Overview
CVE-2025-13362 describes a Cross-Site Request Forgery (CSRF) vulnerability found in the Norby AI WordPress plugin. This vulnerability affects all versions up to and including 1.0.3. The lack of sufficient nonce validation on the settings update functionality allows unauthenticated attackers to potentially modify the plugin's settings and inject malicious web scripts. This attack requires tricking a logged-in WordPress administrator into performing an action, such as clicking a specially crafted link.
Technical Details
The Norby AI plugin's save.php file, responsible for handling settings updates, does not properly validate the presence of a nonce. A nonce (number used once) is a security…

Overview
A critical vulnerability, identified as CVE-2025-13313, has been discovered in the CRM Memberships plugin for WordPress. This flaw allows unauthenticated attackers to reset arbitrary user passwords, potentially leading to complete account takeover and unauthorized access to sensitive data. This vulnerability affects all versions up to and including version 2.5 of the plugin. Website administrators using the CRM Memberships plugin are strongly advised to take immediate action to mitigate this risk.
Technical Details
The vulnerability stems from missing authentication and authorization checks on the ntzcrm_changepassword AJAX action. An attacker can exploit this by sending a specially crafted request to the…

Overview
A significant security vulnerability, identified as CVE-2025-13312, has been discovered in the CRM Memberships plugin for WordPress. This flaw allows unauthenticated attackers to create arbitrary membership tags and potentially modify CRM configuration. The vulnerability stems from a missing capability check in the ntzcrm_add_new_tag function. All versions of the plugin up to and including version 2.5 are affected. This poses a serious risk to websites using the plugin, as attackers can leverage this vulnerability to manipulate membership management and potentially gain unauthorized access or control.
Technical Details
The vulnerability resides in the ntzcrm_add_new_tag function within the CRM Memberships plugin. Specifically,…

Overview
CVE-2025-13006 is a medium-severity vulnerability affecting the SurveyFunnel – Survey Plugin for WordPress. This vulnerability allows unauthenticated attackers to extract sensitive data from survey responses. This is due to several unprotected REST API endpoints in versions up to and including 1.1.5.
Technical Details
The vulnerability resides in the /wp-json/surveyfunnel/v2/ REST API endpoints of the SurveyFunnel plugin. Specifically, certain endpoints designed to provide survey data were not adequately protected with authentication mechanisms. This lack of authentication permits any unauthenticated user to query these endpoints and retrieve sensitive information submitted through surveys. The flawed code can be found in the class-surveyfunnel-lite-rest-api.php…

Overview
CVE-2025-12417 identifies a stored Cross-Site Scripting (XSS) vulnerability present in the SurveyFunnel – Survey Plugin for WordPress, affecting all versions up to and including 1.1.5. This flaw allows authenticated attackers with contributor-level access or higher to inject malicious JavaScript code into website pages via the plugin's 'surveyfunnel_lite_survey' shortcode. This code will then execute whenever a user visits the compromised page, potentially leading to account compromise, data theft, or other malicious activities.
Technical Details
The vulnerability stems from insufficient input sanitization and output escaping of user-supplied attributes within the 'surveyfunnel_lite_survey' shortcode. The plugin fails to properly validate and sanitize the…

Overview
CVE-2025-66542 is a unique case in the world of Common Vulnerabilities and Exposures (CVEs). Unlike typical CVEs that identify specific security flaws in software or hardware, CVE-2025-66542 is explicitly marked as "Rejected reason: Not used". This means that the CVE ID was initially assigned but was subsequently determined to be invalid, irrelevant, or otherwise not applicable to a real-world vulnerability. This article will delve into the implications of a "Not used" CVE and explain why it doesn't warrant any immediate action.
Technical Details
According to the official CVE entry, CVE-2025-66542 was published on 2025-12-05T04:16:00.993 and its description states "Rejected…

Overview
This article provides a comprehensive overview of CVE-2025-27389, a security vulnerability identified in ColorOS, the operating system developed by OPPO. This flaw relates to the verification of application installation sources. Under certain conditions, the risk detection mechanism designed to prevent the installation of malicious applications can be bypassed, potentially exposing users to security threats.
Technical Details
CVE-2025-27389 arises from an insufficient validation process during application installation in ColorOS. The vulnerability allows malicious applications to bypass the intended risk detection mechanisms. The specifics of the bypass technique are not publicly detailed but center around manipulating the apparent source or integrity…

Overview
A critical vulnerability, identified as CVE-2025-13066, has been discovered in the Demo Importer Plus plugin for WordPress. This vulnerability affects all versions up to and including 2.0.6. It allows authenticated attackers with author-level access or higher to upload arbitrary files to the affected WordPress site's server. This can lead to remote code execution and complete compromise of the website.
Technical Details
The vulnerability stems from insufficient file type validation when handling WXR files. The plugin fails to properly sanitize file names and extensions during the import process. Specifically, it does not adequately detect or prevent the upload of files…

Overview
A Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-12804, has been discovered in the Booking Calendar plugin for WordPress. This vulnerability affects all versions up to and including 10.14.6. It allows authenticated attackers with contributor-level access or higher to inject malicious JavaScript code into WordPress pages using the 'bookingcalendar' shortcode. This injected code can then execute whenever a user visits the affected page, potentially leading to account compromise or other malicious activities.
Technical Details
The vulnerability stems from insufficient input sanitization and output escaping of user-supplied attributes within the 'bookingcalendar' shortcode. Specifically, attackers can inject malicious JavaScript code within…

Overview
CVE-2025-11759 identifies a Cross-Site Request Forgery (CSRF) vulnerability affecting the "Backup, Restore and Migrate your sites with XCloner" plugin for WordPress. This vulnerability exists in versions up to and including 4.8.2. By exploiting this flaw, unauthenticated attackers can potentially modify FTP backup configurations and exfiltrate sensitive website data. This is achieved by tricking a site administrator into performing an unintended action, such as clicking a malicious link.
Technical Details
The vulnerability stems from missing or insufficient nonce validation within the Xcloner_Remote_Storage:save() function. Nonces are cryptographic tokens designed to prevent CSRF attacks. The absence of proper nonce validation allows an…