CVE-2025-12588 - USB Qr Code Scanner For Woocommerce <= 1.0.0 - Cross-Site Request Forgery to Settings Update
CVE ID : CVE-2025-12588
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The USB Qr Code Scanner For Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12588
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The USB Qr Code Scanner For Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12589 - WP-Walla <= 0.5.3.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting
CVE ID : CVE-2025-12589
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The WP-Walla plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 0.5.3.5. This is due to missing nonce verification on the settings page and insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12589
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The WP-Walla plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 0.5.3.5. This is due to missing nonce verification on the settings page and insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12590 - YSlider <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting
CVE ID : CVE-2025-12590
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The YSlider plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.1. This is due to missing nonce verification on the content configuration page and insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages via a forged request granted they can trick an administrator into performing an action such as clicking on a link. The injected scripts will execute whenever a user accesses an injected page.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12590
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The YSlider plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.1. This is due to missing nonce verification on the content configuration page and insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages via a forged request granted they can trick an administrator into performing an action such as clicking on a link. The injected scripts will execute whenever a user accesses an injected page.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12631 - Squirrels Auto Inventory <= 1.0.3 - Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID : CVE-2025-12631
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Squirrels Auto Inventory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity: 4.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12631
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Squirrels Auto Inventory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity: 4.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12632 - RandomQuotr <= 1.0.4 - Authenticated (Admin+) Stored Cross-Site Scripting
CVE ID : CVE-2025-12632
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The RandomQuotr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12632
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The RandomQuotr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12637 - Elastic Theme Editor <= 0.0.3 - Authenticated (Subscriber+) Arbitrary File Upload
CVE ID : CVE-2025-12637
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Elastic Theme Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a dynamic code generation feature in the process_theme function in all versions up to, and including, 0.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12637
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Elastic Theme Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a dynamic code generation feature in the process_theme function in all versions up to, and including, 0.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12644 - Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress <= 1.0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields
CVE ID : CVE-2025-12644
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'nonaki' shortcode in all versions up to, and including, 1.0.11. This is due to insufficient input sanitization and output escaping on user supplied custom field values that are retrieved and rendered by the shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12644
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'nonaki' shortcode in all versions up to, and including, 1.0.11. This is due to insufficient input sanitization and output escaping on user supplied custom field values that are retrieved and rendered by the shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12651 - Live Photos on WordPress <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID : CVE-2025-12651
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Live Photos on WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'video_src', 'img_src', and 'class' parameters in the livephotos_photo shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute when a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12651
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Live Photos on WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'video_src', 'img_src', and 'class' parameters in the livephotos_photo shortcode in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute when a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12652 - Ungapped Widgets <= 1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID : CVE-2025-12652
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Ungapped Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prefillvalues' parameter in the ungapped-form shortcode in all versions up to, and including, 1. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute when a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12652
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Ungapped Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prefillvalues' parameter in the ungapped-form shortcode in all versions up to, and including, 1. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute when a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12658 - Preload Current Images <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID : CVE-2025-12658
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Preload Current Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'complete' parameter in the 'preload_progress_bar' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12658
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Preload Current Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'complete' parameter in the 'preload_progress_bar' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12662 - Coon Google Maps <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID : CVE-2025-12662
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Coon Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'height' parameter in the 'map' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12662
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Coon Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'height' parameter in the 'map' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12663 - Jeba Cute forkit <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID : CVE-2025-12663
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Jeba Cute forkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' parameter in the 'jeba_forkit' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12663
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Jeba Cute forkit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' parameter in the 'jeba_forkit' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12665 - Ninja Countdown <= 1.5.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Countdown Deletion
CVE ID : CVE-2025-12665
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Ninja Countdown | Fastest Countdown Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ninja_countdown_admin_ajax' AJAX endpoint in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary countdowns.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12665
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Ninja Countdown | Fastest Countdown Builder plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ninja_countdown_admin_ajax' AJAX endpoint in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary countdowns.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12667 - GitHub Gist Shortcode Plugin <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID : CVE-2025-12667
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The GitHub Gist Shortcode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'gist' shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12667
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The GitHub Gist Shortcode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'gist' shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12668 - WP Count Down Timer <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID : CVE-2025-12668
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The WP Count Down Timer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'wp_countdown_timer' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12668
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The WP Count Down Timer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'wp_countdown_timer' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12671 - WP-Iconics <= 0.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID : CVE-2025-12671
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The WP-Iconics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'wp_iconics' shortcode in all versions up to, and including, 0.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12671
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The WP-Iconics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters of the 'wp_iconics' shortcode in all versions up to, and including, 0.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12672 - Flickr Show <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID : CVE-2025-12672
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Flickr Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'div_height' parameter of the 'flickrshow' shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12672
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Flickr Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'div_height' parameter of the 'flickrshow' shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12711 - Share to Google Classroom <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via share_to_google Shortcode
CVE ID : CVE-2025-12711
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Share to Google Classroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the share_to_google shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12711
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Share to Google Classroom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the share_to_google shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12753 - Chart Expert <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID : CVE-2025-12753
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Chart Expert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pmzez_chart' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12753
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Chart Expert plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pmzez_chart' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12754 - Geopost <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE ID : CVE-2025-12754
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Geopost plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'height' parameter of the 'geopost' shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12754
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Geopost plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'height' parameter of the 'geopost' shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12813 - Holiday class post calendar <= 7.1 - Unauthenticated Remote Code Execution via 'contents'
CVE ID : CVE-2025-12813
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter. This is due to a lack of sanitization of user-supplied data when creating a cache file. This makes it possible for unauthenticated attackers to execute code on the server.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12813
Published : Nov. 11, 2025, 4:15 a.m. | 2 hours, 33 minutes ago
Description : The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.1 via the 'contents' parameter. This is due to a lack of sanitization of user-supplied data when creating a cache file. This makes it possible for unauthenticated attackers to execute code on the server.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...