Vulnerabilities
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2025-02-18 | CVE-2025-0817 | Cross-site Scripting vulnerability in Ncrafts Formcraft The FormCraft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.9.11 due to insufficient input sanitization and output escaping. | 6.1 |
| 2025-02-18 | CVE-2024-13369 | SQL Injection vulnerability in Goodlayers Tour Master The Tour Master - Tour Booking, Travel, Hotel plugin for WordPress is vulnerable to time-based SQL Injection via the ‘review_id’ parameter in all versions up to, and including, 5.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. | 8.8 |
| 2025-02-18 | CVE-2025-0981 | Cross-site Scripting vulnerability in Churchcrm A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. | 6.1 |
| 2025-02-18 | CVE-2025-1023 | SQL Injection vulnerability in Churchcrm A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. | 9.8 |
| 2025-02-18 | CVE-2024-12860 | Unspecified vulnerability in Carspot Project Carspot The CarSpot – Dealership Wordpress Classified Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.4.3. | 9.8 |
| 2025-02-18 | CVE-2024-13316 | Missing Authorization vulnerability in Akashmalik Scracth & WIN The Scratch & Win – Giveaways and Contests. | 5.3 |
| 2025-02-18 | CVE-2024-13395 | Cross-site Scripting vulnerability in Kerryoco Threepress The Threepress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'threepress' shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. | 5.4 |
| 2025-02-18 | CVE-2024-13718 | Cross-Site Request Forgery (CSRF) vulnerability in Wpdesk Flexible Wishlist for Woocommerce The Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.26. | 4.3 |
| 2025-02-18 | CVE-2024-11376 | Cross-site Scripting vulnerability in Clavaque S2Member The s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 241114. | 6.1 |
| 2025-02-18 | CVE-2024-11895 | Cross-site Scripting vulnerability in Vcita Online Payments - GET Paid With Paypal, Square & Stripe The Online Payments – Get Paid with PayPal, Square & Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.20.0 due to insufficient input sanitization and output escaping on user supplied attributes. | 5.4 |