Updated CVEs

| ID | Description | Severity |
| --- | --- | --- |
| CVE-2025-53296 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ecoal95 EC Stars Rating allows Stored XSS. This issue affects EC Stars Rating: from n/a through 1.0.11. | medium |
| CVE-2025-53295 | Missing Authorization vulnerability in iCount iCount Payment Gateway allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects iCount Payment Gateway: from n/a through 2.0.6. | medium |
| CVE-2025-53294 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Smart Agenda Smart Agenda allows Stored XSS. This issue affects Smart Agenda: from n/a through 4.9. | medium |
| CVE-2025-53293 | Missing Authorization vulnerability in Morten Dalgaard Johansen Dashboard Widget Sidebar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Dashboard Widget Sidebar: from n/a through 1.2.3. | medium |
| CVE-2025-53292 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in samsk WP DataTable allows DOM-Based XSS. This issue affects WP DataTable: from n/a through 0.2.7. | medium |
| CVE-2025-53290 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MS WP Visual Sitemap allows Stored XSS. This issue affects WP Visual Sitemap: from n/a through 1.0.2. | medium |
| CVE-2025-53288 | Missing Authorization vulnerability in Adrian Ladó PlatiOnline Payments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PlatiOnline Payments: from n/a through 6.3.2. | medium |
| CVE-2025-53287 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Robert Cummings Quick Favicon allows Stored XSS. This issue affects Quick Favicon: from n/a through 0.22.8. | medium |
| CVE-2025-53285 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Website Flip Add & Replace Affiliate Links for Amazon allows Stored XSS. This issue affects Add & Replace Affiliate Links for Amazon: from n/a through 1.0.6. | medium |
| CVE-2025-53284 | Missing Authorization vulnerability in pankaj.sakaria CMS Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CMS Blocks: from n/a through 1.1. | medium |
| CVE-2025-53282 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aviplugins.com Thumbnail Editor allows Stored XSS. This issue affects Thumbnail Editor: from n/a through 2.3.3. | medium |
| CVE-2025-53281 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WPBean WPB Category Slider for WooCommerce allows PHP Local File Inclusion. This issue affects WPB Category Slider for WooCommerce: from n/a through 1.71. | high |
| CVE-2025-53280 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AntoineH Football Pool allows Stored XSS. This issue affects Football Pool: from n/a through 2.12.5. | medium |
| CVE-2025-53279 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aman Popup addon for Ninja Forms allows DOM-Based XSS. This issue affects Popup addon for Ninja Forms: from n/a through 3.4. | medium |
| CVE-2025-53278 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPeka WP AdCenter allows Stored XSS. This issue affects WP AdCenter: from n/a through 2.6.0. | medium |
| CVE-2025-53277 | Cross-Site Request Forgery (CSRF) vulnerability in Infigo Software IS-theme-companion allows Object Injection. This issue affects IS-theme-companion: from n/a through 1.57. | high |
| CVE-2025-53276 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in omnipressteam Omnipress allows DOM-Based XSS. This issue affects Omnipress: from n/a through 1.6.3. | medium |
| CVE-2025-53275 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VaultDweller Leyka allows DOM-Based XSS. This issue affects Leyka: from n/a through 3.31.9. | medium |
| CVE-2025-53274 | Cross-Site Request Forgery (CSRF) vulnerability in Hossin Asaadi WP Permalink Translator allows Stored XSS. This issue affects WP Permalink Translator: from n/a through 1.7.6. | high |
| CVE-2025-53273 | Cross-Site Request Forgery (CSRF) vulnerability in Slickstream Slickstream allows Cross Site Request Forgery. This issue affects Slickstream: from n/a through 2.0.3. | medium |
| CVE-2025-53272 | Cross-Site Request Forgery (CSRF) vulnerability in opicron Image Cleanup allows Cross Site Request Forgery. This issue affects Image Cleanup: from n/a through 1.9.2. | medium |
| CVE-2025-53271 | Cross-Site Request Forgery (CSRF) vulnerability in Anton Bond Additional Order Filters for WooCommerce allows Stored XSS. This issue affects Additional Order Filters for WooCommerce: from n/a through 1.22. | high |
| CVE-2025-53270 | Cross-Site Request Forgery (CSRF) vulnerability in Blend Media WordPress CTA allows Cross Site Request Forgery. This issue affects WordPress CTA: from n/a through 1.6.9. | medium |
| CVE-2025-53269 | Cross-Site Request Forgery (CSRF) vulnerability in imw3 My Wp Brand allows Cross Site Request Forgery. This issue affects My Wp Brand: from n/a through 1.1.3. | medium |
| CVE-2025-53268 | Cross-Site Request Forgery (CSRF) vulnerability in ryanpcmcquen Import external attachments allows Cross Site Request Forgery. This issue affects Import external attachments: from n/a through 1.5.12. | medium |
| CVE-2025-53267 | Cross-Site Request Forgery (CSRF) vulnerability in Aftab Husain Hide Admin Bar From Front End allows Cross Site Request Forgery. This issue affects Hide Admin Bar From Front End: from n/a through 1.0.0. | medium |
| CVE-2025-53266 | Missing Authorization vulnerability in EdwardBock Cron Logger allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cron Logger: from n/a through 1.3.0. | medium |
| CVE-2025-53265 | Cross-Site Request Forgery (CSRF) vulnerability in Elena Yamshikova Virusdie allows Cross Site Request Forgery. This issue affects Virusdie: from n/a through 1.1.3. | medium |
