CVE-2025-12172 - Mailchimp List Subscribe Form <= 2.0.0 - Cross-Site Request Forgery to Mailchimp List Change
CVE ID : CVE-2025-12172
Published : Feb. 19, 2026, 3:25 a.m. | 54 minutes ago
Description : The Mailchimp List Subscribe Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.0. This is due to missing or incorrect nonce validation on the mailchimp_sf_change_list_if_necessary() function. This makes it possible for unauthenticated attackers to change Mailchimp lists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12172
Published : Feb. 19, 2026, 3:25 a.m. | 54 minutes ago
Description : The Mailchimp List Subscribe Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.0. This is due to missing or incorrect nonce validation on the mailchimp_sf_change_list_if_necessary() function. This makes it possible for unauthenticated attackers to change Mailchimp lists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-11754 - Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent <= 4.1.2 - Missing Authorization to Sensitive Information Exposure
CVE ID : CVE-2025-11754
Published : Feb. 19, 2026, 3:25 a.m. | 54 minutes ago
Description : The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-11754
Published : Feb. 19, 2026, 3:25 a.m. | 54 minutes ago
Description : The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12451 - Easy SVG Support <= 4.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
CVE ID : CVE-2025-12451
Published : Feb. 19, 2026, 3:25 a.m. | 54 minutes ago
Description : The Easy SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12451
Published : Feb. 19, 2026, 3:25 a.m. | 54 minutes ago
Description : The Easy SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12375 - Printful Integration for WooCommerce <= 2.2.11 - Authenticated (Contributor+) Server-Side Request Forgery
CVE ID : CVE-2025-12375
Published : Feb. 19, 2026, 3:25 a.m. | 54 minutes ago
Description : The Printful Integration for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.11 via the advanced size chart REST API endpoint. This is due to insufficient validation of user-supplied URLs before passing them to the download_url() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12375
Published : Feb. 19, 2026, 3:25 a.m. | 54 minutes ago
Description : The Printful Integration for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.2.11 via the advanced size chart REST API endpoint. This is due to insufficient validation of user-supplied URLs before passing them to the download_url() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13079 - Popup Builder - Create highly converting, mobile friendly marketing popups. <= 4.4.2 - Improper Authorization to Unauthenticated Subscriber Removal via Predictable Tokens
CVE ID : CVE-2025-13079
Published : Feb. 19, 2026, 3:25 a.m. | 54 minutes ago
Description : The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.2. This is due to the plugin generating predictable unsubscribe tokens using deterministic data. This makes it possible for unauthenticated attackers to unsubscribe arbitrary subscribers from mailing lists via brute-forcing the unsubscribe token, granted they know the victim's email address
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13079
Published : Feb. 19, 2026, 3:25 a.m. | 54 minutes ago
Description : The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.2. This is due to the plugin generating predictable unsubscribe tokens using deterministic data. This makes it possible for unauthenticated attackers to unsubscribe arbitrary subscribers from mailing lists via brute-forcing the unsubscribe token, granted they know the victim's email address
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12707 - Library Management System <= 3.2.1 - Unauthenticated SQL Injection
CVE ID : CVE-2025-12707
Published : Feb. 19, 2026, 3:25 a.m. | 54 minutes ago
Description : The Library Management System plugin for WordPress is vulnerable to SQL Injection via the 'bid' parameter in all versions up to, and including, 3.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12707
Published : Feb. 19, 2026, 3:25 a.m. | 54 minutes ago
Description : The Library Management System plugin for WordPress is vulnerable to SQL Injection via the 'bid' parameter in all versions up to, and including, 3.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12882 - Clasifico Listing <= 2.0 - Unauthenticated Privilege Escalation
CVE ID : CVE-2025-12882
Published : Feb. 19, 2026, 3:25 a.m. | 54 minutes ago
Description : The Clasifico Listing plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.0. This is due to the plugin allowing users who are registering new accounts to set their own role by supplying the 'listing_user_role' parameter. This makes it possible for unauthenticated attackers to gain elevated privileges by registering an account with the administrator role.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12882
Published : Feb. 19, 2026, 3:25 a.m. | 54 minutes ago
Description : The Clasifico Listing plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.0. This is due to the plugin allowing users who are registering new accounts to set their own role by supplying the 'listing_user_role' parameter. This makes it possible for unauthenticated attackers to gain elevated privileges by registering an account with the administrator role.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12116 - Drift <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title
CVE ID : CVE-2025-12116
Published : Feb. 19, 2026, 3:25 a.m. | 54 minutes ago
Description : The Drift theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12116
Published : Feb. 19, 2026, 3:25 a.m. | 54 minutes ago
Description : The Drift theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12821 - NewsBlogger <= 0.2.5.6 - 0.2.6.1 - Cross-Site Request Forgery to Arbitrary Plugin Installation
CVE ID : CVE-2025-12821
Published : Feb. 19, 2026, 3:25 a.m. | 54 minutes ago
Description : The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 0.2.5.6 to 0.2.6.1. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This is due to a reverted fix of CVE-2025-1305.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12821
Published : Feb. 19, 2026, 3:25 a.m. | 54 minutes ago
Description : The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 0.2.5.6 to 0.2.6.1. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This is due to a reverted fix of CVE-2025-1305.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12884 - Advanced Ads – Ad Manager & AdSense <= 2.0.14 - Missing Authorization to Authenticated (Subscriber+) Ad Placements Update
