In IP2Location Country Blocker plugin for WordPress versions 2.38.8 and prior, a medium-severity vulnerability, CVE-2025-1361, was detected. This vulnerability allows unauthenticated attackers to access and view the plugin’s settings due to missing capability checks on the admin_init() function. To address this issue, users should upgrade IP2Location Country Blocker plugin to version 2.38.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1361.
In Post Grid and Gutenberg Blocks – ComboBlocks plugin for WordPress versions 2.3.5 and prior, a medium-severity vulnerability, CVE-2024-13798, was detected. This vulnerability allows unauthenticated attackers to create new orders for products and mark them as paid without completing a payment due to insufficient verification on form fields. To address this issue, users should upgrade Post Grid and Gutenberg Blocks – ComboBlocks plugin to version 2.3.6. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13798.
In WP-Appbox plugin for WordPress versions 4.5. and prior, a medium-severity vulnerability, CVE-2025-1489, was detected. This vulnerability allows authenticated attackers with contributor-level access and above to exploit Stored Cross-Site Scripting (XSS) via the appbox shortcode due to insufficient input sanitization and output escaping. To address this issue, users should upgrade WP-Appbox plugin to version 4.5.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1489.
In Event Tickets and Registration plugin for WordPress versions 5.19.1.1 and prior, a medium-severity vulnerability, CVE-2025-1402, was detected. This vulnerability allows authenticated attackers with contributor-level access and above to delete arbitrary attendee tickets due to a missing capability check on the ‘ajax_ticket_delete’ function. To address this issue, users should upgrade Event Tickets and Registration plugin to version 5.19.1.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1402.
In Maps for WP plugin for WordPress versions 1.2.4 and prior, a medium-severity vulnerability, CVE-2024-13648, was detected. This vulnerability allows authenticated attackers with contributor-level access and above to exploit Stored Cross-Site Scripting (XSS) via the ‘MapOnePoint’ shortcode due to insufficient input sanitization and output escaping. Attackers can inject arbitrary web scripts that execute whenever a user accesses an affected page. To address this issue, users should upgrade Maps for WP plugin to version 1.2.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13648.
In Ziggeo plugin for WordPress versions 3.1 and prior, a medium-severity vulnerability, CVE-2024-12452, was detected. This vulnerability allows authenticated attackers with contributor-level access and above to exploit Stored Cross-Site Scripting (XSS) via the ‘ziggeo_event’ shortcode due to insufficient input sanitization and output escaping. Attackers can inject arbitrary web scripts that execute whenever a user accesses an affected page. To address this issue, users should upgrade Ziggeo plugin to version 3.1.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12452.
In Ajax Search Lite plugin for WordPress versions prior to 4.12.5, a medium-severity vulnerability, CVE-2024-13585, was detected. This vulnerability allows high-privilege users, such as administrators, to exploit Stored Cross-Site Scripting (XSS) due to improper sanitization and escaping of certain settings. This can be exploited even when the unfiltered_html capability is disallowed, such as in a multisite setup. Currently, there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13585.
In igumbi Online Booking plugin for WordPress versions 1.40 and prior, a medium-severity vulnerability, CVE-2024-13455, was detected. This vulnerability allows authenticated attackers with contributor-level access and above to exploit Stored Cross-Site Scripting (XSS) via the ‘igumbi_calendar’ shortcode due to insufficient input sanitization and output escaping. Attackers can inject arbitrary web scripts that execute whenever a user accesses an affected page. To address this issue, users should upgrade igumbi Online Booking plugin to version 1.41. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13455.
In Legoeso PDF Manager plugin for WordPress versions 1.2.2 and prior, a medium-severity vulnerability, CVE-2025-0866, was detected. This vulnerability allows authenticated attackers with Author-level access and above to execute time-based SQL Injection via the `checkedVals` parameter, potentially extracting sensitive information from the database. Currently, there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0866.