| CVE-2025-53264 | Cross-Site Request Forgery (CSRF) vulnerability in Konrád Koller ONet Regenerate Thumbnails allows Cross Site Request Forgery. This issue affects ONet Regenerate Thumbnails: from n/a through 1.5. | medium |
| CVE-2025-53263 | Cross-Site Request Forgery (CSRF) vulnerability in PluginsCafe Address Autocomplete via Google for Gravity Forms allows Cross Site Request Forgery. This issue affects Address Autocomplete via Google for Gravity Forms: from n/a through 1.3.4. | medium |
| CVE-2025-53262 | Cross-Site Request Forgery (CSRF) vulnerability in Writesonic Writesonic allows Cross Site Request Forgery. This issue affects Writesonic: from n/a through 1.0.4. | medium |
| CVE-2025-53261 | Cross-Site Request Forgery (CSRF) vulnerability in macbookandrew WP YouTube Live allows Cross Site Request Forgery. This issue affects WP YouTube Live: from n/a through 1.10.0. | medium |
| CVE-2025-53260 | Unrestricted Upload of File with Dangerous Type vulnerability in getredhawkstudio File Manager Plugin For Wordpress allows Upload a Web Shell to a Web Server. This issue affects File Manager Plugin For Wordpress: from n/a through 7.5. | critical |
| CVE-2025-53259 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nicdark Hotel Booking allows PHP Local File Inclusion. This issue affects Hotel Booking: from n/a through 3.7. | high |
| CVE-2025-53257 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Serhii Pasyuk Gmedia Photo Gallery allows PHP Local File Inclusion. This issue affects Gmedia Photo Gallery: from n/a through 1.23.0. | high |
| CVE-2025-53255 | Missing Authorization vulnerability in Nabil Lemsieh HurryTimer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HurryTimer: from n/a through 2.13.1. | medium |
| CVE-2025-53254 | Cross-Site Request Forgery (CSRF) vulnerability in webcraftic Cyrlitera allows Cross Site Request Forgery. This issue affects Cyrlitera: from n/a through 1.2.0. | medium |
| CVE-2025-53253 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Josh WP Edit allows Stored XSS. This issue affects WP Edit: from n/a through 4.0.4. | medium |
| CVE-2025-53211 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Roland Beaussant Audio Editor & Recorder allows Retrieve Embedded Sensitive Data. This issue affects Audio Editor & Recorder: from n/a through 2.2.3. | medium |
| CVE-2025-53206 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Mega – Absolute Addons for WPBakery Page Builder allows Stored XSS. This issue affects HT Mega – Absolute Addons for WPBakery Page Builder: from n/a through 1.0.8. | medium |
| CVE-2025-53203 | Cross-Site Request Forgery (CSRF) vulnerability in EDGARROJAS WooCommerce PDF Invoice Builder allows Cross Site Request Forgery. This issue affects WooCommerce PDF Invoice Builder: from n/a through 1.2.148. | medium |
| CVE-2025-53202 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CyberChimps Responsive Blocks allows DOM-Based XSS. This issue affects Responsive Blocks: from n/a through 2.0.6. | medium |
| CVE-2025-53200 | Missing Authorization vulnerability in QuantumCloud ChatBot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ChatBot: from n/a through 6.7.3. | medium |
| CVE-2025-53199 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Slider For Elementor allows DOM-Based XSS. This issue affects HT Slider For Elementor: from n/a through 1.6.5. | medium |
| CVE-2025-53197 | Cross-Site Request Forgery (CSRF) vulnerability in cookiebot Cookiebot allows Cross Site Request Forgery. This issue affects Cookiebot: from n/a through 4.5.8. | medium |
| CVE-2025-53193 | Cross-Site Request Forgery (CSRF) vulnerability in Burst Statistics B.V. Burst Statistics allows Cross Site Request Forgery. This issue affects Burst Statistics: from n/a through 2.0.6. | medium |
| CVE-2025-53122 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in OpenNMS Horizon and Meridian applications allows SQL Injection. Users should upgrade to Meridian 2024.2.6 or newer, or Horizon 33.16 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. | medium |
| CVE-2025-53121 | Multiple stored XSS were found on different nodes with unsanitized parameters in OpenNMS Horizon 33.0.8 and versions earlier than 33.1.6 on multiple platforms that allow an attacker to store on database and then inject HTML and/or JavaScript on the page. The solution is to upgrade to Horizon 33.1.6, 33.1.7 or Meridian 2024.2.6, 2024.2.7 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Fábio Tomé for reporting this issue. | medium |
| CVE-2025-5310 | Dover Fueling Solutions ProGauge MagLink LX Consoles expose an undocumented and unauthenticated target communication framework (TCF) interface on a specific port. Files can be created, deleted, or modified, potentially leading to remote code execution. | critical |
| CVE-2025-53097 | Roo Code is an AI-powered autonomous coding agent. Prior to version 3.20.3, there was an issue where the Roo Code agent's `search_files` tool did not respect the setting to disable reads outside of the VS Code workspace. This means that an attacker who was able to inject a prompt into the agent could potentially read a sensitive file and then write the information to a JSON schema. Users have the option to disable schema fetching in VS Code, but the feature is enabled by default. For users with this feature enabled, writing to the schema would trigger a network request without the user having a chance to deny. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent. Version 3.20.3 fixed the issue where `search_files` did not respect the setting to limit it to the workspace. This reduces the scope of the damage if an attacker is able to take control of the agent through prompt injection or another vector. | medium |