Overview: CVE-2025-66106 identifies a Missing Authorization vulnerability in the Featured Post Creative WordPress plugin. The flaw, categorized as “Exploiting Incorrectly Configured Access Control Security Levels,” allows an attacker to bypass intended access restrictions and perform actions the plugin should have refused. Affected versions range from n/a up to and including 1.5.5. Technical Details: The vulnerability stems from a lack of authorization checks within the plugin. Specifically, certain functionality or endpoints do not verify the caller’s capabilities before acting on the request. An attacker with low privileges, or in some cases no account at all, could manipulate requests…
-
Overview: CVE-2025-66101 identifies a Missing Authorization vulnerability (a form of Broken Access Control) in the CBX Bookmark & Favorite WordPress plugin. The flaw allows an attacker to bypass intended restrictions and potentially read or modify user data without authorization. Affected versions: up to and including 2.0.1. Technical Details: The vulnerability arises from improperly configured access control within the plugin. Specifically, certain bookmark and favorite management functions lack sufficient authorization checks, so an attacker with low privileges (or, in some cases, none at all) could potentially perform…
-
Overview: CVE-2025-66099 describes a Missing Authorization (Broken Access Control) vulnerability in the Chat Help WordPress plugin. The flaw allows an attacker to bypass intended access restrictions and perform actions they are not authorized for, leading to unauthorized data access or modification. Affected versions: n/a through 3.1.3. Technical Details: The vulnerability stems from incorrectly configured access control security levels within the plugin. Specifically, the plugin fails to verify the caller’s permissions before granting access to certain functionality or data. This could, for instance, allow unauthorized users to view…
-
Overview: CVE-2025-66098 details a Stored Cross-Site Scripting (XSS) vulnerability in the Travelers’ Map WordPress plugin. An attacker can save script content into the plugin’s stored data, and that script is then executed in the browsers of other users who view the affected page. Affected versions: 2.3.2 and earlier. Technical Details: The vulnerability stems from improper neutralization of input during web page generation. Specifically, the plugin fails to escape user-supplied data before rendering it into the page, which allows an attacker to inject arbitrary JavaScript through fields or settings within…
-
Overview: CVE-2025-66097 describes a Cross-Site Request Forgery (CSRF) vulnerability in the I Order Terms WordPress plugin, versions up to and including 1.5.0. The flaw allows an attacker to make an authenticated user’s browser perform unintended actions on a WordPress site, such as changing settings or performing administrative tasks, without that user’s knowledge or consent. Technical Details: The I Order Terms plugin, developed by Igor Jerosimić, lacks proper CSRF protection (a nonce check on state-changing requests), so certain plugin actions can be triggered by a crafted HTTP request. An attacker exploits this by luring a logged-in administrator (or other…
-
Overview: CVE-2025-66096 describes a Missing Authorization vulnerability in the Table Block by Tableberg plugin for WordPress (slug: tableberg). The flaw lets an attacker exploit incorrectly configured access control security levels, leading to unauthorized access to and manipulation of data. Affected versions: up to and including 0.6.9. Technical Details: The vulnerability stems from a lack of authorization checks within the plugin, meaning that certain functionality, such as creating, modifying, or deleting tables, may not be protected against unauthorized users. An attacker could leverage this flaw to bypass…
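The four Missing Authorization entries above (CVE-2025-66106, CVE-2025-66101, CVE-2025-66099, CVE-2025-66096) and the CSRF entry (CVE-2025-66097) share one root cause pattern in WordPress plugins: a request handler that acts without checking who is calling or whether the request was intentionally sent. The following is an added illustration, not code from any of the plugins listed on this page. It uses a hypothetical admin-ajax.php handler; the `example_` prefix, the action name and the delete operation are invented for the example.

```php
<?php
// Added illustration, not code from any plugin listed on this page.
// Hypothetical admin-ajax.php handler; all "example_" names are invented.

// --- Vulnerable pattern (missing authorization + no CSRF protection).
// wp_ajax_nopriv_* fires for unauthenticated visitors; wp_ajax_* fires for any
// logged-in user, including subscribers. Neither a capability nor a nonce is checked.
add_action( 'wp_ajax_example_delete_item', 'example_delete_item_vulnerable' );
add_action( 'wp_ajax_nopriv_example_delete_item', 'example_delete_item_vulnerable' );

function example_delete_item_vulnerable() {
    $id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0;
    wp_delete_post( $id, true ); // any caller can delete any post by id
    wp_send_json_success();
}

// --- Hardened pattern: nonce check (CSRF) and capability check (authorization).
// No wp_ajax_nopriv_ hook is registered, so unauthenticated requests never reach it.
add_action( 'wp_ajax_example_delete_item_v2', 'example_delete_item_hardened' );

function example_delete_item_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action and this user.
    //    check_ajax_referer() terminates with HTTP 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_delete_item', 'nonce' );

    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;

    // 2. Authorization: check the capability for this specific object. is_user_logged_in()
    //    is not an authorization check; a subscriber is logged in but may not delete posts.
    if ( ! $id || ! current_user_can( 'delete_post', $id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $deleted = wp_delete_post( $id, true );
    if ( ! $deleted ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }
    wp_send_json_success( array( 'id' => $id ) );
}

// The nonce the front end must send is minted server-side when the admin script is enqueued.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_delete_item' ),
    ) );
} );
```

The two checks are independent and both are needed: a nonce alone stops CSRF but still lets any low-privileged account with a valid nonce call the handler, and a capability check alone still lets a crafted cross-site form drive an administrator’s browser. The same rule applies to REST routes registered with `register_rest_route()`, where a `permission_callback` of `__return_true` on a state-changing route is the missing-authorization bug in another form.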
-
Overview: A critical SQL Injection vulnerability, identified as CVE-2025-66095, has been discovered in the KiviCare clinic management system WordPress plugin. The flaw allows an attacker to execute arbitrary SQL against the site’s database, leading to disclosure, modification, or deletion of sensitive data. Affected versions: up to and including 3.6.13. Technical Details: CVE-2025-66095 stems from improper neutralization of special elements used in an SQL command. Specifically, the plugin incorporates user-supplied input into SQL queries without parameterizing or escaping it, which lets a malicious actor alter the structure of the query, bypassing intended security measures and…
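In a WordPress plugin the usual path to this bug class is string-building a query for `$wpdb` instead of binding values with `$wpdb->prepare()`. The following is an added illustration, not KiviCare’s code; the table, columns and `example_` function names are invented for the example.

```php
<?php
// Added illustration, not KiviCare's code. Table, columns and function names are invented.

// Vulnerable: the search term is concatenated into the query, so a value such as
// "' OR 1=1 -- " changes the query's structure instead of being matched as data.
function example_find_appointments_vulnerable( $search ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_appointments';
    $sql   = "SELECT id, patient_name FROM {$table} WHERE patient_name LIKE '%{$search}%'";
    return $wpdb->get_results( $sql );
}

// Hardened: $wpdb->prepare() binds the value as data. For LIKE, esc_like() escapes
// % and _ inside the user value so they cannot widen the match, and the literal
// wildcards are added outside the user-controlled string.
function example_find_appointments_hardened( $search, $limit = 50 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_appointments';
    $like  = '%' . $wpdb->esc_like( $search ) . '%';
    $sql   = $wpdb->prepare(
        "SELECT id, patient_name FROM {$table} WHERE patient_name LIKE %s LIMIT %d",
        $like,
        absint( $limit )
    );
    return $wpdb->get_results( $sql );
}

// Identifiers (table and column names) cannot be bound with %s. When a column name
// comes from the request (e.g. a sort parameter), allow-list it rather than interpolating it.
function example_list_sorted( $orderby ) {
    global $wpdb;
    $allowed = array( 'id', 'patient_name', 'appointment_date' );
    if ( ! in_array( $orderby, $allowed, true ) ) {
        $orderby = 'id';
    }
    $table = $wpdb->prefix . 'example_appointments';
    return $wpdb->get_results( "SELECT id, patient_name FROM {$table} ORDER BY {$orderby} ASC" );
}
```

Note that `sanitize_text_field()` and `esc_sql()` on their own do not fix the first function: the former does not touch quotes, and the latter only helps when the escaped value is placed inside quotes in the query. Binding with `prepare()` is the check a reviewer should look for; on WordPress 6.2 and later the `%i` placeholder can also bind identifiers, which removes the need for the manual allow-list in the last function.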
-
Overview: CVE-2025-66093 identifies a DOM-Based Cross-Site Scripting (XSS) vulnerability in the “Extensions for Leaflet Map” WordPress plugin. Affected versions: up to and including 4.8. Exploitation allows an attacker to run script in the affected pages, potentially leading to account compromise, data theft, or other malicious activity. Technical Details: The vulnerability lies in improper neutralization of input during web page generation, specifically a DOM-Based XSS flaw: the payload does not need to pass through the server to be executed, because the plugin’s client-side JavaScript reads attacker-controlled input from the page environment and writes it into the DOM unsafely. The plugin’s JavaScript…
-
Overview: A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Accordion Slider WordPress plugin. Tracked as CVE-2025-66092, it allows an attacker to save JavaScript into the plugin’s settings or content, which is then executed in the browsers of other users who visit the affected site. Affected versions: up to and including 1.9.13. Technical Details: CVE-2025-66092 is an Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability. The plugin fails to escape user-supplied data when rendering slider titles, descriptions, or other configurable fields into the page. An…
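Both stored XSS entries on this page (CVE-2025-66098 in Travelers’ Map and CVE-2025-66092 in Accordion Slider) describe plugin settings or content fields that reach the page without output escaping. The following is an added illustration, not code from either plugin; the option names and `example_` function names are invented for the example.

```php
<?php
// Added illustration, not code from Travelers' Map or Accordion Slider.
// Option and function names are invented for this example.

// Saving: sanitizing on input is not sufficient on its own. sanitize_text_field()
// strips tags and control characters but keeps quotes and angle brackets that are
// harmless in the database and dangerous in HTML; the deciding step is escaping
// for the output context at render time.
function example_save_slide( $raw_title, $raw_link ) {
    update_option( 'example_slide_title', sanitize_text_field( wp_unslash( $raw_title ) ) );
    update_option( 'example_slide_link', sanitize_text_field( wp_unslash( $raw_link ) ) );
}

// Vulnerable render: stored values are printed raw into an attribute, a URL and text.
// A title of  "><img src=x onerror=alert(1)>  or a link of  javascript:alert(1)  executes.
function example_render_slide_vulnerable() {
    $title = get_option( 'example_slide_title', '' );
    $link  = get_option( 'example_slide_link', '' );
    return '<div class="slide" title="' . $title . '"><a href="' . $link . '">' . $title . '</a></div>';
}

// Hardened render: one escaping function per output context.
function example_render_slide_hardened() {
    $title = get_option( 'example_slide_title', '' );
    $link  = get_option( 'example_slide_link', '' );
    return sprintf(
        '<div class="slide" title="%1$s"><a href="%2$s">%3$s</a></div>',
        esc_attr( $title ), // HTML attribute context
        esc_url( $link ),   // URL context: drops javascript: and other non-allow-listed schemes
        esc_html( $title )  // HTML text context
    );
}

// Where limited markup is intentionally allowed (a description with <strong>, <em>, <a>),
// filter to an explicit allow-list instead of escaping everything.
function example_render_description( $stored_html ) {
    $allowed = array(
        'a'      => array( 'href' => array(), 'title' => array() ),
        'strong' => array(),
        'em'     => array(),
    );
    return wp_kses( $stored_html, $allowed );
}
```

The practical check when reviewing a plugin is to follow each stored field to every place it is echoed and confirm the escaping function matches the context there (attribute, URL, text, or inline script via `wp_json_encode()`); a single `echo $title` in a template is enough to reproduce the bug class described above.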
-
Overview: This article details CVE-2025-66091, a DOM-Based Cross-Site Scripting (XSS) vulnerability affecting the Stylish Cost Calculator WordPress plugin. The flaw allows an attacker to cause script to run in web pages viewed by users, potentially leading to data theft, session hijacking, or website defacement. Affected versions: up to and including 8.1.5. Technical Details: CVE-2025-66091 is a DOM-Based XSS vulnerability, meaning the payload is not reflected by the server; instead, the plugin’s client-side JavaScript reads attacker-influenced input and writes it into the page without neutralizing it. The plugin improperly neutralizes user-supplied input during the generation of web pages,…