CVE ID : CVE-2025-4177
Published : May 2, 2025, 3:15 a.m. | 4 hours, 5 minutes ago
Description : The Flynax Bridge plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to delete arbitrary users.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-4131
Published : May 2, 2025, 3:15 a.m. | 4 hours, 5 minutes ago
Description : The GmapsMania plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s gmap shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-4179
Published : May 2, 2025, 3:15 a.m. | 4 hours, 5 minutes ago
Description : The Flynax Bridge plugin for WordPress is vulnerable to limited Privilege Escalation due to a missing capability check on the registerUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to register new user accounts as authors.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2024-13322
Published : May 2, 2025, 4:15 a.m. | 3 hours, 5 minutes ago
Description : The Ads Pro Plugin – Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to SQL Injection via the ‘a_id’ parameter in all versions up to, and including, 4.88 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2024-12023
Published : May 2, 2025, 4:15 a.m. | 3 hours, 5 minutes ago
Description : The FULL – Cliente plugin for WordPress is vulnerable to SQL Injection via the ‘formId’ parameter in all versions 3.1.5 to 3.1.25 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable when the PRO version of the plugin is activated, along with Elementor Pro and Elementor CRM.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2024-13344
Published : May 2, 2025, 4:15 a.m. | 3 hours, 5 minutes ago
Description : The Advance Seat Reservation Management for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the ‘profileId’ parameter in all versions up to, and including, 3.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2024-13418
Published : May 2, 2025, 4:15 a.m. | 3 hours, 5 minutes ago
Description : Multiple plugins and/or themes for WordPress are vulnerable to Arbitrary File Uploads due to a missing capability check on the ajaxUploadFonts() function in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files that can make remote code execution possible. This issue was escalated to Envato over two months from the date of this disclosure and the issue, while partially patched, is still vulnerable.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2024-13419
Published : May 2, 2025, 4:15 a.m. | 3 hours, 5 minutes ago
Description : Multiple plugins and/or themes for WordPress using Smart Framework are vulnerable to Stored Cross-Site Scripting due to a missing capability check on the saveOptions() and importThemeOptions() functions in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin’s settings which includes custom JavaScript that is enabled site-wide. This issue was escalated to Envato over two months from the date of this disclosure and the issue is still vulnerable.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-1327
Published : May 2, 2025, 4:15 a.m. | 3 hours, 5 minutes ago
Description : The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the ‘homey_delete_user_account’ action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other user’s accounts.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-1326
Published : May 2, 2025, 4:15 a.m. | 3 hours, 5 minutes ago
Description : The Homey theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the homey_reservation_del() function in all versions up to, and including, 2.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary reservations and posts.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-3510
Published : May 2, 2025, 4:15 a.m. | 3 hours, 5 minutes ago
Description : The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2024-13420
Published : May 2, 2025, 4:15 a.m. | 3 hours, 5 minutes ago
Description : Multiple plugins and/or themes for WordPress are vulnerable to unauthorized access due to a missing capability check on several AJAX actions like ‘gsf_reset_section_options’, ‘gsf_reset_section_options’, ‘gsf_create_preset_options’ and more in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset and modify some of the plugin/theme settings. This issue was escalated to Envato over two months from the date of this disclosure and the issues, while partially patched, are still vulnerable.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-3709
Published : May 2, 2025, 4:15 a.m. | 4 hours, 59 minutes ago
Description : Agentflow from Flowring Technology has an Account Lockout Bypass vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to perform password brute force attack.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-3708
Published : May 2, 2025, 4:15 a.m. | 4 hours, 59 minutes ago
Description : Le-show medical practice management system from Le-yan has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-3707
Published : May 2, 2025, 4:15 a.m. | 3 hours, 5 minutes ago
Description : The eHDR CTMS from Sunnet has a SQL Injection vulnerability, allowing remote attackers with regular privileges to inject arbitrary SQL command to read database contents.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-3748
Published : May 2, 2025, 4:15 a.m. | 3 hours, 5 minutes ago
Description : The Taxonomy Chain Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s pn_chain_menu shortcode in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-3858
Published : May 2, 2025, 4:15 a.m. | 3 hours, 5 minutes ago
Description : The Formality plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ parameter in all versions up to, and including, 1.5.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-3438
Published : May 2, 2025, 6:15 a.m. | 1 hour, 5 minutes ago
Description : The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to to register with the ‘wcfm_vendor’ role, which is a Store Vendor role in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress. The vulnerability can only be exploited if the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin is installed and activated. The vulnerability was partially patched in version 4.17.3.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-3514
Published : May 2, 2025, 6:15 a.m. | 1 hour, 5 minutes ago
Description : The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more…
CVE ID : CVE-2025-3488
Published : May 2, 2025, 6:15 a.m. | 1 hour, 5 minutes ago
Description : The WPML plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s wpml_language_switcher shortcode in versions 3.6.0 – 4.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more…