Security Vulnerabilities - CVEs Published In July 2025
The Broken Link Notifier plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.0 via the ajax_blinks() function which ultimately calls the check_url_status_code() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
CVSS Score
7.2
EPSS Score
0.019
Published
2025-07-11
The WPC Smart Compare for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shortcode_btn' shortcode in all versions up to, and including, 6.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Score
6.4
EPSS Score
0.001
Published
2025-07-11
The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption-title` & `data-caption-description` HTML attributes in all versions up to, and including, 2.4.31 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Score
6.4
EPSS Score
0.0
Published
2025-07-11
The GeoDirectory WordPress plugin before 2.8.120 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVSS Score
5.9
EPSS Score
0.001
Published
2025-07-11
The communication protocol used between client and server had a flaw that could lead to an authenticated user performing a remote code execution attack.
CVSS Score
9.0
EPSS Score
0.026
Published
2025-07-11
The communication protocol used between client
and server had a flaw that could be leveraged to execute a man in the middle attack.
CVSS Score
6.8
EPSS Score
0.0
Published
2025-07-11
The communication protocol used between the
server process and the service control had a flaw that could lead to a local privilege escalation.
CVSS Score
4.8
EPSS Score
0.001
Published
2025-07-11
The AXIS Camera Station Server had a flaw that allowed
to bypass authentication that is normally required.
CVSS Score
5.3
EPSS Score
0.001
Published
2025-07-11
The Order Delivery Date WordPress plugin before 12.6.0 discloses arbitrary post title (such as from draft and private posts) via an unauthenticated AJAX action, allowing attackers to retrieve such information
CVSS Score
4.3
EPSS Score
0.001
Published
2025-07-11
A vulnerability was found in Campcodes Online Recruitment Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/ajax.php?action=delete_vacancy. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
5.5
EPSS Score
0.001
Published
2025-07-11