In GiveWP – Donation Plugin and Fundraising Platform plugin versions up to and including 4.13.0 a high severity vulnerability CVE-2025-13206 was detected. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts via the name parameter due to insufficient input sanitization and output escaping, provided that avatars are enabled in the WordPress installation. These scripts will execute whenever a user views an affected page. To address this issue, users should upgrade the plugin to version 4.13.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13206.
Read more CMS
In WP Import – Ultimate CSV XML Importer plugin versions up to and including 7.33.1 a high severity vulnerability CVE-2025-13145 was detected. This vulnerability allows authenticated attackers with administrator-level access or higher to perform PHP Object Injection by supplying maliciously crafted data in CSV file imports processed by the import_single_post_as_csv function. If a POP chain is available through another plugin or theme on the system, this may lead to arbitrary file deletion, sensitive data exposure, or code execution. To address this issue, users should upgrade the plugin to version 7.33.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13145.
Read more CMS
In SiteSEO – SEO Simplified plugin versions up to and including 1.3.2 a medium severity vulnerability CVE-2025-13085 was detected. This vulnerability allows authenticated attackers with the siteseo_manage capability to read arbitrary post metadata from posts, pages, attachments, or WooCommerce orders they cannot edit due to missing object-level authorization checks in the resolve_variables() AJAX handler. In WooCommerce installations with legacy storage enabled, this may expose sensitive customer billing information such as names, emails, phone numbers, addresses, and payment methods. To address this issue, users should upgrade the plugin to version 1.3.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13085.
Read more CMS
In Mattermost versions 10.11.x through 10.11.3 and 10.5.x through 10.5.11 a low severity vulnerability CVE-2025-55074 was detected. This vulnerability causes Mattermost to fail to enforce access permissions on the Agents plugin, allowing other users to determine when users had read channels via channel member objects. Fixed versions include 11.0.0, 10.11.4, and 10.5.12. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-55074.
Read more Communication
In RTMKit Addons for Elementor plugin versions up to and including 1.6.1 a medium severity vulnerability CVE-2025-8609 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to perform Stored Cross-Site Scripting via the plugin’s Accordion Block attributes due to insufficient sanitization and escaping of user-supplied input, causing injected scripts to run when a user views an affected page. To address this issue, users should upgrade the plugin to version 1.6.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8609.
Read more CMS
In Gutenify – Visual Site Builder Blocks & Site Templates plugin versions up to and including 1.5.9 a medium severity vulnerability CVE-2025-8605 was detected. This vulnerability allows authenticated attackers with contributor-level access and above to perform Stored Cross-Site Scripting by abusing insufficient input sanitization and output escaping on block attributes, enabling malicious scripts to execute whenever a user accesses an affected page. To address this issue, users should upgrade the plugin to version 1.6.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8605.
Read more CMS
In AI Engine plugin versions up to and including 3.1.8 a medium severity vulnerability CVE-2025-8084 was detected. This vulnerability allows authenticated attackers with Editor-level access and above to perform Server-Side Request Forgery via the rest_helpers_create_images function, enabling them to make web requests to arbitrary locations from the web application. On Cloud instances, this can lead to metadata retrieval and unauthorized querying or modification of internal services. To address this issue, users should upgrade the plugin to version 3.1.9 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-8084.
Read more CMS
In Simple User Import Export plugin versions up to and including 1.1.7 a medium severity vulnerability CVE-2025-13133 was detected. This vulnerability allows authenticated attackers with Administrator-level access and above to perform CSV Injection via the ‘Import/export users’ function by embedding untrusted input into exported CSV files, which may lead to code execution when the files are opened on a local system with a vulnerable configuration. To address this issue, users should upgrade the plugin to version 1.1.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-13133.
Read more CMS
In Mattermost versions prior to 11 a medium severity vulnerability CVE-2025-11776 was identified. This vulnerability allows guest users to bypass access restrictions on the archived channel search API and discover archived public channels via the /api/v4/teams/{team_id}/channels/search_archived endpoint. To fix this vulnerability, users should upgrade Mattermost to version 11 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-11776.
Read more Communication