The Internal Links Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on the link deletion functionality in the process_bulk_action() function. This makes it possible for unauthenticated attackers to delete SEO links via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE Database V5

Detailed information about CVE-2025-9949: CWE-352 Cross-Site Request Forgery (CSRF) in webraketen Internal Links Manager affecting webraketen Internal Links Man

CVE-2025-9949: CWE-352 Cross-Site Request Forgery (CSRF) in webraketen Internal Links Manager - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-9949: CWE-352 Cross-Site Request Forgery (CSRF) in webraketen Internal Links Manager

The SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more plugin for WordPress is vulnerable to unauthorized creation of forms due to a missing capability check on the register_post_types() function in all versions up to, and including, 1.12.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to create forms when the user interface specifically prohibits it.

Detailed information about CVE-2025-10489: CWE-862 Missing Authorization in brainstormforce SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, C

CVE-2025-10489: CWE-862 Missing Authorization in brainstormforce SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-10489: CWE-862 Missing Authorization in brainstormforce SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more

The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'drafts' shortcode in all versions up to, and including, 2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Detailed information about CVE-2025-10181: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in dartiss Draft List aff

CVE-2025-10181: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in dartiss Draft List - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-10181: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in dartiss Draft List

The ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages plugin for WordPress is vulnerable to SQL Injection via the export_csv() function in all versions up to, and including, 2.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This may be exploitable by lower level users if access to the plugin is granted.

CVE-2025-10002 is a medium-severity SQL Injection vulnerability affecting the ClickWhale WordPress plugin, which is used for managing links, shortening URLs, and tracking affiliate link clicks. The vulnerability exists in the export_csv() function across all versions up to and including 2.5.0. The root cause is insufficient sanitization and escaping of user-supplied parameters combined with a lack of proper query preparation. This allows an authenticated attacker with Administrator-level privileges or higher to inject arbitrary SQL code into existing queries. The injection can be used to extract sensitive data from the underlying database, compromising confidentiality. Although the vulnerability requires high privileges, it may be exploitable by lower-privileged users if they have access to the plugin interface. The CVSS 3.1 score is 4.9 (medium), reflecting network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, high confidentiality impact, and no impact on integrity or availability. No known exploits are reported in the wild yet. The vulnerability highlights the importance of proper input validation and use of parameterized queries in WordPress plugins handling sensitive data exports.

Detailed information about CVE-2025-10002: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in clickwhale ClickWhale 

CVE-2025-10002: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in clickwhale ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-10002: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in clickwhale ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages

The Secure Passkeys plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_passkey() and passkeys_list() function in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and delete passkeys.

Detailed information about CVE-2025-10305: CWE-862 Missing Authorization in endisha Secure Passkeys affecting endisha Secure Passkeys. Get real-time updates, te

CVE-2025-10305: CWE-862 Missing Authorization in endisha Secure Passkeys

CVE-2025-10305: CWE-862 Missing Authorization in endisha Secure Passkeys

Description

Technical Details

Related Threats

CVE-2025-9949: CWE-352 Cross-Site Request Forgery (CSRF) in webraketen Internal Links Manager

CVE-2025-10489: CWE-862 Missing Authorization in brainstormforce SureForms – Drag and Drop Contact Form Builder – Multi-step Forms, Conversational Forms and more

CVE-2025-10181: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in dartiss Draft List

CVE-2025-10002: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in clickwhale ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages

CVE-2025-10756: Buffer Overflow in UTT HiPER 840G

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility