Vulnerabilities
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2025-05-02 | CVE-2025-3488 | Cross-site Scripting vulnerability in Wpml The WPML plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpml_language_switcher shortcode in versions 3.6.0 - 4.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. | 5.4 |
| 2025-05-02 | CVE-2025-47201 | Cross-site Scripting vulnerability in Intrexx In Intrexx Portal Server before 12.0.4, multiple Velocity-Scripts are susceptible to the execution of unrequested JavaScript code in HTML, aka XSS. | 5.4 |
| 2025-05-02 | CVE-2024-12023 | The FULL – Cliente plugin for WordPress is vulnerable to SQL Injection via the 'formId' parameter in all versions 3.1.5 to 3.1.25 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. | 6.5 |
| 2025-05-02 | CVE-2024-13322 | SQL Injection vulnerability in Scripteo ADS PRO The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to SQL Injection via the 'a_id' parameter in all versions up to, and including, 4.88 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. | 7.5 |
| 2025-05-02 | CVE-2024-13344 | SQL Injection vulnerability in Smartcmsmarket Advance Seat Reservation Management for Woocommerce The Advance Seat Reservation Management for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'profileId' parameter in all versions up to, and including, 3.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. | 7.5 |
| 2025-05-02 | CVE-2024-13418 | Unrestricted Upload of File with Dangerous Type vulnerability in G5Plus products Multiple plugins and/or themes for WordPress are vulnerable to Arbitrary File Uploads due to a missing capability check on the ajaxUploadFonts() function in various versions. | 8.8 |
| 2025-05-02 | CVE-2024-13419 | Missing Authorization vulnerability in G5Plus products Multiple plugins and/or themes for WordPress using Smart Framework are vulnerable to Stored Cross-Site Scripting due to a missing capability check on the saveOptions() and importThemeOptions() functions in various versions. | 5.4 |
| 2025-05-02 | CVE-2024-13420 | Code Injection vulnerability in G5Plus products Multiple plugins and/or themes for WordPress are vulnerable to unauthorized access due to a missing capability check on several AJAX actions like 'gsf_reset_section_options', 'gsf_reset_section_options', 'gsf_create_preset_options' and more in various versions. | 4.3 |
| 2025-05-02 | CVE-2025-1326 | Missing Authorization vulnerability in Favethemes Homey The Homey theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the homey_reservation_del() function in all versions up to, and including, 2.4.4. | 4.3 |
| 2025-05-02 | CVE-2025-1327 | Authorization Bypass Through User-Controlled Key vulnerability in Favethemes Homey The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the 'homey_delete_user_account' action due to missing validation on a user controlled key. | 4.3 |