Cross-Site Request Forgery (CSRF) vulnerability in tobias_.MerZ Browser Caching with .htaccess allows Cross Site Request Forgery. This issue affects Browser Caching with .htaccess: from 1.2.1 through n/a.

Cross-Site Request Forgery (CSRF) vulnerability in Benoit De Boeck WP Supersized wp-supersized allows Cross Site Request Forgery.This issue affects WP Supersized: from n/a through <= 3.1.6.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David Miller WP-OGP wp-ogp allows Stored XSS.This issue affects WP-OGP: from n/a through <= 1.0.5.

Cross-Site Request Forgery (CSRF) vulnerability in Efficient Scripts Microblog Poster microblog-poster allows Stored XSS.This issue affects Microblog Poster: from n/a through <= 2.1.6.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms formlift allows Stored XSS.This issue affects FormLift for Infusionsoft Web Forms: from n/a through <= 7.5.19.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Miguel Sirvent Magic Embeds wp-embed-facebook allows Stored XSS.This issue affects Magic Embeds: from n/a through <= 3.1.2.

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Chop Chop Pop-Up Chop Chop pop-up allows PHP Local File Inclusion.This issue affects Pop-Up Chop Chop: from n/a through <= 2.1.7.

The Administrator Z plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the adminz_import_backup() function in all versions up to, and including, 2025.03.24. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. CVE-2025-26959 is a duplicate of this issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Hostel hostel allows Reflected XSS.This issue affects Hostel: from n/a through <= 1.1.5.5.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bestweblayout Slider by BestWebSoft slider-bws allows SQL Injection.This issue affects Slider by BestWebSoft: from n/a through <= 1.1.0.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPXPO PostX ultimate-post allows DOM-Based XSS.This issue affects PostX: from n/a through <= 4.1.25.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in teastudio.pl WP Posts Carousel wp-posts-carousel allows Stored XSS.This issue affects WP Posts Carousel: from n/a through <= 1.3.8.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in redpixelstudios RPS Include Content rps-include-content allows DOM-Based XSS.This issue affects RPS Include Content: from n/a through <= 1.2.1.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in alordiel Dropdown Multisite selector dropdown-multisite-selector allows Stored XSS.This issue affects Dropdown Multisite selector: from n/a through < 0.9.4.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cozmoslabs Paid Member Subscriptions paid-member-subscriptions allows Stored XSS.This issue affects Paid Member Subscriptions: from n/a through <= 2.14.3.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZEEN101 Leaky Paywall leaky-paywall allows Stored XSS.This issue affects Leaky Paywall: from n/a through <= 4.21.7.

Cross-Site Request Forgery (CSRF) vulnerability in usermaven Usermaven usermaven allows Cross Site Request Forgery.This issue affects Usermaven: from n/a through <= 1.2.1.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ultimate Blocks Ultimate Blocks ultimate-blocks allows DOM-Based XSS.This issue affects Ultimate Blocks: from n/a through <= 3.2.7.

Server-Side Request Forgery (SSRF) vulnerability in WP Compress WP Compress for MainWP wp-compress-mainwp allows Server Side Request Forgery.This issue affects WP Compress for MainWP: from n/a through <= 6.30.03.

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in videowhisper MicroPayments paid-membership allows Stored XSS.This issue affects MicroPayments: from n/a through <= 2.9.29.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bensibley Unlimited unlimited allows Stored XSS.This issue affects Unlimited: from n/a through <= 1.45.

Insertion of Sensitive Information Into Sent Data vulnerability in Shipmondo Shipmondo – A complete shipping solution for WooCommerce pakkelabels-for-woocommerce allows Retrieve Embedded Sensitive Data.This issue affects Shipmondo – A complete shipping solution for WooCommerce: from n/a through <= 5.0.3.

Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in the file deletion process of the USB storage file-sharing function of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, an attacker may delete a file on the device or cause a denial of service (DoS) condition.

Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in the file download process of the USB storage file-sharing function of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, the product's files may be obtained and/or altered by a crafted HTTP request to specific functions of the product from a device connected to the LAN side.

Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in the file upload process of the USB storage file-sharing function of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, the product's files may be obtained and/or altered or arbitrary code may be executed by a crafted HTTP request to specific functions of the product from a device connected to the LAN side.