{"id":2551,"date":"2025-05-02T07:14:19","date_gmt":"2025-05-02T07:14:19","guid":{"rendered":"http:\/\/localhost\/?p=2551"},"modified":"2025-05-02T07:14:19","modified_gmt":"2025-05-02T07:14:19","slug":"wordfence-intelligence-weekly-wordpress-vulnerability-report-april-21-2025-to-april-27-2025","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=2551","title":{"rendered":"Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025)"},"content":{"rendered":"<div class=\"vulnerability-details\">\n<h2>Vulnerability Details<\/h2>\n<div class=\"info-section\">\n<h3>Basic Information<\/h3>\n<table class=\"info-table\">\n<tr>\n<th>Title<\/th>\n<td>Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025)<\/td>\n<\/tr>\n<tr>\n<th>Type<\/th>\n<td>wordfence<\/td>\n<\/tr>\n<tr>\n<th>Published<\/th>\n<td>2025-05-01T15:38:37<\/td>\n<\/tr>\n<tr>\n<th>Last Seen<\/th>\n<td>2025-05-01T17:24:41<\/td>\n<\/tr>\n<tr>\n<th>CVSS Score<\/th>\n<td style=\"color: #cc0000; font-weight: bold;\">9.8 (CRITICAL)<\/td>\n<\/tr>\n<\/table><\/div>\n<div class=\"cvss-section\">\n<h3>CVSS v3 Details<\/h3>\n<table class=\"cvss-table\">\n<tr>\n<th>Attack Vector<\/th>\n<td>NETWORK<\/td>\n<\/tr>\n<tr>\n<th>Attack Complexity<\/th>\n<td>LOW<\/td>\n<\/tr>\n<tr>\n<th>Privileges Required<\/th>\n<td>NONE<\/td>\n<\/tr>\n<tr>\n<th>User Interaction<\/th>\n<td>NONE<\/td>\n<\/tr>\n<tr>\n<th>Scope<\/th>\n<td>UNCHANGED<\/td>\n<\/tr>\n<tr>\n<th>Confidentiality Impact<\/th>\n<td>HIGH<\/td>\n<\/tr>\n<tr>\n<th>Integrity Impact<\/th>\n<td>HIGH<\/td>\n<\/tr>\n<tr>\n<th>Availability Impact<\/th>\n<td>HIGH<\/td>\n<\/tr>\n<\/table><\/div>\n<div class=\"cve-section\">\n<h3>CVE Information<\/h3>\n<table class=\"cve-table\">\n<tr>\n<th>CVE IDs<\/th>\n<td>CVE-2024-11299, CVE-2024-11917, CVE-2024-13307, CVE-2024-13808, CVE-2024-13812, CVE-2025-1054, CVE-2025-1279, CVE-2025-1284, CVE-2025-1294, CVE-2025-1458, CVE-2025-1565, CVE-2025-2101, 
CVE-2025-2105, CVE-2025-2238, CVE-2025-2470, CVE-2025-2543, CVE-2025-2579, CVE-2025-2580, CVE-2025-2801, CVE-2025-2839, CVE-2025-3058, CVE-2025-3065, CVE-2025-3101, CVE-2025-3280, CVE-2025-32921, CVE-2025-32924, CVE-2025-32925, CVE-2025-32926, CVE-2025-32927, CVE-2025-32928, CVE-2025-3300, CVE-2025-3435, CVE-2025-3457, CVE-2025-3458, CVE-2025-3472, CVE-2025-3491, CVE-2025-3529, CVE-2025-3530, CVE-2025-3603, CVE-2025-3604, CVE-2025-3607, CVE-2025-3616, CVE-2025-3743, CVE-2025-3749, CVE-2025-3752, CVE-2025-3761, CVE-2025-3775, CVE-2025-3776, CVE-2025-3793, CVE-2025-3814, CVE-2025-3832, CVE-2025-3861, CVE-2025-3866, CVE-2025-3867, CVE-2025-3868, CVE-2025-3870, CVE-2025-3906, CVE-2025-3912, CVE-2025-3914, CVE-2025-3915, CVE-2025-3923, CVE-2025-39348, CVE-2025-39349, CVE-2025-39350, CVE-2025-39352, CVE-2025-39354, CVE-2025-39355, CVE-2025-39356, CVE-2025-39357, CVE-2025-39359, CVE-2025-39360, CVE-2025-39365, CVE-2025-39366, CVE-2025-39369, CVE-2025-39370, CVE-2025-39371, CVE-2025-39372, CVE-2025-39373, CVE-2025-39374, CVE-2025-39375, CVE-2025-39376, CVE-2025-39377, CVE-2025-39378, CVE-2025-39379, CVE-2025-39380, CVE-2025-39382, CVE-2025-39383, CVE-2025-39384, CVE-2025-39386, CVE-2025-39387, CVE-2025-39389, CVE-2025-39391, CVE-2025-39393, CVE-2025-39397, CVE-2025-39398, CVE-2025-39399, CVE-2025-39400, CVE-2025-43833, CVE-2025-43834, CVE-2025-43835, CVE-2025-43840, CVE-2025-43841, CVE-2025-46225, CVE-2025-46226, CVE-2025-46227, CVE-2025-46228, CVE-2025-46229, CVE-2025-46230, CVE-2025-46231, CVE-2025-46232, CVE-2025-46233, CVE-2025-46234, CVE-2025-46235, CVE-2025-46236, CVE-2025-46237, CVE-2025-46238, CVE-2025-46239, CVE-2025-46240, CVE-2025-46241, CVE-2025-46242, CVE-2025-46243, CVE-2025-46244, CVE-2025-46245, CVE-2025-46246, CVE-2025-46247, CVE-2025-46248, CVE-2025-46249, CVE-2025-46250, CVE-2025-46251, CVE-2025-46252, CVE-2025-46253, CVE-2025-46254, CVE-2025-46260, CVE-2025-46261, CVE-2025-46262, CVE-2025-46263, CVE-2025-46435, CVE-2025-46436, CVE-2025-46437, 
CVE-2025-46438, CVE-2025-46439, CVE-2025-46442, CVE-2025-46443, CVE-2025-46445, CVE-2025-46446, CVE-2025-46447, CVE-2025-46448, CVE-2025-46449, CVE-2025-46450, CVE-2025-46451, CVE-2025-46452, CVE-2025-46453, CVE-2025-46455, CVE-2025-46457, CVE-2025-46459, CVE-2025-46460, CVE-2025-46461, CVE-2025-46462, CVE-2025-46463, CVE-2025-46465, CVE-2025-46466, CVE-2025-46467, CVE-2025-46468, CVE-2025-46469, CVE-2025-46470, CVE-2025-46471, CVE-2025-46472, CVE-2025-46473, CVE-2025-46474, CVE-2025-46475, CVE-2025-46476, CVE-2025-46477, CVE-2025-46478, CVE-2025-46479, CVE-2025-46480, CVE-2025-46481, CVE-2025-46482, CVE-2025-46483, CVE-2025-46484, CVE-2025-46485, CVE-2025-46489, CVE-2025-46490, CVE-2025-46491, CVE-2025-46492, CVE-2025-46495, CVE-2025-46496, CVE-2025-46497, CVE-2025-46498, CVE-2025-46499, CVE-2025-46501, CVE-2025-46502, CVE-2025-46503, CVE-2025-46504, CVE-2025-46505, CVE-2025-46506, CVE-2025-46507, CVE-2025-46508, CVE-2025-46509, CVE-2025-46510, CVE-2025-46511, CVE-2025-46512, CVE-2025-46513, CVE-2025-46514, CVE-2025-46516, CVE-2025-46517, CVE-2025-46519, CVE-2025-46520, CVE-2025-46521, CVE-2025-46522, CVE-2025-46523, CVE-2025-46524, CVE-2025-46525, CVE-2025-46526, CVE-2025-46528, CVE-2025-46529, CVE-2025-46530, CVE-2025-46531, CVE-2025-46532, CVE-2025-46533, CVE-2025-46534, CVE-2025-46535, CVE-2025-46536, CVE-2025-46538, CVE-2025-46539, CVE-2025-46540, CVE-2025-46541, CVE-2025-46542, CVE-2025-46543<\/td>\n<\/tr>\n<tr>\n<th>CWE<\/th>\n<td><\/td>\n<\/tr>\n<tr>\n<th>Bulletin Family<\/th>\n<td>info<\/td>\n<\/tr>\n<\/table><\/div>\n<div class=\"description-section\">\n<h3>Description<\/h3>\n<div class=\"description-content\">\n            * * *<\/p>\n<p>_\ud83d\udce2 **In case you missed it, Wordfence just published its annual WordPress security report for 2024. Read it now to learn more about the evolving risk landscape of WordPress so you can keep your sites protected in 2025 and beyond. 
**_<\/p>\n<p>* * *<\/p>\n<p>Last week, there were 229 vulnerabilities disclosed in 196 WordPress Plugins and 14 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 53 Vulnerability Researchers that contributed to WordPress Security last week. **Review those vulnerabilities in this report now to ensure your site is not affected.**<\/p>\n<p>Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data **to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies.** That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.<\/p>\n<p>Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. 
Or alternatively, utilize the vulnerability Database API to receive a complete dump of our **database of over 26,000 vulnerabilities** and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, **all for free**.<\/p>\n<p>_Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published._<\/p>\n<p>* * *<\/p>\n<p>### New Firewall Rules Deployed Last Week<\/p>\n<p>The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.<\/p>\n<p>The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:<\/p>\n<p>  * My Tickets \u2013 Accessible Event Ticketing <= 2.0.16 - Authenticated (Subscriber+) Privilege Escalation\n  * WAF-RULE-822 - Data redacted while we work with the vendor on a patch.\n  * WAF-RULE-824 - Data redacted while we work with the vendor on a patch.\n\n\n\nWordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.\n\n* * *\n\n### Total Unpatched &#038; Patched Vulnerabilities Last Week\n\nPatch Status | Number of Vulnerabilities  \n---|---  \nPatched | 81  \nUnpatched | 148  \n  \n* * *\n\n### Total Vulnerabilities by CVSS Severity Last Week\n\nSeverity Rating | Number of Vulnerabilities  \n---|---  \nMedium Severity | 170  \nHigh Severity | 34  \nCritical Severity | 25  \n  \n* * *\n\n### Total Vulnerabilities by CWE Type Last Week\n\nVulnerability Type by CWE | Number of Vulnerabilities  \n---|---  \nImproper Neutralization of Input During Web Page 
Generation ('Cross-site Scripting') | 91  \nCross-Site Request Forgery (CSRF) | 42  \nMissing Authorization | 20  \nImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 17  \nImproper Control of Filename for Include\/Require Statement in PHP Program ('PHP Remote File Inclusion') | 15  \nDeserialization of Untrusted Data | 10  \nImproper Control of Generation of Code ('Code Injection') | 6  \nServer-Side Request Forgery (SSRF) | 5  \nImproper Privilege Management | 4  \nUnrestricted Upload of File with Dangerous Type | 4  \nImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 3  \nUnverified Password Change | 3  \nExposure of Sensitive Information to an Unauthorized Actor | 2  \nExternal Control of Assumed-Immutable Web Parameter | 2  \nAuthorization Bypass Through User-Controlled Key | 1  \nImproper Authentication | 1  \nIncorrect Authorization | 1  \nIncorrect Privilege Assignment | 1  \nInsertion of Sensitive Information Into Sent Data | 1  \n  \n* * *\n\n### Researchers That Contributed to WordPress Security Last Week\n\nResearcher Name | Number of Vulnerabilities  \n---|---  \n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g) johska | 49  \n![](https:\/\/www.gravatar.com\/avatar\/86a1429aeb8e473ec62cf8dd3d4e4571.jpg?s=32&#038;d=mp&#038;r=g) Nabil Irawan | 16  \n![](https:\/\/www.gravatar.com\/avatar\/97a1f88460217867f45b925b3af1bb6a.jpg?s=32&#038;d=mp&#038;r=g) muhammad yudha | 15  \n![](https:\/\/www.gravatar.com\/avatar\/f1b68a12f61846b7fbcd7f1338106a1f.jpg?s=32&#038;d=mp&#038;r=g) Dimas Maulana | 12  \n![](https:\/\/www.gravatar.com\/avatar\/e37bf2a629b6924efb95f289b0a7f7e4.jpg?s=32&#038;d=mp&#038;r=g) Nguyen Xuan Chien | 10  \n![](https:\/\/www.gravatar.com\/avatar\/dfc42784669accf02da36cb658a6a355.jpg?s=32&#038;d=mp&#038;r=g) ch4r0n | 10  \n![](https:\/\/www.gravatar.com\/avatar\/11dfabc58a06f06c9123a7e17a41cecb.jpg?s=32&#038;d=mp&#038;r=g) 
Aiden (Th\u00e1i An) | 7  \n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g) Bonds | 7  \n![](https:\/\/www.gravatar.com\/avatar\/15c7bc3e71963fdd7c656346bcf8b159.jpg?s=32&#038;d=mp&#038;r=g) Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | 6  \n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g) Ananda Dhakal | 6  \n![](https:\/\/www.gravatar.com\/avatar\/e97952602dfd17f0532ab6202b1dd0db.jpg?s=32&#038;d=mp&#038;r=g) kr0d | 6  \n![](https:\/\/www.gravatar.com\/avatar\/b9c98f876000c488fa1e815fe093a085.jpg?s=32&#038;d=mp&#038;r=g) Nguyen Ngoc Quang Bach (maysbachs) | 5  \n![](https:\/\/www.gravatar.com\/avatar\/c48b8b9be22c8d030834699df0d43897.jpg?s=32&#038;d=mp&#038;r=g) Tonn | 5  \n![](https:\/\/www.gravatar.com\/avatar\/f894d5600bcba5e947d6dde37a3cec1b.jpg?s=32&#038;d=mp&#038;r=g) stealthcopter | 4  \n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g) astra.r3verii | 4  \n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g) timomangcut | 4  \n![](https:\/\/www.gravatar.com\/avatar\/a07a4a4ddd21367fd4d51d2d3105e7ef.jpg?s=32&#038;d=mp&#038;r=g) Avraham Shemesh | 4  \n![](https:\/\/www.gravatar.com\/avatar\/258c774aecd81b7d1fa67abf3b576b33.jpg?s=32&#038;d=mp&#038;r=g) Peter Thaleikis | 4  \n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g) Skalucy | 3  \n![](https:\/\/www.gravatar.com\/avatar\/7b8cd550e860295a0dcf86632e3c79be.jpg?s=32&#038;d=mp&#038;r=g) Phat RiO - BlueRock | 3  \n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g) Dave Jong | 3  \n![](https:\/\/www.gravatar.com\/avatar\/8f9a99fa0333fc8418c837d7e0883c3b.jpg?s=32&#038;d=mp&#038;r=g) Lucio S\u00e1 | 3  
\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g) 0x1ceKing | 3  \n![](https:\/\/www.gravatar.com\/avatar\/305fb970257c915652a3c990285e766e.jpg?s=32&#038;d=mp&#038;r=g) Chuck | 3  \n![](https:\/\/www.gravatar.com\/avatar\/7abadae46f0b063bdd43911a30a87f65.jpg?s=32&#038;d=mp&#038;r=g) mikemyers | 2  \n![](https:\/\/www.gravatar.com\/avatar\/01dce303f1fab51371215f21992679d9.jpg?s=32&#038;d=mp&#038;r=g) theviper17y | 2  \n![](https:\/\/www.gravatar.com\/avatar\/37cc74b0e1957fee81825154abeae540.jpg?s=32&#038;d=mp&#038;r=g) nquangit | 2  \n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g) Michael | 2  \n![](https:\/\/www.gravatar.com\/avatar\/385d41daf781fbf4dbac2a1ff894d7fc.jpg?s=32&#038;d=mp&#038;r=g) Le Ngoc Anh | 2  \n![](https:\/\/www.gravatar.com\/avatar\/cd164c6348ca2048a891d26c4106e94a.jpg?s=32&#038;d=mp&#038;r=g) Jack Taylor | 2  \n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g) haudayroi | 2  \n![](https:\/\/www.gravatar.com\/avatar\/ef74f4dbe7907a62f177592f647c1afa.jpg?s=32&#038;d=mp&#038;r=g) Webbernaut | 2  \n![](https:\/\/www.gravatar.com\/avatar\/585bd77d4bbe100a43b04223fd09a74f.jpg?s=32&#038;d=mp&#038;r=g) Jo\u00e3o Pedro Soares de Alc\u00e2ntara | 1  \n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g) 0xVenus | 1  \n![](https:\/\/www.gravatar.com\/avatar\/b52f0ed9bfd356ab8119b9ee6d7d040a.jpg?s=32&#038;d=mp&#038;r=g) 0xbro | 1  \n![](https:\/\/www.gravatar.com\/avatar\/e9ce52728f69df70f9bafa79a7a6b548.jpg?s=32&#038;d=mp&#038;r=g) Amin Beheshti | 1  \n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g) Gab | 1  \n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g) Ngo Bui Truong Vu | 1  
\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g) domiee13 | 1  \n![](https:\/\/www.gravatar.com\/avatar\/0ad8993a904e3c0dcdc8928248485fd6.jpg?s=32&#038;d=mp&#038;r=g) shaman0x01 | 1  \n![](https:\/\/www.gravatar.com\/avatar\/0c476cecff9cf0286378f2943694146f.jpg?s=32&#038;d=mp&#038;r=g) Foxyyy | 1  \n![](https:\/\/www.gravatar.com\/avatar\/c36a7211a54c34d3d52be3b1bd8d253e.jpg?s=32&#038;d=mp&#038;r=g) lucky_buddy | 1  \n![](https:\/\/www.gravatar.com\/avatar\/563db10a8ff7243299139da63e0d17f7.jpg?s=32&#038;d=mp&#038;r=g) Francesco Carlucci | 1  \n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g) LVT-tholv2k | 1  \n![](https:\/\/www.gravatar.com\/avatar\/a964068aac6d7229783a0ea643877251.jpg?s=32&#038;d=mp&#038;r=g) zer0gh0st | 1  \n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g) Psai | 1  \n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g) Khalid Yusuf | 1  \n![](https:\/\/www.gravatar.com\/avatar\/2b99835f57008d2a5ee94f41555327d4.jpg?s=32&#038;d=mp&#038;r=g) Alyudin Nafiie | 1  \n![](https:\/\/www.gravatar.com\/avatar\/fe75f0e802ed3b22dcf3fc8fa6402026.jpg?s=32&#038;d=mp&#038;r=g) p4 | 1  \n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g) Hiro | 1  \n![](https:\/\/www.gravatar.com\/avatar\/328ff846493345d2b275183f36281a9d.jpg?s=32&#038;d=mp&#038;r=g) Tom Broucke | 1  \n![](https:\/\/www.gravatar.com\/avatar\/106e34cffb07e9ff1371d99d90540fca.jpg?s=32&#038;d=mp&#038;r=g) Dhabaleshwar Das | 1  \n![](https:\/\/www.gravatar.com\/avatar\/4c2bd6964b38518385c4e8d1791fd762.jpg?s=32&#038;d=mp&#038;r=g) zaim | 1  \n  \n_Are you a security researcher who would like to be featured in our weekly vulnerability report?_ You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope 
vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.\n\n* * *\n\n### WordPress Plugins with Reported Vulnerabilities Last Week\n\nSoftware Name | Software Slug  \n---|---  \n1 Decembrie 1918 |  1-decembrie-1918  \n360 View |  360-view  \nAble Player, accessible HTML5 media player |  ableplayer  \nAbsolute Links |  absolute-links  \nACF: Google Font Selector |  acf-google-font-selector-field  \nAdd custom page template |  add-custom-page-template  \nAdd Google +1 (Plus one) social share Button |  add-google-plus-one-social-share-button  \nAdvanced Accordion Gutenberg Block |  advanced-accordion-block  \nAdvanced lazy load |  advanced-lazy-load  \nAdvanced Linked Variations for Woocommerce |  linked-variation  \nAeropage Sync for Airtable |  aeropage-sync-for-airtable  \naffiliate-toolkit \u2013 WP Affiliate Plugin with Amazon |  affiliate-toolkit-starter  \nAjax Comment Form CST |  ajax-comment-form-cst  \nAll in One Time Clock Lite \u2013 Tracking Employee Time Has Never Been Easier |  aio-time-clock-lite  \nAlt Text AI \u2013 Automatically generate image alt text for SEO and accessibility |  alttext-ai  \nAnalyticsWP |  analyticswp  \nAnimate |  animate  \nAnps Theme plugin |  anps_theme_plugin  \nAnything Popup |  anything-popup  \nAppointment Booking Calendar |  appointment-booking-calendar  \nAppsero Helper |  appsero-helper  \nAuthor Box After Posts |  author-box-after-posts  \nAuthor Box Plugin With Different Description |  author-box-with-different-description  \nAvailability Calendar |  availability  \nAwesome Wp Image Gallery |  awesome-wp-image-gallery  \nBBCode Deluxe |  bbcode-deluxe  \nBeerXML Shortcode |  beerxml-shortcode  \nBest Posts Summary |  best-posts-summary  \nBest Quiz Plugin for WordPress: WP Quiz |  wp-quiz  \nBlog Manager WP |  blog-manager-wp  \nBM 
Content Builder |  bm-builder  \nBreeze Display |  wt-display-breeze  \nBuddypress Force Password Change |  buddy-press-force-password-change  \nBulk Assign Linked Products For WooCommerce |  wc-bulk-assign-linked-products  \nBusiness Contact Widget |  business-contact-widget  \nCall Now PHT Blog |  call-now-coccoc-pht-blog  \nCapturly |  capturly-optimize-your-website  \nCar Park Booking System for WordPress |  car-park-booking-system-for-wordpress  \nCarousel-of-post-images |  carousel-of-post-images  \nCheckBot |  checkbot  \nCheckout Field Visibility for WooCommerce |  checkout-field-visibility-for-woocommerce  \nCM Ad Changer \u2013 A simple tool to control and optimize your site's banners |  cm-ad-changer  \nCM Answers \u2013 Easy-to-use forum to grow your WP community |  cm-answers  \nConfigurator Theme Core |  amz-configurator-core  \nConfirm User Registration |  confirm-user-registration  \nContact Form 7 Calendar |  cf7-calendar  \nContact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form &#038; Custom Contact Form builder |  bit-form  \nControl Listings \u2013 Classifieds Ads Directory Portal Manager |  control-listings  \ncookieBAR |  cookiebar  \nCOVID-19 (Coronavirus) Update Your Customers |  covid-19-alert  \nCreate custom forms for WordPress with a smart form plugin for smart businesses \u2013 Form builder for WordPress |  abcsubmit  \nCrossword Compiler Puzzles |  crossword-compiler-puzzles  \nCustom Admin-Bar Favorites |  admin-bookmarks  \nCustom Functions Plugin |  custom-functions  \nCustom Login and Registration |  ms-registration  \nCustom Related Posts |  custom-related-posts  \nDatabase Toolset |  database-toolset  \nDocument Management System |  dms  \nDrop Caps |  drop-caps  \nDropdown Content |  dropdown-content  \nEasy Child Theme Creator |  easy-child-theme-creator  \neForm - WordPress Form Builder |  wp-fsqm-pro  \nElement Pack Addons for Elementor \u2013 Best Elementor addons with Ready Templates, 
Blocks, Widgets and WooCommerce Builder |  bdthemes-element-pack-lite  \nELEX WooCommerce Advanced Bulk Edit Products, Prices &#038; Attributes |  elex-bulk-edit-products-prices-attributes-for-woocommerce-basic  \nEnhanced Paypal Shortcodes |  enhanced-paypal-shortcodes  \nEvent post |  event-post  \nExternal Markdown |  external-markdown  \nFable Extra |  fable-extra  \nFAT Services Booking |  fat-services-booking  \nFlickr Shortcode Importer |  flickr-shortcode-importer  \nFloating Social Bar |  floating-social-bar  \nFlynax Bridge |  flynax-bridge  \nFoodbakery Sticky Cart |  foodbakery-sticky-cart  \nFrontend Dashboard |  frontend-dashboard  \nFrontend Login and Registration Blocks |  frontend-login-and-registration-blocks  \nFuseDesk |  fusedesk  \nGNA Search Shortcode |  gna-search-shortcode  \nGoogle News |  google-news  \nGrand Conference | Event WordPress |  grandconference  \nGreenshift \u2013 animation and page builder blocks |  greenshift-animation-and-page-builder-blocks  \nGTDB Guitar Tuners |  guitar-tuner  \nGutenKit \u2013 Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor |  gutenkit-blocks-addon  \nHacklog Remote Attachment |  hacklog-remote-attachment  \nHospital Management System for WordPress |  hospital-management  \nHTML Forms \u2013 Simple WordPress Forms Plugin |  html-forms  \niCafe Library |  icafe-library  \nImage Hover Effects For WPBakery Page Builder |  image-hover-effects-for-visual-composer  \nImage Optimizer, Resizer and CDN \u2013 Sirv |  sirv  \nImage Style Hover \u2013 Displays content when you hover on image |  image-content-show-hover  \nInline Text Popup |  inline-text-popup  \nIntegra\u00e7\u00e3o entre Eduzz e Woocommerce |  integracao-entre-eduzz-e-wc-powers  \nJobSearch WP Job Board |  wp-jobsearch  \nJupiter X Core |  jupiterx-core  \nLanding pages and Domain aliases for WordPress |  landing-pages-and-domain-aliases  \nLibro de Reclamaciones |  libro-de-reclamaciones  \nLicense For Envato |  
license-envato  \nLifetime free Drag &#038; Drop Contact Form Builder for WordPress VForm |  v-form  \nLink Library |  link-library  \nList Last Changes |  list-last-changes  \nLoan Calculator |  repayment-calculator  \nLottie Player- Great Lottie Player Solution |  embed-lottie-player  \nLSD Custom taxonomy and category meta |  custom-taxonomy-category-and-term-fields  \nMad Mimi for WordPress |  mad-mimi  \nMailing Group Listserv |  wp-mailing-group  \nMang Board WP |  mangboard  \nMayosis Core |  mayosis-core  \nMedia Library Downloader |  media-library-downloader  \nMemberpress |  memberpress  \nMessage Filter for Contact Form 7 |  cf7-message-filter  \nMilat jQuery Automatic Popup |  milat-jquery-automatic-popup  \nMini twitter feed |  mini-twitter-feed  \nMixcloud Embed |  mixcloud-embed  \nModern Polls |  modern-polls  \nMPL-Publisher \u2014 Ebook &#038; Audiobook Creator |  mpl-publisher  \nMulti-Column Taxonomy List |  multi-column-taxonomy-list  \nMy Custom Widgets |  mycustomwidget  \nMy Tickets \u2013 Accessible Event Ticketing |  my-tickets  \nNavegg Analytics |  navegg  \nNepali Post Date |  nepali-post-date  \noccupancyplan |  occupancyplan  \nOcean Extra |  ocean-extra  \nPayPal Express Checkout |  paypal-express-checkout  \nPeadig\u2019s Google +1 Button |  google-1  \nPeekaboo |  peekaboo  \nPlugin Central |  plugin-central  \nPopup Builder |  easy-notify-lite  \nPost in page for Elementor |  post-in-page-for-elementor  \nPosts for Page |  posts-for-page  \nPrevent Direct Access \u2013 Protect WordPress Files |  prevent-direct-access  \nPrint Science Designer |  print-science-designer  \nProduct Lister for eBay |  product-lister-ebay  \nRAphicon |  raphicon  \nRecover abandoned cart for WooCommerce |  recover-wc-abandoned-cart  \nRelated Posts via Taxonomies |  related-posts-via-taxonomies  \nRevy |  revy  \nRRSSB |  rrssb  \nSCSS-Library |  scss-library  \nSend From |  send-from  \nSeriously Simple Podcasting |  seriously-simple-podcasting  
\nService Finder Bookings |  sf-booking  \nSEUR Oficial |  seur  \nShopLentor \u2013 WooCommerce Builder for Elementor &#038; Gutenberg +20 Modules \u2013 All in One Solution (formerly WooLentor) |  woolentor-addons  \nSimple calendar for Elementor |  simple-calendar-for-elementor  \nSimple Download Counter |  simple-download-counter  \nSimple Google Photos Grid |  simple-google-photos-grid  \nSKT Blocks \u2013 Gutenberg based Page Builder |  skt-blocks  \nSky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery) |  sky-elementor-addons  \nSmart Hashtags [#hashtagger] |  hashtagger  \nSocial Counter |  social-counter  \nSpreadsheet Price Changer for WooCommerce and WP E-commerce \u2013 Light |  excel-like-price-change-for-woocommerce-and-wp-e-commerce-light  \nSUMO Reward Points for WooCommerce |  rewardsystem  \nTax Switch for WooCommerce |  tax-switch-for-woocommerce  \nTayori Form Plugin |  tayori  \nTextmetrics |  webtexttool  \nThe Pack Elementor addon |  the-pack-addon  \nTheme Switcha \u2013 Easily Switch Themes for Development and Testing |  theme-switcha  \nTime Based Greeting |  time-based-greeting  \nTwitter Card Generator |  twitter-card-generator  \nUiCore Elements \u2013 Free Elementor widgets and templates |  uicore-elements  \nUnsafe Mimetypes |  unsafe-mimetypes  \nUpsell Funnel Builder for WooCommerce |  upsell-order-bump-offer-for-woocommerce  \nUser Registration &#038; Membership \u2013 Custom Registration Form, Login Form, and User Profile |  user-registration  \nVasaio QR Code |  vasaio-qr-code  \nVerification SMS with TargetSMS |  verification-sms-targetsms  \nVikRestaurants Table Reservations and Take-Away |  vikrestaurants  \nVisual Composer Website Builder |  visualcomposer  \nWatu Quiz |  watu  \nWoocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) |  xc-woo-google-cloud-print  \nWordPress Easy Guide |  wp-easy-guide  
\nWordPress Events Calendar Registration &#038; Tickets |  wpeventplus  \nWordPress Simple Shopping Cart |  wordpress-simple-paypal-shopping-cart  \nWordPress Tabs |  gt-tabs  \nWordPress Tooltip |  wp-tooltip  \nWoWHead Tooltips |  wowhead-tooltips  \nWP AVCL Automation Helper (formerly WPFlyLeads) |  woozap  \nWP Cookie Consent |  wp-cookie-consent  \nWp Custom CMS Block |  wp-custom-cms-block  \nWP Custom Post Popup |  custom-post-popup  \nWP Customize Login Page |  wp-customize-login-page  \nWP Filter Post Category |  wp-filter-post-categories  \nWP Foodbakery |  wp-foodbakery  \nWP HRM LITE |  wp-hrm-lite-human-resource-management-system  \nWP Import Export Lite |  wp-import-export-lite  \nWP Vegas |  vegas-fullscreen-background-slider  \nwp-cyr-cho | \u041a\u043e\u043d\u0432\u0435\u0440\u0442\u0438\u0440\u0430 \u043a\u0438\u0440\u0438\u043b\u0441\u043a\u0438 \u0441\u0438\u043c\u0432\u043e\u043b\u0438 \u0432 \u043b\u0430\u0442\u0438\u043d\u0438\u0441\u043a\u0438 |  wp-cyr-cho  \nWP-reCAPTCHA-bp |  wp-recaptcha-bp  \nWPMasterToolKit (WPMTK) \u2013 All in one plugin |  wpmastertoolkit  \nWPVN \u2013 Username Changer |  wpvn-username-changer  \nWpZon \u2013 Amazon Affiliate Plugin |  wpzon  \nWS Force Login Page |  ws-force-login-page  \nWS Form LITE \u2013 Drag &#038; Drop Contact Form Builder for WordPress |  ws-form  \nXelion Webchat |  xelion-webchat  \nXpert Tab |  xpert-tab  \nXpro Elementor Addons - Pro |  xpro-elementor-addons-pro  \nZalo Official Live Chat |  zalo-official-live-chat  \nZoho Creator Forms |  zohocreator  \n  \n* * *\n\n### WordPress Themes with Reported Vulnerabilities Last Week\n\nSoftware Name | Software Slug  \n---|---  \nAltair |  altair  \nArrival |  arrival  \nbellevuex |  bellevuex  \nCiyaShop - Multipurpose WooCommerce Theme |  ciyashop  \nCWW Portfolio |  cww-portfolio  \nEduMall - Professional LMS Education Center WordPress Theme |  edumall  \nGrace Mag |  grace-mag  \nGrand Restaurant WordPress |  grandrestaurant  \nJNews - 
WordPress Newspaper Magazine Blog AMP Theme |  jnews  \nOpstore |  opstore  \nReales WP - Real Estate WordPress Theme |  reales-wp-real-estate-wordpress-theme  \nVikinger |  vikinger  \nwProject |  wproject  \nXews Lite |  xews-lite  \n  \n* * *\n\n### Vulnerability Details\n\nPlease note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should\u2019ve already been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.\n\n#### Altair <= 5.2.2 - Unauthenticated PHP Object Injection\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-32928**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nAltair\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Bonds\n\nMore Details ><\/p>\n<p>#### Arrival <= 1.4.5 - Unauthenticated Local File Inclusion\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-32921**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nArrival\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/f1b68a12f61846b7fbcd7f1338106a1f.jpg?s=32&#038;d=mp&#038;r=g)Dimas Maulana\n\nMore Details ><\/p>\n<p>#### Capturly <= 2.0.1 - Unauthenticated Local File Inclusion\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-39379**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nCapturly\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/f1b68a12f61846b7fbcd7f1338106a1f.jpg?s=32&#038;d=mp&#038;r=g)Dimas Maulana\n\nMore Details ><\/p>\n<p>#### Checkout Field Visibility for WooCommerce <= 1.2.3 - Unauthenticated Local File 
Inclusion\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-39391**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nCheckout Field Visibility for WooCommerce\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/f1b68a12f61846b7fbcd7f1338106a1f.jpg?s=32&#038;d=mp&#038;r=g)Dimas Maulana\n\nMore Details ><\/p>\n<p>#### CiyaShop <= 4.18.0 - Unauthenticated PHP Object Injection\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-39349**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nCiyaShop - Multipurpose WooCommerce Theme\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Bonds\n\nMore Details ><\/p>\n<p>#### CWW Portfolio <= 1.3.1 - Unauthenticated Local File Inclusion\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-39359**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nCWW Portfolio\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/f1b68a12f61846b7fbcd7f1338106a1f.jpg?s=32&#038;d=mp&#038;r=g)Dimas Maulana\n\nMore Details ><\/p>\n<p>#### Fable Extra <= 1.0.6 - Unauthenticated Local File Inclusion\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-46468**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nFable Extra\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/f894d5600bcba5e947d6dde37a3cec1b.jpg?s=32&#038;d=mp&#038;r=g)stealthcopter\n\nMore Details ><\/p>\n<p>#### Flynax Bridge <= 2.2.0 - Unauthenticated Privilege Escalation via Account Takeover\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-3604**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 23, 2025**\n\n**Affected Software**  \nFlynax Bridge\n\n**Researcher**  
\n\n\n![](https:\/\/www.gravatar.com\/avatar\/e97952602dfd17f0532ab6202b1dd0db.jpg?s=32&#038;d=mp&#038;r=g)kr0d\n\nMore Details ><\/p>\n<p>#### Flynax Bridge <= 2.2.0 - Unauthenticated Privilege Escalation via Password Update\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-3603**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 23, 2025**\n\n**Affected Software**  \nFlynax Bridge\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/e97952602dfd17f0532ab6202b1dd0db.jpg?s=32&#038;d=mp&#038;r=g)kr0d\n\nMore Details ><\/p>\n<p>#### Foodbakery Sticky Cart <= 3.2 - Unauthenticated PHP Object Injection\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-39356**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nFoodbakery Sticky Cart\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Bonds\n\nMore Details ><\/p>\n<p>#### Grace Mag <= 1.1.5 - Unauthenticated Local File Inclusion\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-39360**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nGrace Mag\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/f1b68a12f61846b7fbcd7f1338106a1f.jpg?s=32&#038;d=mp&#038;r=g)Dimas Maulana\n\nMore Details ><\/p>\n<p>#### Grand Conference <= 5.2 - Unauthenticated PHP Object Injection\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-39354**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nGrand Conference | Event WordPress\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Bonds\n\nMore Details ><\/p>\n<p>#### Grand Restaurant WordPress <= 7.0 - Unauthenticated PHP Object Injection\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-39348**\n\nPatch 
Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nGrand Restaurant WordPress\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Ananda Dhakal\n\nMore Details ><\/p>\n<p>#### Grand Restaurant WordPress <= 7.0 - Unauthenticated PHP Object Injection via Path Traversal\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-32926**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nGrand Restaurant WordPress\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Ananda Dhakal\n\nMore Details ><\/p>\n<p>#### Hospital Management System <= 47.0(20-11-2023) - Unauthenticated Arbitrary File Upload\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-39380**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nHospital Management System for WordPress\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/11dfabc58a06f06c9123a7e17a41cecb.jpg?s=32&#038;d=mp&#038;r=g)Aiden (Th\u00e1i An)\n\nMore Details ><\/p>\n<p>#### License For Envato <= 1.0.0 - Unauthenticated Local File Inclusion\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-39399**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nLicense For Envato\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/f1b68a12f61846b7fbcd7f1338106a1f.jpg?s=32&#038;d=mp&#038;r=g)Dimas Maulana\n\nMore Details ><\/p>\n<p>#### Opstore <= 1.4.5 - Unauthenticated Local File Inclusion\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-39387**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nOpstore\n\n**Researcher**  
\n\n\n![](https:\/\/www.gravatar.com\/avatar\/f1b68a12f61846b7fbcd7f1338106a1f.jpg?s=32&#038;d=mp&#038;r=g)Dimas Maulana\n\nMore Details ><\/p>\n<p>#### Product Lister for eBay <= 2.0.9 - Unauthenticated Local File Inclusion\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-39384**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nProduct Lister for eBay\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/f1b68a12f61846b7fbcd7f1338106a1f.jpg?s=32&#038;d=mp&#038;r=g)Dimas Maulana\n\nMore Details ><\/p>\n<p>#### Service Finder Bookings <= 5.1 - Unauthenticated Privilege Escalation via 'nsl_registration_store_extra_input'\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-2470**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nService Finder Bookings\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/2b99835f57008d2a5ee94f41555327d4.jpg?s=32&#038;d=mp&#038;r=g)Alyudin Nafiie\n\nMore Details ><\/p>\n<p>#### SEUR Oficial <= 2.2.23 - Unauthenticated Local File Inclusion\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-46474**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nSEUR Oficial\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/11dfabc58a06f06c9123a7e17a41cecb.jpg?s=32&#038;d=mp&#038;r=g)Aiden (Th\u00e1i An)\n\nMore Details ><\/p>\n<p>#### Spreadsheet Price Changer for WooCommerce and WP E-commerce \u2013 Light <= 2.4.37 - Unauthenticated Local File Inclusion\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-39378**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nSpreadsheet Price Changer for WooCommerce and WP E-commerce \u2013 Light\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/f1b68a12f61846b7fbcd7f1338106a1f.jpg?s=32&#038;d=mp&#038;r=g)Dimas 
Maulana\n\nMore Details ><\/p>\n<p>#### SUMO Reward Points <= 30.7.0 - Unauthenticated Local File Inclusion\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-32925**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nSUMO Reward Points for WooCommerce\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Bonds\n\nMore Details ><\/p>\n<p>#### WP FoodBakery <= 3.3 - Unauthenticated PHP Object Injection\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-32927**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nWP Foodbakery\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Bonds\n\nMore Details ><\/p>\n<p>#### Xews Lite <= 1.0.9 - Unauthenticated Local File Inclusion\n\n9.8\n\nCVSS Rating  \n**Critical (9.8)**\n\nCVE-ID  \n**CVE-2025-39383**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nXews Lite\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/f1b68a12f61846b7fbcd7f1338106a1f.jpg?s=32&#038;d=mp&#038;r=g)Dimas Maulana\n\nMore Details ><\/p>\n<p>#### Database Toolset <= 1.8.4 - Unauthenticated Arbitrary File Deletion\n\n9.1\n\nCVSS Rating  \n**Critical (9.1)**\n\nCVE-ID  \n**CVE-2025-3065**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 23, 2025**\n\n**Affected Software**  \nDatabase Toolset\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/01dce303f1fab51371215f21992679d9.jpg?s=32&#038;d=mp&#038;r=g)theviper17y\n\nMore Details ><\/p>\n<p>#### Aeropage Sync for Airtable <= 3.2.0 - Authenticated (Subscriber+) Arbitrary File Upload\n\n8.8\n\nCVSS Rating  \n**High (8.8)**\n\nCVE-ID  \n**CVE-2025-3914**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nAeropage Sync for 
Airtable\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/305fb970257c915652a3c990285e766e.jpg?s=32&#038;d=mp&#038;r=g)Chuck\n\nMore Details ><\/p>\n<p>#### BM Content Builder <= 3.16.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update\n\n8.8\n\nCVSS Rating  \n**High (8.8)**\n\nCVE-ID  \n**CVE-2025-1279**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nBM Content Builder\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/c48b8b9be22c8d030834699df0d43897.jpg?s=32&#038;d=mp&#038;r=g)Tonn\n\nMore Details ><\/p>\n<p>#### Configurator Theme Core <= 1.4.7 - Authenticated (Subscriber+) Privilege Escalation\n\n8.8\n\nCVSS Rating  \n**High (8.8)**\n\nCVE-ID  \n**CVE-2025-3101**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 23, 2025**\n\n**Affected Software**  \nConfigurator Theme Core\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/c48b8b9be22c8d030834699df0d43897.jpg?s=32&#038;d=mp&#038;r=g)Tonn\n\nMore Details ><\/p>\n<p>#### Crossword Compiler Puzzles <= 5.2 - Authenticated (Subscriber+) Arbitrary File Upload\n\n8.8\n\nCVSS Rating  \n**High (8.8)**\n\nCVE-ID  \n**CVE-2025-46490**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nCrossword Compiler Puzzles\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)astra.r3verii\n\nMore Details ><\/p>\n<p>#### Frontend Login and Registration Blocks <= 1.0.7 - Authenticated (Subscriber+) Privilege Escalation via Password Reset\n\n8.8\n\nCVSS Rating  \n**High (8.8)**\n\nCVE-ID  \n**CVE-2025-3607**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 23, 2025**\n\n**Affected Software**  \nFrontend Login and Registration Blocks\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/e97952602dfd17f0532ab6202b1dd0db.jpg?s=32&#038;d=mp&#038;r=g)kr0d\n\nMore Details 
><\/p>\n<p>#### Greenshift 11.4 &#8211; 11.4.5 &#8211; Authenticated (Subscriber+) Arbitrary File Upload<\/p>\n<p>8.8<\/p>\n<p>CVSS Rating<br \/>\n**High (8.8)**<\/p>\n<p>CVE-ID<br \/>\n**CVE-2025-3616**<\/p>\n<p>Patch Status<br \/>\n**Patched**<\/p>\n<p>Published<br \/>\n**Apr 21, 2025**<\/p>\n<p>**Affected Software**<br \/>\nGreenshift \u2013 animation and page builder blocks<\/p>\n<p>**Researcher**  <\/p>\n<p>![](https:\/\/www.gravatar.com\/avatar\/7abadae46f0b063bdd43911a30a87f65.jpg?s=32&#038;d=mp&#038;r=g)mikemyers<\/p>\n<p>More Details ><\/p>\n<p>#### Integra\u00e7\u00e3o entre Eduzz e Woocommerce 1.5.0 &#8211; 1.7.5 &#8211; Missing Authorization to Authenticated (Subscriber+) Privilege Escalation<\/p>\n<p>8.8<\/p>\n<p>CVSS Rating<br \/>\n**High (8.8)**<\/p>\n<p>CVE-ID<br \/>\n**CVE-2025-3906**<\/p>\n<p>Patch Status<br \/>\n**Unpatched**<\/p>\n<p>Published<br \/>\n**Apr 25, 2025**<\/p>\n<p>**Affected Software**<br \/>\nIntegra\u00e7\u00e3o entre Eduzz e Woocommerce<\/p>\n<p>**Researcher**  <\/p>\n<p>![](https:\/\/www.gravatar.com\/avatar\/e97952602dfd17f0532ab6202b1dd0db.jpg?s=32&#038;d=mp&#038;r=g)kr0d<\/p>\n<p>More Details ><\/p>\n<p>#### My Tickets \u2013 Accessible Event Ticketing <= 2.0.16 - Authenticated (Subscriber+) Privilege Escalation\n\n8.8\n\nCVSS Rating  \n**High (8.8)**\n\nCVE-ID  \n**CVE-2025-3761**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 23, 2025**\n\n**Affected Software**  \nMy Tickets \u2013 Accessible Event Ticketing\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/385d41daf781fbf4dbac2a1ff894d7fc.jpg?s=32&#038;d=mp&#038;r=g)Le Ngoc Anh\n\nMore Details ><\/p>\n<p>#### Popup Builder <= 1.1.35 - Authenticated (Subscriber+) Local File Inclusion\n\n8.8\n\nCVSS Rating  \n**High (8.8)**\n\nCVE-ID  \n**CVE-2025-46230**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nPopup Builder\n\n**Researcher**  
\n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)LVT-tholv2k\n\nMore Details ><\/p>\n<p>#### Vikinger <= 1.9.30 - Authenticated (Subscriber+) Privilege Escalation via 'vikinger_user_meta_update_ajax'\n\n8.8\n\nCVSS Rating  \n**High (8.8)**\n\nCVE-ID  \n**CVE-2025-2238**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nVikinger\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/c48b8b9be22c8d030834699df0d43897.jpg?s=32&#038;d=mp&#038;r=g)Tonn\n\nMore Details ><\/p>\n<p>#### wProject < 5.8.0 - Authenticated (Subscriber+) Privilege Escalation\n\n8.8\n\nCVSS Rating  \n**High (8.8)**\n\nCVE-ID  \n**CVE-2025-39366**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nwProject\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Dave Jong\n\nMore Details ><\/p>\n<p>#### Xelion Webchat <= 9.1.0 - Authenticated (Subscriber+) Arbitrary Options Update\n\n8.8\n\nCVSS Rating  \n**High (8.8)**\n\nCVE-ID  \n**CVE-2025-3058**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 23, 2025**\n\n**Affected Software**  \nXelion Webchat\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/e97952602dfd17f0532ab6202b1dd0db.jpg?s=32&#038;d=mp&#038;r=g)kr0d\n\nMore Details ><\/p>\n<p>#### Xpro Elementor Addons &#8211; Pro <= 1.4.9 - Authenticated (Contributor+) Remote Code Execution\n\n8.8\n\nCVSS Rating  \n**High (8.8)**\n\nCVE-ID  \n**CVE-2024-13808**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nXpro Elementor Addons - Pro\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/f894d5600bcba5e947d6dde37a3cec1b.jpg?s=32&#038;d=mp&#038;r=g)stealthcopter\n\nMore Details ><\/p>\n<p>#### Verification SMS with TargetSMS <= 1.5 - Unauthenticated Limited Remote Code Execution\n\n8.3\n\nCVSS Rating  
\n**High (8.3)**\n\nCVE-ID  \n**CVE-2025-3776**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 23, 2025**\n\n**Affected Software**  \nVerification SMS with TargetSMS\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/305fb970257c915652a3c990285e766e.jpg?s=32&#038;d=mp&#038;r=g)Chuck\n\nMore Details ><\/p>\n<p>#### Grand Restaurant WordPress <= 7.0 - Missing Authorization to Unauthenticated Arbitrary Options Deletion\n\n8.2\n\nCVSS Rating  \n**High (8.2)**\n\nCVE-ID  \n**CVE-2025-39352**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nGrand Restaurant WordPress\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Ananda Dhakal\n\nMore Details ><\/p>\n<p>#### WordPress Simple PayPal Shopping Cart <= 5.1.2 - Unauthenticated Information Exposure via file_url Parameter\n\n8.2\n\nCVSS Rating  \n**High (8.2)**\n\nCVE-ID  \n**CVE-2025-3529**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nWordPress Simple Shopping Cart\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/cd164c6348ca2048a891d26c4106e94a.jpg?s=32&#038;d=mp&#038;r=g)Jack Taylor\n\nMore Details ><\/p>\n<p>#### Edumall <= 4.2.4 - Unauthenticated Local File Inclusion\n\n8.1\n\nCVSS Rating  \n**High (8.1)**\n\nCVE-ID  \n**CVE-2025-2101**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nEduMall - Professional LMS Education Center WordPress Theme\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/c48b8b9be22c8d030834699df0d43897.jpg?s=32&#038;d=mp&#038;r=g)Tonn\n\nMore Details ><\/p>\n<p>#### JobSearch WP Job Board <= 2.8.8 - Authentication Bypass via Social Logins\n\n8.1\n\nCVSS Rating  \n**High (8.1)**\n\nCVE-ID  \n**CVE-2024-11917**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nJobSearch WP Job 
Board\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/0c476cecff9cf0286378f2943694146f.jpg?s=32&#038;d=mp&#038;r=g)Foxyyy\n\nMore Details ><\/p>\n<p>#### Jupiter X Core <= 4.8.11 - Unauthenticated PHP Object Injection via PHAR\n\n8.1\n\nCVSS Rating  \n**High (8.1)**\n\nCVE-ID  \n**CVE-2025-2105**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nJupiter X Core\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/7b8cd550e860295a0dcf86632e3c79be.jpg?s=32&#038;d=mp&#038;r=g)Phat RiO - BlueRock\n\nMore Details ><\/p>\n<p>#### Plugin Central <= 2.5.1 - Cross-Site Request Forgery to Arbitrary File Deletion\n\n8.1\n\nCVSS Rating  \n**High (8.1)**\n\nCVE-ID  \n**CVE-2025-46439**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nPlugin Central\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/e37bf2a629b6924efb95f289b0a7f7e4.jpg?s=32&#038;d=mp&#038;r=g)Nguyen Xuan Chien\n\nMore Details ><\/p>\n<p>#### AnalyticsWP <= 2.1.2 - Unauthenticated SQL Injection\n\n7.5\n\nCVSS Rating  \n**High (7.5)**\n\nCVE-ID  \n**CVE-2025-39389**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nAnalyticsWP\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/15c7bc3e71963fdd7c656346bcf8b159.jpg?s=32&#038;d=mp&#038;r=g)Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc)\n\nMore Details ><\/p>\n<p>#### Easy Guide <= 1.0.0 - Unauthenticated SQL Injection\n\n7.5\n\nCVSS Rating  \n**High (7.5)**\n\nCVE-ID  \n**CVE-2025-46460**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nWordPress Easy Guide\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/385d41daf781fbf4dbac2a1ff894d7fc.jpg?s=32&#038;d=mp&#038;r=g)Le Ngoc Anh\n\nMore Details ><\/p>\n<p>#### Fable Extra <= 1.0.6 - Unauthenticated SQL Injection\n\n7.5\n\nCVSS Rating  \n**High (7.5)**\n\nCVE-ID  
\n**CVE-2025-46539**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nFable Extra\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)timomangcut\n\nMore Details ><\/p>\n<p>#### Frontend Dashboard <= 2.2.5 - Unauthenticated SQL Injection\n\n7.5\n\nCVSS Rating  \n**High (7.5)**\n\nCVE-ID  \n**CVE-2025-46248**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nFrontend Dashboard\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/b9c98f876000c488fa1e815fe093a085.jpg?s=32&#038;d=mp&#038;r=g)Nguyen Ngoc Quang Bach (maysbachs)\n\nMore Details ><\/p>\n<p>#### Hospital Management System <= 47.0(20-11-2023) - Unauthenticated SQL Injection\n\n7.5\n\nCVSS Rating  \n**High (7.5)**\n\nCVE-ID  \n**CVE-2025-39386**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nHospital Management System for WordPress\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/15c7bc3e71963fdd7c656346bcf8b159.jpg?s=32&#038;d=mp&#038;r=g)Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc)\n\nMore Details ><\/p>\n<p>#### Mayosis Core <= 5.4.1 - Unauthenticated Arbitrary File Read\n\n7.5\n\nCVSS Rating  \n**High (7.5)**\n\nCVE-ID  \n**CVE-2025-1565**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nMayosis Core\n\n**Researcher**  
\n\n\n![](https:\/\/www.gravatar.com\/avatar\/c48b8b9be22c8d030834699df0d43897.jpg?s=32&#038;d=mp&#038;r=g)Tonn\n\nMore Details ><\/p>\n<p>#### WordPress Simple PayPal Shopping Cart <= 5.1.2 - Unauthenticated Product Price Manipulation\n\n7.5\n\nCVSS Rating  \n**High (7.5)**\n\nCVE-ID  \n**CVE-2025-3530**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nWordPress Simple Shopping Cart\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/cd164c6348ca2048a891d26c4106e94a.jpg?s=32&#038;d=mp&#038;r=g)Jack Taylor\n\nMore Details ><\/p>\n<p>#### WP HRM LITE <= 1.1 - Unauthenticated SQL Injection\n\n7.5\n\nCVSS Rating  \n**High (7.5)**\n\nCVE-ID  \n**CVE-2025-46455**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nWP HRM LITE\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Hiro\n\nMore Details ><\/p>\n<p>#### Create custom forms for WordPress with a smart form plugin for smart businesses <= 1.2.4 - Unauthenticated Arbitrary Shortcode Execution\n\n7.3\n\nCVSS Rating  \n**High (7.3)**\n\nCVE-ID  \n**CVE-2025-2801**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nCreate custom forms for WordPress with a smart form plugin for smart businesses \u2013 Form builder for WordPress\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/a07a4a4ddd21367fd4d51d2d3105e7ef.jpg?s=32&#038;d=mp&#038;r=g)Avraham Shemesh\n\nMore Details ><\/p>\n<p>#### Add custom page template <= 2.0.1 - Authenticated (Administrator+) PHP Code Injection to Remote Code Execution\n\n7.2\n\nCVSS Rating  \n**High (7.2)**\n\nCVE-ID  \n**CVE-2025-3491**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nAdd custom page template\n\n**Researcher**  
\n\n\n![](https:\/\/www.gravatar.com\/avatar\/dfc42784669accf02da36cb658a6a355.jpg?s=32&#038;d=mp&#038;r=g)ch4r0n\n\nMore Details ><\/p>\n<p>#### eForm <= 4.18.0 - Unauthenticated Stored Cross-Site Scripting\n\n7.2\n\nCVSS Rating  \n**High (7.2)**\n\nCVE-ID  \n**CVE-2025-1294**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \neForm - WordPress Form Builder\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/0ad8993a904e3c0dcdc8928248485fd6.jpg?s=32&#038;d=mp&#038;r=g)shaman0x01\n\nMore Details ><\/p>\n<p>#### Flickr Shortcode Importer <= 2.2.3 - Authenticated (Administrator+) PHP Object Injection\n\n7.2\n\nCVSS Rating  \n**High (7.2)**\n\nCVE-ID  \n**CVE-2025-46481**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nFlickr Shortcode Importer\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Ngo Bui Truong Vu\n\nMore Details ><\/p>\n<p>#### WPMasterToolKit (WPMTK) \u2013 All in one plugin <= 2.5.2 - Authenticated (Administrator+) to Arbitrary File Read and Write\n\n7.2\n\nCVSS Rating  \n**High (7.2)**\n\nCVE-ID  \n**CVE-2025-3300**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 23, 2025**\n\n**Affected Software**  \nWPMasterToolKit (WPMTK) \u2013 All in one plugin\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/37cc74b0e1957fee81825154abeae540.jpg?s=32&#038;d=mp&#038;r=g)nquangit\n\nMore Details ><\/p>\n<p>#### Social Counter <= 2.0.5 - Authenticated (Administrator+) PHP Object Injection\n\n6.6\n\nCVSS Rating  \n**Medium (6.6)**\n\nCVE-ID  \n**CVE-2025-46473**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nSocial Counter\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/b9c98f876000c488fa1e815fe093a085.jpg?s=32&#038;d=mp&#038;r=g)Nguyen Ngoc Quang Bach (maysbachs)\n\nMore Details ><\/p>\n<p>#### Anps Theme 
plugin <= 1.1.1 - Unauthenticated Arbitrary Shortcode Execution\n\n6.5\n\nCVSS Rating  \n**Medium (6.5)**\n\nCVE-ID  \n**CVE-2024-13812**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nAnps Theme plugin\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/8f9a99fa0333fc8418c837d7e0883c3b.jpg?s=32&#038;d=mp&#038;r=g)Lucio S\u00e1\n\nMore Details ><\/p>\n<p>#### Appointment Booking Calendar <= 1.3.92 - Cross-Site Request Forgery to SQL Injection\n\n6.5\n\nCVSS Rating  \n**Medium (6.5)**\n\nCVE-ID  \n**CVE-2025-46241**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nAppointment Booking Calendar\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)astra.r3verii\n\nMore Details ><\/p>\n<p>#### Appsero Helper <= 1.3.4 - Authenticated (Subscriber+) SQL Injection\n\n6.5\n\nCVSS Rating  \n**Medium (6.5)**\n\nCVE-ID  \n**CVE-2025-39377**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nAppsero Helper\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/15c7bc3e71963fdd7c656346bcf8b159.jpg?s=32&#038;d=mp&#038;r=g)Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc)\n\nMore Details ><\/p>\n<p>#### ELEX WooCommerce Advanced Bulk Edit Products, Prices &#038; Attributes <= 1.4.9 - Authenticated (Subscriber+) SQL Injection\n\n6.5\n\nCVSS Rating  \n**Medium (6.5)**\n\nCVE-ID  \n**CVE-2025-3280**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 23, 2025**\n\n**Affected Software**  \nELEX WooCommerce Advanced Bulk Edit Products, Prices &#038; Attributes\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/7b8cd550e860295a0dcf86632e3c79be.jpg?s=32&#038;d=mp&#038;r=g)Phat RiO - BlueRock\n\nMore Details ><\/p>\n<p>#### FAT Services Booking <= 5.6 - Authenticated (Subscriber+) SQL Injection\n\n6.5\n\nCVSS Rating  \n**Medium (6.5)**\n\nCVE-ID  
\n**CVE-2025-39355**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nFAT Services Booking\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/11dfabc58a06f06c9123a7e17a41cecb.jpg?s=32&#038;d=mp&#038;r=g)Aiden (Th\u00e1i An)\n\nMore Details ><\/p>\n<p>#### Hospital Management System <= 47.0(20-11-2023) - Authenticated (Subscriber+) SQL Injection\n\n6.5\n\nCVSS Rating  \n**Medium (6.5)**\n\nCVE-ID  \n**CVE-2025-39357**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nHospital Management System for WordPress\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/11dfabc58a06f06c9123a7e17a41cecb.jpg?s=32&#038;d=mp&#038;r=g)Aiden (Th\u00e1i An)\n\nMore Details ><\/p>\n<p>#### Mailing Group Listserv <= 3.0.4 - Authenticated (Subscriber+) SQL Injection\n\n6.5\n\nCVSS Rating  \n**Medium (6.5)**\n\nCVE-ID  \n**CVE-2025-46463**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nMailing Group Listserv\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)timomangcut\n\nMore Details ><\/p>\n<p>#### Ocean Extra <= 2.4.6 - Unauthenticated Arbitrary Shortcode Execution\n\n6.5\n\nCVSS Rating  \n**Medium (6.5)**\n\nCVE-ID  \n**CVE-2025-3472**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nOcean Extra\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/f894d5600bcba5e947d6dde37a3cec1b.jpg?s=32&#038;d=mp&#038;r=g)stealthcopter\n\nMore Details ><\/p>\n<p>#### Revy <= 2.1 - Authenticated (Subscriber+) SQL Injection\n\n6.5\n\nCVSS Rating  \n**Medium (6.5)**\n\nCVE-ID  \n**CVE-2025-32924**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nRevy\n\n**Researcher**  
\n\n\n![](https:\/\/www.gravatar.com\/avatar\/11dfabc58a06f06c9123a7e17a41cecb.jpg?s=32&#038;d=mp&#038;r=g)Aiden (Th\u00e1i An)\n\nMore Details ><\/p>\n<p>#### ShopLentor \u2013 WooCommerce Builder for Elementor &#038; Gutenberg +20 Modules \u2013 All in One Solution (formerly WooLentor) <= 3.1.2 - Unauthenticated Server-Side Request Forgery via URL Parameter\n\n6.5\n\nCVSS Rating  \n**Medium (6.5)**\n\nCVE-ID  \n**CVE-2025-3775**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nShopLentor \u2013 WooCommerce Builder for Elementor &#038; Gutenberg +20 Modules \u2013 All in One Solution (formerly WooLentor)\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/7abadae46f0b063bdd43911a30a87f65.jpg?s=32&#038;d=mp&#038;r=g)mikemyers\n\nMore Details ><\/p>\n<p>#### 360 View <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46509**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \n360 View\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Able Player <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46475**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nAble Player, accessible HTML5 media player\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Able Player, accessible HTML5 media player <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via preload Parameter\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-3752**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nAble 
Player, accessible HTML5 media player\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/258c774aecd81b7d1fa67abf3b576b33.jpg?s=32&#038;d=mp&#038;r=g)Peter Thaleikis\n\nMore Details ><\/p>\n<p>#### Advanced Accordion Gutenberg Block <= 5.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-2543**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 23, 2025**\n\n**Affected Software**  \nAdvanced Accordion Gutenberg Block\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/a07a4a4ddd21367fd4d51d2d3105e7ef.jpg?s=32&#038;d=mp&#038;r=g)Avraham Shemesh\n\nMore Details ><\/p>\n<p>#### Animate <= 0.5 - Authenticated (Contributor+) Server-Side Request Forgery\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46443**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nAnimate\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/e37bf2a629b6924efb95f289b0a7f7e4.jpg?s=32&#038;d=mp&#038;r=g)Nguyen Xuan Chien\n\nMore Details ><\/p>\n<p>#### Author Box After Posts <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46263**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nAuthor Box After Posts\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Michael\n\nMore Details ><\/p>\n<p>#### Awesome Wp Image Gallery <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46476**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nAwesome Wp Image Gallery\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/97a1f88460217867f45b925b3af1bb6a.jpg?s=32&#038;d=mp&#038;r=g)muhammad 
yudha\n\nMore Details ><\/p>\n<p>#### BBCode Deluxe <= 2020.08.01.2 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46479**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nBBCode Deluxe\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### BeerXML Shortcode <= 0.71 - Authenticated (Contributor+) Server-Side Request Forgery\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46511**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nBeerXML Shortcode\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/dfc42784669accf02da36cb658a6a355.jpg?s=32&#038;d=mp&#038;r=g)ch4r0n\n\nMore Details ><\/p>\n<p>#### Breeze Display <= 1.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via cal_size Parameter\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-3749**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nBreeze Display\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/258c774aecd81b7d1fa67abf3b576b33.jpg?s=32&#038;d=mp&#038;r=g)Peter Thaleikis\n\nMore Details ><\/p>\n<p>#### Carousel-of-post-images <= 1.07 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46536**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nCarousel-of-post-images\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Custom Related Posts <= 1.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46227**\n\nPatch Status  
\n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nCustom Related Posts\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/97a1f88460217867f45b925b3af1bb6a.jpg?s=32&#038;d=mp&#038;r=g)muhammad yudha\n\nMore Details ><\/p>\n<p>#### Dropdown Content <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46478**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nDropdown Content\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/97a1f88460217867f45b925b3af1bb6a.jpg?s=32&#038;d=mp&#038;r=g)muhammad yudha\n\nMore Details ><\/p>\n<p>#### Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) <= 5.10.29 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-1458**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nElement Pack Addons for Elementor \u2013 Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/a964068aac6d7229783a0ea643877251.jpg?s=32&#038;d=mp&#038;r=g)zer0gh0st\n\nMore Details ><\/p>\n<p>#### Enhanced Paypal Shortcodes <= 0.5a - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46543**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nEnhanced Paypal Shortcodes\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Event post <= 5.9.11 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46228**\n\nPatch Status  \n**Patched**\n\nPublished  
\n**Apr 22, 2025**\n\n**Affected Software**  \nEvent post\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)astra.r3verii\n\nMore Details ><\/p>\n<p>#### External Markdown <= 0.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46445**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nExternal Markdown\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Fable Extra <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46447**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nFable Extra\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)timomangcut\n\nMore Details ><\/p>\n<p>#### FuseDesk <= 6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via successredirect Parameter\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-3832**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 23, 2025**\n\n**Affected Software**  \nFuseDesk\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/258c774aecd81b7d1fa67abf3b576b33.jpg?s=32&#038;d=mp&#038;r=g)Peter Thaleikis\n\nMore Details ><\/p>\n<p>#### GNA Search Shortcode <= 0.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46540**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nGNA Search Shortcode\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### GTDB 
Guitar Tuners <= 4.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46438**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nGTDB Guitar Tuners\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### GutenKit <= 2.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46253**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nGutenKit \u2013 Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Khalid Yusuf\n\nMore Details ><\/p>\n<p>#### HTML Forms <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46236**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nHTML Forms \u2013 Simple WordPress Forms Plugin\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/97a1f88460217867f45b925b3af1bb6a.jpg?s=32&#038;d=mp&#038;r=g)muhammad yudha\n\nMore Details ><\/p>\n<p>#### Image Hover Effects For WPBakery Page Builder <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46484**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nImage Hover Effects For WPBakery Page Builder\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/97a1f88460217867f45b925b3af1bb6a.jpg?s=32&#038;d=mp&#038;r=g)muhammad yudha\n\nMore Details ><\/p>\n<p>#### Image Style Hover <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site 
Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46534**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nImage Style Hover \u2013 Displays content when you hover on image\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Inline Text Popup <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46538**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nInline Text Popup\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Link Library <= 7.8 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46237**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nLink Library\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/97a1f88460217867f45b925b3af1bb6a.jpg?s=32&#038;d=mp&#038;r=g)muhammad yudha\n\nMore Details ><\/p>\n<p>#### List Last Changes <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46238**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nList Last Changes\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/97a1f88460217867f45b925b3af1bb6a.jpg?s=32&#038;d=mp&#038;r=g)muhammad yudha\n\nMore Details ><\/p>\n<p>#### Lottie Player <= 1.1.8 - Authenticated (Author+) Stored Cross-Site Scripting via File Upload\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-2579**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 23, 2025**\n\n**Affected Software**  \nLottie Player- Great 
Lottie Player Solution\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/a07a4a4ddd21367fd4d51d2d3105e7ef.jpg?s=32&#038;d=mp&#038;r=g)Avraham Shemesh\n\nMore Details ><\/p>\n<p>#### Mad Mimi for WordPress <= 1.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46262**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nMad Mimi for WordPress\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)0x1ceKing\n\nMore Details ><\/p>\n<p>#### Mini twitter feed <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46496**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nMini twitter feed\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Mixcloud Embed <= 2.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46501**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nMixcloud Embed\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### MPL-Publisher <= 2.18.0 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46226**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nMPL-Publisher \u2014 Ebook &#038; Audiobook Creator\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/97a1f88460217867f45b925b3af1bb6a.jpg?s=32&#038;d=mp&#038;r=g)muhammad yudha\n\nMore Details ><\/p>\n<p>#### Multi-Column 
Taxonomy List <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46491**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nMulti-Column Taxonomy List\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Nepali Post Date <= 5.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46480**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nNepali Post Date\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/97a1f88460217867f45b925b3af1bb6a.jpg?s=32&#038;d=mp&#038;r=g)muhammad yudha\n\nMore Details ><\/p>\n<p>#### Ocean Extra <= 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ocean_gallery_id'\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-3458**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nOcean Extra\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/97a1f88460217867f45b925b3af1bb6a.jpg?s=32&#038;d=mp&#038;r=g)muhammad yudha\n\nMore Details ><\/p>\n<p>#### Ocean Extra <= 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-3457**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nOcean Extra\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/97a1f88460217867f45b925b3af1bb6a.jpg?s=32&#038;d=mp&#038;r=g)muhammad yudha\n\nMore Details ><\/p>\n<p>#### Peadig\u2019s Google +1 Button <= 0.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46483**\n\nPatch Status  \n**Unpatched**\n\nPublished  
\n**Apr 24, 2025**\n\n**Affected Software**  \nPeadig\u2019s Google +1 Button\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Peekaboo <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46505**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nPeekaboo\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Post in page for Elementor <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46225**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nPost in page for Elementor\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Gab\n\nMore Details ><\/p>\n<p>#### Posts for Page <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-39369**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nPosts for Page\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/01dce303f1fab51371215f21992679d9.jpg?s=32&#038;d=mp&#038;r=g)theviper17y\n\nMore Details ><\/p>\n<p>#### RAphicon <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46467**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nRAphicon\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### RRSSB <= 1.0.1 - Authenticated 
(Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46461**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nRRSSB\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Simple Download Counter <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46240**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nSimple Download Counter\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/97a1f88460217867f45b925b3af1bb6a.jpg?s=32&#038;d=mp&#038;r=g)muhammad yudha\n\nMore Details ><\/p>\n<p>#### Simple Google Photos Grid <= 1.5 - Authenticated (Contributor+) Server-Side Request Forgery\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46503**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nSimple Google Photos Grid\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/dfc42784669accf02da36cb658a6a355.jpg?s=32&#038;d=mp&#038;r=g)ch4r0n\n\nMore Details ><\/p>\n<p>#### Sirv <= 7.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46233**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nImage Optimizer, Resizer and CDN \u2013 Sirv\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/15c7bc3e71963fdd7c656346bcf8b159.jpg?s=32&#038;d=mp&#038;r=g)Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc)\n\nMore Details ><\/p>\n<p>#### SKT Blocks <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46235**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 
2025**\n\n**Affected Software**  \nSKT Blocks \u2013 Gutenberg based Page Builder\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/4c2bd6964b38518385c4e8d1791fd762.jpg?s=32&#038;d=mp&#038;r=g)zaim\n\nMore Details ><\/p>\n<p>#### Sky Addons for Elementor <= 3.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46260**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nSky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery)\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/585bd77d4bbe100a43b04223fd09a74f.jpg?s=32&#038;d=mp&#038;r=g)Jo\u00e3o Pedro Soares de Alc\u00e2ntara\n\nMore Details ><\/p>\n<p>#### Tax Switch for WooCommerce <= 1.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via class-name Parameter\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-3814**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nTax Switch for WooCommerce\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/258c774aecd81b7d1fa67abf3b576b33.jpg?s=32&#038;d=mp&#038;r=g)Peter Thaleikis\n\nMore Details ><\/p>\n<p>#### The Pack Elementor addons <= 2.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46472**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nThe Pack Elementor addon\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Michael\n\nMore Details ><\/p>\n<p>#### Theme Switcha <= 3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46239**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 
2025**\n\n**Affected Software**  \nTheme Switcha \u2013 Easily Switch Themes for Development and Testing\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/97a1f88460217867f45b925b3af1bb6a.jpg?s=32&#038;d=mp&#038;r=g)muhammad yudha\n\nMore Details ><\/p>\n<p>#### Tooltip <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46532**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nWordPress Tooltip\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### UiCore Elements \u2013 Free Elementor widgets and templates <= 1.0.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-1054**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nUiCore Elements \u2013 Free Elementor widgets and templates\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/ef74f4dbe7907a62f177592f647c1afa.jpg?s=32&#038;d=mp&#038;r=g)Webbernaut\n\nMore Details ><\/p>\n<p>#### Visual Composer Website Builder <= 45.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46254**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nVisual Composer Website Builder\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/97a1f88460217867f45b925b3af1bb6a.jpg?s=32&#038;d=mp&#038;r=g)muhammad yudha\n\nMore Details ><\/p>\n<p>#### WoWHead Tooltips <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46449**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nWoWHead 
