| CVE-2025-49881 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CyberChimps Responsive Blocks allows Stored XSS. This issue affects Responsive Blocks: from n/a through 2.0.5. | medium |
| CVE-2025-49880 | Missing Authorization vulnerability in Emraan Cheema CubeWP Forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CubeWP Forms: from n/a through 1.1.5. | medium |
| CVE-2025-49879 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in themezaa Litho allows Path Traversal. This issue affects Litho: from n/a through 3.0. | high |
| CVE-2025-49878 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Greg Winiarski WPAdverts allows DOM-Based XSS. This issue affects WPAdverts: from n/a through 2.2.4. | medium |
| CVE-2025-49877 | Server-Side Request Forgery (SSRF) vulnerability in Metagauss ProfileGrid allows Server Side Request Forgery. This issue affects ProfileGrid : from n/a through 5.9.5.2. | medium |
| CVE-2025-49875 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in IfSo Dynamic Content If-So Dynamic Content Personalization allows Stored XSS. This issue affects If-So Dynamic Content Personalization: from n/a through 1.9.3.1. | medium |
| CVE-2025-49874 | Missing Authorization vulnerability in tychesoftwares Arconix FAQ allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Arconix FAQ: from n/a through 1.9.6. | medium |
| CVE-2025-49872 | Missing Authorization vulnerability in WPExperts.io myCred allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects myCred: from n/a through 2.9.4.2. | medium |
| CVE-2025-49871 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Mutende Noptin allows Stored XSS. This issue affects Noptin: from n/a through 3.8.7. | medium |
| CVE-2025-49868 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FunnelKit Automation By Autonami allows Phishing. This issue affects Automation By Autonami: from n/a through 3.6.0. | medium |
| CVE-2025-49865 | Cross-Site Request Forgery (CSRF) vulnerability in Helmut Wandl Advanced Settings allows Cross Site Request Forgery. This issue affects Advanced Settings: from n/a through 3.0.1. | medium |
| CVE-2025-49864 | Missing Authorization vulnerability in AFS Analytics AFS Analytics allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects AFS Analytics: from n/a through 4.21. | medium |
| CVE-2025-49863 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Codeus Advanced Sermons allows Stored XSS. This issue affects Advanced Sermons: from n/a through 3.6. | medium |
| CVE-2025-49862 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in motov.net Ebook Store allows Stored XSS. This issue affects Ebook Store: from n/a through 5.8008. | medium |
| CVE-2025-49861 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Timur Kamaev Kama Click Counter allows Stored XSS. This issue affects Kama Click Counter: from n/a through 4.0.3. | medium |
| CVE-2025-49859 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in etruel WP Views Counter allows Stored XSS. This issue affects WP Views Counter: from n/a through 2.0.3. | medium |
| CVE-2025-49858 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tychesoftwares Arconix Shortcodes allows Stored XSS. This issue affects Arconix Shortcodes: from n/a through 2.1.17. | medium |
| CVE-2025-49857 | Missing Authorization vulnerability in WPExperts.io myCred allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects myCred: from n/a through 2.9.4.2. | medium |
| CVE-2025-49856 | Cross-Site Request Forgery (CSRF) vulnerability in CyberChimps Responsive Plus allows Cross Site Request Forgery. This issue affects Responsive Plus: from n/a through 3.2.2. | medium |
| CVE-2025-49855 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Meks Meks Flexible Shortcodes allows DOM-Based XSS. This issue affects Meks Flexible Shortcodes: from n/a through 1.3.7. | medium |
| CVE-2025-49854 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Anh Tran Slim SEO allows SQL Injection. This issue affects Slim SEO: from n/a through 4.5.4. | high |
| CVE-2025-49842 | conda-forge-webservices is the web app deployed to run conda-forge admin commands and linting. Prior to version 2025.3.24, the conda_forge_webservice Docker container executes commands without specifying a user. By default, Docker containers run as the root user, which increases the risk of privilege escalation and host compromise if a vulnerability is exploited. This issue has been patched in version 2025.3.24. | low |
| CVE-2025-49823 | (conda) Constructor is a tool which allows constructing an installer for a collection of conda packages. Prior to version 3.11.3, shell installer scripts process the installation prefix (user_prefix) using an eval statement, which executes unsanitized user input as shell code. Although the script runs with user privileges (not root), an attacker could exploit this by injecting arbitrary commands through a malicious path during installation. Exploitation requires explicit user action. This issue has been patched in version 3.11.3. | info |
| CVE-2025-49508 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean CozyStay allows PHP Local File Inclusion. This issue affects CozyStay: from n/a through n/a. | high |
| CVE-2025-4949 | In Eclipse JGit versions 7.2.0.202503040940-r and older, the ManifestParser class used by the repo command and the AmazonS3 class used to implement the experimental amazons3 git transport protocol allowing to store git pack files in an Amazon S3 bucket, are vulnerable to XML External Entity (XXE) attacks when parsing XML files. This vulnerability can lead to information disclosure, denial of service, and other security issues. | medium |
