CVE-2025-5539 – WordPress WP Easy Contact Stored Cross-Site Scripting

June 4, 2025

CVE ID : CVE-2025-5539

Published : June 4, 2025, 5:15 a.m. | 2 hours, 18 minutes ago

Description : The Simple Contact Form Plugin for WordPress – WP Easy Contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ’emd_mb_meta’ shortcode in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

Previous ArticleCVE-2025-5562 – PHPGurukul Curfew SQL Injection Vulnerability

Next Article CVE-2025-5561 – PHPGurukul Curfew e-Pass Management System SQL Injection Vulnerability

Highlights

CVE-2025-47781 – Rallly Token Brute Force Vulnerability

May 14, 2025

CVE ID : CVE-2025-47781

Published : May 14, 2025, 4:15 p.m. | 17 minutes ago

Description : Rallly is an open-source scheduling and collaboration tool. Versions up to and including 3.22.1 of the application features token based authentication. When a user attempts to login to the application, they insert their email and a 6 digit code is sent to their email address to complete the authentication. A token that consists of 6 digits only presents weak entropy however and when coupled with no token brute force protection, makes it possible for an unauthenticated attacker with knowledge of a valid email address to successfully brute force the token within 15 minutes (token expiration time) and take over the account associated with the targeted email address. All users on the Rallly applications are impacted. As long as an attacker knows the user’s email address they used to register on the app, they can systematically take over any user account. For the authentication mechanism to be safe, the token would need to be assigned a complex high entropy value that cannot be bruteforced within reasonable time, and ideally rate limiting the /api/auth/callback/email endpoint to further make brute force attempts unreasonable within the 15 minutes time. As of time of publication, no patched versions are available.

Severity: 9.8 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

The Case For Minimal WordPress Setups: A Contrarian View On Theme Frameworks

How To Fix Largest Contentful Paint Issues With Subpart Analysis

How To Prevent WordPress SQL Injection Attacks

In MCP era API discoverability is now more important than ever

Black Myth: Wukong is coming to Xbox exactly one year after launching on PlayStation

Reddit wants to sue Anthropic for stealing its data, but the Claude AI manufacturers vow to “defend ourselves vigorously”

Satya Nadella says Microsoft makes money every time you use ChatGPT: “Every day that ChatGPT succeeds is a fantastic day”

Multiple reports suggest a Persona 4 Remake from Atlus will be announced during the Xbox Games Showcase

TC39 advances numerous proposals at latest meeting

TC39 advances numerous proposals at latest meeting

TypeBridge – zero ceremony, compile time rpc for client and server com

Simplify Cloud-Native Development with Quarkus Extensions

Black Myth: Wukong is coming to Xbox exactly one year after launching on PlayStation

Black Myth: Wukong is coming to Xbox exactly one year after launching on PlayStation

Reddit wants to sue Anthropic for stealing its data, but the Claude AI manufacturers vow to “defend ourselves vigorously”

Satya Nadella says Microsoft makes money every time you use ChatGPT: “Every day that ChatGPT succeeds is a fantastic day”

CVE-2025-5539 – WordPress WP Easy Contact Stored Cross-Site Scripting

Leadership, Trust, and Cyber Hygiene: NCSC’s Guide to Security Culture in Action

CVE-2025-4318 Critical RCE in AWS Amplify Codegen UI

Ransomware Extortion Drops to $813.5M in 2024, Down from $1.25B in 2023

Google AI Introduces Proofread: A Novel Gboard Feature Enabling Seamless Sentence-Level And Paragraph-Level Corrections With A Single Tap

Understanding the Differences Between WebSocket and Socket.IO

Adobe’s New AI Is So Good You Might Ditch Other Tools

CVE-2025-47781 – Rallly Token Brute Force Vulnerability

Symbiotic Security launches AI tool for detecting and fixing vulnerabilities in code

GitHub Action Compromise Puts CI/CD Secrets at Risk in Over 23,000 Repositories

Did Russia Cyber Army Team Target Liechtenstein Telecom? Website Down, Cause Unclear

CVE-2025-5539 – WordPress WP Easy Contact Stored Cross-Site Scripting

Related Posts