In the bSecure plugin for WordPress versions 1.3.7 through 1.7.9 a critical severity vulnerability CVE-2025-6187 was detected. This vulnerability allows unauthenticated attackers who know any user’s email address to obtain a valid login cookie and fully impersonate that account, due to missing authorization within the order_info REST endpoint, where the /webhook/v2/order_info/ route is registered with a permission_callback that always returns true, effectively bypassing all authentication. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6187.
Read more CMSIn the Birth Chart Compatibility plugin for WordPress versions up to and including 2.0 a medium severity vulnerability CVE-2025-6082 was detected. This vulnerability allows unauthenticated attackers to retrieve the full path of the web application, which can aid in further attacks, due to insufficient protection against direct access to the plugin’s index.php file that triggers an error exposing the full path. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6082.
Read more CMSIn the Orion Login with SMS plugin for WordPress versions up to and including 1.0.5 a high severity vulnerability CVE-2025-7692 was detected. This vulnerability allows unauthenticated attackers to log in as other users, including administrators, if they have access to their phone number, due to the olws_handle_verify_phone() function using a weak OTP value, exposing the hash used to generate it, and lacking restrictions on OTP submission attempts. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-7692.
Read more CMSIn Node.js versions 4.0 prior to 20.19.4, 22 prior to 22.17.1, 24 prior to 24.4.1 a medium severity vulnerability CVE-2025-27210 was detected affecting the path.join API on Windows systems. This vulnerability allows unauthenticated attackers to exploit reserved Windows device names such as CON, PRN, and AUX due to an incomplete fix for CVE-2025-23084, potentially causing unexpected behavior or security issues on affected systems. To address this issue, users should upgrade Node.js to versions 20.19.4, 22.17.1 or 24.4.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27210.
Read more Application DevelopmentIn WPLMS theme for WordPress versions 1.5.2 to 1.8.4.1 a high severity vulnerability CVE-2015-10139 was detected. This vulnerability allows authenticated attackers to escalate privileges by exploiting the unprotected wp_ajax_import_data AJAX action, enabling them to modify restricted settings and potentially create a new administrator account. To address this issue, users should upgrade WPLMS theme to versions 1.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2015-10139.
Read more CMSIn Work The Flow File Upload plugin for WordPress versions up to and including 2.5.2 a critical severity vulnerability CVE-2015-10138 was detected. This vulnerability allows unauthenticated attackers to upload arbitrary files due to missing file type validation in the jQuery-File-Upload-9.5.0 server and test files, potentially leading to remote code execution. To address this issue, users should upgrade Work The Flow File Upload plugin to versions 2.5.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2015-10138.
Read more CMSIn WP Mobile Detector plugin for WordPress versions up to and including 3.5 a critical severity vulnerability CVE-2016-15043 was detected. This vulnerability allows unauthenticated attackers to upload arbitrary files due to missing file type validation in the resize.php file, potentially leading to remote code execution. To address this issue, users should upgrade WP Mobile Detector plugin to versions 3.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2016-15043.
Read more CMSIn GI-Media Library plugin for WordPress versions prior to 3.0 a high severity vulnerability CVE-2015-10136 was detected. This vulnerability allows unauthenticated attackers to read the contents of arbitrary files on the server via directory traversal using the fileid parameter, potentially exposing sensitive information. To address this issue, users should upgrade GI-Media Library plugin to version 3.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2015-10136.
Read more CMSIn Grafana versions 11.5.0 and later a medium severity vulnerability CVE-2025-6197 was detected. This vulnerability allows attackers to perform open redirects during organization switching when multiple organizations exist and the victim belongs to a different organization than the one specified in the URL. To address this issue users should upgrade Grafana to versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 or 11.3.8+security-01. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-6197.
Read more Data Analytics