
Multiple WordPress Plugins Vulnerabilities

Severity

High

Analysis Summary

CVE-2025-27281 CVSS:8.5

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in cookforweb All In Menu allows Blind SQL Injection. This issue affects All In Menu: from n/a through 1.1.5.

CVE-2025-26978 CVSS:8.5

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound FS Poster. This issue affects FS Poster: from n/a through 6.5.8.

CVE-2025-26972 CVSS:7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound PrivateContent. This issue affects PrivateContent: from n/a through 8.11.5.

CVE-2025-26969 CVSS:8.3

Missing Authorization vulnerability in Aldo Latino PrivateContent. This issue affects PrivateContent: from n/a through 8.11.5.

CVE-2025-26976 CVSS:8.5

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aldo Latino PrivateContent. This issue affects PrivateContent: from n/a through 8.11.4.

CVE-2025-26961 CVSS:8.6

Missing Authorization vulnerability in NotFound Fresh Framework allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Fresh Framework: from n/a through 1.70.0.

CVE-2025-26921 CVSS:8.8

Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager allows Object Injection. This issue affects Booking and Rental Manager: from n/a through 2.2.6.

Impact

  • Data Manipulation
  • Cross-Site Scripting

Indicators of Compromise

CVE

  • CVE-2025-27281
  • CVE-2025-26978
  • CVE-2025-26972
  • CVE-2025-26969
  • CVE-2025-26976
  • CVE-2025-26961
  • CVE-2025-26921

Affected Vendors

  • WordPress

Affected Products

  • cookforweb All In Menu - n/a
  • NotFound FS Poster - n/a
  • NotFound PrivateContent - n/a
  • Aldo Latino PrivateContent - n/a
  • magepeopleteam Booking and Rental Manager - n/a

Remediation

Update each affected WordPress plugin to the latest available version.
