Overview CVE-2025-66090 identifies a DOM-Based Cross-Site Scripting (XSS) vulnerability affecting the SKT Skill Bar WordPress plugin. This flaw allows attackers to inject malicious scripts into web pages viewed by users, potentially leading to data theft, session hijacking, or defacement of the website. The vulnerability exists in versions 2.5 and earlier of the plugin. Technical Details The SKT Skill Bar plugin suffers from an Improper Neutralization of Input During Web Page Generation, specifically a DOM-Based XSS vulnerability. This means the injected script is executed in the user’s browser as a result of the way the plugin handles input and dynamically modifies…

Overview CVE-2025-66089 identifies a missing authorization vulnerability within the WebToffee Product Feed for WooCommerce plugin. This vulnerability, categorized as “Exploiting Incorrectly Configured Access Control Security Levels,” allows unauthorized users to potentially access or modify sensitive data or functionalities. The affected versions of the plugin are up to and including version 2.3.1. Technical Details The root cause of CVE-2025-66089 is a failure to properly validate user permissions before granting access to certain features or data within the WebToffee Product Feed for WooCommerce plugin. Specifically, the plugin does not adequately verify if the user initiating an action has the necessary privileges to…

Overview A critical security vulnerability, identified as CVE-2025-66087, has been discovered in the Property Hive WordPress plugin. This vulnerability, classified as a Missing Authorization issue, allows attackers to potentially exploit incorrectly configured access control security levels. Specifically, versions of Property Hive up to and including 2.1.12 are affected. This could lead to unauthorized access to sensitive data or functionality within the plugin. Technical Details CVE-2025-66087 stems from a flaw in how the Property Hive plugin manages user permissions and access control. The specific functions or areas vulnerable are related to insufficient authorization checks before allowing users (or attackers) to perform…

Overview This article details a critical security vulnerability, identified as CVE-2025-66086, affecting the SMS Alert Order Notifications WordPress plugin. This vulnerability, a Missing Authorization issue, allows for potential Exploiting Incorrectly Configured Access Control Security Levels. The affected versions range from n/a through version 3.8.8. Technical Details The vulnerability stems from a lack of proper authorization checks within the SMS Alert Order Notifications plugin. This means that certain functionalities, such as accessing or modifying order notification settings, may be accessible to unauthorized users or roles if incorrectly configured. An attacker could potentially exploit this flaw to manipulate SMS notifications, potentially leading…

Overview This article details CVE-2025-66084, a critical vulnerability discovered in the FluentCommunity WordPress plugin. Specifically, the vulnerability is a missing authorization flaw that allows for Exploiting Incorrectly Configured Access Control Security Levels. This vulnerability affects versions of FluentCommunity from n/a through 2.0.0. Exploitation of this vulnerability could lead to unauthorized access to sensitive data and functionality within the WordPress site. Technical Details CVE-2025-66084 stems from a lack of proper authorization checks within the FluentCommunity plugin. This means that the plugin fails to adequately verify if a user has the necessary permissions to perform certain actions. As a result, an attacker…

Overview CVE-2025-66083 is a missing authorization vulnerability found in the WpEvently (mage-eventpress) WordPress plugin, affecting versions up to and including 5.0.4. This vulnerability allows attackers to exploit incorrectly configured access control security levels, potentially leading to unauthorized access and modification of event data or other sensitive information. This could result in data breaches or defacement of the event system. While the CVSS score is currently unavailable, the potential impact can be significant. Technical Details The vulnerability stems from a lack of proper authorization checks within the plugin’s code. This means that certain actions or functionalities that should be restricted to…

Overview This article details CVE-2025-66082, a Missing Authorization (Broken Access Control) vulnerability discovered in the WpEvently (mage-eventpress) plugin for WordPress. This vulnerability allows attackers to potentially exploit incorrectly configured access control security levels, granting them unauthorized access or privileges. The affected versions are WpEvently up to and including version 5.0.4. Technical Details CVE-2025-66082 stems from inadequate authorization checks within the WpEvently plugin. Specifically, certain functionalities lack proper validation to ensure that users have the necessary permissions to perform specific actions. This could lead to an attacker, even with low privileges, potentially accessing or modifying sensitive data, or executing privileged functions…

Overview A stored Cross-Site Scripting (XSS) vulnerability has been identified in the Head Meta Data WordPress plugin, affecting versions up to and including 20250327. This vulnerability, tracked as CVE-2025-66081, allows attackers to inject malicious scripts into web pages through improperly neutralized input during web page generation. By exploiting this flaw, attackers can potentially compromise user accounts, redirect users to malicious websites, or deface the affected website. Technical Details The vulnerability resides in how the Head Meta Data plugin handles user-supplied input. Specifically, the plugin fails to properly sanitize or encode input before it is displayed on a web page. An…

Overview This article analyzes CVE-2025-66079, a critical security vulnerability affecting the Gutenverse Form WordPress plugin. Specifically, a Missing Authorization vulnerability exists, allowing attackers to potentially exploit incorrectly configured access control security levels. This can lead to unauthorized data access, modification, or deletion. The vulnerability impacts versions of Gutenverse Form up to and including 2.2.0. Technical Details CVE-2025-66079 stems from a lack of proper authorization checks within the Gutenverse Form plugin. This Missing Authorization vulnerability in Jegstudio Gutenverse Form gutenverse-form allows Exploiting Incorrectly Configured Access Control Security Levels. Without adequate validation, users can potentially bypass intended access restrictions and perform actions…

Overview CVE-2025-66077 identifies a critical security vulnerability affecting the Legal Pages plugin for WordPress, developed by wpWax. This vulnerability, classified as a Missing Authorization issue, allows for Exploiting Incorrectly Configured Access Control Security Levels, potentially leading to unauthorized access or modification of sensitive data. The affected versions of the Legal Pages plugin are from n/a through version 1.4.6. Technical Details The vulnerability stems from a lack of proper authorization checks within the Legal Pages plugin. This means that users with insufficient privileges could potentially bypass access controls and perform actions that are normally restricted to administrators or other authorized personnel.…