Total CVEs

142,588

Critical Severity

4,002

High Severity

14,356

Last 7 Days

1,797
Quick preset (or use dates below)
Clear Filters
Showing 13,961 - 13,980 of 14,783 CVEs
CVE-2025-13892 MEDIUM - 6.1

The MG AdvancedOptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to ...

Published: Jan 09, 2026
Source: NVD
CVE-2025-13862 MEDIUM - 6.4

The Menu Card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `category` parameter in all versions up to, and including, 0.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and a...

Published: Jan 09, 2026
Source: NVD
CVE-2025-13854 MEDIUM - 6.4

The Curved Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'radius' parameter of the arctext shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wi...

Published: Jan 09, 2026
Source: NVD
CVE-2025-13852 MEDIUM - 6.4

The Debt.com Business in a Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'configuration' parameter of the lead_form shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping. This makes it possible for a...

Published: Jan 09, 2026
Source: NVD
CVE-2025-13717 MEDIUM - 5.3

The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wp_gvccf_check_download_request' function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export s...

Published: Jan 09, 2026
Source: NVD
CVE-2025-13704 MEDIUM - 6.4

The Autogen Headers Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head_class' parameter of the 'autogen_menu' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible...

Published: Jan 09, 2026
Source: NVD
CVE-2025-13701 MEDIUM - 6.1

The Shabat Keeper plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 0.4.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inje...

Published: Jan 09, 2026
Source: NVD
CVE-2025-11453 MEDIUM - 6.4

The Header and Footer Scripts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _inpost_head_script parameter in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contr...

Published: Jan 09, 2026
Source: NVD
CVE-2025-9222 MEDIUM - 5.4

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2.2 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to achieve stored cross-site scripting by exploiting GitLab Flavored Markdown.

Vendor: gitlab
Product: gitlab
Published: Jan 09, 2026
Source: NVD
CVE-2025-13900 MEDIUM - 6.4

The WP Popup Magic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the [wppum_end] shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attack...

Published: Jan 09, 2026
Source: NVD
CVE-2025-13895 MEDIUM - 6.1

The Top Position Google Finance plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 0.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated at...

Published: Jan 09, 2026
Source: NVD
CVE-2025-13853 MEDIUM - 6.4

The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data_tech' parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated att...

Published: Jan 09, 2026
Source: NVD
CVE-2025-13781 MEDIUM - 6.5

GitLab has remediated an issue in GitLab EE affecting all versions from 18.5 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to modify instance-wide AI feature provider settings by exploiting missing authorization checks in GraphQL mutations.

Vendor: gitlab
Product: gitlab
Published: Jan 09, 2026
Source: NVD
CVE-2025-13772 MEDIUM - 4.3

GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to access and utilize AI model settings from unauthorized namespaces by manipulating namespace identifiers in API reque...

Vendor: gitlab
Product: gitlab
Published: Jan 09, 2026
Source: NVD
CVE-2025-13729 MEDIUM - 6.4

The Entry Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'entry-views' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for aut...

Published: Jan 09, 2026
Source: NVD
CVE-2025-11246 MEDIUM - 5.4

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.4 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user with specific permissions to remove all project runners from unrelated projects by manipulating GraphQL runner assoc...

Vendor: gitlab
Product: gitlab
Published: Jan 09, 2026
Source: NVD
CVE-2025-10569 MEDIUM - 6.5

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.5.5, 18.6 before 18.6.3, and 18.7 before 18.7.1 that could have allowed an authenticated user to create a denial of service condition by providing crafted responses to external API calls.

Vendor: gitlab
Product: gitlab
Published: Jan 09, 2026
Source: NVD
CVE-2026-0627 MEDIUM - 6.4

The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes `<script>` tags while allowing other XSS vectors such as event hand...

Published: Jan 09, 2026
Source: NVD
CVE-2026-21409 MEDIUM - 5.9

Improper authorization vulnerability exists in RICOH Streamline NX 3.5.1 to 24R3. If a man-in-the-middle attack is conducted on the communication between the affected product and its user, and some crafted request is processed by the product, the user's registration information and/or OIDC (Ope...

Published: Jan 09, 2026
Source: NVD
CVE-2025-14146 MEDIUM - 5.3

The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the nonce verification being conditionally disabled by default (`booking_is_nonce_at_front_end` option ...

Published: Jan 09, 2026
Source: NVD