Urgent: Critical Vulnerability Exploitable in All-in-One Video Gallery Plugin!

Overview A high-severity vulnerability, identified as CVE-2025-12966, has been discovered in the All-in-One Video Gallery plugin for WordPress. This vulnerability allows authenticated attackers with Author-level access or higher to upload arbitrary files to the affected WordPress server. Successful exploitation of this vulnerability can lead to remote code execution, potentially compromising the entire website. This article …

Urgent: Unauthenticated XSS Threat in Rich Shortcodes for Google Reviews Plugin (CVE-2025-12499)

Overview A critical Stored Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-12499, has been discovered in the Rich Shortcodes for Google Reviews plugin for WordPress. This vulnerability affects all versions up to and including 6.8. It allows unauthenticated attackers to inject malicious JavaScript code into pages through manipulated Google review content, potentially compromising user accounts and …

Fluent Forms Under Fire: CVE-2025-13748 Exposes Submission Data to Unauthenticated Attackers

Overview CVE-2025-13748 identifies a security vulnerability within the Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress. Specifically, it’s an Insecure Direct Object Reference (IDOR) flaw that allows unauthenticated attackers to potentially mark arbitrary form submissions as failed. This affects versions up to and including 6.1.7 of the Fluent …

Urgent Security Alert: Critical Arbitrary Folder Deletion Vulnerability in 10Web Booster Plugin (CVE-2025-13377)

Published: 2025-12-06 Overview A critical vulnerability, identified as CVE-2025-13377, has been discovered in the 10Web Booster – Website speed optimization, Cache & Page Speed optimizer plugin for WordPress. This vulnerability allows authenticated attackers with Subscriber-level access (or higher) to delete arbitrary folders on the server. This can lead to significant data loss and a denial-of-service …

CVE-2025-14117: Critical CSRF Vulnerability Discovered in fit2cloud Halo 2.21.10

Overview A Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2025-14117, has been discovered in fit2cloud Halo version 2.21.10. This vulnerability allows an attacker to potentially execute unauthorized actions on behalf of an authenticated user. The vendor was notified but did not respond. Technical Details The vulnerability resides in an unspecified function within fit2cloud Halo 2.21.10. …

CSS3 Buttons Plugin XSS Vulnerability: Are You at Risk? (CVE-2025-13907)

Overview CVE-2025-13907 is a Stored Cross-Site Scripting (XSS) vulnerability found in the CSS3 Buttons plugin for WordPress. This vulnerability affects all versions up to and including 0.1. It allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into WordPress pages. These scripts will execute whenever a user accesses the compromised page, …

CVE-2025-13899: TR Timthumb Plugin XSS Vulnerability – Secure Your WordPress Site Now!

Overview A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the TR Timthumb WordPress plugin. Designated as CVE-2025-13899, this flaw affects all versions up to and including 1.0.4. The vulnerability stems from inadequate sanitization of user-supplied input within shortcode attributes. This allows authenticated attackers with Contributor-level access or higher to inject malicious JavaScript code …
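The shortcode-attribute pattern behind this class of bug, shown as an added PHP illustration rather than the TR Timthumb plugin's own code. A Contributor cannot put a raw `<script>` tag into post content (KSES strips it), but a shortcode's attributes are passed to the plugin's handler at render time, so whatever the handler echoes unescaped reaches every visitor's browser. The shortcode name, attribute names and the stubbed WordPress helpers are assumptions so the file runs from the command line outside WordPress.

```php
<?php
// Added example, not the plugin's code. Shows a shortcode handler that
// concatenates attributes into HTML (stored XSS) beside a hardened version.
// The WordPress helpers are stubbed only when absent so this runs with `php file.php`.
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in: real esc_url() also strips disallowed characters.
    function esc_url($url) {
        $url = trim((string) $url);
        if (!preg_match('#^https?://#i', $url)) { return ''; }   // reject javascript:, data:, ...
        return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($n) { return abs((int) $n); }
}
if (!function_exists('shortcode_atts')) {
    // Keeps only the attributes the handler declares, like WP's shortcode_atts().
    function shortcode_atts($pairs, $atts) { return array_merge($pairs, array_intersect_key((array) $atts, $pairs)); }
}

// Vulnerable: attribute values land inside HTML attributes untouched, so a
// value containing "> closes the attribute and the tag and injects markup.
function thumb_shortcode_vulnerable($atts) {
    $a = shortcode_atts(['src' => '', 'width' => '100', 'alt' => ''], $atts);
    return '<img src="' . $a['src'] . '" width="' . $a['width'] . '" alt="' . $a['alt'] . '">';
}

// Hardened: each value is coerced or escaped for the context it is written into
// (URL attribute, integer attribute, plain text attribute).
function thumb_shortcode_hardened($atts) {
    $a   = shortcode_atts(['src' => '', 'width' => '100', 'alt' => ''], $atts);
    $src = esc_url($a['src']);
    if ($src === '') { return ''; }   // no http(s) URL, render nothing rather than a bad src
    return '<img src="' . $src . '" width="' . absint($a['width'])
         . '" alt="' . esc_attr($a['alt']) . '">';
}

// Constructed attacker input, equivalent to a Contributor writing
//   [thumb src="https://example.com/a.jpg" alt='"><script>alert(document.cookie)</script>']
// in a post (single quotes around alt keep the WP shortcode parser happy).
$payload = [
    'src'   => 'https://example.com/a.jpg',
    'width' => '100',
    'alt'   => '"><script>alert(document.cookie)</script>',
];

echo thumb_shortcode_vulnerable($payload), PHP_EOL;   // script tag reaches the page
echo thumb_shortcode_hardened($payload), PHP_EOL;     // quotes and angle brackets are entity-encoded

// Inside WordPress the hardened handler would be registered as (name is an assumption):
if (function_exists('add_shortcode')) {
    add_shortcode('thumb', 'thumb_shortcode_hardened');
}
```

The check a reviewer applies to any shortcode handler is the same as the one in the hardened function: every attribute that ends up in output goes through the escaping function matching its destination (`esc_url` for `src`/`href`, `esc_attr` for other attributes, `absint` for numbers, `wp_kses_post` only where HTML is genuinely wanted), and nothing is trusted just because a logged-in user wrote it.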

Ultra Skype Button Plugin Vulnerable to Stored XSS: CVE-2025-13898

Overview CVE-2025-13898 describes a stored cross-site scripting (XSS) vulnerability present in the Ultra Skype Button plugin for WordPress. This vulnerability affects all versions up to and including 1.0. An authenticated attacker with Contributor-level access or higher can inject malicious JavaScript code into WordPress pages. This injected code will then execute whenever a user visits the …

Social Feed Gallery Portfolio Plugin: Critical Stored XSS Vulnerability (CVE-2025-13896)

Overview A stored Cross-Site Scripting (XSS) vulnerability has been discovered in the Social Feed Gallery Portfolio plugin for WordPress. This vulnerability, identified as CVE-2025-13896, affects all versions up to and including 1.3. It allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into WordPress pages. These scripts execute whenever a user …

Critical Alert: Reflected XSS Found in CSV Sumotto WordPress Plugin (CVE-2025-13894)

Overview CVE-2025-13894 describes a Reflected Cross-Site Scripting (XSS) vulnerability identified in the CSV Sumotto plugin for WordPress. This vulnerability affects all versions of the plugin up to and including version 1.0. The flaw stems from insufficient escaping of the request path reflected through the $_SERVER['PHP_SELF'] variable, which is attacker-controlled because it includes whatever the client appends to the script path, leading to script injection on affected pages. Unauthenticated attackers …
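Why `$_SERVER['PHP_SELF']` is a reflected XSS source and how the fix looks, as an added PHP illustration that is not the CSV Sumotto plugin's code. `PHP_SELF` is the script path plus any `PATH_INFO` the client appends, so when the web server passes `PATH_INFO` through to PHP a request for `/wp-admin/admin.php/"><script>…</script>` makes that string part of `PHP_SELF`; echoing it into a form `action` without escaping hands the attacker the page. The request path, page slug and stubbed WordPress helpers below are assumptions so the file runs from the command line.

```php
<?php
// Added example, not the plugin's code. Demonstrates the PHP_SELF reflected XSS
// pattern and two fixes. Runs with `php file.php`; the PHP_SELF value is constructed
// to mimic what a request for "/wp-admin/admin.php/<payload>" would produce.
$_SERVER['PHP_SELF'] = '/wp-admin/admin.php/"><script>alert(document.domain)</script>';

// Vulnerable: the request path is written raw into an HTML attribute, so the
// "> in the path closes the attribute and the tag and the script runs.
function form_open_vulnerable(): string {
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
}

// Fix 1: escape for the attribute context. ENT_QUOTES turns " into &quot;,
// so the attacker can no longer break out of action="...".
function form_open_escaped(): string {
    $safe = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Fix 2 (preferred in WordPress): do not reflect the request path at all; build
// the target from a known base. admin_url()/esc_url() are WP functions, used when
// present and approximated otherwise. The page slug is an assumption.
function form_open_fixed_target(): string {
    $base = function_exists('admin_url') ? admin_url('admin.php') : '/wp-admin/admin.php';
    $url  = $base . '?page=' . rawurlencode('example-plugin-settings');
    $esc  = function_exists('esc_url')
          ? esc_url($url)
          : htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $esc . '">';
}

// Returns true when the rendered markup still contains an unencoded <script> tag,
// i.e. the payload survived; useful as a quick regression check for an output function.
function reflects_script(callable $render): bool {
    return strpos($render(), '<script>') !== false;
}

echo form_open_vulnerable(), PHP_EOL;
echo form_open_escaped(), PHP_EOL;
echo form_open_fixed_target(), PHP_EOL;
var_dump(reflects_script('form_open_vulnerable'));    // payload intact
var_dump(reflects_script('form_open_escaped'));       // entity-encoded, no tag
var_dump(reflects_script('form_open_fixed_target'));  // path never reflected
```

Fix 1 is the minimal patch; fix 2 is what a WordPress reviewer would ask for, because a plugin page has no legitimate reason to point a form at whatever path the visitor requested. The same reasoning applies to `$_SERVER['REQUEST_URI']`, which carries the query string as well as the path.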