CVE-2025-11453 (GCVE-0-2025-11453)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 11:15
Title
Header and Footer Scripts <= 2.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The Header and Footer Scripts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _inpost_head_script parameter in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | | |
|---|---|---|---|---|
| anand_kumar | Header and Footer Scripts | Affected: *, ≤ 2.2.2 (semver) | | |
Credits
Powpy
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Header and Footer Scripts",
"vendor": "anand_kumar",
"versions": [
{
"lessThanOrEqual": "2.2.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Powpy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Header and Footer Scripts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _inpost_head_script parameter in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:36.142Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d658e087-8cc7-4653-af3c-407b6f73fb7b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/header-and-footer-scripts/tags/2.2.2/shfs.php#L119"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-25T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-08T21:20:03.000+00:00",
"value": "Disclosed"
}
],
"title": "Header and Footer Scripts \u003c= 2.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11453",
"datePublished": "2026-01-09T11:15:36.142Z",
"dateReserved": "2025-10-07T17:26:44.860Z",
"dateUpdated": "2026-01-09T11:15:36.142Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13862 (GCVE-0-2025-13862)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 11:15
Title
Menu Card <= 0.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Summary
The Menu Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `category` parameter in all versions up to, and including, 0.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | | |
|---|---|---|---|---|
| furqan-khanzada | Menu Card | Affected: *, ≤ 0.8.0 (semver) | | |
Credits
Youcef Hamdani
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Menu Card",
"vendor": "furqan-khanzada",
"versions": [
{
"lessThanOrEqual": "0.8.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Youcef Hamdani"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Menu Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `category` parameter in all versions up to, and including, 0.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:35.321Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cec428cd-0fa1-4bc4-b7f6-faf90c31f306?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/menu-card/trunk/menu-card.php#L102"
},
{
"url": "https://plugins.trac.wordpress.org/browser/menu-card/tags/0.8.0/menu-card.php#L102"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:22:42.000+00:00",
"value": "Disclosed"
}
],
"title": "Menu Card \u003c= 0.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13862",
"datePublished": "2026-01-09T11:15:35.321Z",
"dateReserved": "2025-12-01T21:06:33.942Z",
"dateUpdated": "2026-01-09T11:15:35.321Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13908 (GCVE-0-2025-13908)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 11:15
Title
The Tooltip <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Summary
The The Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'the_tooltip' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | | |
|---|---|---|---|---|
| alobaidi | The Tooltip | Affected: *, ≤ 1.0.2 (semver) | | |
Credits
Gilang Asra Bilhadi
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "The Tooltip",
"vendor": "alobaidi",
"versions": [
{
"lessThanOrEqual": "1.0.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gilang Asra Bilhadi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The The Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027the_tooltip\u0027 shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:35.698Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d2bac05e-ecd0-427b-90a0-6cf78175cd19?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/the-tooltip/trunk/the-tooltip.php#L92"
},
{
"url": "https://plugins.trac.wordpress.org/browser/the-tooltip/tags/1.0.2/the-tooltip.php#L92"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:20:51.000+00:00",
"value": "Disclosed"
}
],
"title": "The Tooltip \u003c= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13908",
"datePublished": "2026-01-09T11:15:35.698Z",
"dateReserved": "2025-12-02T16:44:05.173Z",
"dateUpdated": "2026-01-09T11:15:35.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14172 (GCVE-0-2025-14172)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 11:15
Title
WP Page Permalink Extension <= 1.5.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Rewrite Rules Flush
Summary
The WP Page Permalink Extension plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.4. This is due to missing authorization checks on the `cwpp_trigger_flush_rewrite_rules` function hooked to `wp_ajax_cwpp_trigger_flush_rewrite_rules`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to flush the site's rewrite rules via the `action` parameter.
Severity ?
