Overview CVE-2025-13863 identifies a Stored Cross-Site Scripting (XSS) vulnerability present in the RevInsite plugin for WordPress. This vulnerability affects all versions up to, and including, 1.1.0. It allows authenticated attackers with Contributor-level access or higher to inject malicious JavaScript code into pages via the vulnerable `token` parameter. When a user visits a page containing the … Read more
Overview CVE-2025-13857 identifies a Stored Cross-Site Scripting (XSS) vulnerability affecting the “Yet Another WebClap for WordPress” plugin. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject malicious JavaScript code into WordPress pages or posts. This code will then execute whenever a user views the affected page, potentially leading to account compromise, data … Read more
Overview A Stored Cross-Site Scripting (XSS) vulnerability has been discovered in the Extra Post Images plugin for WordPress. This vulnerability, identified as CVE-2025-13856, affects all versions up to and including 1.0. Exploitation of this vulnerability can allow attackers with Contributor-level access or higher to inject malicious JavaScript code into pages. This code will then execute … Read more
Overview This blog post details a critical security vulnerability, identified as CVE-2025-13666, affecting the Helloprint plugin for WordPress. This vulnerability allows unauthenticated attackers to modify WooCommerce order statuses, potentially leading to significant business disruption and financial loss. Technical Details CVE-2025-13666 is a Missing Authorization vulnerability present in versions of the Helloprint plugin up to and … Read more
Overview A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Cute News Ticker plugin for WordPress. This vulnerability, tracked as CVE-2025-13656, affects all versions up to, and including, 1.0. The flaw allows authenticated attackers with Contributor-level access or higher to inject malicious JavaScript code into WordPress pages and posts. This injected code can … Read more
Overview A medium-severity security vulnerability, identified as CVE-2025-13629, has been discovered in the WP Landing Page plugin for WordPress. This vulnerability affects all versions up to, and including, 0.9.3. It stems from a Cross-Site Request Forgery (CSRF) flaw within the plugin’s code, specifically related to the lack of nonce validation in the wplp_api_update_text function. This … Read more
Overview CVE-2025-13626 describes a reflected Cross-Site Scripting (XSS) vulnerability found in the myLCO WordPress plugin. This vulnerability affects all versions up to and including 0.8.1. It stems from insufficient input sanitization and output escaping of the $_SERVER[‘PHP_SELF’] parameter. This allows unauthenticated attackers to inject arbitrary web scripts into vulnerable pages. Technical Details The vulnerability exists … Read more
Overview CVE-2025-13358 is a medium-severity security vulnerability affecting the Accessiy By CodeConfig Accessibility plugin for WordPress, versions up to and including 1.0.0. This vulnerability allows authenticated attackers with Subscriber-level access or higher to create arbitrary published pages on the WordPress site without proper authorization. This can lead to defacement, spam injection, or other malicious activities. … Read more
Overview CVE-2025-13309 details an authorization bypass vulnerability found in the “Accessiy By CodeConfig Accessibility – Easy One-Click Accessibility Toolbar That Truly Matters” WordPress plugin. Affecting versions up to and including 1.0.0, this vulnerability allows authenticated attackers with subscriber-level access (or higher) to modify the plugin’s global accessibility settings. This is due to insufficient authorization checks … Read more
Overview A reflected Cross-Site Scripting (XSS) vulnerability has been discovered in the Application Passwords plugin for WordPress. This vulnerability, identified as CVE-2025-13308, affects all versions up to and including 0.1.3. Unauthenticated attackers can exploit this vulnerability by injecting arbitrary web scripts into the ‘reject_url’ parameter, which will execute when a user interacts with a specific … Read more