Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
29 vulnerabilities by CreativeMindsSolutions
CVE-2026-2432 (GCVE-0-2026-2432)
Vulnerability from cvelistv5 – Published: 2026-03-20 08:25 – Updated: 2026-04-08 17:30
VLAI?
Title
CM Custom Reports <= 1.2.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Labels
Summary
The CM Custom Reports – Flexible reporting to track what matters most plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity ?
4.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| creativemindssolutions | CM Custom Reports – Flexible reporting to track what matters most |
Affected:
0 , ≤ 1.2.7
(semver)
|
Credits
san6051
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2432",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T15:15:52.167083Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T15:23:02.640Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CM Custom Reports \u2013 Flexible reporting to track what matters most",
"vendor": "creativemindssolutions",
"versions": [
{
"lessThanOrEqual": "1.2.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "san6051"
}
],
"descriptions": [
{
"lang": "en",
"value": "The CM Custom Reports \u2013 Flexible reporting to track what matters most plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:30:09.320Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e642b5e1-62c1-4aa9-b579-6b2338227dd5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-custom-reports/trunk/backend/classes/modules/GraphModule.php#L151"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-custom-reports/tags/1.2.7/backend/classes/modules/GraphModule.php#L151"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3464005%40cm-custom-reports\u0026new=3464005%40cm-custom-reports\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-12T21:33:02.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-19T19:57:41.000Z",
"value": "Disclosed"
}
],
"title": "CM Custom Reports \u003c= 1.2.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Labels"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2432",
"datePublished": "2026-03-20T08:25:58.769Z",
"dateReserved": "2026-02-12T21:17:51.101Z",
"dateUpdated": "2026-04-08T17:30:09.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2431 (GCVE-0-2026-2431)
Vulnerability from cvelistv5 – Published: 2026-03-07 01:21 – Updated: 2026-04-08 17:30
VLAI?
Title
CM Custom Reports <= 1.2.7 - Reflected Cross-Site Scripting via 'date_from' and 'date_to' Parameters
Summary
The CM Custom Reports plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'date_from' and 'date_to' parameters in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| creativemindssolutions | CM Custom Reports – Flexible reporting to track what matters most |
Affected:
0 , ≤ 1.2.7
(semver)
|
Credits
san6051
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2431",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T19:00:21.560117Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T19:33:15.713Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CM Custom Reports \u2013 Flexible reporting to track what matters most",
"vendor": "creativemindssolutions",
"versions": [
{
"lessThanOrEqual": "1.2.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "san6051"
}
],
"descriptions": [
{
"lang": "en",
"value": "The CM Custom Reports plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027date_from\u0027 and \u0027date_to\u0027 parameters in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:30:51.135Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e9b918e1-9bf7-4f90-9e77-829bc8012cbb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-custom-reports/trunk/backend/reports/RegisteredUsersReport.php#L19"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-custom-reports/tags/1.2.7/backend/reports/RegisteredUsersReport.php#L19"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-12T21:31:08.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-06T11:33:43.000Z",
"value": "Disclosed"
}
],
"title": "CM Custom Reports \u003c= 1.2.7 - Reflected Cross-Site Scripting via \u0027date_from\u0027 and \u0027date_to\u0027 Parameters"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2431",
"datePublished": "2026-03-07T01:21:24.513Z",
"dateReserved": "2026-02-12T21:16:00.969Z",
"dateUpdated": "2026-04-08T17:30:51.135Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25004 (GCVE-0-2026-25004)
Vulnerability from cvelistv5 – Published: 2026-02-19 08:26 – Updated: 2026-04-01 14:14
VLAI?
Title
WordPress CM Business Directory plugin <= 1.5.3 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Business Directory cm-business-directory allows Stored XSS.This issue affects CM Business Directory: from n/a through <= 1.5.3.
Severity ?
4.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CreativeMindsSolutions | CM Business Directory |
Affected:
0 , ≤ 1.5.3
(custom)
|
Date Public ?