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | | |
|---|---|---|---|---|
| infosatech | WP Page Permalink Extension | Affected: *, ≤ 1.5.4 (semver) | | |
Credits
Abhirup Konwar
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Page Permalink Extension",
"vendor": "infosatech",
"versions": [
{
"lessThanOrEqual": "1.5.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abhirup Konwar"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Page Permalink Extension plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.4. This is due to missing authorization checks on the `cwpp_trigger_flush_rewrite_rules` function hooked to `wp_ajax_cwpp_trigger_flush_rewrite_rules`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to flush the site\u0027s rewrite rules via the `action` parameter."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:34.916Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c5ba37d7-8fde-4ee3-93db-d2459da34bc4?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/change-wp-page-permalinks/trunk/change-wp-page-permalinks.php#L188"
},
{
"url": "https://plugins.trac.wordpress.org/browser/change-wp-page-permalinks/tags/1.5.4/change-wp-page-permalinks.php#L188"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:56:04.000+00:00",
"value": "Disclosed"
}
],
"title": "WP Page Permalink Extension \u003c= 1.5.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Rewrite Rules Flush"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14172",
"datePublished": "2026-01-09T11:15:34.916Z",
"dateReserved": "2025-12-05T22:12:02.972Z",
"dateUpdated": "2026-01-09T11:15:34.916Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13704 (GCVE-0-2025-13704)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 11:15
Title
Autogen Headers Menu <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'head_class' Shortcode Parameter
Summary
The Autogen Headers Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head_class' parameter of the 'autogen_menu' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | | |
|---|---|---|---|---|
| amirshk | Autogen Headers Menu | Affected: *, ≤ 1.0.1 (semver) | | |
Credits
Youcef Hamdani
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Autogen Headers Menu",
"vendor": "amirshk",
"versions": [
{
"lessThanOrEqual": "1.0.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Youcef Hamdani"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Autogen Headers Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027head_class\u0027 parameter of the \u0027autogen_menu\u0027 shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:34.128Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a63bf106-78cf-441b-a1b3-77ec1cf6c22b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/autogen-headers-menu/trunk/index.php#L115"
},
{
"url": "https://plugins.trac.wordpress.org/browser/autogen-headers-menu/tags/1.0.1/index.php#L115"
},
{
"url": "https://plugins.trac.wordpress.org/browser/autogen-headers-menu/trunk/index.php#L53"
},
{
"url": "https://plugins.trac.wordpress.org/browser/autogen-headers-menu/tags/1.0.1/index.php#L53"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:56:23.000+00:00",
"value": "Disclosed"
}
],
"title": "Autogen Headers Menu \u003c= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027head_class\u0027 Shortcode Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13704",
"datePublished": "2026-01-09T11:15:34.128Z",
"dateReserved": "2025-11-25T21:45:09.181Z",
"dateUpdated": "2026-01-09T11:15:34.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13717 (GCVE-0-2025-13717)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 11:15
Title
Contact Form vCard Generator <= 2.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'wp-gvc-cf-download-id' Parameter
Summary
The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive Contact Form 7 submission data via the 'wp-gvc-cf-download-id' parameter, including names, phone numbers, email addresses, and messages.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | | |
|---|---|---|---|---|
| ashishajani | Contact Form vCard Generator | Affected: *, ≤ 2.4 (semver) | | |
Credits
Sopon Tangpathum (SoNaJaa)
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Contact Form vCard Generator",
"vendor": "ashishajani",
"versions": [
{
"lessThanOrEqual": "2.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sopon Tangpathum (SoNaJaa)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027wp_gvccf_check_download_request\u0027 function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive Contact Form 7 submission data via the \u0027wp-gvc-cf-download-id\u0027 parameter, including names, phone numbers, email addresses, and messages."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:34.501Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bdde4399-af90-4528-92a4-5176dfa5e453?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/trunk/includes/wp-gvc-cf-settings.php#L13"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/tags/2.4/includes/wp-gvc-cf-settings.php#L13"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/trunk/includes/wp-gvc-cf-settings.php#L105"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contact-form-vcard-generator/tags/2.4/includes/wp-gvc-cf-settings.php#L105"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:36:46.000+00:00",
"value": "Disclosed"
}
],
"title": "Contact Form vCard Generator \u003c= 2.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via \u0027wp-gvc-cf-download-id\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13717",
"datePublished": "2026-01-09T11:15:34.501Z",
"dateReserved": "2025-11-25T21:54:45.575Z",
"dateUpdated": "2026-01-09T11:15:34.501Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13897 (GCVE-0-2025-13897)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 11:15
Title
Client Testimonial Slider <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'aft_testimonial_meta_name' Metabox Field
Summary
The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aft_testimonial_meta_name' custom field in the Client Information metabox in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected administrative page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | | |
|---|---|---|---|---|
| amu02aftab | Client Testimonial Slider | Affected: *, ≤ 2.0 (semver) | | |
Credits
Muhammad Yudha - DJ
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Client Testimonial Slider",
"vendor": "amu02aftab",
"versions": [
{
"lessThanOrEqual": "2.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027aft_testimonial_meta_name\u0027 custom field in the Client Information metabox in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected administrative page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:33.126Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5bf12608-4e02-4b3a-9363-991dca5ee11b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-client-testimonial/trunk/wp-client-testimonial.php#L117"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-client-testimonial/tags/2.0/wp-client-testimonial.php#L117"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:37:12.000+00:00",
"value": "Disclosed"
}
],
"title": "Client Testimonial Slider \u003c= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027aft_testimonial_meta_name\u0027 Metabox Field"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13897",
"datePublished": "2026-01-09T11:15:33.126Z",
"dateReserved": "2025-12-02T16:11:34.987Z",
"dateUpdated": "2026-01-09T11:15:33.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13892 (GCVE-0-2025-13892)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 11:15
Title
MG AdvancedOptions <= 1.2 - Reflected Cross-Site Scripting
Summary
The MG AdvancedOptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | | |
|---|---|---|---|---|
| mountaingrafix | MG AdvancedOptions | Affected: *, ≤ 1.2 (semver) | | |
Credits
Abdulsamad Yusuf
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MG AdvancedOptions",
"vendor": "mountaingrafix",
"versions": [
{
"lessThanOrEqual": "1.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abdulsamad Yusuf"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MG AdvancedOptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER[\u0027PHP_SELF\u0027]` variable in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:33.718Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/86358a01-bf69-4a7f-8b78-a0d42d362d96?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mg-advancedoptions/trunk/mg-advancedoptions/MG_AdvancedOptions.php#L96"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mg-advancedoptions/trunk/mg-advancedoptions/MG_AdvancedOptions.php#L58"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:35:53.000+00:00",
"value": "Disclosed"
}
],
"title": "MG AdvancedOptions \u003c= 1.2 - Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13892",
"datePublished": "2026-01-09T11:15:33.718Z",
"dateReserved": "2025-12-02T15:36:54.355Z",
"dateUpdated": "2026-01-09T11:15:33.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13854 (GCVE-0-2025-13854)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 11:15
Title
Curved Text <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Summary
The Curved Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'radius' parameter of the arctext shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | | |
|---|---|---|---|---|
| soniz | Curved Text | Affected: *, ≤ 0.1 (semver) | | |
Credits
Gilang Asra Bilhadi
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Curved Text",
"vendor": "soniz",
"versions": [
{
"lessThanOrEqual": "0.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gilang Asra Bilhadi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Curved Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027radius\u0027 parameter of the arctext shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:32.678Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/48514fdb-20c6-4a7f-8f60-e532ddd8853e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/curved-text/trunk/curved-text.php#L32"
},
{
"url": "https://plugins.trac.wordpress.org/browser/curved-text/tags/0.1/curved-text.php#L32"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:22:18.000+00:00",
"value": "Disclosed"
}
],
"title": "Curved Text \u003c= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13854",
"datePublished": "2026-01-09T11:15:32.678Z",
"dateReserved": "2025-12-01T20:23:34.658Z",
"dateUpdated": "2026-01-09T11:15:32.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13701 (GCVE-0-2025-13701)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 11:15
Title
Shabat Keeper <= 0.4.4 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
Summary
The Shabat Keeper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 0.4.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | | |
|---|---|---|---|---|
| beshkin | Shabat Keeper | Affected: *, ≤ 0.4.4 (semver) | | |
Credits
Abdulsamad Yusuf
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Shabat Keeper",
"vendor": "beshkin",
"versions": [
{
"lessThanOrEqual": "0.4.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abdulsamad Yusuf"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Shabat Keeper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER[\u0027PHP_SELF\u0027] parameter in all versions up to, and including, 0.4.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:32.224Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3aa73be6-0836-4540-8a80-e1da34c0ee0d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/shabat-keeper/trunk/shabat-keeper.php#L148"
},
{
"url": "https://plugins.trac.wordpress.org/browser/shabat-keeper/tags/0.4.4/shabat-keeper.php#L148"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:55:43.000+00:00",
"value": "Disclosed"
}
],
"title": "Shabat Keeper \u003c= 0.4.4 - Reflected Cross-Site Scripting via $_SERVER[\u0027PHP_SELF\u0027]"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13701",
"datePublished": "2026-01-09T11:15:32.224Z",
"dateReserved": "2025-11-25T21:40:55.256Z",
"dateUpdated": "2026-01-09T11:15:32.224Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13967 (GCVE-0-2025-13967)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 11:15
Title
Woodpecker for WordPress <= 3.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'form_name' Shortcode Attribute
Summary
The Woodpecker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_name' parameter of the [woodpecker-connector] shortcode in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| woodpeckerleadform | Woodpecker for WordPress | Affected: *, ≤ 3.0.4 (semver) |
Credits
Gilang Asra Bilhadi
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Woodpecker for WordPress",
"vendor": "woodpeckerleadform",
"versions": [
{
"lessThanOrEqual": "3.0.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gilang Asra Bilhadi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Woodpecker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027form_name\u0027 parameter of the [woodpecker-connector] shortcode in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:31.734Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1d99c8a8-daeb-402b-990d-6bacf6e9a780?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woodpecker/trunk/public/class-wfw-public.php#L109"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woodpecker/tags/3.0.4/public/class-wfw-public.php#L109"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woodpecker/trunk/public/partials/wfw-public-shortcode.php#L39"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woodpecker/tags/3.0.4/public/partials/wfw-public-shortcode.php#L39"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:54:57.000+00:00",
