Cybersecurity

Overview A reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Live Sales Notification for Woocommerce – Woomotiv plugin for WordPress. This vulnerability, tracked as CVE-2025-13137, affects all versions up to and including 3.6.3. The flaw stems from insufficient input sanitization and output escaping of the ‘woomotiv_limit’ parameter. This allows unauthenticated attackers to inject … Read more

Overview CVE-2025-12721 is a medium-severity vulnerability affecting the g-FFL Cockpit WordPress plugin, versions up to and including 1.7.1. This vulnerability allows unauthenticated attackers to access sensitive server information via the /server_status REST API endpoint due to missing capability checks. This means anyone can potentially retrieve configuration details and other sensitive data about the server hosting … Read more

Overview A critical vulnerability, identified as CVE-2025-12720, has been discovered in the g-FFL Cockpit plugin for WordPress. This medium severity flaw allows unauthenticated attackers to delete arbitrary products from a WordPress site. The vulnerability stems from insecure IP-based authorization within the handle_enqueue_only() function. All versions up to, and including, 1.7.1 of the plugin are affected. … Read more

Overview A stored Cross-Site Scripting (XSS) vulnerability has been identified in the List Attachments Shortcode plugin for WordPress. This vulnerability, tracked as CVE-2025-12717, allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into WordPress pages. These scripts will execute whenever a user accesses the compromised page. All versions up to and … Read more

Overview CVE-2025-12715 details a Stored Cross-Site Scripting (XSS) vulnerability affecting the Canadian Nutrition Facts Label plugin for WordPress. This vulnerability exists in versions up to and including 3.0. Successful exploitation allows authenticated attackers with Contributor-level access or higher to inject malicious JavaScript code into the website’s database. This injected code executes when other users, including … Read more

Overview A critical security vulnerability, identified as CVE-2025-12673, has been discovered in the Flex QR Code Generator plugin for WordPress. This vulnerability allows unauthenticated attackers to upload arbitrary files to the affected server, potentially leading to remote code execution. It affects all versions up to and including 1.2.6. Technical Details The vulnerability stems from a … Read more

Overview A medium-severity vulnerability, identified as CVE-2025-12577, has been discovered in the Listar – Directory Listing & Classifieds WordPress Plugin. This flaw allows authenticated attackers with Subscriber-level access or higher to modify listing details without proper authorization. This can lead to data manipulation, potential defacement, and other malicious activities. Technical Details The vulnerability exists due … Read more

Overview CVE-2025-12574 is a security vulnerability affecting the Listar – Directory Listing & Classifieds WordPress plugin. This vulnerability allows authenticated attackers with even Subscriber-level access to delete arbitrary posts due to a missing capability check on a specific REST API endpoint. All versions of the plugin up to and including 3.0.0 are affected. Technical Details … Read more

Overview CVE-2025-12091 is a medium-severity vulnerability affecting the “Search, Filters & Merchandising for WooCommerce” plugin for WordPress. This plugin, also known as “Instant Search for WooCommerce”, is vulnerable to unauthorized data modification due to a missing capability check on the wcis_save_email endpoint. This flaw allows authenticated attackers with Subscriber-level access or higher to deactivate the … Read more

This article details a medium-severity security vulnerability, CVE-2025-13922, affecting the “Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI” plugin for WordPress. If you use this plugin, it is crucial to understand the risk and take immediate action to protect your website. Overview CVE-2025-13922 is a time-based blind SQL Injection vulnerability found in the … Read more