| CVE-2025-42921 | In JetBrains Toolbox App before 2.6 host key verification was missing in SSH plugin | medium |
| CVE-2025-39596 | Weak Authentication vulnerability in Quentn.com GmbH Quentn WP allows Privilege Escalation. This issue affects Quentn WP: from n/a through 1.2.8. | critical |
| CVE-2025-39595 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Quentn.com GmbH Quentn WP allows SQL Injection. This issue affects Quentn WP: from n/a through 1.2.8. | critical |
| CVE-2025-39594 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Arigato Autoresponder and Newsletter allows Reflected XSS. This issue affects Arigato Autoresponder and Newsletter: from n/a through 2.7.2.4. | high |
| CVE-2025-39588 | Deserialization of Untrusted Data vulnerability in bdthemes Ultimate Store Kit Elementor Addons allows Object Injection. This issue affects Ultimate Store Kit Elementor Addons: from n/a through 2.4.0. | critical |
| CVE-2025-39587 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix Cost Calculator Builder allows SQL Injection. This issue affects Cost Calculator Builder: from n/a through 3.2.65. | critical |
| CVE-2025-39586 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid allows SQL Injection. This issue affects ProfileGrid : from n/a through 5.9.4.8. | high |
| CVE-2025-39583 | Missing Authorization vulnerability in berthaai BERTHA AI allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BERTHA AI: from n/a through 1.12.10.2. | high |
| CVE-2025-39580 | Missing Authorization vulnerability in jidaikobo Dashi allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Dashi: from n/a through 3.1.8. | medium |
| CVE-2025-39569 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in taskbuilder Taskbuilder allows Blind SQL Injection. This issue affects Taskbuilder: from n/a through 4.0.1. | high |
| CVE-2025-39568 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Arture B.V. StoreContrl Woocommerce allows Path Traversal. This issue affects StoreContrl Woocommerce: from n/a through 4.1.3. | high |
| CVE-2025-39567 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shamalli Web Directory Free allows Reflected XSS. This issue affects Web Directory Free: from n/a through 1.7.8. | high |
| CVE-2025-39562 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople Payment Form for PayPal Pro allows Stored XSS. This issue affects Payment Form for PayPal Pro: from n/a through 1.1.72. | medium |
| CVE-2025-39559 | Missing Authorization vulnerability in Eivin Landa Bring Fraktguiden for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bring Fraktguiden for WooCommerce: from n/a through 1.11.4. | medium |
| CVE-2025-39558 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks CRM Perks allows Reflected XSS. This issue affects CRM Perks: from n/a through 1.1.7. | high |
| CVE-2025-39554 | Missing Authorization vulnerability in Elliot Sowersby / RelyWP AI Text to Speech allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AI Text to Speech: from n/a through 3.0.3. | medium |
| CVE-2025-39551 | Deserialization of Untrusted Data vulnerability in Mahmudul Hasan Arif FluentBoards allows Object Injection. This issue affects FluentBoards: from n/a through 1.47. | critical |
| CVE-2025-39550 | Deserialization of Untrusted Data vulnerability in Shahjahan Jewel FluentCommunity allows Object Injection. This issue affects FluentCommunity: from n/a through 1.2.15. | critical |
| CVE-2025-39542 | Incorrect Privilege Assignment vulnerability in Jauhari Xelion Xelion Webchat allows Privilege Escalation. This issue affects Xelion Webchat: from n/a through 9.1.0. | high |
| CVE-2025-39535 | Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos allows Authentication Abuse. This issue affects Vitepos: from n/a through 3.1.7. | high |
| CVE-2025-39533 | Missing Authorization vulnerability in Starfish Reviews Starfish Review Generation & Marketing allows Privilege Escalation. This issue affects Starfish Review Generation & Marketing: from n/a through 3.1.14. | high |
| CVE-2025-39532 | Missing Authorization vulnerability in spicethemes Spice Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spice Blocks: from n/a through 2.0.7.1. | high |
| CVE-2025-39527 | Deserialization of Untrusted Data vulnerability in bestwebsoft Rating by BestWebSoft allows Object Injection. This issue affects Rating by BestWebSoft: from n/a through 1.7. | high |
| CVE-2025-39526 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nicdark Hotel Booking allows PHP Local File Inclusion. This issue affects Hotel Booking: from n/a through 3.6. | high |
| CVE-2025-39521 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ashish Ajani Contact Form vCard Generator allows Reflected XSS. This issue affects Contact Form vCard Generator: from n/a through 2.4. | high |