2026-04-01 16:04
Credits
Arif Shaikh | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-25004",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-26T18:59:43.265263Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T18:08:58.106Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cm-business-directory",
"product": "CM Business Directory",
"vendor": "CreativeMindsSolutions",
"versions": [
{
"changes": [
{
"at": "1.5.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.5.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arif Shaikh | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:04:57.996Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CreativeMindsSolutions CM Business Directory cm-business-directory allows Stored XSS.\u003cp\u003eThis issue affects CM Business Directory: from n/a through \u003c= 1.5.3.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CreativeMindsSolutions CM Business Directory cm-business-directory allows Stored XSS.This issue affects CM Business Directory: from n/a through \u003c= 1.5.3."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:14:40.091Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/cm-business-directory/vulnerability/wordpress-cm-business-directory-plugin-1-5-3-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress CM Business Directory plugin \u003c= 1.5.3 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-25004",
"datePublished": "2026-02-19T08:26:51.689Z",
"dateReserved": "2026-01-28T09:50:57.104Z",
"dateUpdated": "2026-04-01T14:14:40.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0691 (GCVE-0-2026-0691)
Vulnerability from cvelistv5 – Published: 2026-01-17 06:42 – Updated: 2026-04-08 17:03
VLAI?
Title
CM E-Mail Blacklist <= 1.6.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'black_email' Parameter
Summary
The CM E-Mail Blacklist – Simple email filtering for safer registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'black_email' parameter in all versions up to, and including, 1.6.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity ?
4.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| creativemindssolutions | CM E-Mail Blacklist – Simple email filtering for safer registration |
Affected:
0 , ≤ 1.6.2
(semver)
|
Credits
Phap Nguyen Anh
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0691",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T18:28:29.618825Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T18:28:47.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CM E-Mail Blacklist \u2013 Simple email filtering for safer registration",
"vendor": "creativemindssolutions",
"versions": [
{
"lessThanOrEqual": "1.6.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Phap Nguyen Anh"
}
],
"descriptions": [
{
"lang": "en",
"value": "The CM E-Mail Blacklist \u2013 Simple email filtering for safer registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027black_email\u0027 parameter in all versions up to, and including, 1.6.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:03:54.008Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/821f4ea9-bc25-4d65-9058-5b77c4f1b230?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-email-blacklist/trunk/backend/views/settings/email_blacklist.phtml#L67"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-email-blacklist/tags/1.6.2/backend/views/settings/email_blacklist.phtml#L67"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3440158%40cm-email-blacklist\u0026new=3440158%40cm-email-blacklist\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-07T21:09:24.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-16T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "CM E-Mail Blacklist \u003c= 1.6.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via \u0027black_email\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0691",
"datePublished": "2026-01-17T06:42:20.210Z",
"dateReserved": "2026-01-07T20:54:14.552Z",
"dateUpdated": "2026-04-08T17:03:54.008Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54045 (GCVE-0-2025-54045)
Vulnerability from cvelistv5 – Published: 2025-12-16 08:12 – Updated: 2026-04-01 14:08
VLAI?
Title
WordPress CM On Demand Search And Replace plugin <= 1.5.5 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in CreativeMindsSolutions CM On Demand Search And Replace cm-on-demand-search-and-replace allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CM On Demand Search And Replace: from n/a through <= 1.5.5.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CreativeMindsSolutions | CM On Demand Search And Replace |
Affected:
0 , ≤ 1.5.5
(custom)
|
Date Public ?
2026-04-01 15:59
Credits
Mika | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-54045",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-16T17:31:42.139719Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-16T17:31:45.293Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cm-on-demand-search-and-replace",
"product": "CM On Demand Search And Replace",
"vendor": "CreativeMindsSolutions",
"versions": [
{
"lessThanOrEqual": "1.5.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mika | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T15:59:26.288Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in CreativeMindsSolutions CM On Demand Search And Replace cm-on-demand-search-and-replace allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects CM On Demand Search And Replace: from n/a through \u003c= 1.5.5.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in CreativeMindsSolutions CM On Demand Search And Replace cm-on-demand-search-and-replace allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CM On Demand Search And Replace: from n/a through \u003c= 1.5.5."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:08:21.421Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/cm-on-demand-search-and-replace/vulnerability/wordpress-cm-on-demand-search-and-replace-plugin-1-5-4-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress CM On Demand Search And Replace plugin \u003c= 1.5.5 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-54045",
"datePublished": "2025-12-16T08:12:46.351Z",
"dateReserved": "2025-07-16T08:52:07.075Z",
"dateUpdated": "2026-04-01T14:08:21.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11167 (GCVE-0-2025-11167)
Vulnerability from cvelistv5 – Published: 2025-10-11 08:29 – Updated: 2026-04-08 17:19
VLAI?
Title
CM Registration – Tailored tool for seamless login and invitation-based registrations <= 2.5.6 - Open Redirect
Summary
The CM Registration – Tailored tool for seamless login and invitation-based registrations plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 2.5.6. This is due to insufficient validation on the redirect url supplied via the 'redirect_url' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.
