Severity
Medium
Analysis Summary
CVE-2025-47491 CVSS:7.4
Cross-Site Request Forgery (CSRF) vulnerability in A WP Life Contact Form Widget allows Cross-Site Request Forgery. This issue affects Contact Form Widget: from n/a through 1.4.6.
CVE-2025-47490 CVSS:8.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rustaurius Ultimate WP Mail allows SQL Injection. This issue affects Ultimate WP Mail: from n/a through 1.3.4.
CVE-2025-47494 CVSS:7.5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ashan Perera EventON allows PHP Local File Inclusion. This issue affects EventON: from n/a through 2.4.1.
CVE-2025-47496 CVSS:7.5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PublishPress PublishPress Authors allows PHP Local File Inclusion. This issue affects PublishPress Authors: from n/a through 4.7.5.
CVE-2025-47498 CVSS:7.5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nicdark Hotel Booking allows PHP Local File Inclusion. This issue affects Hotel Booking: from n/a through 3.6.
Impact
- Cross-Site Scripting
- Data Manipulation
- Gain Access
Indicators of Compromise
CVE
- CVE-2025-47491
- CVE-2025-47490
- CVE-2025-47494
- CVE-2025-47496
- CVE-2025-47498
Affected Vendors
- WordPress
Affected Products
- PublishPress PublishPress Authors - n/a
- A WP Life Contact Form Widget - n/a
- Rustaurius Ultimate WP Mail - n/a
- Ashan Perera EventON - n/a
- nicdark Hotel Booking - n/a
Remediation
Update each affected WordPress plugin to its latest available version.