Tooltips\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### WP AVCL Automation Helper (formerly WPFlyLeads) <= 3.4 - Authenticated (Subscriber+) Server-Side Request Forgery\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46531**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nWP AVCL Automation Helper (formerly WPFlyLeads)\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/dfc42784669accf02da36cb658a6a355.jpg?s=32&#038;d=mp&#038;r=g)ch4r0n\n\nMore Details ><\/p>\n<p>#### WP Custom Post Popup <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46471**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nWP Custom Post Popup\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### WP Import Export Lite <= 3.9.27 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-2839**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nWP Import Export Lite\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/ef74f4dbe7907a62f177592f647c1afa.jpg?s=32&#038;d=mp&#038;r=g)Webbernaut\n\nMore Details ><\/p>\n<p>#### WP Quiz <= 2.0.10 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46482**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nBest Quiz Plugin for WordPress: WP Quiz\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/97a1f88460217867f45b925b3af1bb6a.jpg?s=32&#038;d=mp&#038;r=g)muhammad 
yudha\n\nMore Details ><\/p>\n<p>#### WP Vegas <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-43841**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nWP Vegas\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Xpert Tab <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46542**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nXpert Tab\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Zoho Creator Forms <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting\n\n6.4\n\nCVSS Rating  \n**Medium (6.4)**\n\nCVE-ID  \n**CVE-2025-46453**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nZoho Creator Forms\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### 1 Decembrie 1918 <= 1.dec.2012 - Cross-Site Request Forgery to Stored Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-3870**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \n1 Decembrie 1918\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### ACF: Google Font Selector <= 3.0.1 - Reflected Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-39382**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nACF: 
Google Font Selector\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/f1b68a12f61846b7fbcd7f1338106a1f.jpg?s=32&#038;d=mp&#038;r=g)Dimas Maulana\n\nMore Details ><\/p>\n<p>#### Add Google +1 (Plus one) social share Button <= 1.0.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-3866**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nAdd Google +1 (Plus one) social share Button\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Advanced lazy load <= 1.6.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-46508**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nAdvanced lazy load\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Ajax Comment Form CST <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-3867**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nAjax Comment Form CST\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Anything Popup <= 7.3 - Reflected Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-39397**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nAnything Popup\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/f1b68a12f61846b7fbcd7f1338106a1f.jpg?s=32&#038;d=mp&#038;r=g)Dimas Maulana\n\nMore Details ><\/p>\n<p>#### Best Posts Summary <= 
1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-39374**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nBest Posts Summary\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### CheckBot <= 1.05 - Cross-Site Request Forgery to Stored Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-43840**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nCheckBot\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Contact Form 7 Calendar <= 3.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-46510**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nContact Form 7 Calendar\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Control Listings <= 1.0.4.1 - Reflected Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-46234**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nControl Listings \u2013 Classifieds Ads Directory Portal Manager\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/11dfabc58a06f06c9123a7e17a41cecb.jpg?s=32&#038;d=mp&#038;r=g)Aiden (Th\u00e1i An)\n\nMore Details ><\/p>\n<p>#### Custom Admin-Bar Favorites <= 0.1 - Reflected Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-3868**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nCustom 
Admin-Bar Favorites\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Custom Functions Plugin <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-46512**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nCustom Functions Plugin\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Document Management System <= 1.24 - Reflected Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-46448**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nDocument Management System\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/e37bf2a629b6924efb95f289b0a7f7e4.jpg?s=32&#038;d=mp&#038;r=g)Nguyen Xuan Chien\n\nMore Details ><\/p>\n<p>#### Drop Caps <= 2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-46495**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nDrop Caps\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Google News <= 2.5.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-46452**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nGoogle News\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/e37bf2a629b6924efb95f289b0a7f7e4.jpg?s=32&#038;d=mp&#038;r=g)Nguyen Xuan Chien\n\nMore Details ><\/p>\n<p>#### Hospital Management System <= 47.0(20-11-2023) - Reflected Cross-Site 
Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-39393**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nHospital Management System for WordPress\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/11dfabc58a06f06c9123a7e17a41cecb.jpg?s=32&#038;d=mp&#038;r=g)Aiden (Th\u00e1i An)\n\nMore Details ><\/p>\n<p>#### Libro de Reclamaciones <= 1.0.1 - Reflected Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-46446**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nLibro de Reclamaciones\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/e37bf2a629b6924efb95f289b0a7f7e4.jpg?s=32&#038;d=mp&#038;r=g)Nguyen Xuan Chien\n\nMore Details ><\/p>\n<p>#### Loan Calculator <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-46442**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nLoan Calculator\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/86a1429aeb8e473ec62cf8dd3d4e4571.jpg?s=32&#038;d=mp&#038;r=g)Nabil Irawan\n\nMore Details ><\/p>\n<p>#### LSD Custom taxonomy and category meta <= 1.3.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-46502**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nLSD Custom taxonomy and category meta\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Milat jQuery Automatic Popup <= 1.3.1 - Cross-Site Request Forgery to Stored Cross-site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-46514**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected 
Software**  \nMilat jQuery Automatic Popup\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### My Custom Widgets <= 2.0.5 - Reflected Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-46526**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nMy Custom Widgets\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### occupancyplan <= 1.0.3.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-46450**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \noccupancyplan\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/e37bf2a629b6924efb95f289b0a7f7e4.jpg?s=32&#038;d=mp&#038;r=g)Nguyen Xuan Chien\n\nMore Details ><\/p>\n<p>#### Related Posts via Taxonomies <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-46520**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nRelated Posts via Taxonomies\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Tayori Form <= 1.2.9 - Reflected Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-46437**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nTayori Form Plugin\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/e37bf2a629b6924efb95f289b0a7f7e4.jpg?s=32&#038;d=mp&#038;r=g)Nguyen Xuan Chien\n\nMore Details ><\/p>\n<p>#### Time Based Greeting <= 2.2.2 - Cross-Site Request Forgery to 
Stored Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-46435**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nTime Based Greeting\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/e37bf2a629b6924efb95f289b0a7f7e4.jpg?s=32&#038;d=mp&#038;r=g)Nguyen Xuan Chien\n\nMore Details ><\/p>\n<p>#### Twitter Card Generator <= 1.0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-46516**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nTwitter Card Generator\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### User Registration <= 4.1.5 - Reflected Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-39400**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nUser Registration &#038; Membership \u2013 Custom Registration Form, Login Form, and User Profile\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Psai\n\nMore Details ><\/p>\n<p>#### Vasaio QR Code <= 1.2.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-46504**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nVasaio QR Code\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### VikRestaurants Table Reservations and Take-Away <= 1.3.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-46251**\n\nPatch Status  \n**Patched**\n\nPublished  
\n**Apr 22, 2025**\n\n**Affected Software**  \nVikRestaurants Table Reservations and Take-Away\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/106e34cffb07e9ff1371d99d90540fca.jpg?s=32&#038;d=mp&#038;r=g)Dhabaleshwar Das\n\nMore Details ><\/p>\n<p>#### WordPress Events Calendar Registration &#038; Tickets <= 2.6.0 - Reflected Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-39372**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nWordPress Events Calendar Registration &#038; Tickets\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Bonds\n\nMore Details ><\/p>\n<p>#### Wp Custom CMS Block <= 2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-46457**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nWp Custom CMS Block\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### WP Filter Post Category <= 2.1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-46524**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nWP Filter Post Category\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### wProject < 5.8.0 - Reflected Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-39365**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nwProject\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Dave 
Jong\n\nMore Details ><\/p>\n<p>#### WpZon \u2013 Amazon Affiliate Plugin <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting\n\n6.1\n\nCVSS Rating  \n**Medium (6.1)**\n\nCVE-ID  \n**CVE-2025-46506**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nWpZon \u2013 Amazon Affiliate Plugin\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Confirm User Registration <= 2.1.5 - Authenticated (Administrator+) Stored Cross-Site Scripting\n\n5.5\n\nCVSS Rating  \n**Medium (5.5)**\n\nCVE-ID  \n**CVE-2025-46459**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nConfirm User Registration\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/86a1429aeb8e473ec62cf8dd3d4e4571.jpg?s=32&#038;d=mp&#038;r=g)Nabil Irawan\n\nMore Details ><\/p>\n<p>#### Send From <= 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting\n\n5.5\n\nCVSS Rating  \n**Medium (5.5)**\n\nCVE-ID  \n**CVE-2025-46469**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nSend From\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/86a1429aeb8e473ec62cf8dd3d4e4571.jpg?s=32&#038;d=mp&#038;r=g)Nabil Irawan\n\nMore Details ><\/p>\n<p>#### WP Customize Login Page <= 1.6.5 - Authenticated (Administrator+) Stored Cross-Site Scripting\n\n5.5\n\nCVSS Rating  \n**Medium (5.5)**\n\nCVE-ID  \n**CVE-2025-46477**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nWP Customize Login Page\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/86a1429aeb8e473ec62cf8dd3d4e4571.jpg?s=32&#038;d=mp&#038;r=g)Nabil Irawan\n\nMore Details ><\/p>\n<p>#### Prevent Direct Access 2.8.6 &#8211; 2.8.8.2 &#8211; Incorrect Authorization to Authenticated (Contributor+) Multiple Media 
Actions\n\n5.4\n\nCVSS Rating  \n**Medium (5.4)**\n\nCVE-ID  \n**CVE-2025-3861**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nPrevent Direct Access \u2013 Protect WordPress Files\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/b52f0ed9bfd356ab8119b9ee6d7d040a.jpg?s=32&#038;d=mp&#038;r=g)0xbro\n\nMore Details ><\/p>\n<p>#### Print Science Designer <= 1.3.155 - Cross-Site Request Forgery to Stored Cross-Site Scripting\n\n5.4\n\nCVSS Rating  \n**Medium (5.4)**\n\nCVE-ID  \n**CVE-2025-46465**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nPrint Science Designer\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Skalucy\n\nMore Details ><\/p>\n<p>#### Advanced Linked Variations for Woocommerce <= 1.0.3 - Missing Authorization\n\n5.3\n\nCVSS Rating  \n**Medium (5.3)**\n\nCVE-ID  \n**CVE-2025-46244**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nAdvanced Linked Variations for Woocommerce\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/dfc42784669accf02da36cb658a6a355.jpg?s=32&#038;d=mp&#038;r=g)ch4r0n\n\nMore Details ><\/p>\n<p>#### Appointment Booking Calendar <= 1.3.92 - Missing Authorization\n\n5.3\n\nCVSS Rating  \n**Medium (5.3)**\n\nCVE-ID  \n**CVE-2025-46247**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nAppointment Booking Calendar\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)timomangcut\n\nMore Details ><\/p>\n<p>#### Bulk Assign Linked Products For WooCommerce <= 2.1 - Missing Authorization\n\n5.3\n\nCVSS Rating  \n**Medium (5.3)**\n\nCVE-ID  \n**CVE-2025-46489**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 
