Vulnerabilities

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2025-05-07 | CVE-2025-2821 | The Search Exclude plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_rest_permission function in all versions up to, and including, 2.4.9. | network, low complexity, CWE-862, 5.3 |
| 2025-05-07 | CVE-2025-3844 | The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to Authentication Bypass in versions 1.9.1 to 7.5.2. | network, low complexity, CWE-288, critical, 9.8 |
| 2025-05-07 | CVE-2025-3851 | The Download Manager and Payment Form WordPress Plugin – WP SmartPay plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 1.1.0 to 2.7.13 via the show() function due to missing validation on a user controlled key. | network, low complexity, CWE-200, 4.3 |
| 2025-05-07 | CVE-2025-3852 | The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.0 to 2.6.0. | network, low complexity, CWE-269, 8.8 |
| 2025-05-07 | CVE-2025-3853 | The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 2.0.0 to 2.6.0 via the callback_generate_api_key() due to missing validation on a user controlled key. | network, low complexity, CWE-639, 6.5 |
| 2025-05-07 | CVE-2025-3860 | The CarDealerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saleclass' parameter in all versions up to, and including, 6.7.2504.00 due to insufficient input sanitization and output escaping. | network, low complexity, CWE-79, 6.4 |
| 2025-05-07 | CVE-2025-3921 | The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handel_ajax_req() function in versions 1.9.1 to 7.5.2. | network, low complexity, CWE-285, 8.2 |
| 2025-05-07 | CVE-2025-3924 | The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to unauthorized access of data via its publicly exposed reset-password endpoint. | network, low complexity, CWE-285, 5.3 |
| 2025-05-07 | CVE-2025-4054 | The Relevanssi – A Better Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the highlights functionality in all versions up to, and including, 4.24.3 due to insufficient input sanitization and output escaping. | network, low complexity, CWE-79, 6.1 |
| 2025-05-07 | CVE-2025-4055 | The Multiple Post Type Order plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mpto' shortcode in all versions up to, and including, 1.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. | network, low complexity, CWE-79, 6.4 |