"value": "Disclosed"
}
],
"title": "Woodpecker for WordPress \u003c= 3.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027form_name\u0027 Shortcode Attribute"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13967",
"datePublished": "2026-01-09T11:15:31.734Z",
"dateReserved": "2025-12-03T15:28:00.300Z",
"dateUpdated": "2026-01-09T11:15:31.734Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13852 (GCVE-0-2025-13852)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 11:15
Title
Debt.com Business in a Box <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Summary
The Debt.com Business in a Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'configuration' parameter of the lead_form shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| debtcom | Debt.com Business in a Box | Affected: *, ≤ 4.1.0 (semver) |
Credits
Youcef Hamdani
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Debt.com Business in a Box",
"vendor": "debtcom",
"versions": [
{
"lessThanOrEqual": "4.1.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Youcef Hamdani"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Debt.com Business in a Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027configuration\u0027 parameter of the lead_form shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:31.249Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1bb58556-29be-4272-85fc-bb2b7c72abf4?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/debtcom-business-in-a-box/trunk/inc/bib_form.php#L256"
},
{
"url": "https://plugins.trac.wordpress.org/browser/debtcom-business-in-a-box/tags/4.1.0/inc/bib_form.php#L256"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:36:17.000+00:00",
"value": "Disclosed"
}
],
"title": "Debt.com Business in a Box \u003c= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13852",
"datePublished": "2026-01-09T11:15:31.249Z",
"dateReserved": "2025-12-01T20:20:30.422Z",
"dateUpdated": "2026-01-09T11:15:31.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13893 (GCVE-0-2025-13893)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 11:15
Title
Lesson Plan Book <= 1.3 - Reflected Cross-Site Scripting
Summary
The Lesson Plan Book plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| burtrw | Lesson Plan Book | Affected: *, ≤ 1.3 (semver) |
Credits
Abdulsamad Yusuf
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Lesson Plan Book",
"vendor": "burtrw",
"versions": [
{
"lessThanOrEqual": "1.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abdulsamad Yusuf"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Lesson Plan Book plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER[\u0027PHP_SELF\u0027]` variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:30.823Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/18696937-5cc5-4e14-940d-fc25468377a3?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L719"
},
{
"url": "https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L1776"
},
{
"url": "https://plugins.trac.wordpress.org/browser/lesson-plan-book/trunk/lesson.php#L1910"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:37:35.000+00:00",
"value": "Disclosed"
}
],
"title": "Lesson Plan Book \u003c= 1.3 - Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13893",
"datePublished": "2026-01-09T11:15:30.823Z",
"dateReserved": "2025-12-02T15:38:02.335Z",
"dateUpdated": "2026-01-09T11:15:30.823Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13903 (GCVE-0-2025-13903)
Vulnerability from cvelistv5 – Published: 2026-01-09 11:15 – Updated: 2026-01-09 11:15
Title
PullQuote <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Summary
The PullQuote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pullquote' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Credits
Gilang Asra Bilhadi
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PullQuote",
"vendor": "ctietze",
"versions": [
{
"lessThanOrEqual": "1.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gilang Asra Bilhadi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PullQuote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027pullquote\u0027 shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T11:15:30.170Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0a0ee752-7fc4-46d3-9e0f-8b9317b0ea72?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pullquote/trunk/includes/core.php#L12"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pullquote/tags/1.0/includes/core.php#L12"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:54:08.000+00:00",
"value": "Disclosed"
}
],
"title": "PullQuote \u003c= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13903",
"datePublished": "2026-01-09T11:15:30.170Z",
"dateReserved": "2025-12-02T16:34:18.320Z",
"dateUpdated": "2026-01-09T11:15:30.170Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13895 (GCVE-0-2025-13895)
Vulnerability from cvelistv5 – Published: 2026-01-09 09:19 – Updated: 2026-01-09 09:19
Title
Top Position Google Finance <= 0.1.0 - Reflected Cross-Site Scripting
Summary
The Top Position Google Finance plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| top-position | Top Position Google Finance | Affected: *, ≤ 0.1.0 (semver) |
Credits
Abdulsamad Yusuf
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Top Position Google Finance",
"vendor": "top-position",
"versions": [
{
"lessThanOrEqual": "0.1.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abdulsamad Yusuf"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Top Position Google Finance plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER[\u0027PHP_SELF\u0027]` variable in all versions up to, and including, 0.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T09:19:48.081Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fcbf81f8-8b33-4b83-91fb-626b7b5f3bb2?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/top-position-google-finance/trunk/top-position-google-finance.php#L78"
},
{
"url": "https://plugins.trac.wordpress.org/browser/top-position-google-finance/trunk/top-position-google-finance.php#L56"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:19:22.000+00:00",
"value": "Disclosed"
}
],
"title": "Top Position Google Finance \u003c= 0.1.0 - Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13895",
"datePublished": "2026-01-09T09:19:48.081Z",
"dateReserved": "2025-12-02T15:40:16.609Z",
"dateUpdated": "2026-01-09T09:19:48.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13853 (GCVE-0-2025-13853)