| CVE-2025-4948 | A flaw was found in the soup_multipart_new_from_message() function of the libsoup HTTP library, which is commonly used by GNOME and other applications to handle web communications. The issue occurs when the library processes specially crafted multipart messages. Due to improper validation, an internal calculation can go wrong, leading to an integer underflow. This can cause the program to access invalid memory and crash. As a result, any application or server using libsoup could be forced to exit unexpectedly, creating a denial-of-service (DoS) risk. | high |
| CVE-2025-49452 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adrian Ladó PostaPanduri allows SQL Injection. This issue affects PostaPanduri: from n/a through 2.1.3. | critical |
| CVE-2025-49451 | Path Traversal vulnerability in yannisraft Aeroscroll Gallery – Infinite Scroll Image Gallery & Post Grid with Photo Gallery allows Path Traversal. This issue affects Aeroscroll Gallery – Infinite Scroll Image Gallery & Post Grid with Photo Gallery: from n/a through 1.0.12. | high |
| CVE-2025-49447 | Unrestricted Upload of File with Dangerous Type vulnerability in Fastw3b LLC FW Food Menu allows Using Malicious Files. This issue affects FW Food Menu : from n/a through 6.0.0. | critical |
| CVE-2025-49444 | Unrestricted Upload of File with Dangerous Type vulnerability in merkulove Reformer for Elementor allows Upload a Web Shell to a Web Server. This issue affects Reformer for Elementor: from n/a through 1.0.5. | critical |
| CVE-2025-49415 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Fastw3b LLC FW Gallery allows Path Traversal. This issue affects FW Gallery: from n/a through 8.0.0. | high |
| CVE-2025-49331 | Deserialization of Untrusted Data vulnerability in impleCode eCommerce Product Catalog allows Object Injection. This issue affects eCommerce Product Catalog: from n/a through 3.4.3. | high |
| CVE-2025-49330 | Deserialization of Untrusted Data vulnerability in CRM Perks Integration for Contact Form 7 and Zoho CRM, Bigin allows Object Injection. This issue affects Integration for Contact Form 7 and Zoho CRM, Bigin: from n/a through 1.3.0. | critical |
| CVE-2025-4932 | A vulnerability, which was classified as critical, has been found in projectworlds Online Lawyer Management System 1.0. Affected by this issue is some unknown functionality of the file /lawyer_registation.php. The manipulation of the argument email leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | medium |
| CVE-2025-49316 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder Team Tobias WP2LEADS allows Reflected XSS. This issue affects WP2LEADS: from n/a through 3.5.0. | high |
| CVE-2025-49312 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeRevolution Echo RSS Feed Post Generator Plugin for WordPress allows Reflected XSS. This issue affects Echo RSS Feed Post Generator Plugin for WordPress: from n/a through 5.4.8.1. | high |
| CVE-2025-49266 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rustaurius Ultimate Reviews allows Reflected XSS. This issue affects Ultimate Reviews: from n/a through 3.2.14. | high |
| CVE-2025-49261 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza allows PHP Local File Inclusion. This issue affects Diza: from n/a through 1.3.8. | high |
| CVE-2025-49260 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Aora allows PHP Local File Inclusion. This issue affects Aora: from n/a through 1.3.9. | high |
| CVE-2025-49259 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara allows PHP Local File Inclusion. This issue affects Hara: from n/a through 1.2.10. | high |
| CVE-2025-49258 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Maia allows PHP Local File Inclusion. This issue affects Maia: from n/a through 1.1.15. | high |
| CVE-2025-49257 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Zota allows PHP Local File Inclusion. This issue affects Zota: from n/a through 1.3.8. | high |
| CVE-2025-49256 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Sapa allows PHP Local File Inclusion. This issue affects Sapa: from n/a through 1.1.14. | high |
| CVE-2025-49255 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Ruza allows PHP Local File Inclusion. This issue affects Ruza: from n/a through 1.0.7. | high |
| CVE-2025-49254 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Nika allows PHP Local File Inclusion. This issue affects Nika: from n/a through 1.2.8. | high |
| CVE-2025-49253 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Lasa allows PHP Local File Inclusion. This issue affects Lasa: from n/a through 1.1. | high |
| CVE-2025-49252 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa allows PHP Local File Inclusion. This issue affects Besa: from n/a through 2.3.8. | high |
| CVE-2025-49251 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana allows PHP Local File Inclusion. This issue affects Fana: from n/a through 1.1.28. | high |
| CVE-2025-49234 | Missing Authorization vulnerability in Deepak anand WP Dummy Content Generator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Dummy Content Generator: from n/a through 3.4.6. | medium |
| CVE-2025-49180 | A flaw was found in the RandR extension, where the RRChangeProviderProperty function does not properly validate input. This issue leads to an integer overflow when computing the total size to allocate. | medium |
