🚨 CVE-2025-11841
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Chart Data attributes in all versions up to, and including, 12.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
🎖@cveNotify
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Chart Data attributes in all versions up to, and including, 12.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
🎖@cveNotify
🚨 CVE-2025-12324
The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `table` shortcode attributes in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
🎖@cveNotify
The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `table` shortcode attributes in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
🎖@cveNotify
🚨 CVE-2025-11007
The CE21 Suite plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the wp_ajax_nopriv_ce21_single_sign_on_save_api_settings AJAX action in versions 2.2.1 to 2.3.1. This makes it possible for unauthenticated attackers to update the plugin's API settings including a secret key used for authentication. This allows unauthenticated attackers to create new admin accounts on an affected site.
🎖@cveNotify
The CE21 Suite plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the wp_ajax_nopriv_ce21_single_sign_on_save_api_settings AJAX action in versions 2.2.1 to 2.3.1. This makes it possible for unauthenticated attackers to update the plugin's API settings including a secret key used for authentication. This allows unauthenticated attackers to create new admin accounts on an affected site.
🎖@cveNotify
WordPress.org
CE21 Suite
CE21 Suite is a plugin that allow the addition of CE21 components to you WordPress site.
🚨 CVE-2025-11008
The CE21 Suite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.3.1 via the log file. This makes it possible for unauthenticated attackers to extract sensitive data including authentication credentials, which can be used to log in as other users as long as they have used the plugin's custom authentication feature before. This may include administrators, which makes a complete site takeover possible.
🎖@cveNotify
The CE21 Suite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.3.1 via the log file. This makes it possible for unauthenticated attackers to extract sensitive data including authentication credentials, which can be used to log in as other users as long as they have used the plugin's custom authentication feature before. This may include administrators, which makes a complete site takeover possible.
🎖@cveNotify
WordPress.org
CE21 Suite
CE21 Suite is a plugin that allow the addition of CE21 components to you WordPress site.
🚨 CVE-2025-12069
The WP Global Screen Options plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2. This is due to missing nonce validation on the `updatewpglobalscreenoptions` action handler. This makes it possible for unauthenticated attackers to modify global screen options for all users via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
🎖@cveNotify
The WP Global Screen Options plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2. This is due to missing nonce validation on the `updatewpglobalscreenoptions` action handler. This makes it possible for unauthenticated attackers to modify global screen options for all users via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
🎖@cveNotify
🚨 CVE-2025-12070
The ViaAds plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing nonce validation on the `ViaAds_pluginHandler` function. This makes it possible for unauthenticated attackers to modify the plugin's API key and cookie consent settings via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
🎖@cveNotify
The ViaAds plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing nonce validation on the `ViaAds_pluginHandler` function. This makes it possible for unauthenticated attackers to modify the plugin's API key and cookie consent settings via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
🎖@cveNotify
🚨 CVE-2025-12401
The Label Plugins plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5. This is due to missing or incorrect nonce validation on the label_plugins_options() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
🎖@cveNotify
The Label Plugins plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5. This is due to missing or incorrect nonce validation on the label_plugins_options() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
🎖@cveNotify
🚨 CVE-2025-27064
Information disclosure while registering commands from clients with diag through diagHal.
🎖@cveNotify
Information disclosure while registering commands from clients with diag through diagHal.
🎖@cveNotify
🚨 CVE-2025-47357
Information Disclosure when a user-level driver performs QFPROM read or write operations on Fuse regions.
🎖@cveNotify
Information Disclosure when a user-level driver performs QFPROM read or write operations on Fuse regions.
🎖@cveNotify
🚨 CVE-2025-47360
Memory corruption while processing client message during device management.
🎖@cveNotify
Memory corruption while processing client message during device management.
🎖@cveNotify
🚨 CVE-2025-47361
Memory corruption when triggering a subsystem crash with an out-of-range identifier.
🎖@cveNotify
Memory corruption when triggering a subsystem crash with an out-of-range identifier.
🎖@cveNotify
🚨 CVE-2025-47362
Information disclosure while processing message from client with invalid payload.
🎖@cveNotify
Information disclosure while processing message from client with invalid payload.
🎖@cveNotify
🚨 CVE-2025-47365
Memory corruption while processing large input data from a remote source via a communication interface.
🎖@cveNotify
Memory corruption while processing large input data from a remote source via a communication interface.
🎖@cveNotify
🚨 CVE-2025-47368
Memory corruption when dereferencing an invalid userspace address in a user buffer during MCDM IOCTL processing.
🎖@cveNotify
Memory corruption when dereferencing an invalid userspace address in a user buffer during MCDM IOCTL processing.
🎖@cveNotify
🚨 CVE-2025-47370
Transient DOS when a remote device sends an invalid connection request during BT connectable LE scan.
🎖@cveNotify
Transient DOS when a remote device sends an invalid connection request during BT connectable LE scan.
🎖@cveNotify
🔥1