Vulnerabilities > Medium

DATE CVE VULNERABILITY TITLE RISK
2025-04-23 CVE-2025-1054 The UiCore Elements – Free Elementor widgets and templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the UI Counter, UI Icon Box, UI Testimonial Slider, UI Testimonial Grid, and UI Testimonial Carousel widgets in all versions up to, and including, 1.0.16 due to insufficient input sanitization and output escaping.
network
low complexity
CWE-79
6.4
6.4
2025-04-23 CVE-2025-2595 An unauthenticated remote attacker can bypass the user management in CODESYS Visualization and read visualization template files or static elements by means of forced browsing.
network
low complexity
CWE-425
5.3
5.3
2025-04-22 CVE-2025-31327 SAP Field Logistics Manage Logistics application OData meta-data property is vulnerable to data tampering, due to which certain fields could be externally modified by an attacker causing low impact on integrity of the application.
network
low complexity
CWE-472
4.3
4.3
2025-04-22 CVE-2025-31328 SAP Learning Solution is vulnerable to Cross-Site Request Forgery (CSRF), allowing an attacker to trick authenticated user into sending unintended requests to the server.
network
low complexity
CWE-352
4.6
4.6
2025-04-22 CVE-2025-27907 IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to server-side request forgery (SSRF).
network
low complexity
CWE-918
4.1
4.1
2025-04-22 CVE-2024-11299 The Memberpress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.11.37 via the WordPress core search feature.
network
low complexity
CWE-200
5.3
5.3
2025-04-22 CVE-2025-3457 The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'oceanwp_icon' shortcode in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on user supplied attributes.
network
low complexity
CWE-79
6.4
6.4
2025-04-22 CVE-2025-3458 The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ocean_gallery_id’ parameter in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping.
network
low complexity
CWE-79
6.4
6.4
2025-04-22 CVE-2025-3472 The Ocean Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.4.6.
network
low complexity
CWE-94
6.5
6.5
2025-04-22 CVE-2025-2839 The WP Import Export Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpiePreviewData’ function in all versions up to, and including, 3.9.27 due to insufficient input sanitization and output escaping.
network
low complexity
CWE-79
6.4
6.4