| CVE-2025-39519 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rtpHarry Bulk Page Stub Creator allows Reflected XSS. This issue affects Bulk Page Stub Creator: from n/a through 1.1. | high |
| CVE-2025-39464 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rtowebsites AdminQuickbar allows Reflected XSS. This issue affects AdminQuickbar: from n/a through 1.9.1. | high |
| CVE-2025-39462 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in teamzt Smart Agreements allows PHP Local File Inclusion. This issue affects Smart Agreements: from n/a through 1.0.3. | high |
| CVE-2025-39461 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nawawi Jamili Docket Cache allows PHP Local File Inclusion. This issue affects Docket Cache: from n/a through 24.07.02. | high |
| CVE-2025-39457 | Missing Authorization vulnerability in magepeopleteam Booking and Rental Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking and Rental Manager: from n/a through 2.2.8. | medium |
| CVE-2025-39456 | Missing Authorization vulnerability in iTRON WP Logger allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Logger: from n/a through 2.2. | medium |
| CVE-2025-39455 | Cross-Site Request Forgery (CSRF) vulnerability in ip2location IP2Location Variables allows Reflected XSS. This issue affects IP2Location Variables: from n/a through 2.9.5. | high |
| CVE-2025-39453 | Cross-Site Request Forgery (CSRF) vulnerability in algol.plus Advanced Dynamic Pricing for WooCommerce allows Cross Site Request Forgery. This issue affects Advanced Dynamic Pricing for WooCommerce: from n/a through 4.9.3. | medium |
| CVE-2025-39452 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themewinter WPCafe allows PHP Local File Inclusion. This issue affects WPCafe: from n/a through 2.2.32. | high |
| CVE-2025-39444 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in maxfoundry MaxButtons allows Stored XSS. This issue affects MaxButtons: from n/a through 9.8.3. | medium |
| CVE-2025-39443 | Cross-Site Request Forgery (CSRF) vulnerability in Soft8Soft LLC Verge3D allows Cross Site Request Forgery. This issue affects Verge3D: from n/a through 4.9.0. | medium |
| CVE-2025-39442 | Cross-Site Request Forgery (CSRF) vulnerability in MessageMetric Review Wave – Google Places Reviews allows Stored XSS. This issue affects Review Wave – Google Places Reviews: from n/a through 1.4.7. | high |
| CVE-2025-39441 | Cross-Site Request Forgery (CSRF) vulnerability in swedish boy Dashboard Notepads allows Stored XSS. This issue affects Dashboard Notepads: from n/a through 1.2.1. | high |
| CVE-2025-39440 | Cross-Site Request Forgery (CSRF) vulnerability in Rajesh Broken Links Remover allows Stored XSS. This issue affects Broken Links Remover: from n/a through 1.2.2. | high |
| CVE-2025-39439 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Markus Drubba wpLike2Get allows Retrieve Embedded Sensitive Data. This issue affects wpLike2Get: from n/a through 1.2.9. | medium |
| CVE-2025-39438 | Cross-Site Request Forgery (CSRF) vulnerability in momen2009 Theme Changer allows Cross Site Request Forgery. This issue affects Theme Changer: from n/a through 1.3. | medium |
| CVE-2025-39437 | Cross-Site Request Forgery (CSRF) vulnerability in Boone Gorges Anthologize allows Cross Site Request Forgery. This issue affects Anthologize: from n/a through 0.8.3. | medium |
| CVE-2025-39436 | Unrestricted Upload of File with Dangerous Type vulnerability in aidraw I Draw allows Using Malicious Files. This issue affects I Draw: from n/a through 1.0. | critical |
| CVE-2025-39435 | Cross-Site Request Forgery (CSRF) vulnerability in davidfcarr My Marginalia allows Stored XSS. This issue affects My Marginalia: from n/a through 1.0.6. | high |
| CVE-2025-39434 | Authorization Bypass Through User-Controlled Key vulnerability in Scott Taylor Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Avatar: from n/a through 0.1.4. | medium |
| CVE-2025-39433 | Cross-Site Request Forgery (CSRF) vulnerability in beke_ro Bknewsticker allows Stored XSS. This issue affects Bknewsticker: from n/a through 1.0.5. | high |
| CVE-2025-39432 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in antonchanning bbPress2 shortcode whitelist allows Stored XSS. This issue affects bbPress2 shortcode whitelist: from n/a through 2.2.1. | high |
| CVE-2025-39431 | Cross-Site Request Forgery (CSRF) vulnerability in Aaron Forgue Amazon Showcase WordPress Plugin allows Stored XSS. This issue affects Amazon Showcase WordPress Plugin: from n/a through 2.2. | high |
| CVE-2025-39430 | Cross-Site Request Forgery (CSRF) vulnerability in Alexander Rauscha mLanguage allows Stored XSS. This issue affects mLanguage: from n/a through 1.6.1. | high |
| CVE-2025-39429 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Földesi, Mihály Széchenyi 2020 Logo allows PHP Local File Inclusion. This issue affects Széchenyi 2020 Logo: from n/a through 1.1. | high |
