Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.3

    MEDIUM
    CVE-2025-8492

    The Salon Booking System, Appointment Scheduling for Salons, Spas & Small Businesses plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax function in all versions up to, and including, 10.20... Read more

    Affected Products : salon_booking_system
    • Published: Sep. 11, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Authorization

  • 4.3

    MEDIUM
    CVE-2025-8481

    The Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.1.7. This is due to missing or incorrect nonce validation on the bdfe_install_activate_rswpbs_only functi... Read more

    Affected Products :
    • Published: Sep. 11, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 6.4

    MEDIUM
    CVE-2025-8445

    The Countdown Timer for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'countdown_label' Parameter in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping. This makes it p... Read more

    Affected Products : countdown_timer_for_elementor
    • Published: Sep. 11, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Cross-Site Scripting

  • 8.8

    HIGH
    CVE-2025-8425

    The My WP Translate plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ajax_import_strings() function in all versions up to, and including, 1.1. This makes... Read more

    Affected Products : my_wp_translate
    • Published: Sep. 11, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Authorization

  • 5.4

    MEDIUM
    CVE-2025-8423

    The My WP Translate plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mtswpt_remove_plugin() and ajax_update_export_code() functions in all versions up to, and including, 1.1. This makes it po... Read more

    Affected Products : my_wp_translate
    • Published: Sep. 11, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Authorization

  • 7.5

    HIGH
    CVE-2025-8422

    The Propovoice: All-in-One Client Management System plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.7.6.7 via the send_email() function. This makes it possible for unauthenticated attackers to read the con... Read more

    Affected Products :
    • Published: Sep. 11, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Path Traversal

  • 8.1

    HIGH
    CVE-2025-8417

    The Catalog Importer, Scraper & Crawler plugin for WordPress is vulnerable to PHP code injection in all versions up to, and including, 5.1.4. This is due to reliance on a guessable numeric token (e.g. ?key= 900001705) without proper authentication, combin... Read more

    Affected Products :
    • Published: Sep. 11, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Injection

  • 6.4

    MEDIUM
    CVE-2025-8398

    The azurecurve BBCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'url' shortcode in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. Th... Read more

    Affected Products :
    • Published: Sep. 11, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-8392

    The Mitfahrgelegenheit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘date’ parameter in all versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authentica... Read more

    Affected Products :
    • Published: Sep. 11, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-8318

    The Jobify plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘keyword’ parameter in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attac... Read more

    Affected Products :
    • Published: Sep. 11, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Cross-Site Scripting

  • 4.3

    MEDIUM
    CVE-2025-9635

    The Analytics Reduce Bounce Rate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the unbounce_options function. This makes it possible for ... Read more

    Affected Products :
    • Published: Sep. 11, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Cross-Site Request Forgery

  • 8.0

    HIGH
    CVE-2025-9693

    The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the postInsertUserProcess function in all versions up to, and including, 3.1.2. This ... Read more

    • Published: Sep. 11, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Path Traversal

  • 4.4

    MEDIUM
    CVE-2025-43886

    Dell PowerProtect Data Manager, version(s) 19.19 and 19.20, Hyper-V contain(s) a Path Traversal: '.../...//' vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Filesystem access for attacke... Read more

    Affected Products : powerprotect_data_manager
    • Published: Sep. 10, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Path Traversal

  • 6.4

    MEDIUM
    CVE-2025-9850

    The Evenium plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'evenium_single_event' shortcode in all versions up to, and including, 1.3.11 due to insufficient input sanitization and output escaping on user supplied attrib... Read more

    Affected Products :
    • Published: Sep. 11, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.4

    MEDIUM
    CVE-2025-9860

    The Mixtape plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mixtape' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes... Read more

    Affected Products :
    • Published: Sep. 11, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Cross-Site Scripting

  • 7.5

    HIGH
    CVE-2025-9874

    The Ultimate Classified Listings plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6 via the 'uclwp_dashboard' shortcode. This makes it possible for authenticated attackers, with Contributor-level access an... Read more

    Affected Products : ultimate_classified_listings
    • Published: Sep. 11, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Path Traversal

  • 8.7

    HIGH
    CVE-2025-9918

    A Path Traversal vulnerability in the archive extraction component in Google SecOps SOAR Server (versions 6.3.54.0, 6.3.53.2, and all prior versions) allows an authenticated attacker with permissions to import Use Cases to achieve Remote Code Execution (R... Read more

    Affected Products :
    • Published: Sep. 11, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Path Traversal

  • 10.0

    CRITICAL
    CVE-2025-58321

    Delta Electronics DIALink has an Directory Traversal Authentication Bypass Vulnerability.... Read more

    Affected Products : dialink
    • Published: Sep. 11, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Path Traversal

  • 3.1

    LOW
    CVE-2025-10252

    A flaw has been found in SEAT Queue Ticket Kiosk up to 20250827. This affects an unknown part of the component Java RMI Registry Handler. This manipulation causes deserialization. The attack can only be done within the local network. The attack is conside... Read more

    Affected Products :
    • Published: Sep. 11, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Information Disclosure

  • 5.8

    MEDIUM
    CVE-2025-9997

    CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause command injection in BLMon that is executed in the operating system console when in a SSH session.... Read more

    Affected Products :
    • Published: Sep. 09, 2025
    • Modified: Sep. 11, 2025
    • Vuln Type: Injection
Showing 20 of 4405 Results