Severity ?
4.7 (Medium)
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| creativemindssolutions | CM Registration – Tailored tool for seamless login and invitation-based registrations |
Affected:
0 , ≤ 2.5.6
(semver)
|
Credits
Jonas Benjamin Friedli
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11167",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-14T13:30:22.117056Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-14T14:11:07.569Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CM Registration \u2013 Tailored tool for seamless login and invitation-based registrations",
"vendor": "creativemindssolutions",
"versions": [
{
"lessThanOrEqual": "2.5.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonas Benjamin Friedli"
}
],
"descriptions": [
{
"lang": "en",
"value": "The CM Registration \u2013 Tailored tool for seamless login and invitation-based registrations plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 2.5.6. This is due to insufficient validation on the redirect url supplied via the \u0027redirect_url\u0027 parameter. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:19:46.335Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c10286fe-2fdf-4946-b7bb-a2b16f93abb0?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3374121/cm-invitation-codes/trunk/controller/LoginController.php?old=3310298\u0026old_path=cm-invitation-codes%2Ftags%2F2.5.5%2Fcontroller%2FLoginController.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-29T17:07:43.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-10T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "CM Registration \u2013 Tailored tool for seamless login and invitation-based registrations \u003c= 2.5.6 - Open Redirect"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11167",
"datePublished": "2025-10-11T08:29:17.346Z",
"dateReserved": "2025-09-29T16:52:35.968Z",
"dateUpdated": "2026-04-08T17:19:46.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10178 (GCVE-0-2025-10178)
Vulnerability from cvelistv5 – Published: 2025-09-26 01:47 – Updated: 2026-04-08 16:43
VLAI?
Title
CM Business Directory <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The CM Business Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cmbd_featured_image' shortcode in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| creativemindssolutions | CM Business Directory – Optimise and showcase local business |
Affected:
0 , ≤ 1.5.2
(semver)
|
Credits
Youcef Hamdani
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10178",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-26T19:22:39.256757Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-26T19:22:59.183Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CM Business Directory \u2013 Optimise and showcase local business",
"vendor": "creativemindssolutions",
"versions": [
{
"lessThanOrEqual": "1.5.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Youcef Hamdani"
}
],
"descriptions": [
{
"lang": "en",
"value": "The CM Business Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027cmbd_featured_image\u0027 shortcode in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:43:49.358Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2c1ecd71-57ed-44ba-a007-3b96b98d3bf7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-business-directory/trunk/frontend/cm-business-directory-business-page-sc.php#L289"
},
{
"url": "https://wordpress.org/plugins/cm-business-directory/"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-business-directory/trunk/frontend/cm-business-directory-business-page-sc.php?rev=3364840#L280"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-business-directory/tags/1.5.2/frontend/cm-business-directory-business-page-sc.php#L289"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-18T11:28:46.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-09-25T13:26:06.000Z",
"value": "Disclosed"
}
],
"title": "CM Business Directory \u003c= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10178",
"datePublished": "2025-09-26T01:47:26.676Z",
"dateReserved": "2025-09-09T14:24:50.742Z",
"dateUpdated": "2026-04-08T16:43:49.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48151 (GCVE-0-2025-48151)
Vulnerability from cvelistv5 – Published: 2025-08-20 08:03 – Updated: 2026-04-01 15:54
VLAI?
Title
WordPress CM Map Locations <= 2.1.6 - Cross Site Scripting (XSS) Vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Map Locations cm-map-locations allows Reflected XSS.This issue affects CM Map Locations: from n/a through <= 2.1.6.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CreativeMindsSolutions | CM Map Locations |
Affected:
0 , ≤ 2.1.6
(custom)
|
Date Public ?
2026-04-01 16:40
Credits
Nguyen Xuan Chien | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48151",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T17:29:04.657436Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T17:29:11.512Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cm-map-locations",
"product": "CM Map Locations",
"vendor": "CreativeMindsSolutions",
"versions": [
{
"changes": [
{
"at": "2.1.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.1.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Xuan Chien | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:40:30.897Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CreativeMindsSolutions CM Map Locations cm-map-locations allows Reflected XSS.\u003cp\u003eThis issue affects CM Map Locations: from n/a through \u003c= 2.1.6.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CreativeMindsSolutions CM Map Locations cm-map-locations allows Reflected XSS.This issue affects CM Map Locations: from n/a through \u003c= 2.1.6."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "Reflected XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:54:15.154Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/cm-map-locations/vulnerability/wordpress-cm-map-locations-2-1-6-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress CM Map Locations \u003c= 2.1.6 - Cross Site Scripting (XSS) Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-48151",
"datePublished": "2025-08-20T08:03:33.138Z",
"dateReserved": "2025-05-15T18:01:53.425Z",
"dateUpdated": "2026-04-01T15:54:15.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54727 (GCVE-0-2025-54727)
Vulnerability from cvelistv5 – Published: 2025-08-14 18:21 – Updated: 2026-04-01 15:57
VLAI?
