| CVE-2025-47671 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LETSCMS MLM Software Binary MLM Plan allows SQL Injection. This issue affects Binary MLM Plan: from n/a through 3.0. | high |
| CVE-2025-47670 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange WordPress Social Login and Register allows PHP Local File Inclusion. This issue affects WordPress Social Login and Register: from n/a through 7.6.10. | high |
| CVE-2025-47663 | Unrestricted Upload of File with Dangerous Type vulnerability in mojoomla Hospital Management System allows Upload a Web Shell to a Web Server. This issue affects Hospital Management System: from 47.0(20 through 11. | critical |
| CVE-2025-47660 | Deserialization of Untrusted Data vulnerability in Codexpert, Inc WC Affiliate allows Object Injection. This issue affects WC Affiliate: from n/a through 2.9.1. | high |
| CVE-2025-47658 | Unrestricted Upload of File with Dangerous Type vulnerability in ELEXtensions ELEX WordPress HelpDesk & Customer Ticketing System allows Upload a Web Shell to a Web Server. This issue affects ELEX WordPress HelpDesk & Customer Ticketing System: from n/a through 3.2.7. | critical |
| CVE-2025-47646 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Gilblas Ngunte Possi PSW Front-end Login & Registration allows Password Recovery Exploitation. This issue affects PSW Front-end Login & Registration: from n/a through 1.13. | critical |
| CVE-2025-47642 | Unrestricted Upload of File with Dangerous Type vulnerability in Ajar Productions Ajar in5 Embed allows Upload a Web Shell to a Web Server. This issue affects Ajar in5 Embed: from n/a through 3.1.5. | critical |
| CVE-2025-47641 | Unrestricted Upload of File with Dangerous Type vulnerability in printcart Printcart Web to Print Product Designer for WooCommerce allows Upload a Web Shell to a Web Server. This issue affects Printcart Web to Print Product Designer for WooCommerce: from n/a through 2.3.8. | critical |
| CVE-2025-47640 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in printcart Printcart Web to Print Product Designer for WooCommerce allows SQL Injection. This issue affects Printcart Web to Print Product Designer for WooCommerce: from n/a through 2.3.8. | critical |
| CVE-2025-47637 | Unrestricted Upload of File with Dangerous Type vulnerability in STAGGS STAGGS allows Upload a Web Shell to a Web Server. This issue affects STAGGS: from n/a through 2.11.0. | critical |
| CVE-2025-47631 | Incorrect Privilege Assignment vulnerability in mojoomla Hospital Management System allows Privilege Escalation. This issue affects Hospital Management System: from 47.0(20 through 11. | high |
| CVE-2025-47619 | Missing Authorization vulnerability in 6Storage 6Storage Rentals allows Path Traversal. This issue affects 6Storage Rentals: from n/a through 2.19.4. | medium |
| CVE-2025-47618 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mortgage Calculator BMI Adult & Kid Calculator allows Reflected XSS. This issue affects BMI Adult & Kid Calculator: from n/a through 1.2.2. | high |
| CVE-2025-47613 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mojoomla School Management allows Reflected XSS. This issue affects School Management: from n/a through 92.0.0. | high |
| CVE-2025-47612 | Missing Authorization vulnerability in flowdee ClickWhale allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ClickWhale: from n/a through 2.4.6. | high |
| CVE-2025-47611 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Khaled User Meta allows Reflected XSS. This issue affects User Meta: from n/a through 3.1.2. | high |
| CVE-2025-47603 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Belingo belingoGeo allows Path Traversal. This issue affects belingoGeo: from n/a through 1.12.0. | high |
| CVE-2025-47599 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in facturante Facturante allows SQL Injection. This issue affects Facturante: from n/a through 1.11. | critical |
| CVE-2025-47575 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla School Management allows SQL Injection. This issue affects School Management: from n/a through 92.0.0. | high |
| CVE-2025-47568 | Deserialization of Untrusted Data vulnerability in ZoomIt ZoomSounds allows Object Injection. This issue affects ZoomSounds: from n/a through 6.91. | critical |
| CVE-2025-47558 | Missing Authorization vulnerability in RomanCode MapSVG allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects MapSVG: from n/a through 8.5.31. | high |
| CVE-2025-47541 | Insertion of Sensitive Information Into Sent Data vulnerability in WPFunnels Mail Mint allows Retrieve Embedded Sensitive Data. This issue affects Mail Mint: from n/a through 1.17.7. | high |
| CVE-2025-47539 | Incorrect Privilege Assignment vulnerability in Themewinter Eventin allows Privilege Escalation. This issue affects Eventin: from n/a through 4.0.26. | critical |
| CVE-2025-47535 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in wpopal Opal Woo Custom Product Variation allows Path Traversal. This issue affects Opal Woo Custom Product Variation: from n/a through 1.2.0. | high |
| CVE-2025-47532 | Deserialization of Untrusted Data vulnerability in CoinPayments CoinPayments.net Payment Gateway for WooCommerce allows Object Injection. This issue affects CoinPayments.net Payment Gateway for WooCommerce: from n/a through 1.0.17. | critical |
| CVE-2025-47530 | Deserialization of Untrusted Data vulnerability in WPFunnels WPFunnels allows Object Injection. This issue affects WPFunnels: from n/a through 3.5.18. | critical |
| CVE-2025-47529 | Missing Authorization vulnerability in UX Design Experts Experto CTA Widget – Call To Action, Sticky CTA, Floating Button Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Experto CTA Widget – Call To Action, Sticky CTA, Floating Button Plugin: from n/a through 1.1.1. | medium |
