Vulnerabilities > Medium

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | VECTOR | COMPLEXITY | VENDOR | CWE | RISK |
|---|---|---|---|---|---|---|---|---|
| 2025-05-30 | CVE-2025-4597 | | The Woo Slider Pro – Drag Drop Slider Builder For WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woo_slide_pro_delete_draft_preview AJAX action in all versions up to, and including, 1.12. | network | low | | CWE-862 | 6.5 |
| 2025-05-30 | CVE-2025-4944 | | The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Compare and Google Maps widgets in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. | network | low | | CWE-79 | 6.4 |
| 2025-05-30 | CVE-2025-5142 | Cross-Site Request Forgery (CSRF) vulnerability in Pluginsandsnippets Simple Page Access Restriction | The Simple Page Access Restriction plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.31. | network | low | pluginsandsnippets | CWE-352 | 6.5 |
| 2025-05-30 | CVE-2025-5235 | Cross-site Scripting vulnerability in Opensheetmusicdisplay | The OpenSheetMusicDisplay plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping. | network | low | opensheetmusicdisplay | CWE-79 | 5.4 |
| 2025-05-30 | CVE-2025-48334 | Missing Authorization vulnerability in Binarycarpenter WOO Slider PRO | Missing Authorization vulnerability in BinaryCarpenter Woo Slider Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Woo Slider Pro: from n/a through 1.12. Affected action "woo_slide_pro_delete_slider". | network | low | binarycarpenter | CWE-862 | 4.3 |
| 2025-05-30 | CVE-2025-48912 | Unspecified vulnerability in Apache Superset | An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. | network | low | apache | | 6.5 |
| 2025-05-30 | CVE-2025-4431 | Improper Access Control vulnerability in Krasenslavov Featured Image Plus | The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the fip_save_attach_featured function in all versions up to, and including, 1.6.3. | network | low | krasenslavov | CWE-284 | 4.3 |
| 2025-05-30 | CVE-2025-5236 | Cross-site Scripting vulnerability in Ninjateam Chat for Telegram | The NinjaTeam Chat for Telegram plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘username’ parameter in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. | network | low | ninjateam | CWE-79 | 5.4 |
| 2025-05-30 | CVE-2025-41406 | Cross-site Scripting vulnerability in Uchida Wivia 5 Firmware | Cross-site scripting vulnerability exists in wivia 5 all versions. | network | low | uchida | CWE-79 | 6.1 |
| 2025-05-30 | CVE-2025-48485 | Cross-site Scripting vulnerability in Freescout | FreeScout is a free self-hosted help desk and shared mailbox. | network | low | freescout | CWE-79 | 5.4 |