CVE ID : CVE-2025-12884
Published : Feb. 19, 2026, 3:25 a.m. | 53 minutes ago
Description : The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `placement_update_item()` function. This makes it possible for authenticated attackers, with subscriber-level access and above, to update ad placements, allowing them to change which ad or ad group a placement serves.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12884
Published : Feb. 19, 2026, 3:25 a.m. | 53 minutes ago
Description : The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 2.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `placement_update_item()` function. This makes it possible for authenticated attackers, with subscriber-level access and above, to update ad placements, allowing them to change which ad or ad group a placement serves.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12845 - Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent 0.5.4 - 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Information Exposure and Privilege Escalation
CVE ID : CVE-2025-12845
Published : Feb. 19, 2026, 3:25 a.m. | 53 minutes ago
Description : The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to unauthorized access of data that leads to privilege escalation due to a missing capability check on the get_table_data() function in versions 0.5.4 to 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve plugin table data that can expose email log information. Attackers can leverage this on sites where the table log is enabled in order to trigger a password reset and obtain the reset key.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12845
Published : Feb. 19, 2026, 3:25 a.m. | 53 minutes ago
Description : The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to unauthorized access of data that leads to privilege escalation due to a missing capability check on the get_table_data() function in versions 0.5.4 to 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve plugin table data that can expose email log information. Attackers can leverage this on sites where the table log is enabled in order to trigger a password reset and obtain the reset key.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13113 - Web Accessibility by accessiBe <= 2.11 - Unauthenticated Sensitive Information Exposure
CVE ID : CVE-2025-13113
Published : Feb. 19, 2026, 3:25 a.m. | 53 minutes ago
Description : The Web Accessibility by accessiBe plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11. This is due to the `accessibe_render_js_in_footer()` function logging the complete plugin options array to the browser console on public pages, without restricting output to privileged users or checking for debug mode. This makes it possible for unauthenticated attackers to view sensitive configuration data, including email addresses, accessiBe user IDs, account IDs, and license information, via the browser console when the widget is disabled.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13113
Published : Feb. 19, 2026, 3:25 a.m. | 53 minutes ago
Description : The Web Accessibility by accessiBe plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11. This is due to the `accessibe_render_js_in_footer()` function logging the complete plugin options array to the browser console on public pages, without restricting output to privileged users or checking for debug mode. This makes it possible for unauthenticated attackers to view sensitive configuration data, including email addresses, accessiBe user IDs, account IDs, and license information, via the browser console when the widget is disabled.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12117 - Renden <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title
CVE ID : CVE-2025-12117
Published : Feb. 19, 2026, 3:25 a.m. | 53 minutes ago
Description : The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12117
Published : Feb. 19, 2026, 3:25 a.m. | 53 minutes ago
Description : The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13048 - Official StatCounter Plugin <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Nickname
CVE ID : CVE-2025-13048
Published : Feb. 19, 2026, 3:25 a.m. | 53 minutes ago
Description : The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user's Nickname in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13048
Published : Feb. 19, 2026, 3:25 a.m. | 53 minutes ago
Description : The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user's Nickname in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12081 - ACF Photo Gallery Field <= 3.0 - Missing Authorization to Authenticated (Subscriber+) Attachment Metadata Modification
CVE ID : CVE-2025-12081
Published : Feb. 19, 2026, 3:25 a.m. | 53 minutes ago
Description : The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "acf_photo_gallery_edit_save" function in all versions up to, and including, 3.0. This makes it possible for authenticated attackers, with subscriber level access and above, to modify the title, caption, and custom metadata of arbitrary media attachments.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12081
Published : Feb. 19, 2026, 3:25 a.m. | 53 minutes ago
Description : The ACF Photo Gallery Field plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the "acf_photo_gallery_edit_save" function in all versions up to, and including, 3.0. This makes it possible for authenticated attackers, with subscriber level access and above, to modify the title, caption, and custom metadata of arbitrary media attachments.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12500 - Checkout Field Manager (Checkout Manager) for WooCommerce <= 7.8.1 - Unauthenticated Limited File Upload
CVE ID : CVE-2025-12500
Published : Feb. 19, 2026, 3:25 a.m. | 53 minutes ago
Description : The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to unauthenticated limited file upload in all versions up to, and including, 7.8.1. This is due to the plugin not properly verifying that a user is authorized to perform file upload actions via the "ajax_checkout_attachment_upload" function. This makes it possible for unauthenticated attackers to upload files to the server, though file types are limited to WordPress's default allowed MIME types (images, documents, etc.).
