CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | Description | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|---|
| CVE-2025-14110 | The WP Js List Pages Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to, and including, 1.21 due to insufficient inp... | 6.4 | MEDIUM | - | 0 |
| CVE-2025-14112 | The Snillrik Restaurant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'menu_style' shortcode attribute in all versions up to, and including, 2.2.1 due to insufficient input... | 6.4 | MEDIUM | - | 0 |
| CVE-2025-14113 | The Viitor Button Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' shortcode attribute in all versions up to, and including, 3.0.0 due to insufficient input ... | 6.4 | MEDIUM | - | 0 |
| CVE-2025-14114 | The 1180px Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to, and including, 1.1.1 due to insufficient input saniti... | 6.4 | MEDIUM | - | 0 |
| CVE-2025-14118 | The Starred Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the PHP_SELF variable in all versions up to, and including, 1.4.2 due to insufficient input sanitization and... | 6.1 | MEDIUM | - | 0 |
| CVE-2025-14121 | The EDD Download Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'edd_download_info_link' shortcode in all versions up to, and including, 1.1 due to insufficient input s... | 6.4 | MEDIUM | - | 0 |
| CVE-2025-14122 | The AD Sliding FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliding_faq' shortcode in all versions up to, and including, 2.4 due to insufficient input sanitization an... | 6.4 | MEDIUM | - | 0 |
| CVE-2025-14127 | The Testimonial Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.2.1 due to insufficient inpu... | 6.1 | MEDIUM | - | 0 |
| CVE-2025-14128 | The Stumble! for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.1.1 due to insufficient ... | 6.1 | MEDIUM | - | 0 |
| CVE-2025-14130 | The Post Like Dislike plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input s... | 6.1 | MEDIUM | - | 0 |
| CVE-2025-14131 | The WP Widget Changer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2.5 due to insufficient input... | 6.1 | MEDIUM | - | 0 |
| CVE-2025-14144 | The Mstoic Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'start' parameter of the ms_youtube_embeds shortcode in all versions up to, and including, 2.0 due to in... | 6.4 | MEDIUM | - | 0 |
| CVE-2025-14145 | The Niche Hero \| Beautifully-designed blocks in seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spacing' parameter of the nh_row shortcode in all versions up to, and... | 6.4 | MEDIUM | - | 0 |
| CVE-2025-14147 | The Easy GitHub Gist Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the gist shortcode in all versions up to, and including, 1.0 due to insuffic... | 6.4 | MEDIUM | - | 0 |
| CVE-2025-14352 | The Awesome Hotel Booking plugin for WordPress is vulnerable to unauthorized modification of data due to incorrect authorization in the room-single.php shortcode handler in all versions up to, and inc... | 5.3 | MEDIUM | - | 0 |
| CVE-2025-14370 | The Quote Comments plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.0.0. This is due to missing authorization checks in the quotecomments_add_admin f... | 5.3 | MEDIUM | - | 0 |
| CVE-2025-14453 | The My Album Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style_css' shortcode attribute in all versions up to, and including, 1.0.4 due to insufficient input san... | 6.4 | MEDIUM | - | 0 |
| CVE-2025-14460 | The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorizat... | 5.3 | MEDIUM | - | 0 |
| CVE-2025-14465 | The Sticky Action Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the sabs_o... | 4.3 | MEDIUM | - | 0 |
| CVE-2025-14468 | The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.9. This is due to inverted nonce verification logic in ... | 4.3 | MEDIUM | - | 0 |
| CVE-2025-14614 | Insecure Temporary File vulnerability in Altera Quartus Prime Standard Installer (SFX) on Windows, Altera Quartus Prime Lite Installer (SFX) on Windows allows Explore for Predictable Temporary... | 6.7 | MEDIUM | - | 0 |
| CVE-2025-14626 | The QR Code for WooCommerce order emails, PDF invoices, packing slips plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including,... | 6.4 | MEDIUM | - | 0 |
| CVE-2025-14719 | The Relevanssi WordPress plugin before 4.26.0, Relevanssi Premium WordPress plugin before 2.29.0 do not sanitize and escape a parameter before using it in a SQL statement, allowing contributor and ab... | 4.9 | MEDIUM | - | 0 |
| CVE-2025-14792 | The Key Figures plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the kf_field_figure_default_color_render function in all versions up to, and including, 1.1 due to insufficient in... | 4.4 | MEDIUM | - | 0 |
| CVE-2025-14796 | The My Album Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image titles in all versions up to, and including, 1.0.4. This is due to insufficient input sanitization and ... | 6.4 | MEDIUM | - | 0 |
| CVE-2025-14802 | The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to unauthorized file deletion in versions up to, and including, 4.3.2.2 via the /wp-json/lp/v1/material/{file_id} REST API endpoint. T... | 5.4 | MEDIUM | - | 0 |
| CVE-2025-14804 | The Frontend File Manager Plugin WordPress plugin before 23.5 did not validate a path parameter and ownership of the file, allowing any authenticated users, such as subscribers to delete arbitrary fil... | 7.7 | HIGH | - | 0 |
| CVE-2025-14835 | The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode’ parameter in all versions up to, and including, 9.1.05.008 due to insufficient input sa... | 7.1 | HIGH | - | 0 |
| CVE-2025-14888 | The Simple User Meta Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user meta value field in all versions up to, and including, 1.0.0 due to insufficient input saniti... | 4.4 | MEDIUM | - | 0 |
| CVE-2025-14842 | The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. This is due t... | 6.1 | MEDIUM | - | 0 |
| CVE-2025-14845 | The NS IE Compatibility Fixer plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to, and including, 2.1.5. This is due to missing nonce validation on the settin... | 4.3 | MEDIUM | - | 0 |
| CVE-2025-14867 | The Flashcard plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.9 via the 'source' attribute of the 'flashcard' shortcode. This makes it possible for authent... | 6.5 | MEDIUM | - | 0 |
| CVE-2025-14875 | The HBLPAY Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘cusdata’ parameter in all versions up to, and including, 5.0.0 due to insuffici... | 6.1 | MEDIUM | - | 0 |
| CVE-2025-14887 | The twinklesmtp – Email Service Provider For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's sender settings in all versions up to, and including, 1.03 due to ... | 4.4 | MEDIUM | - | 0 |
| CVE-2025-14891 | The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'displayName' parameter in all versions up to, and including, 5.93.1 due to insufficient ... | 6.4 | MEDIUM | - | 0 |
| CVE-2025-14901 | The Bit Form – Contact Form Plugin plugin for WordPress is vulnerable to unauthorized workflow execution due to missing authorization in the triggerWorkFlow function in all versions up to, and includi... | 6.5 | MEDIUM | - | 0 |
| CVE-2025-14904 | The Newsletter Email Subscribe plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4. This is due to incorrect nonce validation on the nels_settings_pa... | 4.3 | MEDIUM | - | 0 |
| CVE-2025-14999 | The Latest Tabs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the settings update ... | 4.3 | MEDIUM | - | 0 |
| CVE-2025-15000 | The Page Keys plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘page_key’ parameter in all versions up to, and including, 1.3.3 due to insufficient input sanitization and outp... | 4.4 | MEDIUM | - | 0 |
| CVE-2025-15018 | The Optional Email plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in all versions up to, and including, 1.3.11. This is due to the plugin not restricting its 'random_p... | 9.8 | CRITICAL | - | 0 |
| CVE-2025-47552 | Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery allows Object Injection. This issue affects DZS Video Gallery: from n/a through 12.37. | 9.8 | CRITICAL | - | 0 |
| CVE-2025-15058 | The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'table_currency' parameter in all versions up to, and including, 5.1.12 due to insufficient input... | 6.4 | MEDIUM | - | 0 |
| CVE-2025-15158 | The WP Enable WebP plugin for WordPress is vulnerable to arbitrary file uploads due to improper file type validation in the 'wpse_file_and_ext_webp' function in all versions up to, and including, 1.0.... | 8.8 | HIGH | - | 0 |
| CVE-2025-15472 | A flaw has been found in TRENDnet TEW-811DRU 1.0.2.0. This affects the function setDeviceURL of the file uapply.cgi of the component httpd. This manipulation of the argument DeviceURL causes os comm... | 7.2 | HIGH | - | 0 |
| CVE-2025-15474 | AuntyFey Smart Combination Lock firmware versions as of 2025-12-24 contain a vulnerability that allows an unauthenticated attacker within Bluetooth Low Energy (BLE) range to cause a denial of service ... | N/A | NONE | - | 0 |
| CVE-2025-31643 | Incorrect Privilege Assignment vulnerability in Dasinfomedia WPCHURCH allows Privilege Escalation. This issue affects WPCHURCH: from n/a through 2.7.0. | 8.8 | HIGH | - | 0 |
| CVE-2025-31962 | Insufficient session expiration in the Web UI authentication component in HCL BigFix IVR version 4.2 allows an authenticated attacker to gain prolonged unauthorized access to protected API endpoints d... | 2.0 | LOW | - | 0 |
| CVE-2025-32300 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Digital zoom studio DZS Video Gallery allows Reflected XSS. This issue affects DZS Video Gallery: f... | 7.1 | HIGH | - | 0 |
| CVE-2025-47343 | Memory corruption while processing a video session to set video parameters. | 7.8 | HIGH | - | 0 |
| CVE-2023-7343 | HiSecOS web server versions 05.0.00 to 08.3.01 prior to 08.3.02 contains a privilege escalation vulnerability that allows authenticated users with operator or auditor roles to escalate privileges to t... | 7.8 | HIGH | - | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.