In CRM Memberships plugin for WordPress versions up to and including 2.5 a critical severity vulnerability CVE-2025-13313 was identified. This vulnerability is caused by missing authorization and authentication checks on the ntzcrm_changepassword AJAX action, allowing unauthenticated attackers to reset arbitrary user passwords and gain unauthorized access to user accounts if they can obtain or enumerate a target user’s email address. Additionally, the plugin exposes the ntzcrm_get_users endpoint without authentication, enabling attackers to enumerate subscriber email addresses, which facilitates exploitation of the password reset vulnerability. To address this issue, users should upgrade the plugin to version 2.6 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13313.
Read more CMS
In Quantic Social Image Hover plugin for WordPress versions up to and including 1.0.8 a medium severity vulnerability CVE-2025-13360 was identified. This vulnerability is due to missing nonce validation on the settings update functionality, which allows unauthenticated attackers to update the plugin’s settings and inject malicious web scripts via a forged request if they can trick a site administrator into performing an action such as clicking on a link. To address this issue, users should upgrade the plugin to version 1.0.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13360.
Read more CMS
In OpenVPN versions 2.5.0 through 2.7_rc2 a low severity vulnerability CVE-2025-13751 was identified. This vulnerability allows a local authenticated user on Windows to connect to the Interactive Service Agent and trigger an error causing a local denial of service. To address this issue, users should upgrade OpenVPN to versions 2.6.17, 2.7_rc3, or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13751.
Read more Security
In OpenVPN versions 2.6.0 through 2.7_rc1 a medium severity vulnerability CVE-2025-13086 was identified. This vulnerability stems from improper validation of source IP addresses, allowing an attacker to initiate a session from an IP address different from the one that originally established the connection. This vulnerability can result in session hijacking and denial of service for the legitimate originating client. To address this issue, users should upgrade OpenVPN to versions 2.6.16, 2.7_rc2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13086.
Read more Security
In React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 (react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack) a critical severity vulnerability CVE-2025-55182 was detected. This vulnerability allows pre-authentication remote code execution via unsafe deserialization of payloads sent to Server Function endpoints. To address this issue, users should upgrade to versions 19.0.1, 19.1.2, 19.2.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-55182.
Read more Application Development
In SureMail – SMTP and Email Logs plugin for WordPress versions up to and including 1.9.0 a high severity vulnerability CVE-2025-13516 was detected. This vulnerability is due to unrestricted upload of files with dangerous types via the save_file() function, which saves email attachments to a web-accessible directory without proper validation. Although the plugin attempts to prevent PHP execution using an Apache .htaccess file, this protection is ineffective on nginx, IIS, Lighttpd, or misconfigured Apache servers. This flaw allows unauthenticated attackers to upload malicious PHP files and execute arbitrary code by accessing the files via predictable filenames. To address this issue, users should upgrade the plugin to version 1.9.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13516.
Read more CMS
In HUSKY – Products Filter Professional for WooCommerce plugin for WordPress versions up to and including 1.3.7.2 a medium severity vulnerability CVE-2025-13109 was detected. This vulnerability allows authenticated attackers with subscriber-level access and above to exploit missing validation in the woof_add_query and woof_remove_query functions. Successful exploitation enables attackers to insert or remove arbitrary saved search queries in any user’s profile, including administrators, leading to unauthorized modification of user data. To address this issue, users should upgrade the plugin to version 1.3.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13109.
Read more CMS
In Mattermost versions 10.11.x through 10.11.4 and 10.5.x through 10.5.12 a low severity vulnerability CVE-2025-13870 was identified. This vulnerability allows authenticated users to bypass permission validation when accessing files and subscribing to blocks in Boards. As a result, users can access files and subscribe to blocks on other boards they do not have permission to view. To address this issue, users should upgrade Mattermost to versions 10.11.5, 10.5.13 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13870.
Read more Communication
In Mautic versions 4.0 through 4.4.17, 5.0 through 5.2.8, and 6.0 through 6.0.6 a low critical vulnerability CVE-2025-13828 was detected. This vulnerability allows a non-privileged user without access to the Marketplace to install and uninstall arbitrary composer packages, even when the “enable composer based update” setting is disabled. This can lead to malicious code installation, enabling privilege escalation on the platform. To address this issue, users should upgrade Mautic to versions 4.4.18, 5.2.9, 6.0.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13828.
Read more Marketing Automation