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12500
Published : Feb. 19, 2026, 3:25 a.m. | 53 minutes ago
Description : The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to unauthenticated limited file upload in all versions up to, and including, 7.8.1. This is due to the plugin not properly verifying that a user is authorized to perform file upload actions via the "ajax_checkout_attachment_upload" function. This makes it possible for unauthenticated attackers to upload files to the server, though file types are limited to WordPress's default allowed MIME types (images, documents, etc.).
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-2702 - Beetel 777VR1 WPA2 PSK hard-coded credentials
CVE ID : CVE-2026-2702
Published : Feb. 19, 2026, 3:32 a.m. | 47 minutes ago
Description : A security flaw has been discovered in Beetel 777VR1 up to 01.00.09. This issue affects some unknown processing of the component WPA2 PSK. Performing a manipulation results in hard-coded credentials. The attacker must have access to the local network to execute the attack. The complexity of an attack is rather high. The exploitability is assessed as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-2702
Published : Feb. 19, 2026, 3:32 a.m. | 47 minutes ago
Description : A security flaw has been discovered in Beetel 777VR1 up to 01.00.09. This issue affects some unknown processing of the component WPA2 PSK. Performing a manipulation results in hard-coded credentials. The attacker must have access to the local network to execute the attack. The complexity of an attack is rather high. The exploitability is assessed as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-15586 - Apache OGP Authentication Bypass
CVE ID : CVE-2025-15586
Published : Feb. 19, 2026, 3:41 a.m. | 38 minutes ago
Description : OGP-Website installs prior git commit 52f865a4fba763594453068acf8fa9e3fc38d663 are affected by a type juggling flaw which if exploited can result in authentication bypass without knowledge of the victim account's password.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-15586
Published : Feb. 19, 2026, 3:41 a.m. | 38 minutes ago
Description : OGP-Website installs prior git commit 52f865a4fba763594453068acf8fa9e3fc38d663 are affected by a type juggling flaw which if exploited can result in authentication bypass without knowledge of the victim account's password.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-2703 - xlnt-community xlnt Encrypted XLSX File base64.cpp decode_base64 off-by-one
CVE ID : CVE-2026-2703
Published : Feb. 19, 2026, 4:02 a.m. | 17 minutes ago
Description : A weakness has been identified in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::decode_base64 of the file source/detail/cryptography/base64.cpp of the component Encrypted XLSX File Parser. Executing a manipulation can lead to off-by-one. The attack requires local access. The exploit has been made available to the public and could be used for attacks. This patch is called f2d7bf494e5c52706843cf7eb9892821bffb0734. Applying a patch is advised to resolve this issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-2703
Published : Feb. 19, 2026, 4:02 a.m. | 17 minutes ago
Description : A weakness has been identified in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::decode_base64 of the file source/detail/cryptography/base64.cpp of the component Encrypted XLSX File Parser. Executing a manipulation can lead to off-by-one. The attack requires local access. The exploit has been made available to the public and could be used for attacks. This patch is called f2d7bf494e5c52706843cf7eb9892821bffb0734. Applying a patch is advised to resolve this issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-13563 - Lizza LMS Pro <= 1.0.3 - Unauthenticated Privilege Escalation
CVE ID : CVE-2025-13563
Published : Feb. 19, 2026, 4:36 a.m. | 3 hours, 46 minutes ago
Description : The Lizza LMS Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the 'lizza_lms_pro_register_user_front_end' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-13563
Published : Feb. 19, 2026, 4:36 a.m. | 3 hours, 46 minutes ago
Description : The Lizza LMS Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the 'lizza_lms_pro_register_user_front_end' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-14270 - OneClick Chat to Order <= 1.0.9 - Missing Authorization to Authenticated (Editor+) Plugin Settings Update
CVE ID : CVE-2025-14270
Published : Feb. 19, 2026, 4:36 a.m. | 3 hours, 46 minutes ago
Description : The OneClick Chat to Order plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.9. This is due to the plugin not properly verifying that a user is authorized to perform an action in the wa_order_number_save_number_field function. This makes it possible for authenticated attackers, with Editor-level access and above, to modify WhatsApp phone numbers used by the plugin, redirecting customer orders and messages to attacker-controlled phone numbers.
Severity: 2.7 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14270
Published : Feb. 19, 2026, 4:36 a.m. | 3 hours, 46 minutes ago
Description : The OneClick Chat to Order plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.9. This is due to the plugin not properly verifying that a user is authorized to perform an action in the wa_order_number_save_number_field function. This makes it possible for authenticated attackers, with Editor-level access and above, to modify WhatsApp phone numbers used by the plugin, redirecting customer orders and messages to attacker-controlled phone numbers.
Severity: 2.7 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...