Common Vulnerabilities and Exposures (CVE)

CVE-2025-12181

Dec 5, 2025 05:31:24 UTC

The ContentStudio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the cstu_update_post() function in all versions up to, and including, 1.3.7. This makes it possible for authenticated atta...

CVE-2025-13625

Dec 5, 2025 05:31:24 UTC

The WP-SOS-Donate Donation Sidebar Plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.9.2 due to insufficient input sanitization and output e...

CVE-2025-13360

Dec 5, 2025 05:31:23 UTC

The Quantic Social Image Hover plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.8. This is due to missing nonce validation on the settings update functionality. This makes it possibl...

CVE-2025-12368

Dec 5, 2025 05:31:23 UTC

The Sermon Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `sermon-views` shortcode in all versions up to, and including, 2.30.0. This is due to insufficient input sanitization and output escaping on user-s...

CVE-2025-13621

Dec 5, 2025 05:31:22 UTC

The dream gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'dreampluginsmain' AJAX action. This makes it possible...

CVE-2025-12165

Dec 5, 2025 05:31:22 UTC

The Webcake – Landing Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'webcake_save_config' AJAX endpoint in all versions up to, and including, 1.1. This makes it...

CVE-2025-12163

Dec 5, 2025 05:31:21 UTC

The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenti...

CVE-2025-13512

Dec 5, 2025 05:31:21 UTC

The CoSign Single Signon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.3.1 due to insufficient input sanitization and output escaping. T...

CVE-2025-12124

Dec 5, 2025 05:31:20 UTC

The FitVids for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible fo...

CVE-2025-13144

Dec 5, 2025 05:31:20 UTC

The ContentStudio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.7. This is due to missing or insufficient nonce validation on the add_cstu_settings function. This makes it possibl...

CVE-2025-66270

Dec 5, 2025 05:25:41 UTC

The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and...

CVE-2025-32901

Dec 5, 2025 05:12:40 UTC

In KDE Connect before 1.33.0 on Android, malicious device IDs (sent via broadcast UDP) could cause an application crash.

CVE-2025-29846

Dec 5, 2025 04:56:30 UTC

A vulnerability in portenable cgi allows remote authenticated users to get the status of installed packages.

CVE-2025-66476

Dec 5, 2025 04:56:29 UTC

Vim is an open source, command line text editor. Prior to version 9.1.1947, an uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory for the current edited file...

CVE-2025-32899

Dec 5, 2025 04:45:51 UTC

In KDE Connect before 1.33.0 on Android, a packet can be crafted that causes two paired devices to unpair. Specifically, it is an invalid discovery packet sent over broadcast UDP.