

Severity
High
Analysis Summary
CVE-2025-27281 CVSS:8.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in cookforweb All In Menu allows Blind SQL Injection. This issue affects All In Menu: from n/a through 1.1.5.
CVE-2025-26978 CVSS:8.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound FS Poster. This issue affects FS Poster: from n/a through 6.5.8.
CVE-2025-26972 CVSS:7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound PrivateContent. This issue affects PrivateContent: from n/a through 8.11.5.
CVE-2025-26969 CVSS:8.3
Missing Authorization vulnerability in Aldo Latino PrivateContent. This issue affects PrivateContent: from n/a through 8.11.5.
CVE-2025-26976 CVSS:8.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aldo Latino PrivateContent. This issue affects PrivateContent: from n/a through 8.11.4.
CVE-2025-26961 CVSS:8.6
Missing Authorization vulnerability in NotFound Fresh Framework allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Fresh Framework: from n/a through 1.70.0.
CVE-2025-26921 CVSS:8.8
Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager allows Object Injection. This issue affects Booking and Rental Manager: from n/a through 2.2.6.
Impact
- Data Manipulation
- Cross-Site Scripting
Indicators of Compromise
CVE
CVE-2025-27281
CVE-2025-26978
CVE-2025-26972
CVE-2025-26969
CVE-2025-26976
CVE-2025-26961
CVE-2025-26921
Affected Vendors
- WordPress
Affected Products
- cookforweb All In Menu - n/a
- NotFound FS Poster - n/a
- NotFound PrivateContent - n/a
- Aldo Latino PrivateContent - n/a
- magepeopleteam Booking and Rental Manager - n/a
Remediation
Update the WordPress plugin to the latest available version.
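
To find which installed plugins still fall inside the affected ranges listed above, the following added example (not part of the original advisory) compares installed versions against the advisory's "through" bounds. It assumes the inventory comes from `wp plugin list --format=json`; the plugin slugs are placeholders to replace with the directory names on your site, and the sample inventory is constructed.

```python
import json

# Highest affected version per product, taken from the advisory text above.
# Slugs are placeholders (assumptions): replace them with the plugin
# directory names actually used on your site.
AFFECTED_THROUGH = {
    "all-in-menu": ("All In Menu", "1.1.5"),
    "fs-poster": ("FS Poster", "6.5.8"),
    "private-content": ("PrivateContent", "8.11.5"),
    "fresh-framework": ("Fresh Framework", "1.70.0"),
    "booking-and-rental-manager": ("Booking and Rental Manager", "2.2.6"),
}

def parse_version(text):
    """Turn '8.11.5' into (8, 11, 5, 0); non-numeric parts compare as 0."""
    parts = tuple(int(p) if p.isdigit() else 0 for p in text.split("."))
    # Pad so that '1.1.5' and '1.1.5.0' compare as equal.
    return parts + (0,) * max(0, 4 - len(parts))

def flag_affected(plugins):
    """Return (slug, product, installed, bound) for plugins at or below the bound."""
    findings = []
    for entry in plugins:
        match = AFFECTED_THROUGH.get(entry.get("name"))
        if match is None:
            continue  # not one of the products named in the advisory
        product, bound = match
        if parse_version(entry["version"]) <= parse_version(bound):
            findings.append((entry["name"], product, entry["version"], bound))
    return findings

# Constructed sample in the shape of `wp plugin list --format=json` output.
SAMPLE = json.loads("""[
  {"name": "fs-poster", "status": "active", "update": "available", "version": "6.5.8"},
  {"name": "private-content", "status": "active", "update": "none", "version": "8.11.6"},
  {"name": "all-in-menu", "status": "inactive", "update": "available", "version": "1.1.3"},
  {"name": "akismet", "status": "active", "update": "none", "version": "5.3"}
]""")

if __name__ == "__main__":
    for slug, product, installed, bound in flag_affected(SAMPLE):
        print(f"{slug}: {product} {installed} is within the affected range (through {bound})")
```
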