Title
WordPress CM On Demand Search And Replace Plugin <= 1.5.2 - Cross Site Scripting (XSS) Vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM On Demand Search And Replace cm-on-demand-search-and-replace allows Stored XSS.This issue affects CM On Demand Search And Replace: from n/a through <= 1.5.2.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CreativeMindsSolutions | CM On Demand Search And Replace |
Affected:
0 , ≤ 1.5.2
(custom)
|
Date Public ?
2026-04-01 16:42
Credits
Bao - BlueRock | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-14T19:30:46.411308Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-14T19:30:52.184Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cm-on-demand-search-and-replace",
"product": "CM On Demand Search And Replace",
"vendor": "CreativeMindsSolutions",
"versions": [
{
"changes": [
{
"at": "1.5.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.5.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bao - BlueRock | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:42:30.556Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CreativeMindsSolutions CM On Demand Search And Replace cm-on-demand-search-and-replace allows Stored XSS.\u003cp\u003eThis issue affects CM On Demand Search And Replace: from n/a through \u003c= 1.5.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CreativeMindsSolutions CM On Demand Search And Replace cm-on-demand-search-and-replace allows Stored XSS.This issue affects CM On Demand Search And Replace: from n/a through \u003c= 1.5.2."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:57:30.265Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/cm-on-demand-search-and-replace/vulnerability/wordpress-cm-on-demand-search-and-replace-plugin-plugin-1-5-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress CM On Demand Search And Replace Plugin \u003c= 1.5.2 - Cross Site Scripting (XSS) Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-54727",
"datePublished": "2025-08-14T18:21:45.295Z",
"dateReserved": "2025-07-28T10:56:33.521Z",
"dateUpdated": "2026-04-01T15:57:30.265Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54728 (GCVE-0-2025-54728)
Vulnerability from cvelistv5 – Published: 2025-08-14 18:21 – Updated: 2026-04-01 15:57
VLAI?
Title
WordPress CM On Demand Search And Replace Plugin <= 1.5.2 - Cross Site Request Forgery (CSRF) Vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM On Demand Search And Replace cm-on-demand-search-and-replace allows Cross Site Request Forgery.This issue affects CM On Demand Search And Replace: from n/a through <= 1.5.2.
Severity ?
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CreativeMindsSolutions | CM On Demand Search And Replace |
Affected:
0 , ≤ 1.5.2
(custom)
|
Date Public ?
2026-04-01 16:42
Credits
Bao - BlueRock | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54728",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-14T19:31:10.508787Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-14T19:31:16.535Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cm-on-demand-search-and-replace",
"product": "CM On Demand Search And Replace",
"vendor": "CreativeMindsSolutions",
"versions": [
{
"changes": [
{
"at": "1.5.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.5.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bao - BlueRock | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:42:30.561Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM On Demand Search And Replace cm-on-demand-search-and-replace allows Cross Site Request Forgery.\u003cp\u003eThis issue affects CM On Demand Search And Replace: from n/a through \u003c= 1.5.2.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM On Demand Search And Replace cm-on-demand-search-and-replace allows Cross Site Request Forgery.This issue affects CM On Demand Search And Replace: from n/a through \u003c= 1.5.2."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "Cross Site Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:57:30.463Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/cm-on-demand-search-and-replace/vulnerability/wordpress-cm-on-demand-search-and-replace-plugin-plugin-1-5-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "WordPress CM On Demand Search And Replace Plugin \u003c= 1.5.2 - Cross Site Request Forgery (CSRF) Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-54728",
"datePublished": "2025-08-14T18:21:43.685Z",
"dateReserved": "2025-07-28T10:56:33.521Z",
"dateUpdated": "2026-04-01T15:57:30.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54018 (GCVE-0-2025-54018)
Vulnerability from cvelistv5 – Published: 2025-07-16 10:36 – Updated: 2026-04-01 15:57
VLAI?
