CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

09 Apr 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in odude Flexi – Guest Submit allows PHP Local File Inclusion. This issue affects Flexi – Guest Submit: from n/a through 4.28. The Flexi – Guest Submit plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.28. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP co... • https://patchstack.com/database/wordpress/plugin/flexi/vulnerability/wordpress-flexi-guest-submit-plugin-4-28-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

06 Jul 2022 — The Flexi Quote Rotator WordPress plugin through 0.9.4 does not sanitise and escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. • https://wpscan.com/vulnerability/dbac391b-fc48-4e5e-b63a-2b3ddb0d5552 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')