2026-01-13 Daily Vulns
NEW:
| CVE | vendor-product | description | metric | Referenceurl | SSVC | title | GithubURL |
|---|---|---|---|---|---|---|---|
| CVE-2025-12379 | averta - Shortcodes and extra features for Phlox theme | The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a combination of the ‘tag’ and ‘title_tag’ parameters in all versions up to, and including, 2.17.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | CVSS3.1: 6.4 - MEDIUM | 0 1 2 | Exploitation: none; Automatable: no; Technical Impact: partial | Shortcodes and extra features for Phlox theme <= 2.17.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Modern Heading Widget | github |
| CVE-2025-61674 | octobercms - october | October is a Content Management System (CMS) and web platform. Prior to versions 3.7.13 and 4.0.12, a cross-site scripting (XSS) vulnerability was identified in October CMS backend configuration forms. A user with the Global Editor Settings permission could inject malicious HTML/JS into the stylesheet input at Markup Styles. A specially crafted input could break out of the intended |
This post is licensed under CC BY 4.0 by the author.