
Multiple WordPress Plugins Vulnerabilities

Severity

High

Analysis Summary

CVE-2025-24756 CVSS:7.1

Cross-Site Request Forgery (CSRF) vulnerability in mgplugin Roi Calculator allows Stored XSS. This issue affects Roi Calculator: from n/a through 1.0.

CVE-2025-24728 CVSS:8.5

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yannick Lefebvre Bug Library allows Blind SQL Injection. This issue affects Bug Library: from n/a through 2.1.4.

CVE-2025-24683 CVSS:7.6

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPChill RSVP and Event Management Plugin allows SQL Injection. This issue affects RSVP and Event Management Plugin: from n/a through 2.7.14.

CVE-2025-24669 CVSS:8.5

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SERPed SERPed.net allows SQL Injection. This issue affects SERPed.net: from n/a through 4.4.

CVE-2025-24672 CVSS:8.5

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CodePeople Form Builder CP allows SQL Injection. This issue affects Form Builder CP: from n/a through 1.2.41.

CVE-2025-24659 CVSS:7.6

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WordPress Download Manager Premium Packages allows Blind SQL Injection. This issue affects Premium Packages: from n/a through 5.9.6.

CVE-2025-24663 CVSS:7.6

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tips and Tricks HQ, Ruhul Amin, Josh Lobe Simple Download Monitor allows Blind SQL Injection. This issue affects Simple Download Monitor: from n/a through 3.9.25.

CVE-2025-24650 CVSS:9.1

Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Tourfic allows upload of a web shell to the web server. This issue affects Tourfic: from n/a through 2.15.3.

CVE-2025-24636 CVSS:7.1

Cross-Site Request Forgery (CSRF) vulnerability in Laymance Technologies LLC MachForm Shortcode allows Stored XSS. This issue affects MachForm Shortcode: from n/a through 1.4.1.

CVE-2025-24562 CVSS:7.1

Cross-Site Request Forgery (CSRF) vulnerability in Optimal Access Inc. KBucket allows Stored XSS. This issue affects KBucket: from n/a through 4.1.6.

CVE-2025-24570 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Atarim Atarim allows Stored XSS. This issue affects Atarim: from n/a through 4.0.8.

CVE-2025-24561 CVSS:7.1

Cross-Site Request Forgery (CSRF) vulnerability in ReviewsTap ReviewsTap allows Stored XSS. This issue affects ReviewsTap: from n/a through 1.1.2.

CVE-2025-24555 CVSS:7.1

Cross-Site Request Forgery (CSRF) vulnerability in SubscriptionDNA.com Subscription DNA allows Stored XSS. This issue affects Subscription DNA: from n/a through 2.1.

Impact

  • Data Manipulation
  • Cross-Site Scripting
  • Gain Access

Indicators of Compromise

CVE

  • CVE-2025-24756
  • CVE-2025-24728
  • CVE-2025-24683
  • CVE-2025-24669
  • CVE-2025-24672
  • CVE-2025-24659
  • CVE-2025-24663
  • CVE-2025-24650
  • CVE-2025-24636
  • CVE-2025-24562
  • CVE-2025-24570
  • CVE-2025-24561
  • CVE-2025-24555

Affected Vendors

  • WordPress

Affected Products

  • mgplugin Roi Calculator - n/a
  • Yannick Lefebvre Bug Library - n/a
  • WPChill RSVP and Event Management Plugin - n/a
  • SERPed SERPed.net - n/a
  • CodePeople Form Builder CP - n/a
  • WordPress Download Manager Premium Packages - n/a
  • Themefic Tourfic - n/a
  • Laymance Technologies LLC MachForm Shortcode - n/a
  • Optimal Access Inc. KBucket - n/a
  • Atarim Atarim - n/a
  • ReviewsTap ReviewsTap - n/a
  • SubscriptionDNA.com Subscription DNA - n/a

Remediation

Upgrade each affected plugin to the latest version, available from the WordPress Plugin Directory.