CVE-2025-13393 (GCVE-0-2025-13393)
Vulnerability from cvelistv5 – Published: 2026-01-10 13:47 – Updated: 2026-01-10 13:47
Title
Featured Image from URL (FIFU) <= 5.3.1 - Authenticated (Contributor+) Server-Side Request Forgery via 'fifu_input_url'
Summary
The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() function in the Elementor widget integration. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via the fifu_input_url parameter in the FIFU Elementor widget granted they have permissions to use Elementor.
Severity
4.3 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
Wordfence
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| marceljm | Featured Image from URL (FIFU) | Affected: *, ≤ 5.3.1 (semver) |
Credits
Dmitrii Ignatyev
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Featured Image from URL (FIFU)",
"vendor": "marceljm",
"versions": [
{
"lessThanOrEqual": "5.3.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.3.1. This is due to insufficient validation of user-supplied URLs before passing them to the getimagesize() function in the Elementor widget integration. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via the fifu_input_url parameter in the FIFU Elementor widget granted they have permissions to use Elementor."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-10T13:47:35.750Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b7115070-b84d-4d69-993a-f512b9f9c081?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/featured-image-from-url/trunk/elementor/widgets/widget.php#L94"
},
{
"url": "https://plugins.trac.wordpress.org/browser/featured-image-from-url/trunk/elementor/widgets/widget.php#L121"
},
{
"url": "https://research.cleantalk.org/cve-2025-13393/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3428744/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-19T01:27:50.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-09T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Featured Image from URL (FIFU) \u003c= 5.3.1 - Authenticated (Contributor+) Server-Side Request Forgery via \u0027fifu_input_url\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13393",
"datePublished": "2026-01-10T13:47:35.750Z",
"dateReserved": "2025-11-19T01:08:40.615Z",
"dateUpdated": "2026-01-10T13:47:35.750Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12379 (GCVE-0-2025-12379)
Vulnerability from cvelistv5 – Published: 2026-01-10 13:47 – Updated: 2026-01-10 13:47
Title
Shortcodes and extra features for Phlox theme <= 2.17.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Modern Heading Widget
Summary
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a combination of the 'tag' and ‘title_tag’ parameters in all versions up to, and including, 2.17.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| averta | Shortcodes and extra features for Phlox theme | Affected: *, ≤ 2.17.13 (semver) |
Credits
Abu Hurayra
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Shortcodes and extra features for Phlox theme",
"vendor": "averta",
"versions": [
{
"lessThanOrEqual": "2.17.13",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abu Hurayra"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a combination of the \u0027tag\u0027 and \u2018title_tag\u2019 parameters in all versions up to, and including, 2.17.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-10T13:47:35.146Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1144e0d9-692e-45a5-ac63-bcdd64a8bd8a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/auxin-elements/tags/2.17.12/includes/elementor/widgets/heading-modern.php#L1194"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3429103/auxin-elements/trunk/includes/elementor/widgets/heading-modern.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-28T00:54:27.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-09T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Shortcodes and extra features for Phlox theme \u003c= 2.17.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Modern Heading Widget"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12379",
"datePublished": "2026-01-10T13:47:35.146Z",
"dateReserved": "2025-10-28T00:38:54.310Z",
"dateUpdated": "2026-01-10T13:47:35.146Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14555 (GCVE-0-2025-14555)
Vulnerability from cvelistv5 – Published: 2026-01-10 12:23 – Updated: 2026-01-10 12:23
Title
Countdown Timer - Widget Countdown <= 2.7.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Summary
The Countdown Timer – Widget Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpdevart_countdown' shortcode in all versions up to, and including, 2.7.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| wpdevart | Countdown Timer – Widget Countdown | Affected: *, ≤ 2.7.7 (semver) |
Credits
Muhammad Yudha - DJ
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Countdown Timer \u2013 Widget Countdown",
"vendor": "wpdevart",
"versions": [
{
"lessThanOrEqual": "2.7.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Countdown Timer \u2013 Widget Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027wpdevart_countdown\u0027 shortcode in all versions up to, and including, 2.7.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-10T12:23:16.588Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ee84c720-7997-4c09-a2f9-5e1a28bd1100?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/widget-countdown/trunk/includes/front_end.php#L167"
},
{
"url": "https://plugins.trac.wordpress.org/browser/widget-countdown/trunk/includes/front_end.php#L48"
},
{
"url": "https://plugins.trac.wordpress.org/browser/widget-countdown/trunk/includes/front_end.php#L30"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3425959/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-09T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Countdown Timer - Widget Countdown \u003c= 2.7.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14555",
"datePublished": "2026-01-10T12:23:16.588Z",
"dateReserved": "2025-12-12T02:00:33.513Z",
"dateUpdated": "2026-01-10T12:23:16.588Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14506 (GCVE-0-2025-14506)
Vulnerability from cvelistv5 – Published: 2026-01-10 11:22 – Updated: 2026-01-10 11:22
Title
ConvertForce Popup Builder <= 0.0.7 - Stored Cross-Site Scripting via entrance_animation
Summary
The ConvertForce Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gutenberg block's `entrance_animation` attribute in all versions up to, and including, 0.0.7. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| imtiazrayhan | ConvertForce Popup Builder | Affected: *, ≤ 0.0.7 (semver) |
Credits
Athiwat Tiprasaharn
Itthidej Aramsri
Powpy
Waris Damkham
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ConvertForce Popup Builder",
"vendor": "imtiazrayhan",
"versions": [
{
"lessThanOrEqual": "0.0.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
},
{
"lang": "en",
"type": "finder",
"value": "Itthidej Aramsri"
},
{
"lang": "en",
"type": "finder",
"value": "Powpy"
},
{
"lang": "en",
"type": "finder",
"value": "Waris Damkham"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ConvertForce Popup Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gutenberg block\u0027s `entrance_animation` attribute in all versions up to, and including, 0.0.7. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-10T11:22:38.947Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c57b9a78-53f4-40bb-ae6a-c5242b41329f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/convertforce-popup-builder/trunk/inc/Blocks/Conversion.php#L47"
},
{
"url": "https://plugins.trac.wordpress.org/browser/convertforce-popup-builder/trunk/inc/Blocks/Conversion.php#L66"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3419678/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-11T18:29:42.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-09T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "ConvertForce Popup Builder \u003c= 0.0.7 - Stored Cross-Site Scripting via entrance_animation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14506",
"datePublished": "2026-01-10T11:22:38.947Z",
"dateReserved": "2025-12-11T00:01:18.282Z",
"dateUpdated": "2026-01-10T11:22:38.947Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0831 (GCVE-0-2026-0831)
Vulnerability from cvelistv5 – Published: 2026-01-10 09:22 – Updated: 2026-01-10 09:22
Title
Templately <= 3.4.8 - Unauthenticated Limited Arbitrary JSON File Write
Summary
The Templately plugin for WordPress is vulnerable to Arbitrary File Write in all versions up to, and including, 3.4.8. This is due to inadequate input validation in the `save_template_to_file()` function where user-controlled parameters like `session_id`, `content_id`, and `ai_page_ids` are used to construct file paths without proper sanitization. This makes it possible for unauthenticated attackers to write arbitrary `.ai.json` files to locations within the uploads directory.
Severity
5.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
Wordfence
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| wpdevteam | Templately – Elementor & Gutenberg Template Library: 6500+ Free & Pro Ready Templates And Cloud! | Affected: *, ≤ 3.4.8 (semver) |
Credits
M Indra Purnama
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Templately \u2013 Elementor \u0026 Gutenberg Template Library: 6500+ Free \u0026 Pro Ready Templates And Cloud!",
"vendor": "wpdevteam",
"versions": [
{
"lessThanOrEqual": "3.4.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "M Indra Purnama"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Templately plugin for WordPress is vulnerable to Arbitrary File Write in all versions up to, and including, 3.4.8. This is due to inadequate input validation in the `save_template_to_file()` function where user-controlled parameters like `session_id`, `content_id`, and `ai_page_ids` are used to construct file paths without proper sanitization. This makes it possible for unauthenticated attackers to write arbitrary `.ai.json` files to locations within the uploads directory."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-10T09:22:18.126Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/778242f4-5dfa-4d72-a032-8b5521c5b8ce?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/templately/tags/3.4.5/includes/Core/Importer/Utils/AIUtils.php#L414"
},
{
"url": "https://plugins.trac.wordpress.org/browser/templately/tags/3.4.5/includes/API/AIContent.php#L38"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3426051/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-19T23:25:34.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-09T20:32:57.000+00:00",
"value": "Disclosed"
}
],
"title": "Templately \u003c= 3.4.8 - Unauthenticated Limited Arbitrary JSON File Write"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0831",
"datePublished": "2026-01-10T09:22:18.126Z",
"dateReserved": "2026-01-09T20:31:20.483Z",
"dateUpdated": "2026-01-10T09:22:18.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14976 (GCVE-0-2025-14976)
Vulnerability from cvelistv5 – Published: 2026-01-10 08:22 – Updated: 2026-01-10 08:22
Title
User Registration & Membership <= 4.4.8 - Cross-Site Request Forgery to Arbitrary Post Deletion
Summary
The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. This is due to missing or incorrect nonce validation on the 'process_row_actions' function with the 'delete' action. This makes it possible for unauthenticated attackers to delete arbitrary post via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity
5.4 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Wordfence
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| wpeverest | User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin | Affected: *, ≤ 4.4.8 (semver) |
Credits
Youcef Hamdani
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "User Registration \u0026 Membership \u2013 Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction \u0026 Membership Plugin",
"vendor": "wpeverest",
"versions": [
{
"lessThanOrEqual": "4.4.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Youcef Hamdani"
}
],
"descriptions": [
{
"lang": "en",
"value": "The User Registration \u0026 Membership \u2013 Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction \u0026 Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. This is due to missing or incorrect nonce validation on the \u0027process_row_actions\u0027 function with the \u0027delete\u0027 action. This makes it possible for unauthenticated attackers to delete arbitrary post via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-10T08:22:57.183Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e5495b4c-a1ac-4860-83a7-686d9436d983?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/user-registration/tags/4.4.8/includes/abstracts/abstract-ur-list-table.php#L290"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3435099/user-registration"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-19T16:05:16.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-09T20:16:56.000+00:00",
"value": "Disclosed"
}
],
"title": "User Registration \u0026 Membership \u003c= 4.4.8 - Cross-Site Request Forgery to Arbitrary Post Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14976",
"datePublished": "2026-01-10T08:22:57.183Z",
"dateReserved": "2025-12-19T15:49:21.390Z",
"dateUpdated": "2026-01-10T08:22:57.183Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14948 (GCVE-0-2025-14948)
Vulnerability from cvelistv5 – Published: 2026-01-10 07:03 – Updated: 2026-01-10 07:03
Title
miniOrange OTP Verification and SMS Notification for WooCommerce <= 4.3.8 - Missing Authorization to Unauthenticated Notification Settings Modification
Summary
The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `enable_wc_sms_notification` AJAX action in all versions up to, and including, 4.3.8. This makes it possible for unauthenticated attackers to enable or disable SMS notification settings for WooCommerce orders.
Severity
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
Wordfence
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| cyberlord92 | miniOrange OTP Verification and SMS Notification for WooCommerce | Affected: *, ≤ 4.3.8 (semver) |
Credits
Abdualrhman Muzamil
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "miniOrange OTP Verification and SMS Notification for WooCommerce",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "4.3.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abdualrhman Muzamil"
}
],
"descriptions": [
{
"lang": "en",
"value": "The miniOrange OTP Verification and SMS Notification for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `enable_wc_sms_notification` AJAX action in all versions up to, and including, 4.3.8. This makes it possible for unauthenticated attackers to enable or disable SMS notification settings for WooCommerce orders."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-10T07:03:55.561Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f84ddc83-2079-45b9-8354-51094581b1f8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/miniorange-sms-order-notification-otp-verification/tags/4.3.8/notifications/wcsmsnotification/handler/class-woocommercenotifications.php#L138"
},
{
"url": "https://plugins.trac.wordpress.org/browser/miniorange-sms-order-notification-otp-verification?rev=3423647"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-19T04:30:06.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-09T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "miniOrange OTP Verification and SMS Notification for WooCommerce \u003c= 4.3.8 - Missing Authorization to Unauthenticated Notification Settings Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14948",
"datePublished": "2026-01-10T07:03:55.561Z",
"dateReserved": "2025-12-19T04:14:38.233Z",
"dateUpdated": "2026-01-10T07:03:55.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14943 (GCVE-0-2025-14943)
Vulnerability from cvelistv5 – Published: 2026-01-10 06:32 – Updated: 2026-01-10 06:32
Title
Blog2Social: Social Media Auto Post & Scheduler <= 8.7.2 - Incorrect Authorization to Authenticated (Subscriber+) Sensitive Information Exposure
Summary
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. This is due to a misconfigured authorization check on the 'getShipItemFullText' function which only verifies that a user has the 'read' capability (Subscriber-level) and a valid nonce, but fails to verify whether the user has permission to access the specific post being requested. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract data from password-protected, private, or draft posts.
Severity
4.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
Wordfence
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| pr-gateway | Blog2Social: Social Media Auto Post & Scheduler | Affected: *, ≤ 8.7.2 (semver) |
Credits
Youcef Hamdani
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Blog2Social: Social Media Auto Post \u0026 Scheduler",
"vendor": "pr-gateway",
"versions": [
{
"lessThanOrEqual": "8.7.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Youcef Hamdani"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Blog2Social: Social Media Auto Post \u0026 Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. This is due to a misconfigured authorization check on the \u0027getShipItemFullText\u0027 function which only verifies that a user has the \u0027read\u0027 capability (Subscriber-level) and a valid nonce, but fails to verify whether the user has permission to access the specific post being requested. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract data from password-protected, private, or draft posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-10T06:32:34.320Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7374db91-4e7d-4db2-9c58-bb9bdda5c85d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Get.php#L243"
},
{
"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Get.php?rev=3423620#L252"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-19T00:13:49.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-09T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Blog2Social: Social Media Auto Post \u0026 Scheduler \u003c= 8.7.2 - Incorrect Authorization to Authenticated (Subscriber+) Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14943",
"datePublished": "2026-01-10T06:32:34.320Z",
"dateReserved": "2025-12-18T23:57:47.575Z",
"dateUpdated": "2026-01-10T06:32:34.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13457 (GCVE-0-2025-13457)
Vulnerability from cvelistv5 – Published: 2026-01-10 03:21 – Updated: 2026-01-10 03:21
Title
WooCommerce Square <= 5.1.1 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure in get_token_by_id
Summary
The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Square "ccof" (credit card on file) values and leverage this value to potentially make fraudulent charges on the target site.
Severity
7.5 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Wordfence
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| woocommerce | WooCommerce Square | Affected (semver): ≥ 4.2.0, < 4.2.3; ≥ 4.3.0, < 4.3.2; ≥ 4.4.0, < 4.4.2; ≥ 4.5.0, < 4.5.2; ≥ 4.6.0, < 4.6.4; ≥ 4.7.0, < 4.7.4; ≥ 4.8.0, < 4.8.8; ≥ 4.9.0, < 4.9.9; ≥ 5.0.0, < 5.0.1; ≥ 5.1.0, < 5.1.2 |
Credits
German
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WooCommerce Square",
"vendor": "woocommerce",
"versions": [
{
"lessThan": "4.2.3",
"status": "affected",
"version": "4.2.0",
"versionType": "semver"
},
{
"lessThan": "4.3.2",
"status": "affected",
"version": "4.3.0",
"versionType": "semver"
},
{
"lessThan": "4.4.2",
"status": "affected",
"version": "4.4.0",
"versionType": "semver"
},
{
"lessThan": "4.5.2",
"status": "affected",
"version": "4.5.0",
"versionType": "semver"
},
{
"lessThan": "4.6.4",
"status": "affected",
"version": "4.6.0",
"versionType": "semver"
},
{
"lessThan": "4.7.4",
"status": "affected",
"version": "4.7.0",
"versionType": "semver"
},
{
"lessThan": "4.8.8",
"status": "affected",
"version": "4.8.0",
"versionType": "semver"
},
{
"lessThan": "4.9.9",
"status": "affected",
"version": "4.9.0",
"versionType": "semver"
},
{
"lessThan": "5.0.1",
"status": "affected",
"version": "5.0.0",
"versionType": "semver"
},
{
"lessThan": "5.1.2",
"status": "affected",
"version": "5.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "German"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Square \"ccof\" (credit card on file) values and leverage this value to potentially make fraudulent charges on the target site."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-10T03:21:01.113Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7f4f726-7e53-4397-8d8b-7a574326adc6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3415850/woocommerce-square"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-25T19:04:33.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-09T14:05:48.000+00:00",
"value": "Disclosed"
}
],
"title": "WooCommerce Square \u003c= 5.1.1 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure in get_token_by_id"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13457",
"datePublished": "2026-01-10T03:21:01.113Z",
"dateReserved": "2025-11-19T20:13:41.577Z",
"dateUpdated": "2026-01-10T03:21:01.113Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11453 (GCVE-0-2025-11453)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 17:03
Title
Header and Footer Scripts <= 2.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The Header and Footer Scripts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _inpost_head_script parameter in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| anand_kumar | Header and Footer Scripts | Affected: * , ≤ 2.2.2 (semver) |
Credits
Powpy
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11453",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T17:03:20.997063Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T17:03:41.270Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Header and Footer Scripts",
"vendor": "anand_kumar",
"versions": [
{
"lessThanOrEqual": "2.2.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Powpy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Header and Footer Scripts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _inpost_head_script parameter in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:36.142Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d658e087-8cc7-4653-af3c-407b6f73fb7b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/header-and-footer-scripts/tags/2.2.2/shfs.php#L119"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-25T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-08T21:20:03.000+00:00",
"value": "Disclosed"
}
],
"title": "Header and Footer Scripts \u003c= 2.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11453",
"datePublished": "2026-01-09T11:15:36.142Z",
"dateReserved": "2025-10-07T17:26:44.860Z",
"dateUpdated": "2026-01-09T17:03:41.270Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13908 (GCVE-0-2025-13908)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 16:47
Title
The Tooltip <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Summary
The The Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'the_tooltip' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| alobaidi | The Tooltip | Affected: * , ≤ 1.0.2 (semver) |
Credits
Gilang Asra Bilhadi
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13908",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T16:47:05.257189Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T16:47:29.688Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "The Tooltip",
"vendor": "alobaidi",
"versions": [
{
"lessThanOrEqual": "1.0.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gilang Asra Bilhadi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The The Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027the_tooltip\u0027 shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:35.698Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d2bac05e-ecd0-427b-90a0-6cf78175cd19?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/the-tooltip/trunk/the-tooltip.php#L92"
},
{
"url": "https://plugins.trac.wordpress.org/browser/the-tooltip/tags/1.0.2/the-tooltip.php#L92"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:20:51.000+00:00",
"value": "Disclosed"
}
],
"title": "The Tooltip \u003c= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13908",
"datePublished": "2026-01-09T11:15:35.698Z",
"dateReserved": "2025-12-02T16:44:05.173Z",
"dateUpdated": "2026-01-09T16:47:29.688Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13862 (GCVE-0-2025-13862)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 16:48
Title
Menu Card <= 0.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Summary
The Menu Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `category` parameter in all versions up to, and including, 0.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| furqan-khanzada | Menu Card | Affected: * , ≤ 0.8.0 (semver) |
Credits
Youcef Hamdani
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13862",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T16:48:34.484753Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T16:48:52.340Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Menu Card",
"vendor": "furqan-khanzada",
"versions": [
{
"lessThanOrEqual": "0.8.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Youcef Hamdani"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Menu Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `category` parameter in all versions up to, and including, 0.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:35.321Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cec428cd-0fa1-4bc4-b7f6-faf90c31f306?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/menu-card/trunk/menu-card.php#L102"
},
{
"url": "https://plugins.trac.wordpress.org/browser/menu-card/tags/0.8.0/menu-card.php#L102"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:22:42.000+00:00",
"value": "Disclosed"
}
],
"title": "Menu Card \u003c= 0.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13862",
"datePublished": "2026-01-09T11:15:35.321Z",
"dateReserved": "2025-12-01T21:06:33.942Z",
"dateUpdated": "2026-01-09T16:48:52.340Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14172 (GCVE-0-2025-14172)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 16:58
Title
WP Page Permalink Extension <= 1.5.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Rewrite Rules Flush
Summary
The WP Page Permalink Extension plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.4. This is due to missing authorization checks on the `cwpp_trigger_flush_rewrite_rules` function hooked to `wp_ajax_cwpp_trigger_flush_rewrite_rules`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to flush the site's rewrite rules via the `action` parameter.
Severity
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| infosatech | WP Page Permalink Extension | Affected: * , ≤ 1.5.4 (semver) |
Credits
Abhirup Konwar
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14172",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T16:50:38.330576Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T16:58:27.051Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Page Permalink Extension",
"vendor": "infosatech",
"versions": [
{
"lessThanOrEqual": "1.5.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abhirup Konwar"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Page Permalink Extension plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.4. This is due to missing authorization checks on the `cwpp_trigger_flush_rewrite_rules` function hooked to `wp_ajax_cwpp_trigger_flush_rewrite_rules`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to flush the site\u0027s rewrite rules via the `action` parameter."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:34.916Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c5ba37d7-8fde-4ee3-93db-d2459da34bc4?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/change-wp-page-permalinks/trunk/change-wp-page-permalinks.php#L188"
},
{
"url": "https://plugins.trac.wordpress.org/browser/change-wp-page-permalinks/tags/1.5.4/change-wp-page-permalinks.php#L188"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:56:04.000+00:00",
"value": "Disclosed"
}
],
"title": "WP Page Permalink Extension \u003c= 1.5.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Rewrite Rules Flush"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14172",
"datePublished": "2026-01-09T11:15:34.916Z",
"dateReserved": "2025-12-05T22:12:02.972Z",
"dateUpdated": "2026-01-09T16:58:27.051Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13717 (GCVE-0-2025-13717)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 17:44
Title
Contact Form vCard Generator <= 2.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'wp-gvc-cf-download-id' Parameter
Summary
The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive Contact Form 7 submission data via the 'wp-gvc-cf-download-id' parameter, including names, phone numbers, email addresses, and messages.
Severity
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| ashishajani | Contact Form vCard Generator | Affected: * , ≤ 2.4 (semver) |
Credits
Sopon Tangpathum (SoNaJaa)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13717",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T17:43:47.192497Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T17:44:09.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Contact Form vCard Generator",
"vendor": "ashishajani",
"versions": [
{
"lessThanOrEqual": "2.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sopon Tangpathum (SoNaJaa)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027wp_gvccf_check_download_request\u0027 function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive Contact Form 7 submission data via the \u0027wp-gvc-cf-download-id\u0027 parameter, including names, phone numbers, email addresses, and messages."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:34.501Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bdde4399-af90-4528-92a4-5176dfa5e453?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/trunk/includes/wp-gvc-cf-settings.php#L13"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/tags/2.4/includes/wp-gvc-cf-settings.php#L13"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/trunk/includes/wp-gvc-cf-settings.php#L105"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/tags/2.4/includes/wp-gvc-cf-settings.php#L105"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:36:46.000+00:00",
"value": "Disclosed"
}
],
"title": "Contact Form vCard Generator \u003c= 2.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via \u0027wp-gvc-cf-download-id\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13717",
"datePublished": "2026-01-09T11:15:34.501Z",
"dateReserved": "2025-11-25T21:54:45.575Z",
"dateUpdated": "2026-01-09T17:44:09.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13704 (GCVE-0-2025-13704)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 17:52
Title
Autogen Headers Menu <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'head_class' Shortcode Parameter
Summary
The Autogen Headers Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head_class' parameter of the 'autogen_menu' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| amirshk | Autogen Headers Menu | Affected: * , ≤ 1.0.1 (semver) |
Credits
Youcef Hamdani
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13704",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T17:51:02.116475Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T17:52:39.497Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Autogen Headers Menu",
"vendor": "amirshk",
"versions": [
{
"lessThanOrEqual": "1.0.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Youcef Hamdani"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Autogen Headers Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027head_class\u0027 parameter of the \u0027autogen_menu\u0027 shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:34.128Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a63bf106-78cf-441b-a1b3-77ec1cf6c22b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/autogen-headers-menu/trunk/index.php#L115"
},
{
"url": "https://plugins.trac.wordpress.org/browser/autogen-headers-menu/tags/1.0.1/index.php#L115"
},
{
"url": "https://plugins.trac.wordpress.org/browser/autogen-headers-menu/trunk/index.php#L53"
},
{
"url": "https://plugins.trac.wordpress.org/browser/autogen-headers-menu/tags/1.0.1/index.php#L53"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:56:23.000+00:00",
"value": "Disclosed"
}
],
"title": "Autogen Headers Menu \u003c= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027head_class\u0027 Shortcode Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13704",
"datePublished": "2026-01-09T11:15:34.128Z",
"dateReserved": "2025-11-25T21:45:09.181Z",
"dateUpdated": "2026-01-09T17:52:39.497Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13892 (GCVE-0-2025-13892)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 17:53
Title
MG AdvancedOptions <= 1.2 - Reflected Cross-Site Scripting
Summary
The MG AdvancedOptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| mountaingrafix | MG AdvancedOptions | Affected: * , ≤ 1.2 (semver) |
Credits
Abdulsamad Yusuf
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13892",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T17:53:26.718485Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T17:53:55.148Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MG AdvancedOptions",
"vendor": "mountaingrafix",
"versions": [
{
"lessThanOrEqual": "1.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abdulsamad Yusuf"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MG AdvancedOptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER[\u0027PHP_SELF\u0027]` variable in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:33.718Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/86358a01-bf69-4a7f-8b78-a0d42d362d96?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mg-advancedoptions/trunk/mg-advancedoptions/MG_AdvancedOptions.php#L96"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mg-advancedoptions/trunk/mg-advancedoptions/MG_AdvancedOptions.php#L58"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:35:53.000+00:00",
"value": "Disclosed"
}
],
"title": "MG AdvancedOptions \u003c= 1.2 - Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13892",
"datePublished": "2026-01-09T11:15:33.718Z",
"dateReserved": "2025-12-02T15:36:54.355Z",
"dateUpdated": "2026-01-09T17:53:55.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13897 (GCVE-0-2025-13897)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 18:19
Title
Client Testimonial Slider <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'aft_testimonial_meta_name' Metabox Field
Summary
The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aft_testimonial_meta_name' custom field in the Client Information metabox in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected administrative page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| amu02aftab | Client Testimonial Slider | Affected: * , ≤ 2.0 (semver) |
Credits
Muhammad Yudha - DJ
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13897",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T18:08:48.271169Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T18:19:16.062Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Client Testimonial Slider",
"vendor": "amu02aftab",
"versions": [
{
"lessThanOrEqual": "2.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027aft_testimonial_meta_name\u0027 custom field in the Client Information metabox in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected administrative page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:33.126Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5bf12608-4e02-4b3a-9363-991dca5ee11b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-client-testimonial/trunk/wp-client-testimonial.php#L117"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-client-testimonial/tags/2.0/wp-client-testimonial.php#L117"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:37:12.000+00:00",
"value": "Disclosed"
}
],
"title": "Client Testimonial Slider \u003c= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027aft_testimonial_meta_name\u0027 Metabox Field"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13897",
"datePublished": "2026-01-09T11:15:33.126Z",
"dateReserved": "2025-12-02T16:11:34.987Z",
"dateUpdated": "2026-01-09T18:19:16.062Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13854 (GCVE-0-2025-13854)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 19:30
Title
Curved Text <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Summary
The Curved Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'radius' parameter of the arctext shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/48514fdb-20c6-4a7f-8f60-e532ddd8853e?source=cve
- https://plugins.trac.wordpress.org/browser/curved-text/trunk/curved-text.php#L32
- https://plugins.trac.wordpress.org/browser/curved-text/tags/0.1/curved-text.php#L32
Impacted products
| Vendor | Product | Version |
|---|---|---|
| soniz | Curved Text | Affected: all versions ≤ 0.1 (semver) |
Credits
Gilang Asra Bilhadi
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13854",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T18:38:12.215529Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T19:30:10.397Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Curved Text",
"vendor": "soniz",
"versions": [
{
"lessThanOrEqual": "0.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gilang Asra Bilhadi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Curved Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027radius\u0027 parameter of the arctext shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:32.678Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48514fdb-20c6-4a7f-8f60-e532ddd8853e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/curved-text/trunk/curved-text.php#L32"
},
{
"url": "https://plugins.trac.wordpress.org/browser/curved-text/tags/0.1/curved-text.php#L32"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:22:18.000+00:00",
"value": "Disclosed"
}
],
"title": "Curved Text \u003c= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13854",
"datePublished": "2026-01-09T11:15:32.678Z",
"dateReserved": "2025-12-01T20:23:34.658Z",
"dateUpdated": "2026-01-09T19:30:10.397Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13701 (GCVE-0-2025-13701)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 19:32
Title
Shabat Keeper <= 0.4.4 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
Summary
The Shabat Keeper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 0.4.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3aa73be6-0836-4540-8a80-e1da34c0ee0d?source=cve
- https://plugins.trac.wordpress.org/browser/shabat-keeper/trunk/shabat-keeper.php#L148
- https://plugins.trac.wordpress.org/browser/shabat-keeper/tags/0.4.4/shabat-keeper.php#L148
Impacted products
| Vendor | Product | Version |
|---|---|---|
| beshkin | Shabat Keeper | Affected: all versions ≤ 0.4.4 (semver) |
Credits
Abdulsamad Yusuf
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13701",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T19:30:31.345323Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T19:32:49.805Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Shabat Keeper",
"vendor": "beshkin",
"versions": [
{
"lessThanOrEqual": "0.4.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abdulsamad Yusuf"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Shabat Keeper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER[\u0027PHP_SELF\u0027] parameter in all versions up to, and including, 0.4.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:32.224Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3aa73be6-0836-4540-8a80-e1da34c0ee0d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/shabat-keeper/trunk/shabat-keeper.php#L148"
},
{
"url": "https://plugins.trac.wordpress.org/browser/shabat-keeper/tags/0.4.4/shabat-keeper.php#L148"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:55:43.000+00:00",
"value": "Disclosed"
}
],
"title": "Shabat Keeper \u003c= 0.4.4 - Reflected Cross-Site Scripting via $_SERVER[\u0027PHP_SELF\u0027]"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13701",
"datePublished": "2026-01-09T11:15:32.224Z",
"dateReserved": "2025-11-25T21:40:55.256Z",
"dateUpdated": "2026-01-09T19:32:49.805Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13967 (GCVE-0-2025-13967)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 14:47
Title
Woodpecker for WordPress <= 3.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'form_name' Shortcode Attribute
Summary
The Woodpecker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_name' parameter of the [woodpecker-connector] shortcode in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1d99c8a8-daeb-402b-990d-6bacf6e9a780?source=cve
- https://plugins.trac.wordpress.org/browser/woodpecker/trunk/public/class-wfw-public.php#L109
- https://plugins.trac.wordpress.org/browser/woodpecker/tags/3.0.4/public/class-wfw-public.php#L109
- https://plugins.trac.wordpress.org/browser/woodpecker/trunk/public/partials/wfw-public-shortcode.php#L39
- https://plugins.trac.wordpress.org/browser/woodpecker/tags/3.0.4/public/partials/wfw-public-shortcode.php#L39
Impacted products
| Vendor | Product | Version |
|---|---|---|
| woodpeckerleadform | Woodpecker for WordPress | Affected: all versions ≤ 3.0.4 (semver) |
Credits
Gilang Asra Bilhadi
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13967",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T14:47:08.833406Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T14:47:19.902Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Woodpecker for WordPress",
"vendor": "woodpeckerleadform",
"versions": [
{
"lessThanOrEqual": "3.0.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gilang Asra Bilhadi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Woodpecker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027form_name\u0027 parameter of the [woodpecker-connector] shortcode in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:31.734Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1d99c8a8-daeb-402b-990d-6bacf6e9a780?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woodpecker/trunk/public/class-wfw-public.php#L109"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woodpecker/tags/3.0.4/public/class-wfw-public.php#L109"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woodpecker/trunk/public/partials/wfw-public-shortcode.php#L39"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woodpecker/tags/3.0.4/public/partials/wfw-public-shortcode.php#L39"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:54:57.000+00:00",
"value": "Disclosed"
}
],
"title": "Woodpecker for WordPress \u003c= 3.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027form_name\u0027 Shortcode Attribute"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13967",
"datePublished": "2026-01-09T11:15:31.734Z",
"dateReserved": "2025-12-03T15:28:00.300Z",
"dateUpdated": "2026-01-09T14:47:19.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13852 (GCVE-0-2025-13852)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 14:48
Title
Debt.com Business in a Box <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Summary
The Debt.com Business in a Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'configuration' parameter of the lead_form shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1bb58556-29be-4272-85fc-bb2b7c72abf4?source=cve
- https://plugins.trac.wordpress.org/browser/debtcom-business-in-a-box/trunk/inc/bib_form.php#L256
- https://plugins.trac.wordpress.org/browser/debtcom-business-in-a-box/tags/4.1.0/inc/bib_form.php#L256
Impacted products
| Vendor | Product | Version |
|---|---|---|
| debtcom | Debt.com Business in a Box | Affected: all versions ≤ 4.1.0 (semver) |
Credits
Youcef Hamdani
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13852",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T14:47:55.256448Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T14:48:04.310Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Debt.com Business in a Box",
"vendor": "debtcom",
"versions": [
{
"lessThanOrEqual": "4.1.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Youcef Hamdani"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Debt.com Business in a Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027configuration\u0027 parameter of the lead_form shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:31.249Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1bb58556-29be-4272-85fc-bb2b7c72abf4?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/debtcom-business-in-a-box/trunk/inc/bib_form.php#L256"
},
{
"url": "https://plugins.trac.wordpress.org/browser/debtcom-business-in-a-box/tags/4.1.0/inc/bib_form.php#L256"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:36:17.000+00:00",
"value": "Disclosed"
}
],
"title": "Debt.com Business in a Box \u003c= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13852",
"datePublished": "2026-01-09T11:15:31.249Z",
"dateReserved": "2025-12-01T20:20:30.422Z",
"dateUpdated": "2026-01-09T14:48:04.310Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13893 (GCVE-0-2025-13893)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 14:51
Title
Lesson Plan Book <= 1.3 - Reflected Cross-Site Scripting
Summary
The Lesson Plan Book plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/18696937-5cc5-4e14-940d-fc25468377a3?source=cve
- https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L719
- https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L1776
- https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L1910
Impacted products
| Vendor | Product | Version |
|---|---|---|
| burtrw | Lesson Plan Book | Affected: all versions ≤ 1.3 (semver) |
Credits
Abdulsamad Yusuf
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13893",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T14:51:11.292290Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T14:51:20.686Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Lesson Plan Book",
"vendor": "burtrw",
"versions": [
{
"lessThanOrEqual": "1.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abdulsamad Yusuf"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Lesson Plan Book plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER[\u0027PHP_SELF\u0027]` variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:30.823Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/18696937-5cc5-4e14-940d-fc25468377a3?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L719"
},
{
"url": "https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L1776"
},
{
"url": "https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L1910"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:37:35.000+00:00",
"value": "Disclosed"
}
],
"title": "Lesson Plan Book \u003c= 1.3 - Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13893",
"datePublished": "2026-01-09T11:15:30.823Z",
"dateReserved": "2025-12-02T15:38:02.335Z",
"dateUpdated": "2026-01-09T14:51:20.686Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13903 (GCVE-0-2025-13903)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 19:11
Title
PullQuote <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Summary
The PullQuote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pullquote' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0a0ee752-7fc4-46d3-9e0f-8b9317b0ea72?source=cve
- https://plugins.trac.wordpress.org/browser/pullquote/trunk/includes/core.php#L12
- https://plugins.trac.wordpress.org/browser/pullquote/tags/1.0/includes/core.php#L12
Impacted products
| Vendor | Product | Version |
|---|---|---|
| ctietze | PullQuote | Affected: all versions ≤ 1.0 (semver) |
Credits
Gilang Asra Bilhadi
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13903",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T19:05:42.637969Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T19:11:59.849Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PullQuote",
"vendor": "ctietze",
"versions": [
{
"lessThanOrEqual": "1.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gilang Asra Bilhadi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PullQuote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027pullquote\u0027 shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:30.170Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0a0ee752-7fc4-46d3-9e0f-8b9317b0ea72?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pullquote/trunk/includes/core.php#L12"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pullquote/tags/1.0/includes/core.php#L12"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:54:08.000+00:00",
"value": "Disclosed"
}
],
"title": "PullQuote \u003c= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13903",
"datePublished": "2026-01-09T11:15:30.170Z",
"dateReserved": "2025-12-02T16:34:18.320Z",
"dateUpdated": "2026-01-09T19:11:59.849Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13895 (GCVE-0-2025-13895)
Vulnerability from cvelistv5 – Published: 2026-01-09 09:19 – Updated: 2026-01-09 18:01
Title
Top Position Google Finance <= 0.1.0 - Reflected Cross-Site Scripting
Summary
The Top Position Google Finance plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
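The three PHP_SELF entries on this page (Shabat Keeper, Lesson Plan Book and Top Position Google Finance) share one root cause: an admin page echoes `$_SERVER['PHP_SELF']` into a form action. The following is an added illustration of that pattern and its fix, written for this listing; it is not code from any of those plugins, and the page slug `demo-settings`, the option name `demo_greeting` and the nonce names are hypothetical.

```php
<?php
// Added example, not code from the plugins listed on this page. Slug, option
// and nonce names are hypothetical placeholders.

// VULNERABLE: PHP_SELF is the script path *as requested*, including any path
// info the client appended. Where the server routes trailing path info to the
// script (the usual PHP setup), a request for
//   /wp-admin/options-general.php/"><script>alert(1)</script>/?page=demo-settings
// still executes options-general.php, and PHP_SELF carries the payload into the
// form tag below. Crafting the link needs no account (PR:N); it fires for
// whichever logged-in user follows it (UI:R), which is the 6.1 reflected-XSS
// profile these entries carry.
function demo_settings_form_vulnerable() {
    echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '?page=demo-settings">';
    wp_nonce_field( 'demo_settings_save', 'demo_settings_nonce' );
    submit_button();
    echo '</form>';
}

// HARDENED: never echo a request-derived path. Build the action from a value
// the plugin controls, escape it for the attribute context, and keep the
// capability and nonce checks on the handler that processes the POST.
function demo_settings_form_hardened() {
    $action = admin_url( 'options-general.php?page=demo-settings' );
    echo '<form method="post" action="' . esc_url( $action ) . '">';
    wp_nonce_field( 'demo_settings_save', 'demo_settings_nonce' );
    submit_button();
    echo '</form>';
}

// POST handler for the hardened form: authorise, verify the nonce, sanitise.
function demo_settings_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'demo_settings_save', 'demo_settings_nonce' );
    $greeting = sanitize_text_field( wp_unslash( $_POST['demo_greeting'] ?? '' ) );
    update_option( 'demo_greeting', $greeting );
}
```

A quick audit check for the same bug class is to grep a plugin tree for `PHP_SELF`, `REQUEST_URI` and `QUERY_STRING` and confirm every hit is either unused in output or wrapped in `esc_url()`/`esc_attr()`; the fix above sidesteps the question by not echoing request data at all.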
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/fcbf81f8-8b33-4b83-91fb-626b7b5f3bb2?source=cve
- https://plugins.trac.wordpress.org/browser/top-position-google-finance/trunk/top-position-google-finance.php#L78
- https://plugins.trac.wordpress.org/browser/top-position-google-finance/trunk/top-position-google-finance.php#L56
Impacted products
| Vendor | Product | Version |
|---|---|---|
| top-position | Top Position Google Finance | Affected: all versions ≤ 0.1.0 (semver) |
Credits
Abdulsamad Yusuf
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T18:01:45.357613Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T18:01:53.355Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Top Position Google Finance",
"vendor": "top-position",
"versions": [
{
"lessThanOrEqual": "0.1.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abdulsamad Yusuf"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Top Position Google Finance plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER[\u0027PHP_SELF\u0027]` variable in all versions up to, and including, 0.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T09:19:48.081Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fcbf81f8-8b33-4b83-91fb-626b7b5f3bb2?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/top-position-google-finance/trunk/top-position-google-finance.php#L78"
},
{
"url": "https://plugins.trac.wordpress.org/browser/top-position-google-finance/trunk/top-position-google-finance.php#L56"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:19:22.000+00:00",
"value": "Disclosed"
}
],
"title": "Top Position Google Finance \u003c= 0.1.0 - Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13895",
"datePublished": "2026-01-09T09:19:48.081Z",
"dateReserved": "2025-12-02T15:40:16.609Z",
"dateUpdated": "2026-01-09T18:01:53.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13900 (GCVE-0-2025-13900)
Vulnerability from cvelistv5 – Published: 2026-01-09 09:19 – Updated: 2026-01-09 18:02
Title
WP Popup Magic <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute
Summary
The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the [wppum_end] shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c11a5f07-de89-47ec-a92e-2adc75965648?source=cve
- https://plugins.trac.wordpress.org/browser/wppopupmagic/trunk/class-wppum-frontend.php#L622
- https://plugins.trac.wordpress.org/browser/wppopupmagic/tags/1.0.0/class-wppum-frontend.php#L622
Impacted products
| Vendor | Product | Version |
|---|---|---|
| themelocation | WP Popup Magic | Affected: all versions ≤ 1.0.0 (semver) |
Credits
Muhammad Yudha - DJ
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13900",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T18:02:12.630387Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T18:02:20.631Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Popup Magic",
"vendor": "themelocation",
"versions": [
{
"lessThanOrEqual": "1.0.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027name\u0027 parameter of the [wppum_end] shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T09:19:47.637Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c11a5f07-de89-47ec-a92e-2adc75965648?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wppopupmagic/trunk/class-wppum-frontend.php#L622"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wppopupmagic/tags/1.0.0/class-wppum-frontend.php#L622"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:19:37.000+00:00",
"value": "Disclosed"
}
],
"title": "WP Popup Magic \u003c= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027name\u0027 Shortcode Attribute"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13900",
"datePublished": "2026-01-09T09:19:47.637Z",
"dateReserved": "2025-12-02T16:15:13.624Z",
"dateUpdated": "2026-01-09T18:02:20.631Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13853 (GCVE-0-2025-13853)
Vulnerability from cvelistv5 – Published: 2026-01-09 09:19 – Updated: 2026-01-09 17:06
Title
Nearby Now Reviews <= 5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Summary
The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data_tech' parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8dc991ea-0d00-4734-9b9a-5af759e83540?source=cve
- https://plugins.trac.wordpress.org/browser/nearby-now-reviews/trunk/nn-reviews.php#L160
- https://plugins.trac.wordpress.org/browser/nearby-now-reviews/tags/5.2/nn-reviews.php#L160
Impacted products
| Vendor | Product | Version |
|---|---|---|
| lnbadmin1 | Nearby Now Reviews | Affected: all versions ≤ 5.2 (semver) |
Credits
Gilang Asra Bilhadi
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13853",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T17:06:21.298630Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T17:06:28.658Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Nearby Now Reviews",
"vendor": "lnbadmin1",
"versions": [
{
"lessThanOrEqual": "5.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gilang Asra Bilhadi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027data_tech\u0027 parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T09:19:47.232Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8dc991ea-0d00-4734-9b9a-5af759e83540?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/nearby-now-reviews/trunk/nn-reviews.php#L160"
},
{
"url": "https://plugins.trac.wordpress.org/browser/nearby-now-reviews/tags/5.2/nn-reviews.php#L160"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:19:01.000+00:00",
"value": "Disclosed"
}
],
"title": "Nearby Now Reviews \u003c= 5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13853",
"datePublished": "2026-01-09T09:19:47.232Z",
"dateReserved": "2025-12-01T20:21:37.258Z",
"dateUpdated": "2026-01-09T17:06:28.658Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13729 (GCVE-0-2025-13729)
Vulnerability from cvelistv5 – Published: 2026-01-09 09:19 – Updated: 2026-01-09 18:02
Title
Entry Views <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Summary
The Entry Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'entry-views' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0e7e9fcc-804a-46a8-95cd-b358ba7681ec?source=cve
- https://plugins.trac.wordpress.org/browser/entry-views/tags/1.0.0/inc/shortcodes.php#L25
- https://plugins.trac.wordpress.org/browser/entry-views/tags/1.0.0/inc/shortcodes.php#L36
- https://plugins.trac.wordpress.org/browser/entry-views/tags/1.0.0/inc/template.php#L35
Impacted products
| Vendor | Product | Version |
|---|---|---|
| greenshady | Entry Views | ≤ 1.0.0 (semver) |
Credits
Muhammad Yudha - DJ
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13729",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T18:02:41.300502Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T18:02:49.336Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Entry Views",
"vendor": "greenshady",
"versions": [
{
"lessThanOrEqual": "1.0.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Entry Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027entry-views\u0027 shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T09:19:46.607Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e7e9fcc-804a-46a8-95cd-b358ba7681ec?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/entry-views/tags/1.0.0/inc/shortcodes.php#L25"
},
{
"url": "https://plugins.trac.wordpress.org/browser/entry-views/tags/1.0.0/inc/shortcodes.php#L36"
},
{
"url": "https://plugins.trac.wordpress.org/browser/entry-views/tags/1.0.0/inc/template.php#L35"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:18:42.000+00:00",
"value": "Disclosed"
}
],
"title": "Entry Views \u003c= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13729",
"datePublished": "2026-01-09T09:19:46.607Z",
"dateReserved": "2025-11-25T23:26:23.223Z",
"dateUpdated": "2026-01-09T18:02:49.336Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
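The two shortcode records above (Nearby Now Reviews, 'data_tech' on nn-tech, and Entry Views, attributes of 'entry-views') describe one pattern: a value that a Contributor can type into post content is echoed into the shortcode's HTML output without escaping. The Contributor role matters because post content is run through wp_kses for users without unfiltered_html, but a shortcode and its attribute values are plain text to kses; the HTML is only produced when the shortcode handler runs at render time. The Python below is an added example, not code from either plugin or from Wordfence. It uses a stand-in shortcode attribute parser and an invented `<div data-tech="...">` output to show the attribute-context break-out and what the `esc_attr()` analogue changes. The tag and attribute name are taken from the Nearby Now record; the payload, the markup and the function names are constructed.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample post body. A Contributor cannot save raw HTML (wp_kses strips
# it), but the shortcode and its attributes are plain text to kses, so this
# survives saving. Tag and attribute name come from the advisory; payload is ours.
SAMPLE_POST = ("Our tech: [nn-tech data_tech='\" onmouseover=\"alert(document.cookie)'] "
               "thanks for reading!")

# Simplified stand-in for WordPress shortcode_parse_atts(): key="v", key='v', key=v.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")


def parse_shortcode(text, tag):
    """Return the attribute dict of the first [tag ...] occurrence, or None."""
    m = re.search(r'\[' + re.escape(tag) + r'\b([^\]]*)\]', text)
    if m is None:
        return None
    atts = {}
    for am in ATTR_RE.finditer(m.group(1)):
        # Exactly one of the three value groups participated in the match.
        atts[am.group(1).lower()] = am.group(am.lastindex)
    return atts


def render_vulnerable(atts):
    """The pattern behind the advisory: the attribute value lands in HTML unescaped."""
    tech = atts.get('data_tech', '')
    return f'<div class="nn-reviews" data-tech="{tech}"></div>'


def render_hardened(atts):
    """Same markup, value escaped for an attribute context.
    escape(quote=True) is the Python analogue of WordPress esc_attr()."""
    tech = escape(str(atts.get('data_tech', '')), quote=True)
    return f'<div class="nn-reviews" data-tech="{tech}"></div>'


class _AttrCollector(HTMLParser):
    """Collects start-tag attributes the way a browser tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def browser_view(markup):
    """Attributes of the rendered markup as the browser sees them (values unescaped)."""
    p = _AttrCollector()
    p.feed(markup)
    p.close()
    return dict(p.attrs)


if __name__ == '__main__':
    atts = parse_shortcode(SAMPLE_POST, 'nn-tech')
    for label, render in (('vulnerable', render_vulnerable), ('hardened', render_hardened)):
        out = render(atts)
        print(f'{label}: {out}\n  browser sees: {browser_view(out)}')
```

In the vulnerable output the tokenizer reports a third attribute, `onmouseover`, that the template never wrote; in the hardened output there is still only `data-tech`, whose value happens to contain the payload as inert text. The same escaping discipline applies per context: `esc_attr()` for attribute values, `esc_html()` for element content, `esc_url()` for href/src.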
CVE-2026-0627 (GCVE-0-2026-0627)
Vulnerability from cvelistv5 – Published: 2026-01-09 08:20 – Updated: 2026-01-09 18:03
Title
AMP for WP <= 1.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG File Upload
Summary
The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed23318-3b47-4336-a3aa-6b09f3911926?source=cve
- https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/trunk/templates/features.php#L10373
- https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.1.10/templates/features.php#L10373
- https://plugins.trac.wordpress.org/changeset/3434946/accelerated-mobile-pages/trunk/templates/features.php?old=3426181&old_path=accelerated-mobile-pages%2Ftrunk%2Ftemplates%2Ffeatures.php
Impacted products
| Vendor | Product | Version |
|---|---|---|
| mohammed_kaludi | AMP for WP – Accelerated Mobile Pages | ≤ 1.1.10 (semver) |
Credits
andrea bocchetti
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0627",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T18:03:23.177288Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T18:03:30.677Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "AMP for WP \u2013 Accelerated Mobile Pages",
"vendor": "mohammed_kaludi",
"versions": [
{
"lessThanOrEqual": "1.1.10",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "andrea bocchetti"
}
],
"descriptions": [
{
"lang": "en",
"value": "The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `\u003cscript\u003e` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T08:20:46.258Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed23318-3b47-4336-a3aa-6b09f3911926?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/trunk/templates/features.php#L10373"
},
{
"url": "https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.1.10/templates/features.php#L10373"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3434946/accelerated-mobile-pages/trunk/templates/features.php?old=3426181\u0026old_path=accelerated-mobile-pages%2Ftrunk%2Ftemplates%2Ffeatures.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T19:34:15.000+00:00",
"value": "Disclosed"
}
],
"title": "AMP for WP \u003c= 1.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG File Upload"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0627",
"datePublished": "2026-01-09T08:20:46.258Z",
"dateReserved": "2026-01-05T22:04:46.579Z",
"dateUpdated": "2026-01-09T18:03:30.677Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
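The AMP for WP record above is a reminder that an SVG is an XML document that browsers execute, not an image: removing `<script>` elements leaves event-handler attributes, `foreignObject` (which embeds arbitrary XHTML) and SMIL animation elements (which can rewrite `href` to a `javascript:` URL) untouched. The Python below is an added example, not the plugin's sanitizer or Wordfence's test material. It applies a script-only filter of the kind the advisory describes to a handful of constructed SVG samples, then walks the parsed tree to report what that filter left behind. The element list is illustrative rather than a complete allow-list, and plain `xml.etree` is used so the example runs offline; for real uploads, parse with defusedxml or an entity-disabled parser and prefer an allow-list of elements and attributes over a block-list.

```python
import re
import xml.etree.ElementTree as ET

# Constructed SVG samples (not files from the plugin or the advisory). Each one
# exercises a vector the advisory names; "clean" is a control that should pass.
SAMPLES = {
    'script_only': '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    'onload': '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><circle r="4"/></svg>',
    'foreign_object': ('<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
                       '<body xmlns="http://www.w3.org/1999/xhtml">'
                       '<img src="x" onerror="alert(1)"/></body></foreignObject></svg>'),
    'animation': ('<svg xmlns="http://www.w3.org/2000/svg" '
                  'xmlns:xlink="http://www.w3.org/1999/xlink">'
                  '<a xlink:href="#"><text y="20">click</text>'
                  '<animate attributeName="href" values="javascript:alert(1)" begin="0s"/>'
                  '</a></svg>'),
    'clean': ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              '<rect width="10" height="10" fill="#0a0"/></svg>'),
}

# The insufficient filter the advisory describes: drop <script>...</script>, nothing else.
SCRIPT_TAG_RE = re.compile(r'<script\b[^>]*>.*?</script\s*>', re.IGNORECASE | re.DOTALL)


def strip_script_tags(svg):
    return SCRIPT_TAG_RE.sub('', svg)


# Elements that run script, embed foreign markup or animate attributes; an
# uploaded image needs none of them. Illustrative, not exhaustive.
RISKY_ELEMENTS = {'script', 'foreignObject', 'animate', 'set',
                  'animateTransform', 'animateMotion', 'handler'}
SCRIPT_URL_RE = re.compile(r'^\s*(?:javascript|vbscript|data)\s*:', re.IGNORECASE)


def _local(qname):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit('}', 1)[-1]


def find_svg_risks(svg):
    """Walk the parsed document and return (element, reason) pairs; [] means clean."""
    findings = []
    for el in ET.fromstring(svg).iter():
        tag = _local(el.tag)
        if tag in RISKY_ELEMENTS:
            findings.append((tag, 'disallowed element'))
        for name, value in el.attrib.items():
            attr = _local(name)
            if attr.lower().startswith('on'):
                findings.append((tag, f'event handler attribute {attr}'))
            elif attr == 'href' and SCRIPT_URL_RE.match(value):
                findings.append((tag, f'scriptable URL in {attr}'))
    return findings


def scan(svg):
    """Run the script-only filter, then report what it left behind."""
    stripped = strip_script_tags(svg)
    return {
        'passes_script_only_filter': '<script' not in stripped.lower(),
        'remaining_risks': find_svg_risks(stripped),
    }


if __name__ == '__main__':
    for name, svg in SAMPLES.items():
        print(name, scan(svg))
```

Only the sample whose sole payload is a `<script>` element is neutralized by the script-only filter; the other three pass it unchanged and are still flagged by the tree walk. Serving uploads from a separate origin, or with `Content-Disposition: attachment` and a restrictive `Content-Security-Policy`, limits the blast radius even when a sanitizer misses a vector.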
CVE-2025-14657 (GCVE-0-2025-14657)
Vulnerability from cvelistv5 – Published: 2026-01-09 07:22 – Updated: 2026-01-09 18:07
Title
Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) <= 4.0.51 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via 'post_settings'
Summary
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
Severity
7.2 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
Wordfence
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e4188b26-80f8-41b8-be19-1ddcbd7e39f5?source=cve
- https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/base/Enqueue/register.php?old=3390273&old_path=wp-event-solution%2Ftrunk%2Fbase%2FEnqueue%2Fregister.php
- https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/base/api-handler.php?old=3390273&old_path=wp-event-solution%2Ftrunk%2Fbase%2Fapi-handler.php
- https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/core/event/api.php?old=3390273&old_path=wp-event-solution%2Ftrunk%2Fcore%2Fevent%2Fapi.php
Impacted products
| Vendor | Product | Version |
|---|---|---|
| arraytics | Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) | ≤ 4.0.51 (semver) |
Credits
Sarawut Poolkhet
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14657",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T18:07:15.776405Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T18:07:23.696Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Eventin \u2013 Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered)",
"vendor": "arraytics",
"versions": [
{
"lessThanOrEqual": "4.0.51",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sarawut Poolkhet"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Eventin \u2013 Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027post_settings\u0027 function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the \u0027etn_primary_color\u0027 setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T07:22:12.728Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e4188b26-80f8-41b8-be19-1ddcbd7e39f5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/base/Enqueue/register.php?old=3390273\u0026old_path=wp-event-solution%2Ftrunk%2Fbase%2FEnqueue%2Fregister.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/base/api-handler.php?old=3390273\u0026old_path=wp-event-solution%2Ftrunk%2Fbase%2Fapi-handler.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/core/event/api.php?old=3390273\u0026old_path=wp-event-solution%2Ftrunk%2Fcore%2Fevent%2Fapi.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-11T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-12-13T12:42:56.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-08T18:45:19.000+00:00",
"value": "Disclosed"
}
],
"title": "Eventin \u2013 Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) \u003c= 4.0.51 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via \u0027post_settings\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14657",
"datePublished": "2026-01-09T07:22:12.728Z",
"dateReserved": "2025-12-13T12:25:43.872Z",
"dateUpdated": "2026-01-09T18:07:23.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13753 (GCVE-0-2025-13753)
Vulnerability from cvelistv5 – Published: 2026-01-09 07:22 – Updated: 2026-01-09 18:09
Title
WP Table Builder <= 2.0.19 - Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Table Creation
Summary
The WP Table Builder – Drag & Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the save_table() function in all versions up to, and including, 2.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new wptb-table posts.
Severity
4.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
Wordfence
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/95f49080-2263-4f6d-9372-30137efd8e10?source=cve
- https://plugins.trac.wordpress.org/changeset/3432381/wp-table-builder
Impacted products
| Vendor | Product | Version |
|---|---|---|
| wptb | WP Table Builder – Drag & Drop Table Builder | ≤ 2.0.19 (semver) |
Credits
Dmitrii Ignatyev
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13753",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T18:09:36.894537Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T18:09:45.205Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Table Builder \u2013 Drag \u0026 Drop Table Builder",
"vendor": "wptb",
"versions": [
{
"lessThanOrEqual": "2.0.19",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Table Builder \u2013 Drag \u0026 Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the save_table() function in all versions up to, and including, 2.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new wptb-table posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T07:22:12.280Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/95f49080-2263-4f6d-9372-30137efd8e10?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3432381/wp-table-builder"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-01T18:20:23.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-08T18:58:47.000+00:00",
"value": "Disclosed"
}
],
"title": "WP Table Builder \u003c= 2.0.19 - Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Table Creation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13753",
"datePublished": "2026-01-09T07:22:12.280Z",
"dateReserved": "2025-11-26T18:34:46.579Z",
"dateUpdated": "2026-01-09T18:09:45.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
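The Eventin record chains two defects: a settings endpoint ('post_settings') with no capability check, and a colour setting ('etn_primary_color') written into a style block without validation, so an unauthenticated caller gets stored XSS with a single request. The WP Table Builder record is the first half of that pattern on its own: save_table() performs an authorization check, but one that still lets any Subscriber create wptb-table posts. The Python below is an added example that serves both records; it is not code from either plugin or from Wordfence. It models a settings endpoint and the style output that reads from it, with the weak version beside a corrected one. `Actor`, `manage_options` as the required capability, the `.etn-btn` rule, the fallback colour and the numeric return codes are assumptions; `sanitize_hex_color` is a stand-alone analogue of the WordPress function of that name.

```python
import re
from html.parser import HTMLParser

# Assumed fallback colour and CSS rule; neither is taken from the plugin.
DEFAULT_PRIMARY = '#5a2ff0'
HEX_COLOR_RE = re.compile(r'^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$')

# Constructed request bodies. The attack value closes the style element the
# colour is written into and opens a script element after it.
ATTACK_PAYLOAD = {'etn_primary_color':
                  '#000}</style><script>alert(document.cookie)</script><style>.x{'}
BENIGN_PAYLOAD = {'etn_primary_color': '#0a0'}


class Actor:
    """Minimal stand-in for the current WordPress user: an anonymous visitor has
    no capabilities, an administrator has manage_options."""

    def __init__(self, caps=()):
        self.caps = set(caps)

    def can(self, cap):
        return cap in self.caps


def sanitize_hex_color(value):
    """Analogue of WordPress sanitize_hex_color(): the value if it is #rgb or
    #rrggbb, '' for empty input, None for anything else."""
    if value == '':
        return ''
    return value if HEX_COLOR_RE.match(value) else None


def post_settings_vulnerable(store, body, actor):
    """Pattern in the advisory: any caller can write, and values are stored as sent."""
    store.update(body)
    return 200


def post_settings_hardened(store, body, actor):
    """Authorization first (in WordPress: current_user_can('manage_options') from
    the route's permission_callback; a nonce alone is not authorization), then
    per-field validation before anything is stored."""
    if not actor.can('manage_options'):
        return 403
    color = sanitize_hex_color(body.get('etn_primary_color', ''))
    if color is None:
        return 400
    store['etn_primary_color'] = color
    return 200


def render_styles_vulnerable(store):
    """Sink without validation: whatever is stored lands inside <style>."""
    color = store.get('etn_primary_color') or DEFAULT_PRIMARY
    return f'<style>.etn-btn{{background:{color}}}</style>'


def render_styles_hardened(store):
    """Same sink, value re-validated at output: defence in depth for values
    written before the endpoint was fixed."""
    color = sanitize_hex_color(store.get('etn_primary_color', '')) or DEFAULT_PRIMARY
    return f'<style>.etn-btn{{background:{color}}}</style>'


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_seen(markup):
    """Element names a browser tokenizer would see in the rendered output."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


if __name__ == '__main__':
    anon, admin = Actor(), Actor(['manage_options'])
    weak, fixed = {}, {}
    post_settings_vulnerable(weak, ATTACK_PAYLOAD, anon)
    print('vulnerable store renders tags:', tags_seen(render_styles_vulnerable(weak)))
    print('hardened endpoint, anonymous:', post_settings_hardened(fixed, ATTACK_PAYLOAD, anon))
    print('hardened endpoint, admin, bad value:', post_settings_hardened(fixed, ATTACK_PAYLOAD, admin))
    print('hardened endpoint, admin, good value:', post_settings_hardened(fixed, BENIGN_PAYLOAD, admin))
    print('hardened store renders:', render_styles_hardened(fixed))
```

With the weak endpoint the anonymous write succeeds and the rendered page contains a `<script>` element the template never wrote; with the hardened endpoint the same request is refused before validation runs, and even a value that reached the database by other means is replaced by the fallback at the sink. For the WP Table Builder case the relevant half is the first check: the capability tested must be one that actually distinguishes who may create the post type, not merely that the caller is logged in.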