In Discourse prior to versions 3.4.4 (stable branch), 3.5.0.beta5 (beta branch) and 3.5.0.beta6-dev (tests-passed branch), a high-severity vulnerability, CVE-2025-48877, was detected. This vulnerability allows attackers to execute arbitrary JavaScript through Codepen iframes, which are included in the default allowed_iframes site setting. To address this issue, users should upgrade Discourse to version 3.4.4 (stable branch), 3.5.0.beta5 (beta branch) or 3.5.0.beta6-dev (tests-passed branch). For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-48877.
In the Hide It plugin for WordPress, versions up to and including 1.0.1, a medium-severity vulnerability, CVE-2025-5565, was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject malicious scripts via the plugin's hideit shortcode, due to insufficient input sanitization and output escaping. Currently, there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5565.
In the WP-Addpub plugin for WordPress, versions up to and including 1.2.8, a medium-severity vulnerability, CVE-2025-5563, was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to extract sensitive information from the database via SQL injection through the wp-addpub shortcode, due to insufficient input escaping and improper SQL query preparation. Currently, there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5563.
In the Runners Log plugin for WordPress, versions up to and including 3.9.2, a medium-severity vulnerability, CVE-2025-5541, was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject malicious scripts via the runnerslog shortcode, due to insufficient input sanitization and output escaping. Currently, there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5541.
In the BNS Featured Category plugin for WordPress, versions up to and including 2.8.2, a medium-severity vulnerability, CVE-2025-5538, was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject malicious scripts via the bnsfc shortcode, due to insufficient input sanitization and output escaping. Currently, there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5538.
In the Freemind Viewer plugin for WordPress, versions up to and including 1.0, a medium-severity vulnerability, CVE-2025-5536, was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject malicious scripts via the freemind shortcode, due to insufficient input sanitization and output escaping. Currently, there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5536.
In the Paged Gallery plugin for WordPress, versions up to and including 0.7, a medium-severity vulnerability, CVE-2025-5686, was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject malicious scripts via the gallery shortcode, due to insufficient input sanitization and output escaping. Currently, there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5686.
In the Simple History plugin for WordPress, versions 5.8.1 and prior, a medium-severity vulnerability, CVE-2025-5760, was detected. This vulnerability allows sensitive data exposure via Detective Mode, due to improper sanitization in the append_debug_info_to_context() function, which causes user passwords to be logged in cleartext. To address this issue, users should upgrade the Simple History plugin to version 5.8.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5760.
In the Domain For Sale plugin for WordPress, versions up to and including 3.0.10, a medium-severity vulnerability, CVE-2025-5239, was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject malicious scripts via the class_name parameter, due to insufficient input sanitization and output escaping. To address this issue, users should upgrade the Domain For Sale plugin to version 3.0.11 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-5239.