CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30777 – WordPress Support Genix <= 1.4.11 - Insecure Direct Object References (IDOR) Vulnerability
https://notcve.org/view.php?id=CVE-2025-30777
27 Mar 2025 — Authorization Bypass Through User-Controlled Key vulnerability in PalsCode Support Genix allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Support Genix: from n/a through 1.4.11. The Support Genix – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.11 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subs... • https://patchstack.com/database/wordpress/plugin/support-genix-lite/vulnerability/wordpress-support-genix-1-4-11-insecure-direct-object-references-idor-vulnerability?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30785 – WordPress Subscribe to Download Lite <= 1.2.9 - Local File Inclusion Vulnerability
https://notcve.org/view.php?id=CVE-2025-30785
27 Mar 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle Subscribe to Download Lite allows PHP Local File Inclusion. This issue affects Subscribe to Download Lite: from n/a through 1.2.9. The Subscribe to Download Lite plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.2.9. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute ar... • https://patchstack.com/database/wordpress/plugin/subscribe-to-download-lite/vulnerability/wordpress-subscribe-to-download-lite-1-2-9-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30865 – WordPress 3DPrint Lite plugin <= 2.1.3.5 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2025-30865
27 Mar 2025 — Cross-Site Request Forgery (CSRF) vulnerability in fuzzoid 3DPrint Lite allows Cross Site Request Forgery. This issue affects 3DPrint Lite: from n/a through 2.1.3.5. The 3DPrint Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.3.5. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an... • https://patchstack.com/database/wordpress/plugin/3dprint-lite/vulnerability/wordpress-3dprint-lite-plugin-2-1-3-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30775 – WordPress WPGuppy plugin <= 1.1.3 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-30775
27 Mar 2025 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AmentoTech Private Limited WPGuppy allows SQL Injection. This issue affects WPGuppy: from n/a through 1.1.3. The WPGuppy plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.1.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level a... • https://patchstack.com/database/wordpress/plugin/wpguppy-lite/vulnerability/wordpress-wpguppy-plugin-1-1-3-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30806 – WordPress Vimeotheque plugin <= 2.3.4.2 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-30806
27 Mar 2025 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Constantin Boiangiu Vimeotheque allows SQL Injection. This issue affects Vimeotheque: from n/a through 2.3.4.2. The Vimeotheque plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.3.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contribut... • https://patchstack.com/database/wordpress/plugin/codeflavors-vimeo-video-post-lite/vulnerability/wordpress-vimeotheque-plugin-2-3-4-2-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30859 – WordPress AliNext plugin <= 3.5.1 - Open Redirection vulnerability
https://notcve.org/view.php?id=CVE-2025-30859
27 Mar 2025 — URL Redirection to Untrusted Site ('Open Redirect') vulnerability in ali2woo AliNext allows Phishing. This issue affects AliNext: from n/a through 3.5.1. The AliExpress Dropshipping Plugin for WooCommerce – AliNext plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 3.5.1. This is due to insufficient validation on a redirect url. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into... • https://patchstack.com/database/wordpress/plugin/ali2woo-lite/vulnerability/wordpress-alinext-plugin-3-5-1-open-redirection-vulnerability?_s_id=cve • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30921 – WordPress Newsletters plugin <= 4.9.9.7 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-30921
27 Mar 2025 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tribulant Software Newsletters allows SQL Injection. This issue affects Newsletters: from n/a through 4.9.9.7. The Newsletters plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 4.9.9.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administra... • https://patchstack.com/database/wordpress/plugin/newsletters-lite/vulnerability/wordpress-newsletters-plugin-4-9-9-7-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30769 – WordPress WIP WooCarousel Lite plugin <= 1.1.7 - Cross Site Request Forgery (CSRF) to Stored XSS vulnerability
https://notcve.org/view.php?id=CVE-2025-30769
26 Mar 2025 — Cross-Site Request Forgery (CSRF) vulnerability in alexvtn WIP WooCarousel Lite allows Stored XSS. This issue affects WIP WooCarousel Lite: from n/a through 1.1.7. The WIP WooCarousel Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.7. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can tr... • https://patchstack.com/database/wordpress/plugin/wip-woocarousel-lite/vulnerability/wordpress-wip-woocarousel-lite-plugin-1-1-7-cross-site-request-forgery-csrf-to-stored-xss-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-26742 – WordPress Gallery for Social Photo plugin <= 1.0.0.35 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-26742
25 Mar 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GhozyLab Gallery for Social Photo allows Stored XSS.This issue affects Gallery for Social Photo: from n/a through 1.0.0.35. The Gallery for Social Photo plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.0.0.36 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access an... • https://patchstack.com/database/wordpress/plugin/feed-instagram-lite/vulnerability/wordpress-gallery-for-social-photo-plugin-1-0-0-35-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-26736 – WordPress MorningTime Lite theme <= 1.3.2 - Stored Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-26736
24 Mar 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in viktoras MorningTime Lite allows Stored XSS.This issue affects MorningTime Lite: from n/a through 1.3.2. The MorningTime Lite theme for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web sc... • https://patchstack.com/database/wordpress/theme/morningtime-lite/vulnerability/wordpress-morningtime-lite-theme-1-3-2-stored-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •