Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 6.4

    MEDIUM
    CVE-2025-6787

    The Smart Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'smartdocs_search' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attribut... Read more

    Affected Products : smart_docs
    • Published: Jul. 04, 2025
    • Modified: Jul. 09, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.3

    MEDIUM
    CVE-2025-6786

    The DocCheck Login plugin for WordPress is vulnerable to unauthorized post access in all versions up to, and including, 1.1.5. This is due to plugin redirecting a user to login on a password protected post after the page has loaded. This makes it possible... Read more

    Affected Products :
    • Published: Jul. 04, 2025
    • Modified: Jul. 08, 2025
    • Vuln Type: Authorization

  • 7.5

    HIGH
    CVE-2025-6783

    The GoZen Forms plugin for WordPress is vulnerable to SQL Injection via the 'forms-id' parameter of the emdedSc() function in all versions up to, and including, 1.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient prepa... Read more

    Affected Products : gozen_forms
    • Published: Jul. 04, 2025
    • Modified: Jul. 09, 2025
    • Vuln Type: Injection

  • 7.5

    HIGH
    CVE-2025-6782

    The GoZen Forms plugin for WordPress is vulnerable to SQL Injection via the 'forms-id' parameter of the dirGZActiveForm() function in all versions up to, and including, 1.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficie... Read more

    Affected Products : gozen_forms
    • Published: Jul. 04, 2025
    • Modified: Jul. 09, 2025
    • Vuln Type: Injection

  • 6.5

    MEDIUM
    CVE-2025-6739

    The WPQuiz plugin for WordPress is vulnerable to SQL Injection via the 'id' attribute of the 'wpquiz' shortcode in all versions up to, and including, 0.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on t... Read more

    Affected Products : wpquiz
    • Published: Jul. 04, 2025
    • Modified: Jul. 09, 2025
    • Vuln Type: Injection

  • 6.4

    MEDIUM
    CVE-2025-6729

    The PayMaster for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 0.4.31 via the 'wp_ajax_paym_status' AJAX action This makes it possible for authenticated attackers, with Subscriber-leve... Read more

    Affected Products : paymaster_for_woocommerce
    • Published: Jul. 04, 2025
    • Modified: Jul. 09, 2025
    • Vuln Type: Server-Side Request Forgery

  • 7.2

    HIGH
    CVE-2025-6586

    The Download Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dpwap_plugin_locInstall function in all versions up to, and including, 2.2.8. This makes it possible for authenticated attackers, w... Read more

    Affected Products : download_plugin
    • Published: Jul. 04, 2025
    • Modified: Jul. 09, 2025
    • Vuln Type: Misconfiguration

  • 8.0

    HIGH
    CVE-2025-6238

    The AI Engine plugin for WordPress is vulnerable to open redirect in version 2.8.4. This is due to an insecure OAuth implementation, as the 'redirect_uri' parameter is missing validation during the authorization flow. This makes it possible for unauthenti... Read more

    Affected Products : ai_engine ai_engine
    • Published: Jul. 04, 2025
    • Modified: Aug. 13, 2025
    • Vuln Type: Authentication

  • 6.1

    MEDIUM
    CVE-2025-6041

    The yContributors plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5. This is due to missing or incorrect nonce validation on the 'yContributors' page. This makes it possible for unauthenticated atta... Read more

    Affected Products :
    • Published: Jul. 04, 2025
    • Modified: Jul. 08, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 6.4

    MEDIUM
    CVE-2025-6039

    The ProcessingJS for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pjs4wp' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied at... Read more

    Affected Products :
    • Published: Jul. 04, 2025
    • Modified: Jul. 08, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.1

    HIGH
    CVE-2025-5956

    The WP Human Resource Management plugin for WordPress is vulnerable to Arbitrary User Deletion due to a missing authorization within the ajax_delete_employee() function in versions 2.0.0 through 2.2.17. The plugin’s deletion handler reads the client-suppl... Read more

    Affected Products : wp_human_resource_management
    • Published: Jul. 04, 2025
    • Modified: Aug. 13, 2025
    • Vuln Type: Authorization

  • 8.8

    HIGH
    CVE-2025-5953

    The WP Human Resource Management plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the ajax_insert_employee() and update_empoyee() functions in versions 2.0.0 through 2.2.17. The AJAX handler reads the client-suppl... Read more

    Affected Products : wp_human_resource_management
    • Published: Jul. 04, 2025
    • Modified: Aug. 13, 2025
    • Vuln Type: Authorization

  • 4.3

    MEDIUM
    CVE-2025-5933

    The RD Contacto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the rdWappUpdateData() function. This makes it possible for unauthenticated... Read more

    Affected Products :
    • Published: Jul. 04, 2025
    • Modified: Jul. 08, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 4.3

    MEDIUM
    CVE-2025-5924

    The WP Firebase Push Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the wfpn_brodcast_notification_message() function. This... Read more

    Affected Products : wp_firebase_push_notification
    • Published: Jul. 04, 2025
    • Modified: Jul. 10, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 6.4

    MEDIUM
    CVE-2025-5567

    The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-url' DOM element attribute in all versions up to, and including, 7.4.0 due to insufficient input sanitization and output escapin... Read more

    • Published: Jul. 04, 2025
    • Modified: Jul. 09, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.2

    HIGH
    CVE-2025-5322

    The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the do_updatecar and createcar functions in all versions up to, and including, 1.4.3. This makes it possible fo... Read more

    Affected Products : vikrentcar
    • Published: Jul. 03, 2025
    • Modified: Jul. 10, 2025
    • Vuln Type: Misconfiguration

  • 8.4

    HIGH
    CVE-2025-53367

    DjVuLibre is a GPL implementation of DjVu, a web-centric format for distributing documents and images. Prior to version 3.5.29, the MMRDecoder::scanruns method is affected by an OOB-write vulnerability, because it does not check that the xr pointer stays ... Read more

    Affected Products : djvulibre
    • Published: Jul. 03, 2025
    • Modified: Jul. 18, 2025
    • Vuln Type: Memory Corruption

  • 7.5

    HIGH
    CVE-2025-49826

    Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted ... Read more

    Affected Products : next.js
    • Published: Jul. 03, 2025
    • Modified: Jul. 08, 2025
    • Vuln Type: Denial of Service

  • 3.7

    LOW
    CVE-2025-49005

    Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for HTML content to ... Read more

    Affected Products : next.js
    • Published: Jul. 03, 2025
    • Modified: Jul. 08, 2025
    • Vuln Type: Misconfiguration

  • 8.6

    HIGH
    CVE-2025-53370

    Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, short descriptions set via the ShortDescription extension are inserted as raw HTML by the Citizen skin, allowing any user to insert arb... Read more

    Affected Products : citizen
    • Published: Jul. 03, 2025
    • Modified: Aug. 22, 2025
    • Vuln Type: Cross-Site Scripting
Showing 20 of 291589 Results