CVE-2025-5933 – WordPress RD Contacto CSRF Vulnerability

CVE ID : CVE-2025-5933

Published : July 4, 2025, 3:15 a.m. | 22 minutes ago

Description : The RD Contacto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the rdWappUpdateData() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Severity: 4.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Read More

CVE-2025-5956 – WP Human Resource Management Plugin Arbitrary User Deletion Vulnerability

CVE ID : CVE-2025-5956

Published : July 4, 2025, 3:15 a.m. | 22 minutes ago

Description : The WP Human Resource Management plugin for WordPress is vulnerable to Arbitrary User Deletion due to a missing authorization within the ajax_delete_employee() function in versions 2.0.0 through 2.2.17. The plugin’s deletion handler reads the client-supplied $_POST[‘delete’] array and passes each ID directly to wp_delete_user() without verifying that the caller has the delete_users capability or limiting which user IDs may be removed. This makes it possible for authenticated attackers, with Employee-level access and above, to delete arbitrary accounts, including administrators.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Read More

CVE-2025-6039 – WordPress ProcessingJS Stored Cross-Site Scripting

CVE ID : CVE-2025-6039

Published : July 4, 2025, 3:15 a.m. | 22 minutes ago

Description : The ProcessingJS for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘pjs4wp’ shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Read More

CVE-2025-5953 – WordPress WP Human Resource Management Privilege Escalation

CVE ID : CVE-2025-5953

Published : July 4, 2025, 3:15 a.m. | 22 minutes ago

Description : The WP Human Resource Management plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the ajax_insert_employee() and update_empoyee() functions in versions 2.0.0 through 2.2.17. The AJAX handler reads the client-supplied $_POST[‘role’] and, after basic cleaning via hrm_clean(), passes it directly to wp_insert_user() and later to $user->set_role() without verifying that the current user is allowed to assign that role. This makes it possible for authenticated attackers, with Employee-level access and above, to elevate their privileges to administrator.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Read More