Vulnerabilities > Medium

DATE CVE VULNERABILITY TITLE RISK
2025-04-24 CVE-2025-46420 A flaw was found in libsoup.
network
low complexity
CWE-401
6.5
2025-04-24 CVE-2025-46421 A flaw was found in libsoup.
network
high complexity
CWE-497
6.8
2025-04-24 CVE-2021-47664 Due to improper authentication mechanism an unauthenticated remote attacker can enumerate valid usernames.
network
low complexity
CWE-203
5.3
2025-04-24 CVE-2024-13307 The Reales WP - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'reales_delete_file', 'reales_delete_file_plans', 'reales_add_to_favourites', and 'reales_remove_from_favourites' functions in all versions up to, and including, 2.1.2.
network
low complexity
CWE-862
5.3
2025-04-24 CVE-2025-1284 The Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1 via the xc_woo_printer_preview AJAX action due to missing validation on a user controlled key.
network
low complexity
CWE-639
4.3
2025-04-24 CVE-2025-2543 The Advanced Accordion Gutenberg Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping.
network
low complexity
CWE-79
6.4
2025-04-24 CVE-2025-2579 The Lottie Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping.
network
low complexity
CWE-79
6.4
2025-04-24 CVE-2025-3280 The ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes plugin for WordPress is vulnerable to SQL Injection via the 'attribute_value_filter' parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.
network
low complexity
CWE-89
6.5
2025-04-24 CVE-2025-3793 The Buddypress Force Password Change plugin for WordPress is vulnerable to authenticated account takeover due to the plugin not properly validating a user's identity prior to updating their password through the 'bp_force_password_ajax' function in all versions up to, and including, 0.1.
network
high complexity
CWE-620
4.2
2025-04-24 CVE-2025-3832 The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘successredirect’ parameter in all versions up to, and including, 6.7 due to insufficient input sanitization and output escaping.
network
low complexity
CWE-79
6.4