Title
WordPress CM Pop-Up banners plugin <= 1.8.4 - Broken Access Control Vulnerability
Summary
Missing Authorization vulnerability in CreativeMindsSolutions CM Pop-Up banners cm-pop-up-banners allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CM Pop-Up banners: from n/a through <= 1.8.4.
Severity ?
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CreativeMindsSolutions | CM Pop-Up banners |
Affected:
0 , ≤ 1.8.4
(custom)
|
Date Public ?
2026-04-01 16:42
Credits
Bao - BlueRock | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54018",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-16T19:51:59.009356Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T19:52:22.496Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cm-pop-up-banners",
"product": "CM Pop-Up banners",
"vendor": "CreativeMindsSolutions",
"versions": [
{
"changes": [
{
"at": "1.8.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.8.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bao - BlueRock | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:42:03.327Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in CreativeMindsSolutions CM Pop-Up banners cm-pop-up-banners allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects CM Pop-Up banners: from n/a through \u003c= 1.8.4.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in CreativeMindsSolutions CM Pop-Up banners cm-pop-up-banners allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CM Pop-Up banners: from n/a through \u003c= 1.8.4."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:57:11.765Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/cm-pop-up-banners/vulnerability/wordpress-cm-pop-up-banners-plugin-1-8-4-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress CM Pop-Up banners plugin \u003c= 1.8.4 - Broken Access Control Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-54018",
"datePublished": "2025-07-16T10:36:43.743Z",
"dateReserved": "2025-07-16T08:51:37.993Z",
"dateUpdated": "2026-04-01T15:57:11.765Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-46246 (GCVE-0-2025-46246)
Vulnerability from cvelistv5 – Published: 2025-04-22 09:53 – Updated: 2026-04-01 15:52
VLAI?
Title
WordPress CM Answers plugin <= 3.3.3 - Cross Site Request Forgery (CSRF) Vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM Answers cm-answers allows Cross Site Request Forgery.This issue affects CM Answers: from n/a through <= 3.3.3.
Severity ?
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CreativeMindsSolutions | CM Answers |
Affected:
0 , ≤ 3.3.3
(custom)
|
Date Public ?
2026-04-01 16:39
Credits
ch4r0n | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46246",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T16:08:28.947133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T16:08:49.917Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cm-answers",
"product": "CM Answers",
"vendor": "CreativeMindsSolutions",
"versions": [
{
"changes": [
{
"at": "3.3.4",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.3.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ch4r0n | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:39:39.777Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM Answers cm-answers allows Cross Site Request Forgery.\u003cp\u003eThis issue affects CM Answers: from n/a through \u003c= 3.3.3.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM Answers cm-answers allows Cross Site Request Forgery.This issue affects CM Answers: from n/a through \u003c= 3.3.3."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "Cross Site Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:52:41.866Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/cm-answers/vulnerability/wordpress-cm-answers-3-3-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "WordPress CM Answers plugin \u003c= 3.3.3 - Cross Site Request Forgery (CSRF) Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-46246",
"datePublished": "2025-04-22T09:53:31.292Z",
"dateReserved": "2025-04-22T09:21:43.074Z",
"dateUpdated": "2026-04-01T15:52:41.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-46245 (GCVE-0-2025-46245)
Vulnerability from cvelistv5 – Published: 2025-04-22 09:53 – Updated: 2026-04-01 15:52
VLAI?
Title
WordPress CM Ad Changer plugin <= 2.0.5 - Cross Site Request Forgery (CSRF) Vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM Ad Changer cm-ad-changer allows Cross Site Request Forgery.This issue affects CM Ad Changer: from n/a through <= 2.0.5.
Severity ?
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CreativeMindsSolutions | CM Ad Changer |
Affected:
0 , ≤ 2.0.5
(custom)
|
Date Public ?
2026-04-01 16:39
Credits
ch4r0n | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46245",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T16:21:16.504162Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T16:23:06.221Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cm-ad-changer",
"product": "CM Ad Changer",
"vendor": "CreativeMindsSolutions",
"versions": [
{
"changes": [
{
"at": "2.0.6",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.0.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ch4r0n | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:39:39.520Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM Ad Changer cm-ad-changer allows Cross Site Request Forgery.\u003cp\u003eThis issue affects CM Ad Changer: from n/a through \u003c= 2.0.5.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM Ad Changer cm-ad-changer allows Cross Site Request Forgery.This issue affects CM Ad Changer: from n/a through \u003c= 2.0.5."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "Cross Site Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:52:41.696Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/cm-ad-changer/vulnerability/wordpress-cm-ad-changer-2-0-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "WordPress CM Ad Changer plugin \u003c= 2.0.5 - Cross Site Request Forgery (CSRF) Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-46245",
"datePublished": "2025-04-22T09:53:30.649Z",
"dateReserved": "2025-04-22T09:21:43.074Z",
"dateUpdated": "2026-04-01T15:52:41.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-32210 (GCVE-0-2025-32210)
Vulnerability from cvelistv5 – Published: 2025-04-10 08:09 – Updated: 2026-04-01 15:50
VLAI?
