January 27, 2025
Severity
High
Analysis Summary
CVE-2025-24756 (CVSS: 7.1)
Cross-Site Request Forgery (CSRF) vulnerability in mgplugin Roi Calculator allows Stored XSS. This issue affects Roi Calculator: from n/a through 1.0.
CVE-2025-24728 (CVSS: 8.5)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yannick Lefebvre Bug Library allows Blind SQL Injection. This issue affects Bug Library: from n/a through 2.1.4.
CVE-2025-24683 (CVSS: 7.6)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPChill RSVP and Event Management Plugin allows SQL Injection. This issue affects RSVP and Event Management Plugin: from n/a through 2.7.14.
CVE-2025-24669 (CVSS: 8.5)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SERPed SERPed.net allows SQL Injection. This issue affects SERPed.net: from n/a through 4.4.
CVE-2025-24672 (CVSS: 8.5)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CodePeople Form Builder CP allows SQL Injection. This issue affects Form Builder CP: from n/a through 1.2.41.
CVE-2025-24659 (CVSS: 7.6)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WordPress Download Manager Premium Packages allows Blind SQL Injection. This issue affects Premium Packages: from n/a through 5.9.6.
CVE-2025-24663 (CVSS: 7.6)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tips and Tricks HQ, Ruhul Amin, Josh Lobe Simple Download Monitor allows Blind SQL Injection. This issue affects Simple Download Monitor: from n/a through 3.9.25.
CVE-2025-24650 (CVSS: 9.1)
Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Tourfic allows upload of a web shell to a web server. This issue affects Tourfic: from n/a through 2.15.3.
CVE-2025-24636 (CVSS: 7.1)
Cross-Site Request Forgery (CSRF) vulnerability in Laymance Technologies LLC MachForm Shortcode allows Stored XSS. This issue affects MachForm Shortcode: from n/a through 1.4.1.
CVE-2025-24562 (CVSS: 7.1)
Cross-Site Request Forgery (CSRF) vulnerability in Optimal Access Inc. KBucket allows Stored XSS. This issue affects KBucket: from n/a through 4.1.6.
CVE-2025-24570 (CVSS: 7.1)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Atarim Atarim allows Stored XSS. This issue affects Atarim: from n/a through 4.0.8.
CVE-2025-24561 (CVSS: 7.1)
Cross-Site Request Forgery (CSRF) vulnerability in ReviewsTap ReviewsTap allows Stored XSS. This issue affects ReviewsTap: from n/a through 1.1.2.
CVE-2025-24555 (CVSS: 7.1)
Cross-Site Request Forgery (CSRF) vulnerability in SubscriptionDNA.com Subscription DNA allows Stored XSS. This issue affects Subscription DNA: from n/a through 2.1.
Impact
- Data Manipulation
- Cross-Site Scripting
- Gain Access
Indicators of Compromise
CVE
- CVE-2025-24756
- CVE-2025-24728
- CVE-2025-24683
- CVE-2025-24669
- CVE-2025-24672
- CVE-2025-24659
- CVE-2025-24663
- CVE-2025-24650
- CVE-2025-24636
- CVE-2025-24562
- CVE-2025-24570
- CVE-2025-24561
- CVE-2025-24555
Affected Vendors
- WordPress
Affected Products
- mgplugin Roi Calculator - n/a
- Yannick Lefebvre Bug Library - n/a
- WPChill RSVP and Event Management Plugin - n/a
- SERPed SERPed.net - n/a
- CodePeople Form Builder CP - n/a
- WordPress Download Manager Premium Packages - n/a
- Themefic Tourfic - n/a
- Laymance Technologies LLC MachForm Shortcode - n/a
- Optimal Access Inc. KBucket - n/a
- Atarim Atarim - n/a
- ReviewsTap ReviewsTap - n/a
- SubscriptionDNA.com Subscription DNA - n/a
Remediation
Upgrade each affected plugin to its latest version, available from the WordPress Plugin Directory.