24, 2025**\n\n**Affected Software**  \nBulk Assign Linked Products For WooCommerce\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/dfc42784669accf02da36cb658a6a355.jpg?s=32&#038;d=mp&#038;r=g)ch4r0n\n\nMore Details ><\/p>\n<p>#### JNews <= 11.6.5 - Missing Authorization\n\n5.3\n\nCVSS Rating  \n**Medium (5.3)**\n\nCVE-ID  \n**CVE-2025-39373**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nJNews - WordPress Newspaper Magazine Blog AMP Theme\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Ananda Dhakal\n\nMore Details ><\/p>\n<p>#### Memberpress <= 1.11.37 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure\n\n5.3\n\nCVSS Rating  \n**Medium (5.3)**\n\nCVE-ID  \n**CVE-2024-11299**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 21, 2025**\n\n**Affected Software**  \nMemberpress\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/563db10a8ff7243299139da63e0d17f7.jpg?s=32&#038;d=mp&#038;r=g)Francesco Carlucci\n\nMore Details ><\/p>\n<p>#### Prevent Direct Access \u2013 Protect WordPress Files <= 2.8.8 - Unauthenticated Sensitive Information Exposure\n\n5.3\n\nCVSS Rating  \n**Medium (5.3)**\n\nCVE-ID  \n**CVE-2025-3923**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nPrevent Direct Access \u2013 Protect WordPress Files\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/328ff846493345d2b275183f36281a9d.jpg?s=32&#038;d=mp&#038;r=g)Tom Broucke\n\nMore Details ><\/p>\n<p>#### Reales WP &#8211; Real Estate WordPress Theme <= 2.1.2 - Missing Authorization to Unauthenticated Attachment Deletion and Favorite Property Updates\n\n5.3\n\nCVSS Rating  \n**Medium (5.3)**\n\nCVE-ID  \n**CVE-2024-13307**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 23, 2025**\n\n**Affected Software**  \nReales WP - Real Estate WordPress 
Theme\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/8f9a99fa0333fc8418c837d7e0883c3b.jpg?s=32&#038;d=mp&#038;r=g)Lucio S\u00e1\n\nMore Details ><\/p>\n<p>#### Upsell Funnel Builder for WooCommerce <= 3.0.0 - Unauthenticated Order Manipulation\n\n5.3\n\nCVSS Rating  \n**Medium (5.3)**\n\nCVE-ID  \n**CVE-2025-3743**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nUpsell Funnel Builder for WooCommerce\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/fe75f0e802ed3b22dcf3fc8fa6402026.jpg?s=32&#038;d=mp&#038;r=g)p4\n\nMore Details ><\/p>\n<p>#### WP Customize Login Page <= 1.6.5 - Missing Authorization\n\n5.3\n\nCVSS Rating  \n**Medium (5.3)**\n\nCVE-ID  \n**CVE-2025-46485**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nWP Customize Login Page\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/86a1429aeb8e473ec62cf8dd3d4e4571.jpg?s=32&#038;d=mp&#038;r=g)Nabil Irawan\n\nMore Details ><\/p>\n<p>#### wProject < 5.8.0 - Missing Authorization to Unauthenticated Content Modification and Deletion\n\n5.3\n\nCVSS Rating  \n**Medium (5.3)**\n\nCVE-ID  \n**CVE-2025-39350**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nwProject\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Dave Jong\n\nMore Details ><\/p>\n<p>#### WS Form LITE \u2013 Drag &#038; Drop Contact Form Builder for WordPress <= 1.10.35 - Missing Authorization to Unauthenticated Sensitive Information Exposure\n\n5.3\n\nCVSS Rating  \n**Medium (5.3)**\n\nCVE-ID  \n**CVE-2025-3912**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nWS Form LITE \u2013 Drag &#038; Drop Contact Form Builder for WordPress\n\n**Researcher**  
\n\n\n![](https:\/\/www.gravatar.com\/avatar\/e9ce52728f69df70f9bafa79a7a6b548.jpg?s=32&#038;d=mp&#038;r=g)Amin Beheshti\n\nMore Details ><\/p>\n<p>#### Absolute Links <= 1.1.1 - Authenticated (Administrator+) SQL Injection\n\n4.9\n\nCVSS Rating  \n**Medium (4.9)**\n\nCVE-ID  \n**CVE-2025-43833**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nAbsolute Links\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)0x1ceKing\n\nMore Details ><\/p>\n<p>#### Contact Form by Bit Form <= 2.18.3 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload\n\n4.9\n\nCVSS Rating  \n**Medium (4.9)**\n\nCVE-ID  \n**CVE-2025-2580**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nContact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form &#038; Custom Contact Form builder\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/a07a4a4ddd21367fd4d51d2d3105e7ef.jpg?s=32&#038;d=mp&#038;r=g)Avraham Shemesh\n\nMore Details ><\/p>\n<p>#### iCafe Library <= 1.8.3 - Authenticated (Editor+) SQL Injection\n\n4.9\n\nCVSS Rating  \n**Medium (4.9)**\n\nCVE-ID  \n**CVE-2025-39370**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \niCafe Library\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)0x1ceKing\n\nMore Details ><\/p>\n<p>#### Message Filter for Contact Form 7 <= 1.6.3.2 - Authenticated (Administrator+) SQL Injection\n\n4.9\n\nCVSS Rating  \n**Medium (4.9)**\n\nCVE-ID  \n**CVE-2025-46252**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nMessage Filter for Contact Form 7\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/7b8cd550e860295a0dcf86632e3c79be.jpg?s=32&#038;d=mp&#038;r=g)Phat RiO - 
BlueRock\n\nMore Details ><\/p>\n<p>#### Watu Quiz <= 3.4.3 - Authenticated (Administrator+) SQL Injection\n\n4.9\n\nCVSS Rating  \n**Medium (4.9)**\n\nCVE-ID  \n**CVE-2025-46242**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nWatu Quiz\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)astra.r3verii\n\nMore Details ><\/p>\n<p>#### Blog Manager WP <= 1.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting\n\n4.4\n\nCVSS Rating  \n**Medium (4.4)**\n\nCVE-ID  \n**CVE-2025-46517**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nBlog Manager WP\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/86a1429aeb8e473ec62cf8dd3d4e4571.jpg?s=32&#038;d=mp&#038;r=g)Nabil Irawan\n\nMore Details ><\/p>\n<p>#### Business Contact Widget <= 2.7.0 - Authenticated (Administrator+) Stored Cross-Site Scripting\n\n4.4\n\nCVSS Rating  \n**Medium (4.4)**\n\nCVE-ID  \n**CVE-2025-46529**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nBusiness Contact Widget\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/86a1429aeb8e473ec62cf8dd3d4e4571.jpg?s=32&#038;d=mp&#038;r=g)Nabil Irawan\n\nMore Details ><\/p>\n<p>#### cookieBAR <= 1.7.0 - Authenticated (Administrator+) Stored Cross-Site Scripting\n\n4.4\n\nCVSS Rating  \n**Medium (4.4)**\n\nCVE-ID  \n**CVE-2025-43834**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \ncookieBAR\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/86a1429aeb8e473ec62cf8dd3d4e4571.jpg?s=32&#038;d=mp&#038;r=g)Nabil Irawan\n\nMore Details ><\/p>\n<p>#### COVID-19 (Coronavirus) Update Your Customers <= 1.5.1 - Authenticated (Administrator+) Stored Cross-Site Scripting\n\n4.4\n\nCVSS Rating  \n**Medium (4.4)**\n\nCVE-ID  \n**CVE-2025-46523**\n\nPatch Status  
\n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nCOVID-19 (Coronavirus) Update Your Customers\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/b9c98f876000c488fa1e815fe093a085.jpg?s=32&#038;d=mp&#038;r=g)Nguyen Ngoc Quang Bach (maysbachs)\n\nMore Details ><\/p>\n<p>#### Floating Social Bar <= 1.1.7 - Authenticated (Administrator+) Stored Cross-Site Scripting\n\n4.4\n\nCVSS Rating  \n**Medium (4.4)**\n\nCVE-ID  \n**CVE-2025-46451**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nFloating Social Bar\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/86a1429aeb8e473ec62cf8dd3d4e4571.jpg?s=32&#038;d=mp&#038;r=g)Nabil Irawan\n\nMore Details ><\/p>\n<p>#### Landing pages and Domain aliases for WordPress <= 0.8 - Authenticated (Administrator+) Stored Cross-Site Scripting\n\n4.4\n\nCVSS Rating  \n**Medium (4.4)**\n\nCVE-ID  \n**CVE-2025-46533**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nLanding pages and Domain aliases for WordPress\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/86a1429aeb8e473ec62cf8dd3d4e4571.jpg?s=32&#038;d=mp&#038;r=g)Nabil Irawan\n\nMore Details ><\/p>\n<p>#### MangBoard WP <= 1.8.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Board Header And Footer\n\n4.4\n\nCVSS Rating  \n**Medium (4.4)**\n\nCVE-ID  \n**CVE-2025-3435**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 23, 2025**\n\n**Affected Software**  \nMang Board WP\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/37cc74b0e1957fee81825154abeae540.jpg?s=32&#038;d=mp&#038;r=g)nquangit\n\nMore Details ><\/p>\n<p>#### Seriously Simple Podcasting <= 3.9.0 - Authenticated (Editor+) Stored Cross-Site Scripting\n\n4.4\n\nCVSS Rating  \n**Medium (4.4)**\n\nCVE-ID  \n**CVE-2025-46261**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nSeriously Simple 
Podcasting\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/15c7bc3e71963fdd7c656346bcf8b159.jpg?s=32&#038;d=mp&#038;r=g)Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc)\n\nMore Details ><\/p>\n<p>#### Textmetrics <= 3.6.2 - Authenticated (Administrator+) Stored Cross-Site Scripting\n\n4.4\n\nCVSS Rating  \n**Medium (4.4)**\n\nCVE-ID  \n**CVE-2025-46229**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nTextmetrics\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/86a1429aeb8e473ec62cf8dd3d4e4571.jpg?s=32&#038;d=mp&#038;r=g)Nabil Irawan\n\nMore Details ><\/p>\n<p>#### VForm <= 3.1.14 - Authenticated (Administrator+) Stored Cross-Site Scripting\n\n4.4\n\nCVSS Rating  \n**Medium (4.4)**\n\nCVE-ID  \n**CVE-2025-46250**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nLifetime free Drag &#038; Drop Contact Form Builder for WordPress VForm\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)0xVenus\n\nMore Details ><\/p>\n<p>#### WP Cookie Consent <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting\n\n4.4\n\nCVSS Rating  \n**Medium (4.4)**\n\nCVE-ID  \n**CVE-2025-46525**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nWP Cookie Consent\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/86a1429aeb8e473ec62cf8dd3d4e4571.jpg?s=32&#038;d=mp&#038;r=g)Nabil Irawan\n\nMore Details ><\/p>\n<p>#### WP-reCAPTCHA-bp <= 4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting\n\n4.4\n\nCVSS Rating  \n**Medium (4.4)**\n\nCVE-ID  \n**CVE-2025-46541**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nWP-reCAPTCHA-bp\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/86a1429aeb8e473ec62cf8dd3d4e4571.jpg?s=32&#038;d=mp&#038;r=g)Nabil Irawan\n\nMore Details 
><\/p>\n<p>#### WS Force Login Page <= 3.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting\n\n4.4\n\nCVSS Rating  \n**Medium (4.4)**\n\nCVE-ID  \n**CVE-2025-46521**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nWS Force Login Page\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/86a1429aeb8e473ec62cf8dd3d4e4571.jpg?s=32&#038;d=mp&#038;r=g)Nabil Irawan\n\nMore Details ><\/p>\n<p>#### Aeropage Sync for Airtable <= 3.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-3915**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nAeropage Sync for Airtable\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/305fb970257c915652a3c990285e766e.jpg?s=32&#038;d=mp&#038;r=g)Chuck\n\nMore Details ><\/p>\n<p>#### affiliate-toolkit <= 3.7.3 - Cross-Site Request Forgery\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-46231**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \naffiliate-toolkit \u2013 WP Affiliate Plugin with Amazon\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/f894d5600bcba5e947d6dde37a3cec1b.jpg?s=32&#038;d=mp&#038;r=g)stealthcopter\n\nMore Details ><\/p>\n<p>#### All in One Time Clock Lite <= 1.3.324 - Cross-Site Request Forgery\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-46513**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nAll in One Time Clock Lite \u2013 Tracking Employee Time Has Never Been Easier\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/86a1429aeb8e473ec62cf8dd3d4e4571.jpg?s=32&#038;d=mp&#038;r=g)Nabil Irawan\n\nMore Details ><\/p>\n<p>#### Author Box Plugin With Different Description <= 1.3.5 - Cross-Site Request Forgery\n\n4.3\n\nCVSS Rating  \n**Medium 
(4.3)**\n\nCVE-ID  \n**CVE-2025-39371**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nAuthor Box Plugin With Different Description\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Availability Calendar <= 0.2.4 - Cross-Site Request Forgery\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-46528**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nAvailability Calendar\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Call Now PHT Blog <= 2.4.1 - Cross-Site Request Forgery\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-46492**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nCall Now PHT Blog\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Car Park Booking System for WordPress <= 2.6 - Missing Authorization\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-39376**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nCar Park Booking System for WordPress\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Ananda Dhakal\n\nMore Details ><\/p>\n<p>#### CM Ad Changer <= 2.0.5 - Cross-Site Request Forgery\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-46245**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nCM Ad Changer \u2013 A simple tool to control and optimize your site's banners\n\n**Researcher**  
