CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-5844 – Radius Blocks <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via subHeadingTagName Parameter
https://notcve.org/view.php?id=CVE-2025-5844
14 Aug 2025 — The Radius Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘subHeadingTagName’ parameter in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://www.wordfence.com/threat-intel/vulnerabilities/id/ff41796a-0ba8-468f-8b79-274064da154e?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-7327 – Widget for Google Reviews <= 1.0.15 - Authenticated (Subscriber+) Directory Traversal to Local File Inclusion
https://notcve.org/view.php?id=CVE-2025-7327
07 Jul 2025 — The Widget for Google Reviews plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.15 via the layout parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be up... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3316262%40business-reviews-wp%2Ftrunk&old=3201057%40business-reviews-wp%2Ftrunk&sfp_email=&sfph_mail= • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1707 – Review Schema <= 2.2.4 - Authenticated (Contributor+) Local File Inclusion via Post Meta
https://notcve.org/view.php?id=CVE-2025-1707
11 Mar 2025 — The Review Schema plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.4 via post meta. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. • https://plugins.trac.wordpress.org/browser/review-schema/tags/2.2.4/app/Shortcodes/ReviewSchema.php#L108 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1063 – Classified Listing – Classified ads & Business Directory Plugin <= 4.0.4 - Unauthenticated Settings Exposure
https://notcve.org/view.php?id=CVE-2025-1063
24 Feb 2025 — The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.4 via the rtcl_taxonomy_settings_export function. This makes it possible for unauthenticated attackers to extract sensitive data including API keys and tokens. El complemento Classified Listing – Classified ads & Business Directory Plugin para WordPress es vulnerable a la exposición de información confidencial en todas las vers... • https://plugins.trac.wordpress.org/changeset/3241883/classified-listing • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-13439 – Team – Team Members Showcase Plugin <= 4.4.9 - Missing Authorization to Authenticated (Subscriber+) Settings Update
https://notcve.org/view.php?id=CVE-2024-13439
14 Feb 2025 — The Team – Team Members Showcase Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the response() function in all versions up to, and including, 4.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings. • https://plugins.svn.wordpress.org/tlp-team/tags/4.4.7/app/Controllers/Admin/Ajax/Settings.php • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-13415 – Food Menu – Restaurant Menu & Online Ordering for WooCommerce <= 5.1.4 - Missing Authorization to Authenticated (Subscriber+) Settings Update
https://notcve.org/view.php?id=CVE-2024-13415
30 Jan 2025 — The Food Menu – Restaurant Menu & Online Ordering for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the response() function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's settings. • https://plugins.svn.wordpress.org/tlp-food-menu/tags/5.1.4/app/Controllers/Admin/Ajax/Settings.php • CWE-862: Missing Authorization •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11194 – Classified Listing – Classified ads & Business Directory Plugin <= 3.1.15.1 - Authenticated (Subscriber+) Limited Arbitrary Option Update
https://notcve.org/view.php?id=CVE-2024-11194
18 Nov 2024 — The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a misconfigured check on the 'rtcl_import_settings' function in all versions up to, and including, 3.1.15.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update limited arbitrary options on the WordPress site. This can be leveraged to update the Subscriber role with Administra... • https://plugins.trac.wordpress.org/browser/classified-listing/tags/3.1.12/app/Controllers/Ajax/Import.php#L309 • CWE-862: Missing Authorization •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7888 – Classified Listing – Classified ads & Business Directory Plugin <= 3.1.7 - Missing Authorization
https://notcve.org/view.php?id=CVE-2024-7888
12 Sep 2024 — The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions like export_forms(), import_forms(), update_fb_options(), and many more in all versions up to, and including, 3.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify forms and various other settings. • https://www.wordfence.com/threat-intel/vulnerabilities/id/494d2e69-0759-419a-a603-e8870c157e49?source=cve • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7418 – The Post Grid <= 7.7.11 - Authenticated (Contributor+) Information Disclosure
https://notcve.org/view.php?id=CVE-2024-7418
28 Aug 2024 — The The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.7.11 via the post_query_guten and post_query functions. This makes it possible for authenticated attackers, with contributor-level access and above, to extract information from posts that are not public (i.e. draft, future, etc..). • https://plugins.trac.wordpress.org/changeset/3142599/the-post-grid/trunk/app/Controllers/Blocks/BlockBase.php • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3936 – The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid <= 7.6.1 - Missing Authorization
https://notcve.org/view.php?id=CVE-2024-3936
30 Apr 2024 — The The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rtTPGSaveSettings function in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with subscriber access or higher, to change the plugin's settings and invoke other functions hooked by AJAX actions. El complemento The Post Grid – Shortcode, Gutenberg Blocks y Elementor Addon... • https://plugins.trac.wordpress.org/browser/the-post-grid/trunk/app/Controllers/AjaxController.php#L130 • CWE-862: Missing Authorization •