Vulnerabilities

DATE CVE VULNERABILITY TITLE RISK
2025-04-24 CVE-2025-3101 The Configurator Theme Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.4.7.
network
low complexity
CWE-269
8.8
8.8
2025-04-24 CVE-2025-3280 The ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes plugin for WordPress is vulnerable to SQL Injection via the 'attribute_value_filter' parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.
network
low complexity
CWE-89
6.5
6.5
2025-04-24 CVE-2025-3300 The WPMasterToolKit (WPMTK) – All in one plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.5.2.
network
low complexity
CWE-22
7.2
7.2
2025-04-24 CVE-2025-3603 The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0.
network
low complexity
CWE-620
critical
 9.8
9.8
2025-04-24 CVE-2025-3604 The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0.
network
low complexity
CWE-862
critical
 9.8
9.8
2025-04-24 CVE-2025-3607 The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.7.
network
low complexity
CWE-620
8.8
8.8
2025-04-24 CVE-2025-3776 The Verification SMS with TargetSMS plugin for WordPress is vulnerable to limited Remote Code Execution in all versions up to, and including, 1.5 via the 'targetvr_ajax_handler' function.
network
low complexity
CWE-94
8.3
8.3
2025-04-24 CVE-2025-3793 The Buddypress Force Password Change plugin for WordPress is vulnerable to authenticated account takeover due to the plugin not properly validating a user's identity prior to updating their password through the 'bp_force_password_ajax' function in all versions up to, and including, 0.1.
network
high complexity
CWE-620
4.2
4.2
2025-04-24 CVE-2025-3832 The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘successredirect’ parameter in all versions up to, and including, 6.7 due to insufficient input sanitization and output escaping.
network
low complexity
CWE-79
6.4
6.4
2025-04-24 CVE-2025-3761 The My Tickets – Accessible Event Ticketing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.0.16.
network
low complexity
CWE-269
8.8
8.8