Vulnerabilities > Medium

DATE CVE VULNERABILITY TITLE RISK
2025-04-25 CVE-2025-2580 The Contact Form by Bit Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.18.3 due to insufficient input sanitization and output escaping.
network
high complexity
CWE-79
4.9
2025-04-25 CVE-2025-3861 The Prevent Direct Access – Protect WordPress Files plugin for WordPress is vulnerable to unauthorized access and modification of data due to a misconfigured capability check on the 'pda_lite_custom_permission_check' function in versions 2.8.6 to 2.8.8.2.
network
low complexity
CWE-863
5.4
2025-04-25 CVE-2025-3923 The Prevent Direct Access – Protect WordPress Files plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.8 via the 'generate_unique_string' due to insufficient randomness of the generated file name.
network
low complexity
CWE-200
5.3
2025-04-25 CVE-2025-3752 The Able Player, accessible HTML5 media player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘preload’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping.
network
low complexity
CWE-79
6.4
2025-04-25 CVE-2025-3775 The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.2 via the woolentor_template_proxy function.
network
low complexity
CWE-918
6.5
2025-04-24 CVE-2025-3749 The Breeze Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘cal_size’ parameter in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping.
network
low complexity
CWE-79
6.4
2025-04-24 CVE-2025-46420 A flaw was found in libsoup.
network
low complexity
CWE-401
6.5
2025-04-24 CVE-2025-46421 A flaw was found in libsoup.
network
high complexity
CWE-497
6.8
2025-04-24 CVE-2021-47664 Due to improper authentication mechanism an unauthenticated remote attacker can enumerate valid usernames.
network
low complexity
CWE-203
5.3
2025-04-24 CVE-2024-13307 The Reales WP - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'reales_delete_file', 'reales_delete_file_plans', 'reales_add_to_favourites', and 'reales_remove_from_favourites' functions in all versions up to, and including, 2.1.2.
network
low complexity
CWE-862
5.3