| CVE-2025-32600 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tournamatch Tournamatch allows Reflected XSS. This issue affects Tournamatch: from n/a through 4.6.1. | high |
| CVE-2025-32599 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in miunosoft Task Scheduler allows Reflected XSS. This issue affects Task Scheduler: from n/a through 1.6.3. | high |
| CVE-2025-32598 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Table Builder WP Table Builder allows Reflected XSS. This issue affects WP Table Builder: from n/a through 2.0.4. | high |
| CVE-2025-32589 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in odude Flexi – Guest Submit allows PHP Local File Inclusion. This issue affects Flexi – Guest Submit: from n/a through 4.28. | high |
| CVE-2025-32587 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in pickupp WooCommerce Pickupp allows PHP Local File Inclusion. This issue affects WooCommerce Pickupp: from n/a through 2.4.0. | high |
| CVE-2025-32586 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ABA Bank ABA PayWay Payment Gateway for WooCommerce allows Reflected XSS. This issue affects ABA PayWay Payment Gateway for WooCommerce: from n/a through 2.1.3. | high |
| CVE-2025-32585 | Path Traversal vulnerability in Trusty Plugins Shop Products Filter allows PHP Local File Inclusion. This issue affects Shop Products Filter: from n/a through 1.2. | high |
| CVE-2025-32579 | Unrestricted Upload of File with Dangerous Type vulnerability in SoftClever Limited Sync Posts allows Upload a Web Shell to a Web Server. This issue affects Sync Posts: from n/a through 1.0. | critical |
| CVE-2025-32577 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in hakeemnala Build App Online allows PHP Local File Inclusion. This issue affects Build App Online: from n/a through 1.0.23. | critical |
| CVE-2025-32569 | Deserialization of Untrusted Data vulnerability in RealMag777 TableOn – WordPress Posts Table Filterable allows Object Injection. This issue affects TableOn – WordPress Posts Table Filterable: from n/a through 1.0.2. | critical |
| CVE-2025-32568 | Deserialization of Untrusted Data vulnerability in empik EmpikPlace for Woocommerce allows Object Injection. This issue affects EmpikPlace for Woocommerce: from n/a through 1.4.2. | critical |
| CVE-2025-32567 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in dev02ali Easy Post Duplicator allows SQL Injection. This issue affects Easy Post Duplicator: from n/a through 1.0.1. | high |
| CVE-2025-32565 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in vertim Neon Product Designer allows SQL Injection. This issue affects Neon Product Designer: from n/a through 2.1.1. | critical |
| CVE-2025-32558 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ketanajani Duplicate Title Checker allows Blind SQL Injection. This issue affects Duplicate Title Checker: from n/a through 1.2. | high |
| CVE-2025-32553 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Magnigenie RestroPress allows Reflected XSS. This issue affects RestroPress: from n/a through 3.1.8.4. | high |
| CVE-2025-32551 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jaap Jansma Connector to CiviCRM with CiviMcRestFace allows Reflected XSS. This issue affects Connector to CiviCRM with CiviMcRestFace: from n/a through 1.0.8. | high |
| CVE-2025-32542 | Missing Authorization vulnerability in EazyPlugins Eazy Plugin Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Eazy Plugin Manager: from n/a through 4.3.0. | high |
| CVE-2025-32541 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in infosoftplugin WooCommerce Sales MIS Report allows Reflected XSS. This issue affects WooCommerce Sales MIS Report: from n/a through 4.0.3. | high |
| CVE-2025-32539 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Josh Kohlbach WooCommerce – Store Exporter allows Reflected XSS. This issue affects WooCommerce – Store Exporter: from n/a through 2.7.4. | high |
| CVE-2025-32538 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dev02ali Easy Post Duplicator allows Reflected XSS. This issue affects Easy Post Duplicator: from n/a through 1.0.1. | high |
| CVE-2025-32537 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rachel Cherry Lock Your Updates allows Reflected XSS. This issue affects Lock Your Updates: from n/a through 1.1. | high |
| CVE-2025-32536 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sandeep Verma HTML5 Video Player with Playlist allows Reflected XSS. This issue affects HTML5 Video Player with Playlist: from n/a through 2.50. | high |
| CVE-2025-32534 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Workbox Workbox Video from Vimeo & Youtube allows Reflected XSS. This issue affects Workbox Video from Vimeo & Youtube: from n/a through 3.2.2. | high |
| CVE-2025-32525 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in interactivegeomaps Interactive Geo Maps allows Reflected XSS. This issue affects Interactive Geo Maps: from n/a through 1.6.24. | high |
| CVE-2025-32524 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MyWorks MyWorks WooCommerce Sync for QuickBooks Online allows Reflected XSS. This issue affects MyWorks WooCommerce Sync for QuickBooks Online: from n/a through 2.9.1. | high |
