Rewterz
January 23, 2025

Multiple WordPress Plugins Vulnerabilities

Severity

High

Analysis Summary

CVE-2025-23882 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP Download Codes allows Reflected XSS. This issue affects WP Download Codes: from n/a through 2.5.4.

CVE-2025-23846 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kolja Nolte Flexible Blogtitle allows Reflected XSS. This issue affects Flexible Blogtitle: from n/a through 0.1.

CVE-2025-23812 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Contact Form 7 Round Robin Lead Distribution allows Reflected XSS. This issue affects Contact Form 7 Round Robin Lead Distribution: from n/a through 1.2.1.

CVE-2025-23768 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound InFunding allows Reflected XSS. This issue affects InFunding: from n/a through 1.0.

CVE-2025-23746 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound CMC MIGRATE allows Reflected XSS. This issue affects CMC MIGRATE: from n/a through 0.0.3.

CVE-2025-23709 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kiro G. Formatted post allows Reflected XSS. This issue affects Formatted post: from n/a through 1.01.

CVE-2025-23643 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound ReadMe Creator allows Reflected XSS. This issue affects ReadMe Creator: from n/a through 1.0.

CVE-2025-23506 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP IMAP Auth allows Reflected XSS. This issue affects WP IMAP Auth: from n/a through 4.0.1.

CVE-2025-23475 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound History timeline allows Reflected XSS. This issue affects History timeline: from n/a through 0.7.2.

CVE-2025-23462 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound FWD Slider allows Reflected XSS. This issue affects FWD Slider: from n/a through 1.0.

CVE-2025-23449 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Simple shortcode buttons allows Reflected XSS. This issue affects Simple shortcode buttons: from n/a through 1.3.2.

CVE-2025-22772 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Mapbox for WP Advanced allows Reflected XSS. This issue affects Mapbox for WP Advanced: from n/a through 1.0.0.

CVE-2025-23959 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Linus Lundahl Good Old Gallery allows Reflected XSS. This issue affects Good Old Gallery: from n/a through 2.1.2.

CVE-2025-23938 CVSS:7.5

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Image Gallery Box by CRUDLab allows PHP Local File Inclusion. This issue affects Image Gallery Box by CRUDLab: from n/a through 1.0.3.

CVE-2025-23942 CVSS:9.1

Unrestricted Upload of File with Dangerous Type vulnerability in NgocCode WP Load Gallery allows Upload a Web Shell to a Web Server. This issue affects WP Load Gallery: from n/a through 2.1.6.

CVE-2025-23953 CVSS:10

Unrestricted Upload of File with Dangerous Type vulnerability in Innovative Solutions user files allows Upload a Web Shell to a Web Server. This issue affects user files: from n/a through 2.4.2.

CVE-2025-23949 CVSS:8.1

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mihajlovic Nenad Improved Sale Badges – Free Version allows PHP Local File Inclusion. This issue affects Improved Sale Badges – Free Version: from n/a through 1.0.1.

CVE-2025-23948 CVSS:8.1

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebArea Background animation blocks allows PHP Local File Inclusion. This issue affects Background animation blocks: from n/a through 2.1.5.

Impact

  • Cross-Site Scripting
  • Gain Access

Indicators of Compromise

CVE

  • CVE-2025-23882
  • CVE-2025-23846
  • CVE-2025-23812
  • CVE-2025-23768
  • CVE-2025-23746
  • CVE-2025-23709
  • CVE-2025-23643
  • CVE-2025-23506
  • CVE-2025-23475
  • CVE-2025-23462
  • CVE-2025-23449
  • CVE-2025-22772
  • CVE-2025-23959
  • CVE-2025-23938
  • CVE-2025-23942
  • CVE-2025-23953
  • CVE-2025-23949
  • CVE-2025-23948

Affected Vendors

  • WordPress

Affected Products

  • NotFound WP Download Codes - n/a
  • Kolja Nolte Flexible Blogtitle - n/a
  • NotFound Contact Form 7 Round Robin Lead Distribution - n/a
  • NotFound InFunding - n/a
  • NotFound CMC MIGRATE - n/a
  • Kiro G. Formatted post - n/a
  • NotFound ReadMe Creator - n/a
  • NotFound WP IMAP Auth - n/a
  • NotFound History timeline - n/a
  • NotFound FWD Slider - n/a
  • NotFound Simple shortcode buttons - n/a
  • NotFound Mapbox for WP Advanced - n/a
  • Linus Lundahl Good Old Gallery - n/a
  • NotFound Image Gallery Box by CRUDLab - n/a
  • NgocCode WP Load Gallery - n/a
  • Innovative Solutions user files - n/a
  • Mihajlovic Nenad Improved Sale Badges – Free Version - n/a
  • WebArea Background animation blocks - n/a

Remediation

Upgrade each affected plugin to its latest version, available from the WordPress Plugin Directory.
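To check a site against the version bounds listed above, the following script (an added example, not Rewterz or WordPress tooling) reads the JSON that `wp plugin list --format=json` produces and flags every plugin at or below its advisory bound. It matches on plugin titles because the advisory gives titles rather than slugs (an assumption), and the inventory embedded in it is constructed sample data.

```python
"""Flag installed WordPress plugins inside this advisory's affected ranges.
Reads the JSON shape of `wp plugin list --format=json` (added example)."""
import json
import re

# "from n/a through X" upper bounds from the advisory, keyed on the plugin
# title WP-CLI reports (assumption: the page gives titles, not slugs).
AFFECTED_THROUGH = {
    "WP Download Codes": "2.5.4", "Flexible Blogtitle": "0.1",
    "Contact Form 7 Round Robin Lead Distribution": "1.2.1",
    "InFunding": "1.0", "CMC MIGRATE": "0.0.3", "Formatted post": "1.01",
    "ReadMe Creator": "1.0", "WP IMAP Auth": "4.0.1",
    "History timeline": "0.7.2", "FWD Slider": "1.0",
    "Simple shortcode buttons": "1.3.2", "Mapbox for WP Advanced": "1.0.0",
    "Good Old Gallery": "2.1.2", "Image Gallery Box by CRUDLab": "1.0.3",
    "WP Load Gallery": "2.1.6", "user files": "2.4.2",
    "Improved Sale Badges – Free Version": "1.0.1",
    "Background animation blocks": "2.1.5",
}
_LOOKUP = {t.casefold(): v for t, v in AFFECTED_THROUGH.items()}

def version_key(v):
    """Numeric tuple for ordering: trailing zeros dropped (1.0 == 1.0.0),
    non-numeric suffixes such as '-beta' ignored."""
    parts = [int(p) for p in re.findall(r"\d+", v)] or [0]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def audit(plugin_list_json):
    """Return [(title, version, bound)] for every listed plugin at or below
    its bound, active or not (inactive plugin code is still on disk)."""
    hits = []
    for p in json.loads(plugin_list_json):
        bound = _LOOKUP.get(p["title"].strip().casefold())
        if bound and version_key(p["version"]) <= version_key(bound):
            hits.append((p["title"], p["version"], bound))
    return hits

# Constructed sample inventory (not from a real site; slugs are illustrative).
SAMPLE = json.dumps([
    {"name": "wp-download-codes", "title": "WP Download Codes", "status": "active", "version": "2.5.4"},
    {"name": "fwd-slider", "title": "FWD Slider", "status": "inactive", "version": "1.0.0"},
    {"name": "wp-load-gallery", "title": "WP Load Gallery", "status": "active", "version": "2.1.7"},
    {"name": "akismet", "title": "Akismet Anti-spam", "status": "active", "version": "5.3"},
])

if __name__ == "__main__":
    for title, ver, bound in audit(SAMPLE):
        print(f"VULNERABLE: {title} {ver} (affected through {bound})")
```

Pipe a real inventory in with `wp plugin list --format=json | python3 audit.py` after replacing `SAMPLE` with `sys.stdin.read()`; the script reports the plugin at its exact bound (2.5.4) and the one whose 1.0.0 equals the advisory's 1.0, but not the patched 2.1.7.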