\n\n\n![](https:\/\/www.gravatar.com\/avatar\/dfc42784669accf02da36cb658a6a355.jpg?s=32&#038;d=mp&#038;r=g)ch4r0n\n\nMore Details ><\/p>\n<p>#### CM Answers <= 3.3.3 - Cross-Site Request Forgery\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-46246**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nCM Answers \u2013 Easy-to-use forum to grow your WP community\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/dfc42784669accf02da36cb658a6a355.jpg?s=32&#038;d=mp&#038;r=g)ch4r0n\n\nMore Details ><\/p>\n<p>#### Custom Login and Registration <= 1.0.0 - Missing Authorization\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-46535**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nCustom Login and Registration\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/b9c98f876000c488fa1e815fe093a085.jpg?s=32&#038;d=mp&#038;r=g)Nguyen Ngoc Quang Bach (maysbachs)\n\nMore Details ><\/p>\n<p>#### Download Alt Text AI <= 1.9.93 - Missing Authorization\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-46232**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nAlt Text AI \u2013 Automatically generate image alt text for SEO and accessibility\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/15c7bc3e71963fdd7c656346bcf8b159.jpg?s=32&#038;d=mp&#038;r=g)Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc)\n\nMore Details ><\/p>\n<p>#### Easy Child Theme Creator <= 1.3.1 - Cross-Site Request Forgery\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-39375**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nEasy Child Theme Creator\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/e37bf2a629b6924efb95f289b0a7f7e4.jpg?s=32&#038;d=mp&#038;r=g)Nguyen Xuan Chien\n\nMore Details ><\/p>\n<p>#### Hacklog 
Remote Attachment <= 1.3.2 - Cross-Site Request Forgery\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-46530**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nHacklog Remote Attachment\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Hotel + Bed and Breakfast Booking Calendar Theme | Bellevue <= 4.2.2 - Missing Authorization\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-39398**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nbellevuex\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Ananda Dhakal\n\nMore Details ><\/p>\n<p>#### Media Library Downloader <= 1.3.1 - Missing Authorization\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-46519**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nMedia Library Downloader\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/dfc42784669accf02da36cb658a6a355.jpg?s=32&#038;d=mp&#038;r=g)ch4r0n\n\nMore Details ><\/p>\n<p>#### Modern Polls <= 1.0.10 - Cross-Site Request Forgery\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-46466**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nModern Polls\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Skalucy\n\nMore Details ><\/p>\n<p>#### Navegg Analytics <= 3.3.3 - Cross-Site Request Forgery\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-46497**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nNavegg Analytics\n\n**Researcher**  
\n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### PayPal Express Checkout <= 2.1.2 - Cross-Site Request Forgery\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-46499**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nPayPal Express Checkout\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Recover abandoned cart for WooCommerce <= 2.2 - Cross-Site Request Forgery\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-46243**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nRecover abandoned cart for WooCommerce\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/dfc42784669accf02da36cb658a6a355.jpg?s=32&#038;d=mp&#038;r=g)ch4r0n\n\nMore Details ><\/p>\n<p>#### SCSS-Library <= 0.4.1 - Cross-Site Request Forgery\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-46436**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nSCSS-Library\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/e37bf2a629b6924efb95f289b0a7f7e4.jpg?s=32&#038;d=mp&#038;r=g)Nguyen Xuan Chien\n\nMore Details ><\/p>\n<p>#### Simple calendar for Elementor <= 1.6.4 - Cross-Site Request Forgery\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-46249**\n\nPatch Status  \n**Patched**\n\nPublished  \n**Apr 22, 2025**\n\n**Affected Software**  \nSimple calendar for Elementor\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)haudayroi\n\nMore Details ><\/p>\n<p>#### Smart Hashtags [#hashtagger] <= 7.2.3 - Missing Authorization\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-46470**\n\nPatch 
Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nSmart Hashtags [#hashtagger]\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)domiee13\n\nMore Details ><\/p>\n<p>#### Tabs <= 4.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-46522**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nWordPress Tabs\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/343456e443c863409724aa97bcfa6e3e.jpg?s=32&#038;d=mp&#038;r=g)johska\n\nMore Details ><\/p>\n<p>#### Unsafe Mimetypes <= 0.1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-46507**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nUnsafe Mimetypes\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/c36a7211a54c34d3d52be3b1bd8d253e.jpg?s=32&#038;d=mp&#038;r=g)lucky_buddy\n\nMore Details ><\/p>\n<p>#### Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) <= 4.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Order Information Disclosure\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-1284**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 23, 2025**\n\n**Affected Software**  \nWoocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print)\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/8f9a99fa0333fc8418c837d7e0883c3b.jpg?s=32&#038;d=mp&#038;r=g)Lucio S\u00e1\n\nMore Details ><\/p>\n<p>#### wp-cyr-cho <= 0.1 - Cross-Site Request Forgery\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-43835**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 25, 2025**\n\n**Affected Software**  \nwp-cyr-cho | 
\u041a\u043e\u043d\u0432\u0435\u0440\u0442\u0438\u0440\u0430 \u043a\u0438\u0440\u0438\u043b\u0441\u043a\u0438 \u0441\u0438\u043c\u0432\u043e\u043b\u0438 \u0432 \u043b\u0430\u0442\u0438\u043d\u0438\u0441\u043a\u0438\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/86a1429aeb8e473ec62cf8dd3d4e4571.jpg?s=32&#038;d=mp&#038;r=g)Nabil Irawan\n\nMore Details ><\/p>\n<p>#### WPVN <= 0.7.8 - Cross-Site Request Forgery\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-46462**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nWPVN \u2013 Username Changer\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)Skalucy\n\nMore Details ><\/p>\n<p>#### Zalo Official Live Chat <= 1.0.0 - Cross-Site Request Forgery\n\n4.3\n\nCVSS Rating  \n**Medium (4.3)**\n\nCVE-ID  \n**CVE-2025-46498**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 24, 2025**\n\n**Affected Software**  \nZalo Official Live Chat\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/00000000000000000000000000000000.jpg?s=32&#038;d=mp&#038;r=g)haudayroi\n\nMore Details ><\/p>\n<p>#### Buddypress Force Password Change <= 0.1 - Authenticated (Subscriber+) Account Takeover via Password Update\n\n4.2\n\nCVSS Rating  \n**Medium (4.2)**\n\nCVE-ID  \n**CVE-2025-3793**\n\nPatch Status  \n**Unpatched**\n\nPublished  \n**Apr 23, 2025**\n\n**Affected Software**  \nBuddypress Force Password Change\n\n**Researcher**  \n\n\n![](https:\/\/www.gravatar.com\/avatar\/e97952602dfd17f0532ab6202b1dd0db.jpg?s=32&#038;d=mp&#038;r=g)kr0d\n\nMore Details ><\/p>\n<p>* * *<\/p>\n<p>_As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence._<\/p>\n<p>This database is continuously updated, maintained, and populated by Wordfence\u2019s highly credentialed and 
experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.<\/p>\n<p>Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.<\/p>\n<p>The post Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025) appeared first on Wordfence.\n        <\/p><\/div>\n<\/p><\/div>\n<div class=\"impact-section\">\n<h3>Impact Assessment<\/h3>\n<table class=\"impact-table\">\n<tr>\n<th>Base Score<\/th>\n<td>9.8<\/td>\n<\/tr>\n<tr>\n<th>Severity<\/th>\n<td style=\"color: #cc0000;\">CRITICAL<\/td>\n<\/tr>\n<\/table><\/div>\n<div class=\"source-link\">\n<p><a href=\"https:\/\/www.wordfence.com\/blog\/2025\/05\/wordfence-intelligence-weekly-wordpress-vulnerability-report-april-21-2025-to-april-27-2025\/\" target=\"_blank\">View full CVE details<\/a><\/p>\n<\/p><\/div>\n<\/div>\n<style>\n.vulnerability-details {\n    font-family: Arial, sans-serif;\n    max-width: 1200px;\n    margin: 0 auto;\n    padding: 20px;\n}\n\n.info-section, .cvss-section, .cve-section, .description-section, .impact-section {\n    margin-bottom: 30px;\n    background: #f8f9fa;\n    padding: 20px;\n    border-radius: 8px;\n    box-shadow: 0 2px 4px rgba(0,0,0,0.1);\n}\n\nh2 {\n    color: #2c3e50;\n    border-bottom: 2px solid #3498db;\n    padding-bottom: 10px;\n    margin-bottom: 20px;\n}\n\nh3 {\n    color: #34495e;\n    margin-bottom: 15px;\n}\n\n.info-table, .cvss-table, .cve-table, .impact-table {\n    width: 100%;\n    border-collapse: collapse;\n    margin-bottom: 20px;\n}\n\n.info-table th, .cvss-table th, .cve-table th, .impact-table th {\n    background: #e9ecef;\n    
padding: 12px;\n    text-align: left;\n    width: 200px;\n}\n\n.info-table td, .cvss-table td, .cve-table td, .impact-table td {\n    padding: 12px;\n    border-bottom: 1px solid #dee2e6;\n}\n\n.description-content {\n    line-height: 1.6;\n    color: #2c3e50;\n}\n\n.source-link {\n    text-align: center;\n    margin-top: 30px;\n}\n\n.source-link a {\n    display: inline-block;\n    padding: 10px 20px;\n    background: #3498db;\n    color: white;\n    text-decoration: none;\n    border-radius: 5px;\n    transition: background 0.3s;\n}\n\n.source-link a:hover {\n    background: #2980b9;\n}\n<\/style>\n","protected":false},"excerpt":{"rendered":"<p>Vulnerability Details Basic Information Title Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025) Type wordfence Published 2025-05-01T15:38:37 Last Seen 2025-05-01T17:24:41&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[9,6,8,35,12,13,7,11,5,100],"class_list":["post-2551","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-security","tag-tapic","tag-vulnerability","tag-wordfence"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025) - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=2551\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Wordfence 
Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025) - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Vulnerability Details Basic Information Title Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025) Type wordfence Published 2025-05-01T15:38:37 Last Seen 2025-05-01T17:24:41...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=2551\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-02T07:14:19+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=2551#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=2551\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 
2025)\",\"datePublished\":\"2025-05-02T07:14:19+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=2551\"},\"wordCount\":1654,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.8\",\"exploit\",\"news\",\"Security\",\"tapic\",\"Vulnerability\",\"wordfence\"],\"articleSection\":[\"category_cve\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=2551#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=2551\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=2551\",\"name\":\"Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025) - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-05-02T07:14:19+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=2551#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=2551\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=2551#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero 
redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025) - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=2551","og_locale":"en_US","og_type":"article","og_title":"Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025) - zero redgem","og_description":"Vulnerability Details Basic Information Title Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025) Type wordfence Published 2025-05-01T15:38:37 Last Seen 2025-05-01T17:24:41...","og_url":"https:\/\/zero.redgem.net\/?p=2551","og_site_name":"zero redgem","article_published_time":"2025-05-02T07:14:19+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=2551#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=2551"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 
2025)","datePublished":"2025-05-02T07:14:19+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=2551"},"wordCount":1654,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.8","exploit","news","Security","tapic","Vulnerability","wordfence"],"articleSection":["category_cve"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=2551#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=2551","url":"https:\/\/zero.redgem.net\/?p=2551","name":"Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025) - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-05-02T07:14:19+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=2551#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=2551"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=2551#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025)"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero 
redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/2551","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2551"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/2551\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2551"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2551"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&p
ost=2551"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}