In the MediaPress plugin for WordPress versions up to and including 1.6.1 a medium severity vulnerability CVE-2025-14552 was detected. This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts via the mpp-uploader shortcode, which execute whenever a user accesses the affected page. To address this issue, users should upgrade MediaPress plugin to version 1.6.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-14552.
Read more CMS Newsflash Business and Enterprise Solutions
In the Phlox theme for WordPress versions up to and including 2.17.7 a medium severity vulnerability CVE-2025-4776 was detected. This vulnerability allows attackers with Contributor-level access and above to perform stored cross-site scripting (XSS) by injecting malicious scripts via the `data-caption` HTML attribute, which execute whenever a user accesses an affected page. To address this issue, users should upgrade Phlox theme to version 2.17.11 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-4776.
Read more CMS Newsflash Business and Enterprise Solutions
In Gitea versions before 1.25.2 a medium severity vulnerability CVE-2025-69413 was detected. This vulnerability allows attackers to enumerate valid usernames by observing different responses from the /api/v1/user endpoint during failed authentication attempts, depending on whether a username exists. To address this issue, users should upgrade Gitea to version 1.25.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-69413.
Read more Newsflash Developer Tools
In the Branda plugin for WordPress versions up to and including 3.4.24 a critical severity vulnerability CVE-2025-14998 was detected. This vulnerability allows unauthenticated attackers to take over user accounts, including administrator accounts, by exploiting improper validation of a user’s identity during password update operations. To address this issue, users should upgrade Branda plugin to version 3.4.29 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-14998.
Read more CMS
In the Ninja Forms plugin for WordPress versions before 3.13.3 a high severity vulnerability CVE-2025-14072 was detected. This vulnerability allows unauthenticated attackers to generate valid access tokens through the REST API and use them to read sensitive form submissions. To address this issue, users should upgrade Ninja Forms to version 3.13.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-14072.
Read more CMS
In the Comments plugin for WordPress versions before 7.6.40 a high severity vulnerability CVE-2025-13820 was detected. This vulnerability allows attackers to bypass authentication and log in as arbitrary users by exploiting improper identity validation when using the disqus.com provider, provided the attacker knows the victim’s email address and the user does not yet have a Disqus account. To address this issue, users should upgrade Comments plugin to version 7.6.40 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13820.
Read more CMS
In the ShopBuilder plugin for WordPress versions before 3.2.2 a high severity vulnerability CVE-2025-13456 was detected. This vulnerability allows attackers to perform reflected cross-site scripting (XSS) by injecting malicious input that is not properly sanitized or escaped before being rendered in a page, potentially targeting high-privileged users such as administrators. To address this issue, users should upgrade ShopBuilder plugin to version 3.2.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13456.
Read more CMS
In Discourse versions prior to 3.5.4, 2025.11.2, 2025.12.1 and 2026.1.0 a high severity vulnerability CVE-2025-68479 was detected. This vulnerability allows attackers to take over subscriptions due to missing ownership checks in certain subscription-related endpoints. To address this issue, users should upgrade Discourse to versions 3.5.4, 2025.11.2, 2025.12.1 or 2026.1.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-68479.
Read more Communication
In Discourse versions prior to 3.5.4, 2025.11.2, 2025.12.1 and 2026.1.0 a medium severity vulnerability CVE-2025-67723 was detected. This vulnerability allows stored Cross-Site Scripting (XSS) attacks via the Discourse Math plugin when using the KaTeX renderer, despite content security policy mitigations. To address this issue, users should upgrade Discourse to versions 3.5.4, 2025.11.2, 2025.12.1 or 2026.1.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-67723.
Read more Communication