Title
WordPress CM Registration and Invitation Codes plugin <= 2.5.6 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in CreativeMindsSolutions CM Registration and Invitation Codes cm-invitation-codes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CM Registration and Invitation Codes: from n/a through <= 2.5.6.
Severity ?
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CreativeMindsSolutions | CM Registration and Invitation Codes |
Affected:
0 , ≤ 2.5.6
(custom)
|
Date Public ?
2026-04-01 16:38
Credits
Trương Hữu Phúc (truonghuuphuc) | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32210",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T19:26:04.897150Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T19:26:43.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cm-invitation-codes",
"product": "CM Registration and Invitation Codes",
"vendor": "CreativeMindsSolutions",
"versions": [
{
"changes": [
{
"at": "3.3.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.5.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:38:22.507Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in CreativeMindsSolutions CM Registration and Invitation Codes cm-invitation-codes allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects CM Registration and Invitation Codes: from n/a through \u003c= 2.5.6.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in CreativeMindsSolutions CM Registration and Invitation Codes cm-invitation-codes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CM Registration and Invitation Codes: from n/a through \u003c= 2.5.6."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:50:27.758Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/cm-invitation-codes/vulnerability/wordpress-cm-registration-and-invitation-codes-plugin-2-5-2-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress CM Registration and Invitation Codes plugin \u003c= 2.5.6 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-32210",
"datePublished": "2025-04-10T08:09:44.744Z",
"dateReserved": "2025-04-04T10:01:35.761Z",
"dateUpdated": "2026-04-01T15:50:27.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-31091 (GCVE-0-2025-31091)
Vulnerability from cvelistv5 – Published: 2025-04-03 13:27 – Updated: 2026-04-01 15:48
VLAI?
Title
WordPress CM Header and Footer plugin <= 1.2.4 - Cross Site Scripting (XSS) Vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Header and Footer cm-header-footer-script-loader allows Stored XSS.This issue affects CM Header and Footer: from n/a through <= 1.2.4.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CreativeMindsSolutions | CM Header and Footer |
Affected:
0 , ≤ 1.2.4
(custom)
|
Date Public ?
2026-04-01 16:36
Credits
Nguyen Xuan Chien | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31091",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-03T14:59:13.819260Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T15:09:18.049Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cm-header-footer-script-loader",
"product": "CM Header and Footer",
"vendor": "CreativeMindsSolutions",
"versions": [
{
"changes": [
{
"at": "1.2.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.2.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Xuan Chien | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:36:47.610Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CreativeMindsSolutions CM Header and Footer cm-header-footer-script-loader allows Stored XSS.\u003cp\u003eThis issue affects CM Header and Footer: from n/a through \u003c= 1.2.4.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CreativeMindsSolutions CM Header and Footer cm-header-footer-script-loader allows Stored XSS.This issue affects CM Header and Footer: from n/a through \u003c= 1.2.4."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:48:35.323Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/cm-header-footer-script-loader/vulnerability/wordpress-cm-header-and-footer-1-2-4-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress CM Header and Footer plugin \u003c= 1.2.4 - Cross Site Scripting (XSS) Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-31091",
"datePublished": "2025-04-03T13:27:09.308Z",
"dateReserved": "2025-03-26T09:26:11.885Z",
"dateUpdated": "2026-04-01T15:48:35.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30910 (GCVE-0-2025-30910)
Vulnerability from cvelistv5 – Published: 2025-04-01 05:31 – Updated: 2026-04-01 15:47
VLAI?
Title
WordPress CM Download Manager plugin <= 2.9.6 - Arbitrary File Deletion vulnerability
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CreativeMindsSolutions CM Download Manager cm-download-manager allows Path Traversal.This issue affects CM Download Manager: from n/a through <= 2.9.6.
Severity ?
No CVSS data available.
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CreativeMindsSolutions | CM Download Manager |
Affected:
0 , ≤ 2.9.6
(custom)
|
Date Public ?