| CVE-2025-47513 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in James Laforge Infocob CRM Forms allows Path Traversal. This issue affects Infocob CRM Forms: from n/a through 2.4.0. | medium |
| CVE-2025-47512 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in tainacan Tainacan allows Path Traversal. This issue affects Tainacan: from n/a through 0.21.14. | high |
| CVE-2025-47492 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms allows Path Traversal. This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through 1.4.3. | high |
| CVE-2025-47478 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid allows SQL Injection. This issue affects ProfileGrid : from n/a through 5.9.5.0. | high |
| CVE-2025-47461 | Authentication Bypass Using an Alternate Path or Channel vulnerability in mediaticus Subaccounts for WooCommerce allows Authentication Abuse. This issue affects Subaccounts for WooCommerce: from n/a through 1.6.6. | high |
| CVE-2025-47458 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in B2itech B2i Investor Tools allows Reflected XSS. This issue affects B2i Investor Tools: from n/a through 1.0.7.9. | high |
| CVE-2025-47453 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Xylus Themes WP Smart Import allows PHP Local File Inclusion. This issue affects WP Smart Import: from n/a through 1.1.3. | high |
| CVE-2025-47181 | Improper link resolution before file access ('link following') in Microsoft Edge (Chromium-based) allows an authorized attacker to elevate privileges locally. | high |
| CVE-2025-47149 | The optional feature 'Anti-Virus & Sandbox' of i-FILTER contains an issue with improper pattern file validation. If exploited, the product may treat an unauthorized pattern file as an authorized. If the product uses a specially crafted pattern file, information in the server where the product is running may be retrieved, and/or cause a denial of service (DoS) condition. | medium |
| CVE-2025-4692 | Actors can use a maliciously crafted JavaScript object notation (JSON) web token (JWT) to perform privilege escalation by submitting the malicious JWT to a vulnerable method exposed on the cloud platform. If the exploit is successful, the user can escalate privileges to access any device managed by the ABUP Cloud Update Platform. | medium |
| CVE-2025-46716 | Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. Starting in version 1.3.0 and prior to version 1.15.12, Api_SetSecureParam fails to sanitize incoming pointers, and implicitly trusts that the pointer the user has passed in is safe to read from. SetRegValue then reads an arbitrary address, which can be a kernel pointer, into a HKLM Security SBIE registry value. This can later be retrieved by API_GET_SECURE_PARAM. Version 1.15.12 fixes the issue. | medium |
| CVE-2025-46715 | Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. Starting in version 1.3.0 and prior to version 1.15.12, Api_GetSecureParam fails to sanitize incoming pointers, and implicitly trusts that the pointer the user has passed in is safe to write to. GetRegValue then writes the contents of the SBIE registry entry selected to this address. An attacker can pass in a kernel pointer and the driver dumps the registry key contents we requested to it. This can be triggered by anyone on the system, including low integrity windows processes. Version 1.15.12 fixes the issue. | high |
| CVE-2025-46714 | Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. Starting in version 1.3.0 and prior to 1.15.12, API_GET_SECURE_PARAM has an arithmetic overflow leading to a small memory allocation and then a extremely large copy into the small allocation. Version 1.15.12 fixes the issue. | high |
| CVE-2025-46713 | Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. Starting in version 0.0.1 and prior to 1.15.12, API_SET_SECURE_PARAM may have an arithmetic overflow deep in the memory allocation subsystem that would lead to a smaller allocation than requested, and a buffer overflow. Version 1.15.12 fixes the issue. | high |
| CVE-2025-46539 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFable Fable Extra allows Blind SQL Injection. This issue affects Fable Extra: from n/a through 1.0.6. | critical |
| CVE-2025-46537 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ctltwp Section Widget allows Reflected XSS. This issue affects Section Widget: from n/a through 3.3.1. | high |
| CVE-2025-46527 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in LikeCoin Web3Press allows Path Traversal. This issue affects Web3Press: from n/a through 3.2.0. | medium |
| CVE-2025-46526 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in janekniefeldt My Custom Widgets allows Reflected XSS. This issue affects My Custom Widgets: from n/a through 2.0.5. | high |
| CVE-2025-46518 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in phpaddicted IGIT Related Posts With Thumb Image After Posts allows Stored XSS. This issue affects IGIT Related Posts With Thumb Image After Posts: from n/a through 4.5.3. | medium |
| CVE-2025-46515 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M A Vinoth Kumar Category Widget allows Reflected XSS. This issue affects Category Widget: from n/a through 2.0.2. | high |
| CVE-2025-46493 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wordwebsoftware Crossword Compiler Puzzles allows Stored XSS. This issue affects Crossword Compiler Puzzles: from n/a through 5.3. | medium |
| CVE-2025-46490 | Unrestricted Upload of File with Dangerous Type vulnerability in wordwebsoftware Crossword Compiler Puzzles allows Upload a Web Shell to a Web Server. This issue affects Crossword Compiler Puzzles: from n/a through 5.2. | critical |
| CVE-2025-46488 | Missing Authorization vulnerability in dastan800 Visual Builder allows Reflected XSS. This issue affects Visual Builder: from n/a through 1.2.2. | high |
