the ‘elementId’ parameter due to insufficient input sanitization and output escaping. To address this issue, users should upgrade Gutenverse News plugin to versions 2.0.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5234.
Read more CMS
In AI Engine plugin for WordPress versions 2.8.0 through 2.8.3 a high severity vulnerability CVE-2025-5071 was detected. This vulnerability allows authenticated attackers with Subscriber-level access and above to gain unauthorized access to the MCP, enabling them to execute various commands such as `wp_create_user`, `wp_update_user`, `wp_update_option`, `wp_update_post`, and others. These actions can lead to privilege escalation and data loss. To address this issue, users should upgrade AI Engine plugin to versions 2.8.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5071.
Read more CMS
In Grafana versions before 11.6.2 a low severity vulnerability CVE-2025-1088 was detected. This vulnerability allows excessively long dashboard titles or panel names to cause Chromium-based browsers to become unresponsive due to improper input validation. To address this issue, users should upgrade Grafana to versions 11.6.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1088.
Read more Data Analytics
In Portainer Community Edition versions prior to STS 2.31.0 and LTS 2.27.7 a medium severity vulnerability CVE-2025-49593 was detected. This vulnerability allows HTTP headers – including registry authentication credentials or Portainer session tokens – to be leaked if a Portainer administrator registers a malicious container registry or if an existing registry is compromised. To address this issue, users should upgrade Portainer CE or BE version 2.31.0 or later for STS, or version 2.27.7 or later for LTS. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-49593.
Read more Developer Tools
In CSV Me plugin for WordPress versions up to and including 2.0 a high severity vulnerability CVE-2025-6086 was detected. This vulnerability allows authenticated attackers with Administrator-level access and above to upload arbitrary files due to insufficient file type validation, potentially leading to remote code execution. Currently, there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6086.
Read more CMS