| CVE-2025-32523 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in payphone WooCommerce – Payphone Gateway allows Reflected XSS. This issue affects WooCommerce – Payphone Gateway: from n/a through 3.2.0. | high |
| CVE-2025-32519 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeAtelier IDonate allows PHP Local File Inclusion. This issue affects IDonate: from n/a through 2.1.8. | high |
| CVE-2025-32517 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SCAND MultiMailer allows Reflected XSS. This issue affects MultiMailer: from n/a through 1.0.3. | high |
| CVE-2025-32509 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WPMinds Simple WP Events allows Path Traversal. This issue affects Simple WP Events: from n/a through 1.8.17. | high |
| CVE-2025-32491 | Incorrect Privilege Assignment vulnerability in Rankology Rankology SEO – On-site SEO allows Privilege Escalation. This issue affects Rankology SEO – On-site SEO: from n/a through 2.2.3. | critical |
| CVE-2025-32144 | Deserialization of Untrusted Data vulnerability in PickPlugins Job Board Manager allows Object Injection. This issue affects Job Board Manager: from n/a through 2.1.60. | high |
| CVE-2025-32143 | Deserialization of Untrusted Data vulnerability in PickPlugins Accordion allows Object Injection. This issue affects Accordion: from n/a through 2.3.10. | high |
| CVE-2025-32107 | OS command injection vulnerability exists in Deco BE65 Pro firmware versions prior to "Deco BE65 Pro(JP)_V1_1.1.2 Build 20250123". If this vulnerability is exploited, an arbitrary OS command may be executed by the user who can log in to the device. | high |
| CVE-2025-31599 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in N-Media Bulk Product Sync allows SQL Injection. This issue affects Bulk Product Sync: from n/a through 8.6. | critical |
| CVE-2025-31565 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPSmartContracts WPSmartContracts allows Blind SQL Injection. This issue affects WPSmartContracts: from n/a through 2.0.10. | critical |
| CVE-2025-31379 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in programphases Insert HTML Here allows Reflected XSS. This issue affects Insert HTML Here: from n/a through 1.0. | high |
| CVE-2025-31378 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in danbwb Oppso Unit Converter allows Reflected XSS. This issue affects Oppso Unit Converter: from n/a through 1.1.1. | high |
| CVE-2025-31041 | Missing Authorization vulnerability in NotFound AnyTrack Affiliate Link Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AnyTrack Affiliate Link Manager: from n/a through 1.0.4. | high |
| CVE-2025-31040 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound WP Food ordering and Restaurant Menu allows PHP Local File Inclusion. This issue affects WP Food ordering and Restaurant Menu: from n/a through 1.1. | high |
| CVE-2025-31028 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP Hide Categories allows Reflected XSS. This issue affects WP Hide Categories: from n/a through 1.0. | high |
| CVE-2025-31021 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dolby_uk Mobile Smart allows Reflected XSS. This issue affects Mobile Smart: from n/a through v1.3.16. | high |
| CVE-2025-31015 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Adrian Tobey WordPress SMTP Service, Email Delivery Solved! — MailHawk allows PHP Local File Inclusion. This issue affects WordPress SMTP Service, Email Delivery Solved! — MailHawk: from n/a through 1.3.1. | high |
| CVE-2025-31014 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ho3einie Material Dashboard allows PHP Local File Inclusion. This issue affects Material Dashboard: from n/a through 1.4.5. | high |
| CVE-2025-27721 | Unauthorized users can access the system without proper authorization, which could lead to unauthorized access to system resources. | No Score |
| CVE-2025-24489 | An attacker could exploit this vulnerability by uploading arbitrary files via a specific service, which could lead to system compromise. | No Score |
| CVE-2025-27714 | An attacker could exploit this vulnerability by uploading arbitrary files via the a specific endpoint, leading to unauthorized remote code execution or system compromise. | No Score |
| CVE-2025-3512 | There is a Heap-based Buffer Overflow vulnerability in QTextMarkdownImporter. This requires an incorrectly formatted markdown file to be passed to QTextMarkdownImporter to trigger the overflow.This issue affects Qt from 6.8.0 to 6.8.4. Versions up to 6.6.0 are known to be unaffected, and the fix is in 6.8.4 and later. | medium |
| CVE-2025-2636 | The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | critical |
| CVE-2025-1386 | When using the ch-go library, under a specific condition when the query includes a large, uncompressed malicious external data, it is possible for an attacker in control of such data to smuggle another query packet into the connection stream. | medium |
| CVE-2025-32816 | CodeLit CourseLit before 0.57.5 allows Parameter Tampering via a payment plan associated with the wrong entity. | low |
