Security Vulnerabilities
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.8.3. This makes it possible for authenticated attackers, with tutor-level access and above, to view assignments for courses they don't teach which may contain sensitive information.
CVSS Score
4.3
EPSS Score
0.0
Published
2025-10-25
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check while verifying webhook signatures on the "verifyAndCreateOrderData" function
in all versions up to, and including, 3.8.3. This makes it possible for unauthenticated attackers to bypass payment verification and mark orders as paid by submitting forged webhook requests with `payment_type` set to 'recurring'.
CVSS Score
5.3
EPSS Score
0.001
Published
2025-10-25
The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_exist_text' parameter in the 'wishsuite_button' shortcode in all versions up to, and including, 3.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Score
6.4
EPSS Score
0.0
Published
2025-10-25
Wasmtime is a runtime for WebAssembly. In versions from 38.0.0 to before 38.0.3, the implementation of component-model related host-to-wasm trampolines in Wasmtime contained a bug where it's possible to carefully craft a component, which when called in a specific way, would crash the host with a segfault or assert failure. Wasmtime 38.0.3 has been released and is patched to fix this issue. There are no workarounds.
CVSS Score
3.1
EPSS Score
0.0
Published
2025-10-24
FlashMQ is a MQTT broker/server, designed for multi-CPU environments. Prior to version 1.23.2, any authenticated user can create sessions and have them collect QoS messages. When not sent to a client, these are then not released upon (eventual) session expiration. Version 1.23.2 fixes the issue.
CVSS Score
4.3
EPSS Score
0.0
Published
2025-10-24
Emlog is an open source website building system. In version 2.5.23, Emlog Pro is vulnerable to a session verification code error due to a clearing logic error. This means the verification code could be reused anywhere an email verification code is required. This issue has been fixed in commit 1f726df.
CVSS Score
9.1
EPSS Score
0.0
Published
2025-10-24
Microweber CMS 2.0 has Weak Password Requirements. The application does not enforce minimum password length or complexity during password resets. Users can set extremely weak passwords, including single-character passwords, which can lead to account compromise, including administrative accounts.
CVSS Score
8.3
EPSS Score
0.001
Published
2025-10-24
PerfreeBlog v4.0.11 has a File Upload vulnerability in the installTheme function
CVSS Score
7.6
EPSS Score
0.001
Published
2025-10-24
PerfreeBlog v4.0.11 has a File Upload vulnerability in the installPlugin function
CVSS Score
7.6
EPSS Score
0.001
Published
2025-10-24
PerfreeBlog v4.0.11 has an arbitrary file read vulnerability in the validThemeFilePath function
CVSS Score
5.3
EPSS Score
0.001
Published
2025-10-24