Latest CVE Feed
-
6.4
MEDIUMCVE-2025-13220
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode attributes in all versions up to, and including... Read more
Affected Products : ultimate_member- Published: Dec. 21, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Cross-Site Scripting
-
6.1
MEDIUMCVE-2025-12398
The Product Table for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search_key' parameter in all versions up to, and including, 5.0.8 due to insufficient input sanitization and output escaping. This makes it pos... Read more
Affected Products :- Published: Dec. 21, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Cross-Site Scripting
-
5.3
MEDIUMCVE-2025-14043
The Tainacan plugin for WordPress is vulnerable to unauthorized metadata section creation due to missing authorization checks in all versions up to, and including, 1.0.1. This is due to the `create_item_permissions_check()` function unconditionally return... Read more
Affected Products : tainacan- Published: Dec. 21, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Authorization
-
6.1
MEDIUMCVE-2025-11496
The Five Star Restaurant Reservations – WordPress Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rtb-name' parameter in all versions up to, and including, 2.7.5 due to insufficient input sanitization and output e... Read more
Affected Products : five_star_restaurant_reservations- Published: Dec. 21, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Cross-Site Scripting
-
7.7
HIGHCVE-2023-25446
Missing Authorization vulnerability in HappyFiles HappyFiles Pro happyfiles-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HappyFiles Pro: from n/a through 1.8.1.... Read more
Affected Products :- Published: Dec. 21, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Authorization
-
7.0
HIGHCVE-2025-10021
A Use of Uninitialized Variable vulnerability exists in Open Design Alliance Drawings SDK static versions (mt) before 2026.12. Static object `COdaMfcAppApp theApp` may access `OdString::kEmpty` before its initialization. Due to undefined initialization or... Read more
Affected Products :- Published: Dec. 22, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Memory Corruption
-
8.5
HIGHCVE-2025-34290
Versa SASE Client for Windows versions released between 7.8.7 and 7.9.4 contain a local privilege escalation vulnerability in the audit log export functionality. The client communicates user-controlled file paths to a privileged service, which performs fi... Read more
Affected Products :- Published: Dec. 20, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Race Condition
-
5.4
MEDIUMCVE-2025-14298
The FiboSearch – Ajax Search for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `thegem_te_search` shortcode in all versions up to, and including, 1.32.0 due to insufficient input sanitization and output esc... Read more
Affected Products : fibosearch- Published: Dec. 20, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Cross-Site Scripting
-
5.4
MEDIUMCVE-2025-14734
The Amazon affiliate lite Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the 'ADAL_settings_page' function. This makes it possibl... Read more
Affected Products :- Published: Dec. 20, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Cross-Site Request Forgery
-
4.3
MEDIUMCVE-2025-14168
The WP DB Booster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the cleanup_all AJAX action. This makes it possible for unauthenticated attackers to... Read more
Affected Products :- Published: Dec. 20, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Cross-Site Request Forgery
-
9.8
CRITICALCVE-2025-13329
The File Uploader for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the callback function for the 'add-image-data' REST API endpoint in all versions up to, and including, 1.0.3. This makes ... Read more
Affected Products :- Published: Dec. 20, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Authentication
-
5.3
MEDIUMCVE-2025-12898
The Pretty Google Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the pgcal_ajax_handler() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated att... Read more
Affected Products :- Published: Dec. 20, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Authorization
-
8.6
HIGHCVE-2023-53958
LDAP Tool Box Self Service Password 1.5.2 contains a password reset vulnerability that allows attackers to manipulate HTTP Host headers during token generation. Attackers can craft malicious password reset requests that generate tokens sent to a controlle... Read more
Affected Products :- Published: Dec. 19, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Authentication
-
0.0
NACVE-2025-68341
In the Linux kernel, the following vulnerability has been resolved: veth: reduce XDP no_direct return section to fix race As explain in commit fa349e396e48 ("veth: Fix race with AF_XDP exposing old or uninitialized descriptors") for veth there is a chan... Read more
Affected Products : linux_kernel- Published: Dec. 23, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Race Condition
-
6.4
MEDIUMCVE-2025-14000
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'register_form' and 'restrict' shortcodes in all versions up to, and including, 3.2.15 due to insufficient input sanitization and o... Read more
Affected Products : membership_plugin_-_restrict_content- Published: Dec. 23, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Cross-Site Scripting
-
0.0
NACVE-2025-68330
In the Linux kernel, the following vulnerability has been resolved: iio: accel: bmc150: Fix irq assumption regression The code in bmc150-accel-core.c unconditionally calls bmc150_accel_set_interrupt() in the iio_buffer_setup_ops, such as on the runtime ... Read more
Affected Products : linux_kernel- Published: Dec. 22, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Misconfiguration
-
6.5
MEDIUMCVE-2025-8305
An authenticated local user can obtain information that allows claiming security policy rules of another user due to sensitive information being printed in plaintext in Identity Agent for Terminal Services debug files.... Read more
Affected Products :- Published: Dec. 22, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Information Disclosure
-
6.4
MEDIUMCVE-2025-14548
The Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'event_desc' parameter in all versions up to, and including, 1.3.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated... Read more
Affected Products : calendar- Published: Dec. 23, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Cross-Site Scripting
-
9.3
CRITICALCVE-2023-53960
SOUND4 IMPACT/FIRST/PULSE/Eco version 2.x contains an SQL injection vulnerability in the 'index.php' authentication mechanism that allows attackers to manipulate login credentials. Attackers can inject malicious SQL code through the 'password' POST parame... Read more
Affected Products : stream- Published: Dec. 22, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Injection
-
0.0
NACVE-2025-68334
In the Linux kernel, the following vulnerability has been resolved: platform/x86/amd/pmc: Add support for Van Gogh SoC The ROG Xbox Ally (non-X) SoC features a similar architecture to the Steam Deck. While the Steam Deck supports S3 (s2idle causes a cra... Read more
Affected Products : linux_kernel- Published: Dec. 22, 2025
- Modified: Dec. 23, 2025
- Vuln Type: Denial of Service