CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32158 – WordPress aThemes Addons for Elementor plugin <= 1.0.15 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2025-32158
04 Apr 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in aThemes aThemes Addons for Elementor. This issue affects aThemes Addons for Elementor: from n/a through 1.0.15. The aThemes Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.0.15. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server... • https://patchstack.com/database/wordpress/plugin/athemes-addons-for-elementor-lite/vulnerability/wordpress-athemes-addons-for-elementor-plugin-1-0-15-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32160 – WordPress EventON plugin <= 2.3.2 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2025-32160
04 Apr 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashan Perera EventON. This issue affects EventON: from n/a through 2.3.2. The EventON plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.3.2. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. Thi... • https://patchstack.com/database/wordpress/plugin/eventon-lite/vulnerability/wordpress-eventon-plugin-2-3-2-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32192 – WordPress Ultra Addons Lite for Elementor plugin <= 1.1.8 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-32192
04 Apr 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UltraPress Ultra Addons Lite for Elementor allows Stored XSS. This issue affects Ultra Addons Lite for Elementor: from n/a through 1.1.8. The Ultra Addons Lite for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-l... • https://patchstack.com/database/wordpress/plugin/ut-elementor-addons-lite/vulnerability/wordpress-ultra-addons-lite-for-elementor-plugin-1-1-8-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-31626 – WordPress Support Helpdesk Ticket System Lite plugin <= 4.5.2 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-31626
02 Apr 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M. Ali Saleem Support Helpdesk Ticket System Lite allows Reflected XSS. This issue affects Support Helpdesk Ticket System Lite: from n/a through 4.5.2. The Support Helpdesk Ticket System Lite plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 4.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attack... • https://patchstack.com/database/wordpress/plugin/ticket-help-desk-system-lite/vulnerability/wordpress-support-helpdesk-ticket-system-lite-plugin-4-5-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-31777 – WordPress Clockinator Lite plugin <= 1.0.7 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2025-31777
01 Apr 2025 — Missing Authorization vulnerability in BeastThemes Clockinator Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Clockinator Lite: from n/a through 1.0.7. The Clockinator Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.0.7. This makes it possible for unauthenticated attackers to perform an unauthorized action. • https://patchstack.com/database/wordpress/plugin/clockify-lite/vulnerability/wordpress-clockinator-lite-plugin-1-0-7-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-31767 – WordPress Post Custom Templates Lite plugin <= 1.14 - Stored Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-31767
01 Apr 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTWthemes Post Custom Templates Lite allows Stored XSS. This issue affects Post Custom Templates Lite: from n/a through 1.14. The Post Custom Templates Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and ab... • https://patchstack.com/database/wordpress/plugin/post-custom-templates-lite/vulnerability/wordpress-post-custom-templates-lite-plugin-1-14-stored-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-31847 – WordPress mFolio Lite plugin <= 1.2.2 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-31847
01 Apr 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themelooks mFolio Lite allows DOM-Based XSS. This issue affects mFolio Lite: from n/a through 1.2.2. The mFolio Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in... • https://patchstack.com/database/wordpress/plugin/mfolio-lite/vulnerability/wordpress-mfolio-lite-plugin-1-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22277 – WordPress Vitepos plugin <= 3.1.4 - Broken Authentication vulnerability
https://notcve.org/view.php?id=CVE-2025-22277
31 Mar 2025 — Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos allows Authentication Abuse. This issue affects Vitepos: from n/a through 3.1.4. The Vitepos – Point of sale (POS) plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action. • https://patchstack.com/database/wordpress/plugin/vitepos-lite/vulnerability/wordpress-vitepos-plugin-3-1-4-broken-authentication-vulnerability?_s_id=cve • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-31597 – WordPress Ultimate Live Cricket WordPress Lite plugin <= 1.4.2 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-31597
31 Mar 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in crazycric Ultimate Live Cricket WordPress Lite allows Stored XSS. This issue affects Ultimate Live Cricket WordPress Lite: from n/a through 1.4.2. The Ultimate Live Cricket WordPress Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with... • https://patchstack.com/database/wordpress/plugin/ultimate-live-cricket-lite/vulnerability/wordpress-ultimate-live-cricket-wordpress-lite-plugin-1-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30782 – WordPress Subscribe to Download Lite plugin <= 1.2.9 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2025-30782
29 Mar 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle Subscribe to Download Lite allows PHP Local File Inclusion. This issue affects Subscribe to Download Lite: from n/a through 1.2.9. The Subscribe to Download Lite plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.2.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to include and execute arb... • https://patchstack.com/database/wordpress/plugin/subscribe-to-download-lite/vulnerability/wordpress-subscribe-to-download-lite-plugin-1-2-9-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •