In the Prime Addons for Elementor plugin for WordPress, versions 2.0.1 and prior, a medium-severity vulnerability, CVE-2024-13855, was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to exploit an Insecure Direct Object Reference (IDOR) via the `pae_global_block` shortcode, enabling them to extract information from non-public posts, including drafts, private, password-protected, and restricted posts created with Elementor. There is currently no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13855.
In the Cookie Notice Bar plugin for WordPress, versions 1.3.0 and prior, a medium-severity vulnerability, CVE-2024-13849, was detected. This vulnerability allows authenticated attackers with administrator-level access to exploit Stored Cross-Site Scripting (XSS) due to insufficient input sanitization and output escaping, enabling the injection of arbitrary web scripts into pages, which execute whenever a user accesses an affected page. It particularly impacts multi-site installations and setups where `unfiltered_html` is disabled. There is currently no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13849.
In the Bandsintown Events plugin for WordPress, versions 1.3.1 and prior, a medium-severity vulnerability, CVE-2024-13802, was detected. This vulnerability allows authenticated attackers with contributor-level access and above to exploit Stored Cross-Site Scripting (XSS) via the `bandsintown_events` shortcode due to insufficient input sanitization and output escaping, enabling the injection of arbitrary web scripts that execute whenever a user accesses an affected page. There is currently no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13802.
In the ravpage plugin for WordPress, versions 2.31 and prior, a medium-severity vulnerability, CVE-2024-13789, was detected. This vulnerability allows unauthenticated attackers to exploit PHP Object Injection via the `paramsv2` parameter. No POP chain is known, but the injection may enable file deletion, data access, or code execution if a vulnerable plugin or theme is present. There is currently no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13789.
In the FormCraft plugin for WordPress, versions 3.9.11 and prior, a high-severity vulnerability, CVE-2025-0817, was detected. This vulnerability allows attackers to inject arbitrary web scripts via SVG file uploads, due to insufficient input sanitization and output escaping. To address this issue, users should upgrade the FormCraft plugin to version 3.9.12 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0817.
In the ElementsKit Elementor addons plugin for WordPress, versions 3.4.0 and prior, a medium-severity vulnerability, CVE-2025-0968, was detected. This vulnerability allows unauthenticated attackers to view sensitive information, such as posts, pages, templates, drafts, trashed, and private items, due to missing capability checks on the `get_megamenu_content()` function. To address this issue, users should upgrade the ElementsKit Elementor addons plugin to version 3.4.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0968.
In the FormCraft plugin for WordPress, versions 3.9.11 and prior, a medium-severity vulnerability, CVE-2024-13783, was detected. This vulnerability allows authenticated attackers with Subscriber-level access and above to export all plugin data, potentially exposing sensitive form submissions. To address this issue, users should upgrade the FormCraft plugin to version 3.9.12. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13783.
In the Post SMTP plugin for WordPress, versions 3.0.2 and prior, a high-severity vulnerability, CVE-2025-0521, was detected. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts via the `from` and `subject` parameters, which execute whenever a user accesses an injected page. To address this issue, users should upgrade the Post SMTP plugin to version 3.1.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0521.
In the Bit Assist plugin for WordPress, versions 1.5.2 and prior, a medium-severity vulnerability, CVE-2025-0822, was detected. This vulnerability allows authenticated attackers with Subscriber-level access and above to read arbitrary files on the server, potentially exposing sensitive information. To address this issue, users should upgrade the Bit Assist plugin to version 1.5.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-0822.