2026-04-01 16:36
Credits
Trương Hữu Phúc (truonghuuphuc) | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30910",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-01T15:49:20.930849Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-01T15:49:30.428Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cm-download-manager",
"product": "CM Download Manager",
"vendor": "CreativeMindsSolutions",
"versions": [
{
"changes": [
{
"at": "3.0.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.9.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:36:37.412Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in CreativeMindsSolutions CM Download Manager cm-download-manager allows Path Traversal.\u003cp\u003eThis issue affects CM Download Manager: from n/a through \u003c= 2.9.6.\u003c/p\u003e"
}
],
"value": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) vulnerability in CreativeMindsSolutions CM Download Manager cm-download-manager allows Path Traversal.This issue affects CM Download Manager: from n/a through \u003c= 2.9.6."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "Path Traversal"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:47:58.962Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/cm-download-manager/vulnerability/wordpress-cm-download-manager-plugin-2-9-6-arbitrary-file-deletion-vulnerability?_s_id=cve"
}
],
"title": "WordPress CM Download Manager plugin \u003c= 2.9.6 - Arbitrary File Deletion vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-30910",
"datePublished": "2025-04-01T05:31:40.624Z",
"dateReserved": "2025-03-26T09:21:38.618Z",
"dateUpdated": "2026-04-01T15:47:58.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-2166 (GCVE-0-2025-2166)
Vulnerability from cvelistv5 – Published: 2025-03-14 04:22 – Updated: 2026-04-08 17:05
VLAI?
Title
CM FAQ – Simplify support with an intuitive FAQ management tool <= 1.2.5 - Reflected Cross-Site Scripting
Summary
The CM FAQ – Simplify support with an intuitive FAQ management tool plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| creativemindssolutions | CM FAQ – Simplify support with an intuitive FAQ management tool |
Affected:
0 , ≤ 1.2.5
(semver)
|
Credits
Peter Thaleikis
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2166",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-14T13:57:36.206288Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T13:59:06.925Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CM FAQ \u2013 Simplify support with an intuitive FAQ management tool",
"vendor": "creativemindssolutions",
"versions": [
{
"lessThanOrEqual": "1.2.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Thaleikis"
}
],
"descriptions": [
{
"lang": "en",
"value": "The CM FAQ \u2013 Simplify support with an intuitive FAQ management tool plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:05:50.722Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8b8d21cb-fe87-4947-a44b-7d670cf2123e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-faq/tags/1.2.4/package/cminds-free.php#L2662"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-faq/tags/1.2.5/package/cminds-free.php#L2662"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-faq/tags/1.2.6/package/cminds-free.php#L2662"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "CM FAQ \u2013 Simplify support with an intuitive FAQ management tool \u003c= 1.2.5 - Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-2166",
"datePublished": "2025-03-14T04:22:33.305Z",
"dateReserved": "2025-03-10T13:49:38.619Z",
"dateUpdated": "2026-04-08T17:05:50.722Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-24758 (GCVE-0-2025-24758)
Vulnerability from cvelistv5 – Published: 2025-03-03 13:30 – Updated: 2026-04-01 15:44
VLAI?
Title
WordPress CM Map Locations plugin <= 2.0.8 - Reflected Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Map Locations cm-map-locations allows Reflected XSS.This issue affects CM Map Locations: from n/a through <= 2.0.8.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CreativeMindsSolutions | CM Map Locations |
Affected:
0 , ≤ 2.0.8
(custom)
|
Date Public ?
2026-04-01 16:34
Credits
SOPROBRO | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24758",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-03T16:00:38.875085Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T17:38:01.887Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cm-map-locations",
"product": "CM Map Locations",
"vendor": "CreativeMindsSolutions",
"versions": [
{
"changes": [
{
"at": "2.0.9",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.0.8",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "SOPROBRO | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:34:50.008Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CreativeMindsSolutions CM Map Locations cm-map-locations allows Reflected XSS.\u003cp\u003eThis issue affects CM Map Locations: from n/a through \u003c= 2.0.8.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CreativeMindsSolutions CM Map Locations cm-map-locations allows Reflected XSS.This issue affects CM Map Locations: from n/a through \u003c= 2.0.8."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "Reflected XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:44:43.151Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/cm-map-locations/vulnerability/wordpress-cm-map-locations-plugin-2-0-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress CM Map Locations plugin \u003c= 2.0.8 - Reflected Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-24758",
"datePublished": "2025-03-03T13:30:21.486Z",
"dateReserved": "2025-01-23T14:53:08.866Z",
"dateUpdated": "2026-04-01T15:44:43.151Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-24694 (GCVE-0-2025-24694)
Vulnerability from cvelistv5 – Published: 2025-03-03 13:30 – Updated: 2026-04-01 15:44
VLAI?
