Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 4.3

    MEDIUM
    CVE-2025-9622

    The WP Blast | SEO & Performance Booster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.6. This is due to missing or incorrect nonce validation on multiple administrative actions in the Settings ... Read more

    Affected Products :
    • Published: Sep. 10, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 5.5

    MEDIUM
    CVE-2025-9367

    The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 2.11.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attack... Read more

    Affected Products : welcart_e-commerce
    • Published: Sep. 10, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Cross-Site Scripting

  • 4.3

    MEDIUM
    CVE-2025-8778

    The NitroPack plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the nitropack_set_compression_ajax() function in all versions up to, and including, 1.18.4. This makes it possible for authenticated... Read more

    Affected Products : nitropack
    • Published: Sep. 10, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Authorization

  • 6.4

    MEDIUM
    CVE-2025-7843

    The Auto Save Remote Images (Drafts) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.9 via the fetch_images() function. This makes it possible for authenticated attackers, with Contributor-level ... Read more

    Affected Products :
    • Published: Sep. 10, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Server-Side Request Forgery

  • 6.5

    MEDIUM
    CVE-2025-7826

    The Testimonial plugin for WordPress is vulnerable to SQL Injection via the 'iNICtestimonial' shortcode in all versions up to, and including, 2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existin... Read more

    Affected Products : testimonial_plugin
    • Published: Sep. 10, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-7049

    The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 67.7.0 via the 'MJ_gmgt_gmgt_add_user' function due to missing validation on a user controlled key. This makes it ... Read more

    Affected Products : wordpress_gym_management_system
    • Published: Sep. 10, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2025-6189

    The Duplicate Page and Post plugin for WordPress is vulnerable to time-based SQL Injection via the ‘meta_key’ parameter in all versions up to, and including, 2.9.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparat... Read more

    Affected Products : duplicate_page_and_post
    • Published: Sep. 10, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Injection

  • 8.8

    HIGH
    CVE-2025-41714

    The upload endpoint insufficiently validates the 'Upload-Key' request header. By supplying path traversal sequences, an authenticated attacker can cause the server to create upload-related artifacts outside the intended storage location. In certain config... Read more

    Affected Products :
    • Published: Sep. 10, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Path Traversal

  • 4.9

    MEDIUM
    CVE-2025-10142

    The PagBank / PagSeguro Connect para WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'status' parameter in all versions up to, and including, 4.44.3 due to insufficient escaping on the user supplied parameter and lack of sufficient... Read more

    Affected Products :
    • Published: Sep. 10, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Injection

  • 6.4

    MEDIUM
    CVE-2025-10126

    The MyBrain Utilities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugins's 'mbumap' shortcode in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping on user supplied attributes... Read more

    Affected Products :
    • Published: Sep. 10, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.2

    HIGH
    CVE-2025-10049

    The Responsive Filterable Portfolio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the HdnMediaSelection_image field in all versions up to, and including, 1.0.24. This makes it possible for authenticat... Read more

    Affected Products : responsive_filterable_portfolio
    • Published: Sep. 10, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Misconfiguration

  • 8.7

    HIGH
    CVE-2025-58764

    Claude Code is an agentic coding tool. Due to an error in command parsing, versions prior to 1.0.105 were vulnerable to a bypass of the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the abi... Read more

    Affected Products :
    • Published: Sep. 10, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Misconfiguration

  • 4.3

    MEDIUM
    CVE-2025-9623

    The Admin in English with Switch plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the enable_eng function. This makes it possible for unauth... Read more

    Affected Products :
    • Published: Sep. 11, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 4.3

    MEDIUM
    CVE-2025-9627

    The Run Log plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.10. This is due to missing or incorrect nonce validation on the oirl_plugin_options function. This makes it possible for unauthenticated... Read more

    Affected Products :
    • Published: Sep. 11, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 6.5

    MEDIUM
    CVE-2025-10197

    A vulnerability was found in HJSoft HCM Human Resources Management System up to 20250822. Affected by this vulnerability is an unknown functionality of the file /templates/attestation/../../selfservice/lawresource/downlawbase. Performing manipulation of t... Read more

    Affected Products :
    • Published: Sep. 10, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Injection

  • 5.5

    MEDIUM
    CVE-2025-10209

    A security flaw has been discovered in Papermerge DMS up to 3.5.3. This issue affects some unknown processing of the component Authorization Token Handler. Performing manipulation results in improper authorization. The attack can be initiated remotely. Th... Read more

    Affected Products :
    • Published: Sep. 10, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Authorization

  • 6.5

    MEDIUM
    CVE-2025-9463

    The Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order_by’ parameter in all versions up to, and including, 1.117.5 due to insufficient es... Read more

    Affected Products :
    • Published: Sep. 10, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Injection

  • 4.3

    MEDIUM
    CVE-2025-9628

    The The integration of the AMO.CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the settings_page function. This makes it possible for... Read more

    Affected Products :
    • Published: Sep. 11, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 6.3

    MEDIUM
    CVE-2025-36757

    It is possible to bypass the administrator login screen on SolaX Cloud. An attacker could use parameter tampering to bypass the login screen and gain limited access to the system.... Read more

    Affected Products :
    • Published: Sep. 10, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Authentication

  • 4.3

    MEDIUM
    CVE-2025-9631

    The AutoCatSet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.4. This is due to missing or incorrect nonce validation on the autocatset_ajax function. This makes it possible for unauthenticated a... Read more

    Affected Products :
    • Published: Sep. 11, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Cross-Site Request Forgery
Showing 20 of 4218 Results