Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 10,866 (Critical 0, High 0, Medium 10,866)
Showing 3101-3120 of 10866 records
Threat Entry Updated 2025-07-08

CVE-2025-6290 - Tournament Bracket Generator Plugin

The Tournament Bracket Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bracket' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Tournament Bracket Generator

CVE-2025-6290

MEDIUM CVSS 6.4 2025-06-26
Threat Entry Updated 2025-06-26

CVE-2025-6258 - Wp Soundsystem Plugin

The WP SoundSystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpsstm-track shortcode in all versions up to, and including, 3.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Soundsystem

CVE-2025-6258

MEDIUM CVSS 6.4 2025-06-26
Threat Entry Updated 2025-06-26

CVE-2025-5588 - Image Editor By Pixo Plugin

The Image Editor by Pixo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'download' parameter in all versions up to, and including, 2.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Image Editor By Pixo

CVE-2025-5588

MEDIUM CVSS 6.4 2025-06-26
Threat Entry Updated 2025-06-26

CVE-2025-5812 - Vgw Metis Plugin

The VG WORT METIS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the gutenberg_save_post() function in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update limited post settings.

PLUGIN Vgw Metis

CVE-2025-5812

MEDIUM CVSS 4.3 2025-06-26
Threat Entry Updated 2025-06-26

CVE-2025-5564 - Gc Social Wall Plugin

The GC Social Wall plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gc_social_wall' shortcode in all versions up to, and including, 1.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Gc Social Wall

CVE-2025-5564

MEDIUM CVSS 6.4 2025-06-26
Threat Entry Updated 2025-07-16

CVE-2025-5559 - Timezonecalculator Plugin

The TimeZoneCalculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'timezonecalculator_output' shortcode in all versions up to, and including, 3.37 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Timezonecalculator

CVE-2025-5559

MEDIUM CVSS 6.4 2025-06-26
Threat Entry Updated 2025-07-11

CVE-2025-5540 - Event Rsvp And Simple Event Management Plugin

The Event RSVP and Simple Event Management Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Event Rsvp And Simple Event Management

CVE-2025-5540

MEDIUM CVSS 6.4 2025-06-26
Threat Entry Updated 2025-06-26

CVE-2025-5535 - Enigma Buttons Plugin

The e.nigma buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Enigma Buttons

CVE-2025-5535

MEDIUM CVSS 6.4 2025-06-26
Threat Entry Updated 2025-07-11

CVE-2025-5488 - Wp Masonry Infinite Scroll Plugin

The WP Masonry & Infinite Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wmis' shortcode in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Masonry Infinite Scroll

CVE-2025-5488

MEDIUM CVSS 6.4 2025-06-26
Threat Entry Updated 2025-07-03

CVE-2025-3863 - Post Carousel Slider For Elementor Plugin

The Post Carousel Slider for Elementor plugin for WordPress is vulnerable to improper authorization due to a missing capability check on the process_wbelps_promo_form() function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the plugin's support-form handler to send arbitrary emails to the site's support address.

PLUGIN Post Carousel Slider For Elementor

CVE-2025-3863

MEDIUM CVSS 4.3 2025-06-26
Threat Entry Updated 2025-07-08

CVE-2025-5585 - Siteorigin Widgets Bundle Plugin

The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-url` DOM Element Attribute in all versions up to, and including, 1.68.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Siteorigin Widgets Bundle

CVE-2025-5585

MEDIUM CVSS 6.4 2025-06-25
Threat Entry Updated 2025-06-26

CVE-2025-5258 - Conference Scheduler Plugin

The Conference Scheduler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'className' parameter in all versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Conference Scheduler

CVE-2025-5258

MEDIUM CVSS 6.4 2025-06-24
Threat Entry Updated 2025-07-09

CVE-2025-5289 - 3d Flipbook Plugin

The 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' and 'mode' parameters in all versions up to, and including, 1.16.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note: This issue affects only block-based themes.

PLUGIN 3d Flipbook

CVE-2025-5289

MEDIUM CVSS 6.4 2025-06-21
Threat Entry Updated 2025-07-09

CVE-2025-5143 - Tableon Wordpress Posts Table Filterable Plugin

The TableOn – WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's tableon_popup_iframe_button shortcode in all versions up to, and including, 1.0.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Tableon Wordpress Posts Table Filterable

CVE-2025-5143

MEDIUM CVSS 6.4 2025-06-21
Threat Entry Updated 2025-06-23

CVE-2025-50050 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BlueGlass Interactive AG Jobs for WordPress allows Stored XSS. This issue affects Jobs for WordPress: from n/a through 2.7.12.

CORE WordPress Core

CVE-2025-50050

MEDIUM CVSS 6.5 2025-06-20
Threat Entry Updated 2025-06-23

CVE-2025-50010 - WordPress Core

Missing Authorization vulnerability in Zapier Zapier for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zapier for WordPress: from n/a through 1.5.2.

CORE WordPress Core

CVE-2025-50010

MEDIUM CVSS 5.4 2025-06-20
Threat Entry Updated 2025-06-23

CVE-2025-49974 - A Project Management Plugin

Missing Authorization vulnerability in upstreamplugin UpStream: a Project Management Plugin for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UpStream: a Project Management Plugin for WordPress: from n/a through 2.1.0.

PLUGIN A Project Management

CVE-2025-49974

MEDIUM CVSS 4.3 2025-06-20
Threat Entry Updated 2025-06-23

CVE-2025-6257 - Euro Fxref Currency Converter Plugin

The Euro FxRef Currency Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's currency shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Euro Fxref Currency Converter

CVE-2025-6257

MEDIUM CVSS 6.4 2025-06-20
Threat Entry Updated 2025-07-16

CVE-2025-5234 - Gutenverse News Plugin

The Gutenverse News plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'elementId' parameter in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Gutenverse News

CVE-2025-5234

MEDIUM CVSS 6.4 2025-06-19