Overview CVE-2025-13515 is a security vulnerability affecting the Nouri.sh Newsletter plugin for WordPress. Specifically, it’s a Reflected Cross-Site Scripting (XSS) vulnerability present in all versions up to and including 1.0.1.3. This flaw allows unauthenticated attackers to potentially inject malicious JavaScript code into web pages that are then executed in a user’s browser, given the user is tricked into interacting with a crafted link. Technical Details The vulnerability stems from insufficient input sanitization and output escaping within the plugin’s code. The `$_SERVER[‘PHP_SELF’]` parameter is used without proper validation. This allows an attacker to craft a URL containing malicious JavaScript code. When…

Overview A critical SQL Injection vulnerability, identified as CVE-2025-12850, has been discovered in the My Auctions Allegro plugin for WordPress. This vulnerability affects all versions up to and including 3.6.32. Unauthenticated attackers can exploit this flaw to inject malicious SQL queries, potentially leading to sensitive data extraction from the WordPress database. Immediate action is required to update the plugin and mitigate the risk. Technical Details The vulnerability stems from insufficient escaping of the auction_id parameter and a lack of proper preparation in the existing SQL query within the My Auctions Allegro plugin. An attacker can manipulate the auction_id parameter to…

Overview A critical vulnerability, identified as CVE-2025-12374, has been discovered in the “Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification” plugin for WordPress. This flaw allows unauthenticated attackers to bypass the login process and gain access to accounts, potentially including administrator accounts, without providing a valid One-Time Password (OTP). Technical Details The vulnerability resides in the user_verification_form_wrap_process_otpLogin function of the plugin. Versions up to and including 2.0.39 are affected. The core issue is the lack of proper validation to ensure that an OTP was actually generated before comparing it against user-submitted input.…

Overview CVE-2025-12373 details a Cross-Site Request Forgery (CSRF) vulnerability affecting the Torod – The smart shipping and delivery portal for e-shops and retailers plugin for WordPress. All versions up to and including version 1.9 are affected. This flaw allows an unauthenticated attacker to potentially modify the plugin’s settings by tricking a site administrator into performing an unintended action, such as clicking a malicious link. Technical Details The vulnerability resides within the save_settings function of the Torod plugin. The core issue is the absence of proper nonce validation. Nonces are cryptographic tokens designed to prevent CSRF attacks by ensuring that requests…

Overview CVE-2025-12355 identifies a medium-severity vulnerability affecting the Payaza WordPress plugin, versions up to and including 0.3.8. This flaw allows unauthenticated attackers to modify order statuses due to a missing capability check on the wp_ajax_nopriv_update_order_status AJAX endpoint. This means anyone can potentially change the status of orders processed through your website without needing any valid user credentials. This can lead to significant disruptions and potential fraud. Technical Details The vulnerability lies within the wp_ajax_nopriv_update_order_status AJAX action, which is intended to be used to update the status of orders. Due to the lack of proper authentication checks (specifically, a missing capability…

Overview CVE-2025-12354 is a medium-severity security vulnerability affecting the Live CSS Preview WordPress plugin. This flaw allows authenticated attackers with Subscriber-level access (or higher) to modify the plugin’s CSS settings. This can lead to potential defacement of the website, CSS injection attacks, or other malicious activities leveraging the altered CSS. Technical Details The vulnerability lies in the lack of a proper capability check on the wp_ajax_frontend_save AJAX endpoint. Specifically, versions up to and including 2.0.0 of the Live CSS Preview plugin do not verify if the user attempting to access and utilize this endpoint possesses the necessary privileges to modify…

Overview CVE-2025-12186 identifies a Stored Cross-Site Scripting (XSS) vulnerability within the Weekly Planner plugin for WordPress. This flaw affects versions up to and including 1.0. The vulnerability allows authenticated attackers with administrator-level permissions (or above) to inject malicious JavaScript code into the plugin’s settings. This injected script will then execute whenever a user accesses a page or area where the plugin renders these compromised settings. Crucially, this vulnerability primarily affects multi-site WordPress installations and single-site installations where the unfiltered_html capability has been disabled. Technical Details The root cause of this vulnerability lies in the insufficient input sanitization and output escaping…

Overview A significant security vulnerability, identified as CVE-2025-12093, has been discovered in the Voidek Employee Portal plugin for WordPress. This vulnerability allows unauthenticated attackers to perform actions such as registering accounts, deleting users, and modifying details within the employee portal. This poses a serious risk to the security and integrity of websites utilizing the affected plugin. Technical Details CVE-2025-12093 stems from a missing capability check on several AJAX actions within the Voidek Employee Portal plugin. Specifically, versions up to and including 1.0.6 are vulnerable. The lack of proper authentication checks means that attackers can bypass normal access controls and directly…

This article provides a detailed analysis of CVE-2025-66270, a medium severity vulnerability affecting KDE Connect and related applications. Understanding this vulnerability is crucial for users and administrators to ensure the security of their systems. Overview CVE-2025-66270 describes a flaw in the KDE Connect protocol 8 where device IDs are not properly correlated across different packets. This can potentially lead to security issues due to the inability to reliably identify and verify the source of communication. This vulnerability affects various implementations of KDE Connect, including the desktop version, iOS and Android apps, as well as GSConnect and Valent. Technical Details The…

Overview CVE-2025-32900 is a medium severity vulnerability affecting the KDE Connect information-exchange protocol. This vulnerability allows an attacker to craft a malicious packet that can temporarily change the displayed information about a device connected to the KDE Connect network. This is possible due to the use of broadcast UDP for communication within the KDE Connect protocol. The vulnerability affects various KDE Connect implementations across different platforms. Technical Details The vulnerability stems from the way KDE Connect utilizes broadcast UDP for device discovery and information exchange. An attacker on the same network can send a specially crafted UDP packet that mimics…