| CVE-2025-49444 | Unrestricted Upload of File with Dangerous Type vulnerability in merkulove Reformer for Elementor allows Upload a Web Shell to a Web Server. This issue affects Reformer for Elementor: from n/a through 1.0.5. | critical |
| CVE-2025-49415 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Fastw3b LLC FW Gallery allows Path Traversal. This issue affects FW Gallery: from n/a through 8.0.0. | high |
| CVE-2025-49331 | Deserialization of Untrusted Data vulnerability in impleCode eCommerce Product Catalog allows Object Injection. This issue affects eCommerce Product Catalog: from n/a through 3.4.3. | high |
| CVE-2025-49330 | Deserialization of Untrusted Data vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM, Bigin allows Object Injection. This issue affects Integration for Contact Form 7 and Zoho CRM, Bigin: from n/a through 1.3.0. | critical |
| CVE-2025-49316 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder Team Tobias WP2LEADS allows Reflected XSS. This issue affects WP2LEADS: from n/a through 3.5.0. | high |
| CVE-2025-49312 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeRevolution Echo RSS Feed Post Generator Plugin for WordPress allows Reflected XSS. This issue affects Echo RSS Feed Post Generator Plugin for WordPress: from n/a through 5.4.8.1. | high |
| CVE-2025-49266 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rustaurius Ultimate Reviews allows Reflected XSS. This issue affects Ultimate Reviews: from n/a through 3.2.14. | high |
| CVE-2025-49261 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza allows PHP Local File Inclusion. This issue affects Diza: from n/a through 1.3.8. | high |
| CVE-2025-49260 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Aora allows PHP Local File Inclusion. This issue affects Aora: from n/a through 1.3.9. | high |
| CVE-2025-49259 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara allows PHP Local File Inclusion. This issue affects Hara: from n/a through 1.2.10. | high |
| CVE-2025-49258 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Maia allows PHP Local File Inclusion. This issue affects Maia: from n/a through 1.1.15. | high |
| CVE-2025-49257 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Zota allows PHP Local File Inclusion. This issue affects Zota: from n/a through 1.3.8. | high |
| CVE-2025-49256 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Sapa allows PHP Local File Inclusion. This issue affects Sapa: from n/a through 1.1.14. | high |
| CVE-2025-49255 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Ruza allows PHP Local File Inclusion. This issue affects Ruza: from n/a through 1.0.7. | high |
| CVE-2025-49254 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Nika allows PHP Local File Inclusion. This issue affects Nika: from n/a through 1.2.8. | high |
| CVE-2025-49253 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Lasa allows PHP Local File Inclusion. This issue affects Lasa: from n/a through 1.1. | high |
| CVE-2025-49252 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa allows PHP Local File Inclusion. This issue affects Besa: from n/a through 2.3.8. | high |
| CVE-2025-49251 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana allows PHP Local File Inclusion. This issue affects Fana: from n/a through 1.1.28. | high |
| CVE-2025-49234 | Missing Authorization vulnerability in Deepak anand WP Dummy Content Generator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Dummy Content Generator: from n/a through 3.4.6. | medium |
| CVE-2025-49180 | A flaw was found in the RandR extension, where the RRChangeProviderProperty function does not properly validate input. This issue leads to an integer overflow when computing the total size to allocate. | medium |
| CVE-2025-49179 | A flaw was found in the X Record extension. The RecordSanityCheckRegisterClients function does not check for an integer overflow when computing request length, which allows a client to bypass length checks. | medium |
| CVE-2025-49178 | A flaw was found in the X server's request handling. Non-zero 'bytes to ignore' in a client's request can cause the server to skip processing another client's request, potentially leading to a denial of service. | medium |
| CVE-2025-49177 | A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler does not validate the request length, allowing a client to read unintended memory from previous requests. | medium |
| CVE-2025-49176 | A flaw was found in the Big Requests extension. The request length is multiplied by 4 before checking against the maximum allowed size, potentially causing an integer overflow and bypassing the size check. | medium |
| CVE-2025-49175 | A flaw was found in the X Rendering extension's handling of animated cursors. If a client provides no cursors, the server assumes at least one is present, leading to an out-of-bounds read and potential crash. | medium |
| CVE-2025-49071 | Unrestricted Upload of File with Dangerous Type vulnerability in NasaTheme Flozen allows Upload a Web Shell to a Web Server. This issue affects Flozen: from n/a through n/a. | critical |
| CVE-2025-48333 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPQuark eForm - WordPress Form Builder allows Reflected XSS. This issue affects eForm - WordPress Form Builder: from n/a through n/a. | high |
| CVE-2025-48274 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpjobportal WP Job Portal allows Blind SQL Injection. This issue affects WP Job Portal: from n/a through 2.3.2. | critical |
| CVE-2025-48145 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michal Jaworski Track, Analyze & Optimize by WP Tao allows Reflected XSS. This issue affects Track, Analyze & Optimize by WP Tao: from n/a through 1.3. | high |
| CVE-2025-48118 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WpExperts Hub Woocommerce Partial Shipment allows SQL Injection. This issue affects Woocommerce Partial Shipment: from n/a through 3.2. | high |
| CVE-2025-48111 | Cross-Site Request Forgery (CSRF) vulnerability in YITHEMES YITH PayPal Express Checkout for WooCommerce allows Cross Site Request Forgery. This issue affects YITH PayPal Express Checkout for WooCommerce: from n/a through 1.49.0. | medium |
| CVE-2025-47573 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla School Management allows Blind SQL Injection. This issue affects School Management: from n/a through 92.0.0. | critical |
| CVE-2025-47572 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in mojoomla School Management allows PHP Local File Inclusion. This issue affects School Management: from n/a through 93.0.0. | high |
| CVE-2025-47559 | Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG allows Upload a Web Shell to a Web Server. This issue affects MapSVG: from n/a through 8.5.32. | critical |
| CVE-2025-47452 | Unrestricted Upload of File with Dangerous Type vulnerability in RexTheme WP VR allows Upload a Web Shell to a Web Server. This issue affects WP VR: from n/a through 8.5.26. | critical |
| CVE-2025-39508 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NasaTheme Nasa Core allows Reflected XSS. This issue affects Nasa Core: from n/a through 6.3.2. | high |
| CVE-2025-39486 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Rankie allows SQL Injection. This issue affects Rankie: from n/a through n/a. | high |
| CVE-2025-39479 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartiolabs Smart Notification allows Blind SQL Injection. This issue affects Smart Notification: from n/a through 10.3. | critical |
| CVE-2025-34508 | A path traversal vulnerability exists in the file dropoff functionality of ZendTo versions 6.15-7 and prior. This could allow a remote, authenticated attacker to retrieve the files of other ZendTo users, retrieve files on the host system, or cause a denial of service. | medium |
| CVE-2025-32549 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in mojoomla WPGYM allows PHP Local File Inclusion. This issue affects WPGYM: from n/a through 65.0. | high |
| CVE-2025-32510 | Unrestricted Upload of File with Dangerous Type vulnerability in ovatheme Ovatheme Events Manager allows Using Malicious Files. This issue affects Ovatheme Events Manager: from n/a through 1.7.5. | critical |
| CVE-2025-31919 | Deserialization of Untrusted Data vulnerability in themeton Spare allows Object Injection. This issue affects Spare: from n/a through 1.7. | critical |
| CVE-2025-30988 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in _CreativeMedia_ Elite Video Player allows Stored XSS. This issue affects Elite Video Player: from n/a through 10.0.5. | high |
| CVE-2025-30618 | Deserialization of Untrusted Data vulnerability in yuliaz Rapyd Payment Extension for WooCommerce allows Object Injection. This issue affects Rapyd Payment Extension for WooCommerce: from n/a through 1.2.0. | critical |
| CVE-2025-30562 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpdistillery Navigation Tree Elementor allows Blind SQL Injection. This issue affects Navigation Tree Elementor: from n/a through 1.0.1. | high |
| CVE-2025-29002 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Simen allows PHP Local File Inclusion. This issue affects Simen: from n/a through 4.6. | high |
| CVE-2025-28991 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Evon allows PHP Local File Inclusion. This issue affects Evon: from n/a through 3.4. | high |
| CVE-2025-28972 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Suhas Surse WP Employee Attendance System allows Blind SQL Injection. This issue affects WP Employee Attendance System: from n/a through 3.5. | high |
| CVE-2025-24773 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce allows SQL Injection. This issue affects WPCRM - CRM for Contact form CF7 & WooCommerce: from n/a through 3.2.0. | critical |
| CVE-2025-24761 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme DSK allows PHP Local File Inclusion. This issue affects DSK: from n/a through 2.2. | high |
