Security Vulnerabilities - CVEs Published In June 2025
The VR Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.7. This is due to missing or incorrect nonce validation on the syncCalendar() function. This makes it possible for unauthenticated attackers to trigger a calendar sync via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Score
4.3
EPSS Score
0.0
Published
2025-06-27
The Osom Blocks – Custom Post Type listing block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class_name’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Score
6.4
EPSS Score
0.001
Published
2025-06-27
The Firelight Lightbox WordPress plugin before 2.3.16 does not sanitise and escape title attributes before outputting them in the page, which could allow users with a role as low as contributors to perform stored Cross-Site Scripting attacks.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-06-27
The Responsive Lightbox & Gallery WordPress plugin before 2.5.2 use the Swipebox library which does not validate and escape title attributes before outputting them back in a page/post where used, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-06-27
The WP Map Block WordPress plugin before 2.0.3 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVSS Score
4.8
EPSS Score
0.001
Published
2025-06-27
The BuddyPress Docs WordPress plugin before 2.2.5 lacks proper access controls and allows a logged in user to view and download files belonging to another user
CVSS Score
4.3
EPSS Score
0.001
Published
2025-06-27
An issue in NetEase (Hangzhou) Network Co., Ltd NeacSafe64 Driver before v1.0.0.8 allows attackers to escalate privileges via sending crafted IOCTL commands to the NeacSafe64.sys component.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-06-27
Flock Safety Gunshot Detection devices before 1.3 have a hardcoded password for a system.
CVSS Score
2.2
EPSS Score
0.0
Published
2025-06-27
Flock Safety LPR (License Plate Reader) devices with firmware through 2.2 have an on-chip debug interface with improper access control.
CVSS Score
6.4
EPSS Score
0.0
Published
2025-06-27
Flock Safety LPR (License Plate Reader) devices with firmware through 2.2 have a hardcoded password for a system.
CVSS Score
2.2
EPSS Score
0.0
Published
2025-06-27