Vulnerability from cvelistv5 – Published: 2026-01-09 09:19 – Updated: 2026-01-09 09:19
Title
Nearby Now Reviews <= 5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Summary
The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data_tech' parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| lnbadmin1 | Nearby Now Reviews | Affected: *, ≤ 5.2 (semver) |
Credits
Gilang Asra Bilhadi
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Nearby Now Reviews",
"vendor": "lnbadmin1",
"versions": [
{
"lessThanOrEqual": "5.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gilang Asra Bilhadi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027data_tech\u0027 parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T09:19:47.232Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8dc991ea-0d00-4734-9b9a-5af759e83540?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/nearby-now-reviews/trunk/nn-reviews.php#L160"
},
{
"url": "https://plugins.trac.wordpress.org/browser/nearby-now-reviews/tags/5.2/nn-reviews.php#L160"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:19:01.000+00:00",
"value": "Disclosed"
}
],
"title": "Nearby Now Reviews \u003c= 5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13853",
"datePublished": "2026-01-09T09:19:47.232Z",
"dateReserved": "2025-12-01T20:21:37.258Z",
"dateUpdated": "2026-01-09T09:19:47.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13900 (GCVE-0-2025-13900)
Vulnerability from cvelistv5 – Published: 2026-01-09 09:19 – Updated: 2026-01-09 09:19
Title
WP Popup Magic <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute
Summary
The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the [wppum_end] shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| themelocation | WP Popup Magic | Affected: *, ≤ 1.0.0 (semver) |
Credits
Muhammad Yudha - DJ
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Popup Magic",
"vendor": "themelocation",
"versions": [
{
"lessThanOrEqual": "1.0.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027name\u0027 parameter of the [wppum_end] shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T09:19:47.637Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c11a5f07-de89-47ec-a92e-2adc75965648?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wppopupmagic/trunk/class-wppum-frontend.php#L622"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wppopupmagic/tags/1.0.0/class-wppum-frontend.php#L622"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:19:37.000+00:00",
"value": "Disclosed"
}
],
"title": "WP Popup Magic \u003c= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027name\u0027 Shortcode Attribute"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13900",
"datePublished": "2026-01-09T09:19:47.637Z",
"dateReserved": "2025-12-02T16:15:13.624Z",
"dateUpdated": "2026-01-09T09:19:47.637Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13729 (GCVE-0-2025-13729)
Vulnerability from cvelistv5 – Published: 2026-01-09 09:19 – Updated: 2026-01-09 09:19
Title
Entry Views <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Summary
The Entry Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'entry-views' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| greenshady | Entry Views | Affected: *, ≤ 1.0.0 (semver) |
Credits
Muhammad Yudha - DJ
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Entry Views",
"vendor": "greenshady",
"versions": [
{
"lessThanOrEqual": "1.0.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Entry Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027entry-views\u0027 shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T09:19:46.607Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e7e9fcc-804a-46a8-95cd-b358ba7681ec?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/entry-views/tags/1.0.0/inc/shortcodes.php#L25"
},
{
"url": "https://plugins.trac.wordpress.org/browser/entry-views/tags/1.0.0/inc/shortcodes.php#L36"
},
{
"url": "https://plugins.trac.wordpress.org/browser/entry-views/tags/1.0.0/inc/template.php#L35"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T21:18:42.000+00:00",
"value": "Disclosed"
}
],
"title": "Entry Views \u003c= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13729",
"datePublished": "2026-01-09T09:19:46.607Z",
"dateReserved": "2025-11-25T23:26:23.223Z",
"dateUpdated": "2026-01-09T09:19:46.607Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0627 (GCVE-0-2026-0627)
Vulnerability from cvelistv5 – Published: 2026-01-09 08:20 – Updated: 2026-01-09 08:20
Title
AMP for WP <= 1.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG File Upload
Summary
The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| mohammed_kaludi | AMP for WP – Accelerated Mobile Pages | Affected: *, ≤ 1.1.10 (semver) |
Credits
andrea bocchetti
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "AMP for WP \u2013 Accelerated Mobile Pages",
"vendor": "mohammed_kaludi",
"versions": [
{
"lessThanOrEqual": "1.1.10",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "andrea bocchetti"
}
],
"descriptions": [
{
"lang": "en",
"value": "The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `\u003cscript\u003e` tags while allowing other XSS vectors such as event handlers (onload, onerror, onmouseover), foreignObject elements, and SVG animation attributes. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via malicious SVG file uploads that will execute whenever a user views the uploaded file."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T08:20:46.258Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ed23318-3b47-4336-a3aa-6b09f3911926?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/trunk/templates/features.php#L10373"
},
{
"url": "https://plugins.trac.wordpress.org/browser/accelerated-mobile-pages/tags/1.1.10/templates/features.php#L10373"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3434946/accelerated-mobile-pages/trunk/templates/features.php?old=3426181\u0026old_path=accelerated-mobile-pages%2Ftrunk%2Ftemplates%2Ffeatures.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T19:34:15.000+00:00",
"value": "Disclosed"
}
],
"title": "AMP for WP \u003c= 1.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via SVG File Upload"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0627",
"datePublished": "2026-01-09T08:20:46.258Z",
"dateReserved": "2026-01-05T22:04:46.579Z",
"dateUpdated": "2026-01-09T08:20:46.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14657 (GCVE-0-2025-14657)
Vulnerability from cvelistv5 – Published: 2026-01-09 07:22 – Updated: 2026-01-09 07:22
Title
Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) <= 4.0.51 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via 'post_settings'
Summary
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
Severity ?
7.2 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| arraytics | Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) |
Affected:
* , ≤ 4.0.51
(semver)
|
Credits
Sarawut Poolkhet
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Eventin \u2013 Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered)",
"vendor": "arraytics",
"versions": [
{
"lessThanOrEqual": "4.0.51",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sarawut Poolkhet"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Eventin \u2013 Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027post_settings\u0027 function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the \u0027etn_primary_color\u0027 setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T07:22:12.728Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e4188b26-80f8-41b8-be19-1ddcbd7e39f5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/base/Enqueue/register.php?old=3390273\u0026old_path=wp-event-solution%2Ftrunk%2Fbase%2FEnqueue%2Fregister.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/base/api-handler.php?old=3390273\u0026old_path=wp-event-solution%2Ftrunk%2Fbase%2Fapi-handler.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3429942/wp-event-solution/trunk/core/event/api.php?old=3390273\u0026old_path=wp-event-solution%2Ftrunk%2Fcore%2Fevent%2Fapi.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-11T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-12-13T12:42:56.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-08T18:45:19.000+00:00",
"value": "Disclosed"
}
],
"title": "Eventin \u2013 Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) \u003c= 4.0.51 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via \u0027post_settings\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14657",
"datePublished": "2026-01-09T07:22:12.728Z",
"dateReserved": "2025-12-13T12:25:43.872Z",
"dateUpdated": "2026-01-09T07:22:12.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13753 (GCVE-0-2025-13753)
Vulnerability from cvelistv5 – Published: 2026-01-09 07:22 – Updated: 2026-01-09 07:22
Title
WP Table Builder <= 2.0.19 - Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Table Creation
Summary
The WP Table Builder – Drag & Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the save_table() function in all versions up to, and including, 2.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new wptb-table posts.
Severity ?
4.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wptb | WP Table Builder – Drag & Drop Table Builder |
Affected:
* , ≤ 2.0.19
(semver)
|
Credits
Dmitrii Ignatyev
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Table Builder \u2013 Drag \u0026 Drop Table Builder",
"vendor": "wptb",
"versions": [
{
"lessThanOrEqual": "2.0.19",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Table Builder \u2013 Drag \u0026 Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the save_table() function in all versions up to, and including, 2.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new wptb-table posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T07:22:12.280Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/95f49080-2263-4f6d-9372-30137efd8e10?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3432381/wp-table-builder"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-01T18:20:23.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-08T18:58:47.000+00:00",
"value": "Disclosed"
}
],
"title": "WP Table Builder \u003c= 2.0.19 - Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Table Creation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13753",
"datePublished": "2026-01-09T07:22:12.280Z",
"dateReserved": "2025-11-26T18:34:46.579Z",
"dateUpdated": "2026-01-09T07:22:12.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13934 (GCVE-0-2025-13934)
Vulnerability from cvelistv5 – Published: 2026-01-09 07:22 – Updated: 2026-01-09 07:22
Title
Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Course Enrollment Bypass
Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_enrollment()` AJAX handler. This makes it possible for authenticated attackers, with subscriber level access and above, to enroll themselves in any course without going through the proper purchase flow.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| themeum | Tutor LMS – eLearning and online course solution |
Affected:
* , ≤ 3.9.3
(semver)
|
Credits
Supakiad S.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS \u2013 eLearning and online course solution",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "3.9.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Supakiad S."
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_enrollment()` AJAX handler. This makes it possible for authenticated attackers, with subscriber level access and above, to enroll themselves in any course without going through the proper purchase flow."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T07:22:11.542Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5de212c9-5c2e-4713-b1ce-022dd84520c3?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/classes/Course.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-19T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-12-02T22:38:03.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-08T18:43:50.000+00:00",
"value": "Disclosed"
}
],
"title": "Tutor LMS \u2013 eLearning and online course solution \u003c= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Course Enrollment Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13934",
"datePublished": "2026-01-09T07:22:11.542Z",
"dateReserved": "2025-12-02T22:22:20.669Z",
"dateUpdated": "2026-01-09T07:22:11.542Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14741 (GCVE-0-2025-14741)
Vulnerability from cvelistv5 – Published: 2026-01-09 07:22 – Updated: 2026-01-09 07:22
Title
Frontend Admin by DynamiApps <= 3.28.25 - Missing Authorization to Unauthenticated Arbitrary Data Deletion via 'delete post' Form Element
Summary
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts. Because the action requires no authentication and the deletable objects include user accounts, operators of affected sites should check for unexpected deletions (including of privileged accounts) and restore from backup where needed; the referenced source link points at the capability check in tag 3.28.26, which appears to be the fixed release.
Severity ?
9.1 (Critical)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| shabti | Frontend Admin by DynamiApps |
Affected:
* , ≤ 3.28.25
(semver)
|
Credits
andrea bocchetti
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Frontend Admin by DynamiApps",
"vendor": "shabti",
"versions": [
{
"lessThanOrEqual": "3.28.25",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "andrea bocchetti"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the \u0027delete_object\u0027 function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T07:22:11.168Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53adbab6-953a-4a6f-bbfc-89efdbdd28e0?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.26/main/frontend/fields/general/class-delete-object.php?marks=106,119,132,142#L106"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-12T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-12-15T19:25:39.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-08T18:45:51.000+00:00",
"value": "Disclosed"
}
],
"title": "Frontend Admin by DynamiApps \u003c= 3.28.25 - Missing Authorization to Unauthenticated Arbitrary Data Deletion via \u0027delete post\u0027 Form Element"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14741",
"datePublished": "2026-01-09T07:22:11.168Z",
"dateReserved": "2025-12-15T19:08:42.013Z",
"dateUpdated": "2026-01-09T07:22:11.168Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13935 (GCVE-0-2025-13935)
Vulnerability from cvelistv5 – Published: 2026-01-09 07:22 – Updated: 2026-01-09 07:22
Title
Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Course Completion
Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_complete' function. This makes it possible for authenticated attackers, with subscriber level access and above, to mark any course as completed. Note: this record's title states "<= 3.9.3" while its affected-version range and description state 3.9.2; the companion Tutor LMS advisories fixed in the same changeset (3422766) list 3.9.3 as the last affected version, so treat 3.9.3 as potentially affected until confirmed against the vendor changelog.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| themeum | Tutor LMS – eLearning and online course solution |
Affected:
* , ≤ 3.9.2
(semver)
|
Credits
Supakiad S.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS \u2013 eLearning and online course solution",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "3.9.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Supakiad S."
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the \u0027mark_course_complete\u0027 function. This makes it possible for authenticated attackers, with subscriber level access and above, to mark any course as completed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T07:22:11.913Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7b8b111a-9626-41f4-8a13-51f576af0257?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/classes/Course.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-19T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-12-02T22:38:12.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-08T18:44:27.000+00:00",
"value": "Disclosed"
}
],
"title": "Tutor LMS \u2013 eLearning and online course solution \u003c= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Course Completion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13935",
"datePublished": "2026-01-09T07:22:11.913Z",
"dateReserved": "2025-12-02T22:22:21.248Z",
"dateUpdated": "2026-01-09T07:22:11.913Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14937 (GCVE-0-2025-14937)
Vulnerability from cvelistv5 – Published: 2026-01-09 07:22 – Updated: 2026-01-09 07:22
Title
Frontend Admin by DynamiApps <= 3.28.23 - Unauthenticated Stored Cross-Site Scripting via 'update_field'
Summary
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| shabti | Frontend Admin by DynamiApps |
Affected:
* , ≤ 3.28.23
(semver)
|
Credits
Paolo Tresso
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Frontend Admin by DynamiApps",
"vendor": "shabti",
"versions": [
{
"lessThanOrEqual": "3.28.23",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Paolo Tresso"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027acff\u0027 parameter in the \u0027frontend_admin/forms/update_field\u0027 AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T07:22:10.363Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46c988ff-9cc5-4f2b-a3dd-06eaef5a7919?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3427236/acf-frontend-form-element"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-15T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-12-18T21:31:38.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-08T18:46:31.000+00:00",
"value": "Disclosed"
}
],
"title": "Frontend Admin by DynamiApps \u003c= 3.28.23 - Unauthenticated Stored Cross-Site Scripting via \u0027update_field\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14937",
"datePublished": "2026-01-09T07:22:10.363Z",
"dateReserved": "2025-12-18T21:15:38.790Z",
"dateUpdated": "2026-01-09T07:22:10.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13628 (GCVE-0-2025-13628)
Vulnerability from cvelistv5 – Published: 2026-01-09 07:22 – Updated: 2026-01-09 07:22
Title
Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon Modification
Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| themeum | Tutor LMS – eLearning and online course solution |
Affected:
* , ≤ 3.9.3
(semver)
|
Credits
Supakiad S.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS \u2013 eLearning and online course solution",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "3.9.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Supakiad S."
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the \u0027bulk_action_handler\u0027 and \u0027coupon_permanent_delete\u0027 functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T07:22:10.781Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46f71f7b-7326-47b6-a23a-68a40f5bb56b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/ecommerce/CouponController.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-15T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-11-24T21:55:21.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-08T19:03:12.000+00:00",
"value": "Disclosed"
}
],
"title": "Tutor LMS \u2013 eLearning and online course solution \u003c= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13628",
"datePublished": "2026-01-09T07:22:10.781Z",
"dateReserved": "2025-11-24T21:38:45.491Z",
"dateUpdated": "2026-01-09T07:22:10.781Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14146 (GCVE-0-2025-14146)
Vulnerability from cvelistv5 – Published: 2026-01-09 07:22 – Updated: 2026-01-09 07:22
Title
Booking Calendar <= 10.14.10 - Unauthenticated Sensitive Information Exposure
Summary
The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is because nonce verification on that action is disabled by default (the `booking_is_nonce_at_front_end` option is `'Off'` by default). When the `booking_is_show_popover_in_timeline_front_end` option is enabled (the default in demo installations, and enableable by administrators), unauthenticated attackers can extract sensitive booking data including customer names, email addresses, phone numbers, and booking details. Note that a nonce is a CSRF token rather than an access control, so enabling front-end nonce checks should not be relied on as the sole mitigation; update to a fixed release and review whether the popover option is needed.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpdevelop | Booking Calendar |
Affected:
* , ≤ 10.14.10
(semver)
|
Credits
Filippo Decortes
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Booking Calendar",
"vendor": "wpdevelop",
"versions": [
{
"lessThanOrEqual": "10.14.10",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Filippo Decortes"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the nonce verification being conditionally disabled by default (`booking_is_nonce_at_front_end` option is `\u0027Off\u0027` by default). When the `booking_is_show_popover_in_timeline_front_end` option is enabled (which is the default in demo installations and can be enabled by administrators), it is possible for unauthenticated attackers to extract sensitive booking data including customer names, email addresses, phone numbers, and booking details."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T07:22:09.760Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/281a1c0e-bbd8-4cf6-94ca-b888c7d7e3af?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/core/lib/wpbc-ajax.php#L29"
},
{
"url": "https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/includes/_functions/nonce_func.php#L33"
},
{
"url": "https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/core/wpbc-activation.php#L572"
},
{
"url": "https://plugins.trac.wordpress.org/browser/booking/tags/10.14.8/core/timeline/v2/wpbc-class-timeline_v2.php#L3187"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3434934%40booking%2Ftrunk\u0026old=3432649%40booking%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file2"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-05T19:07:36.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-08T19:08:54.000+00:00",
"value": "Disclosed"
}
],
"title": "Booking Calendar \u003c= 10.14.10 - Unauthenticated Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14146",
"datePublished": "2026-01-09T07:22:09.760Z",
"dateReserved": "2025-12-05T18:52:20.067Z",
"dateUpdated": "2026-01-09T07:22:09.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14574 (GCVE-0-2025-14574)
Vulnerability from cvelistv5 – Published: 2026-01-09 06:34 – Updated: 2026-01-09 06:34
Title
weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot <= 2.1.15 - Unauthenticated Sensitive Information Exposure
Summary
The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data, including third-party service API keys. Because the endpoint is reachable without authentication, any API keys stored in the plugin settings while an affected version was deployed should be treated as potentially exposed and rotated after updating.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wedevs | weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot |
Affected:
* , ≤ 2.1.15
(semver)
|
Credits
German
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki \u0026 AI Chatbot",
"vendor": "wedevs",
"versions": [
{
"lessThanOrEqual": "2.1.15",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "German"
}
],
"descriptions": [
{
"lang": "en",
"value": "The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including third party services API keys."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T06:34:56.372Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cbca3d1e-0985-43d3-855e-eee07715f670?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/wedocs/tags/2.1.15\u0026new_path=/wedocs/tags/2.1.16#file12"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-11T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-12-12T12:40:05.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-08T17:31:31.000+00:00",
"value": "Disclosed"
}
],
"title": "weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki \u0026 AI Chatbot \u003c= 2.1.15 - Unauthenticated Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14574",
"datePublished": "2026-01-09T06:34:56.372Z",
"dateReserved": "2025-12-12T12:23:59.405Z",
"dateUpdated": "2026-01-09T06:34:56.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15055 (GCVE-0-2025-15055)
Vulnerability from cvelistv5 – Published: 2026-01-09 06:34 – Updated: 2026-01-09 06:34
Title
SlimStat Analytics <= 5.3.4 - Unauthenticated Stored Cross-Site Scripting via 'notes/resource' Parameters
Summary
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the Recent Custom Events report.
Severity ?
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| veronalabs | SlimStat Analytics |
Affected:
* , ≤ 5.3.4
(semver)
|
Credits
Supakiad S.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SlimStat Analytics",
"vendor": "veronalabs",
"versions": [
{
"lessThanOrEqual": "5.3.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Supakiad S."
}
],
"descriptions": [
{
"lang": "en",
"value": "The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027notes\u0027 and \u0027resource\u0027 parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the Recent Custom Events report."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T06:34:55.531Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/afbfabfc-b923-4fe9-9e8f-0cf159f488db?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3429990/wp-slimstat"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-19T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-12-23T19:29:25.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-08T17:59:23.000+00:00",
"value": "Disclosed"
}
],
"title": "SlimStat Analytics \u003c= 5.3.4 - Unauthenticated Stored Cross-Site Scripting via \u0027notes/resource\u0027 Parameters"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-15055",
"datePublished": "2026-01-09T06:34:55.531Z",
"dateReserved": "2025-12-23T15:41:39.208Z",
"dateUpdated": "2026-01-09T06:34:55.531Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14893 (GCVE-0-2025-14893)
Vulnerability from cvelistv5 – Published: 2026-01-09 06:34 – Updated: 2026-01-09 06:34
Title
IndieWeb <= 4.0.5 - Authenticated (Author+) Stored Cross-Site Scripting via 'Telephone' Parameter
Summary
The IndieWeb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Telephone' parameter in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Credits
Tharadol Suksamran
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "IndieWeb",
"vendor": "indieweb",
"versions": [
{
"lessThanOrEqual": "4.0.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tharadol Suksamran"
}
],
"descriptions": [
{
"lang": "en",
"value": "The IndieWeb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027Telephone\u0027 parameter in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T06:34:55.949Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b29f0fea-a2db-4b2e-b7b8-d15b2395e9e6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3423983/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-17T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-12-19T16:15:07.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-08T17:50:29.000+00:00",
"value": "Disclosed"
}
],
"title": "IndieWeb \u003c= 4.0.5 - Authenticated (Author+) Stored Cross-Site Scripting via \u0027Telephone\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14893",
"datePublished": "2026-01-09T06:34:55.949Z",
"dateReserved": "2025-12-18T15:50:45.191Z",
"dateUpdated": "2026-01-09T06:34:55.949Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}