In the Job Postings plugin for WordPress, versions prior to 2.7.11, a medium-severity vulnerability, CVE-2024-10105, was detected. The plugin fails to sanitize and escape certain settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed (e.g., in a multisite setup). To address this issue, users should upgrade the Job Postings plugin to version 2.7.11 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-10105.
In Mattermost Mobile Apps, versions 2.25.0 and prior, a medium-severity vulnerability, CVE-2025-1558, was detected. Because of improper validation prior to rendering, attackers can cause the Android application to crash by sending a message containing a maliciously crafted GIF. To address this issue, users should upgrade Mattermost Mobile Apps to versions 2.26.0, 2.25.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1558.
In the Digital License Manager plugin for WordPress, versions up to and including 1.7.3, a medium-severity vulnerability, CVE-2025-2635, was detected. The plugin uses the remove_query_arg() function without appropriate URL escaping, which allows attackers to inject arbitrary web scripts via reflected cross-site scripting (XSS). The attack depends on tricking a user into performing an action such as clicking on a malicious link. To address this issue, users should upgrade the Digital License Manager plugin to version 1.7.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2635.
In the WP Church Donation plugin for WordPress, versions 1.7 and prior, a high-severity vulnerability, CVE-2024-13690, was detected. Due to insufficient input sanitization and output escaping, attackers can inject arbitrary web scripts via several donation form submission parameters, and the scripts execute whenever a user accesses the affected page. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13690.
In the teachPress plugin for WordPress, versions 9.0.9 and prior, a medium-severity vulnerability, CVE-2025-1320, was detected. Nonce validation on the import.php page is missing or incorrect, which allows attackers to delete imports via a forged request. The attack depends on tricking a site administrator into performing an action such as clicking on a malicious link. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1320.
In the DICOM Support plugin for WordPress, versions 0.10.6 and prior, a medium-severity vulnerability, CVE-2024-12623, was detected. Due to insufficient input sanitization and output escaping on user-supplied attributes, authenticated attackers with contributor-level access and above can inject arbitrary web scripts via the plugin’s ‘dcm’ shortcode, and the injected scripts execute whenever a user accesses the affected page. To address this issue, users should upgrade the DICOM Support plugin to version 0.10.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12623.
In the Kubernetes k8s.io/kubernetes/cmd/kube-apiserver package, versions 1.3.0 up to and including 1.32.3, a low-severity vulnerability, CVE-2024-7598, was detected. This vulnerability allows attackers to bypass network restrictions enforced by network policies during namespace deletion: the order of object deletion is undefined, so network policies may be removed before the pods they protect, creating a brief window in which network policies are not enforced. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-7598.
In Next.js, versions prior to 14.2.25 and 15.2.3, a critical-severity vulnerability, CVE-2025-29927, was detected. This vulnerability allows attackers to bypass authorization checks within a Next.js application if the authorization check occurs in middleware. To address this issue, users should upgrade Next.js to versions 14.2.25, 15.2.3, 15.3.0-canary.12 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-29927.
In the CryoKey plugin for WordPress, versions 2.4 and prior, a medium-severity vulnerability, CVE-2025-2477, was detected. Due to insufficient input sanitization and output escaping, unauthenticated attackers can inject arbitrary web scripts via the ‘ckemail’ parameter. The attack depends on tricking a user into performing an action such as clicking on a malicious link. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-2477.