Title
WordPress CM Pop-Up Banners plugin <= 1.7.6 - Reflected Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Pop-Up banners cm-pop-up-banners allows Reflected XSS.This issue affects CM Pop-Up banners: from n/a through <= 1.7.6.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CreativeMindsSolutions | CM Pop-Up banners |
Affected:
0 , ≤ 1.7.6
(custom)
|
Date Public ?
2026-04-01 16:34
Credits
Peter Thaleikis | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24694",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-03T16:32:05.594546Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T19:01:33.226Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cm-pop-up-banners",
"product": "CM Pop-Up banners",
"vendor": "CreativeMindsSolutions",
"versions": [
{
"changes": [
{
"at": "1.7.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.7.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Thaleikis | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:34:38.062Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CreativeMindsSolutions CM Pop-Up banners cm-pop-up-banners allows Reflected XSS.\u003cp\u003eThis issue affects CM Pop-Up banners: from n/a through \u003c= 1.7.6.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CreativeMindsSolutions CM Pop-Up banners cm-pop-up-banners allows Reflected XSS.This issue affects CM Pop-Up banners: from n/a through \u003c= 1.7.6."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "Reflected XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:44:31.136Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/cm-pop-up-banners/vulnerability/wordpress-cm-pop-up-banners-plugin-1-7-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress CM Pop-Up Banners plugin \u003c= 1.7.6 - Reflected Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-24694",
"datePublished": "2025-03-03T13:30:21.298Z",
"dateReserved": "2025-01-23T14:52:23.104Z",
"dateUpdated": "2026-04-01T15:44:31.136Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-54267 (GCVE-0-2024-54267)
Vulnerability from cvelistv5 – Published: 2024-12-13 14:24 – Updated: 2026-04-01 15:39
VLAI?
Title
WordPress CM Answers plugin <= 3.2.6 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in CreativeMindsSolutions CM Answers cm-answers allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CM Answers: from n/a through <= 3.2.6.
Severity ?
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CreativeMindsSolutions | CM Answers |
Affected:
0 , ≤ 3.2.6
(custom)
|
Date Public ?
2026-04-01 16:30
Credits
Muhammad Zidan Ali Mansur | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-54267",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T16:34:06.373683Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T16:34:13.586Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cm-answers",
"product": "CM Answers",
"vendor": "CreativeMindsSolutions",
"versions": [
{
"changes": [
{
"at": "3.2.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.2.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Zidan Ali Mansur | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:30:23.787Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in CreativeMindsSolutions CM Answers cm-answers allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects CM Answers: from n/a through \u003c= 3.2.6.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in CreativeMindsSolutions CM Answers cm-answers allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CM Answers: from n/a through \u003c= 3.2.6."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:39:37.462Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/cm-answers/vulnerability/wordpress-cm-answers-plugin-3-2-6-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress CM Answers plugin \u003c= 3.2.6 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-54267",
"datePublished": "2024-12-13T14:24:44.880Z",
"dateReserved": "2024-12-02T12:04:05.093Z",
"dateUpdated": "2026-04-01T15:39:37.462Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-11202 (GCVE-0-2024-11202)
Vulnerability from cvelistv5 – Published: 2024-11-26 07:31 – Updated: 2026-04-08 17:27
VLAI?
Title
Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode
Summary
Multiple plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the cminds_free_guide shortcode in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| creativemindssolutions | CM Header and Footer – Add custom scripts and styles to your header and footer with ease |
Affected:
0 , ≤ 1.2.1
(semver)
|
||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||
Credits
Peter Thaleikis
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-11202",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T14:03:41.646023Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T14:09:25.025Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CM Header and Footer \u2013 Add custom scripts and styles to your header and footer with ease",
"vendor": "creativemindssolutions",
"versions": [
{
"lessThanOrEqual": "1.2.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CM Business Directory \u2013 Optimise and showcase local business",
"vendor": "creativemindssolutions",
"versions": [
{
"lessThanOrEqual": "1.4.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CM Search And Replace \u2013 Optimize content edits with a powerful search and replace tool",
"vendor": "creativemindssolutions",
"versions": [
{
"lessThanOrEqual": "1.4.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CM E-Mail Blacklist \u2013 Simple email filtering for safer registration",
"vendor": "creativemindssolutions",
"versions": [
{
"lessThanOrEqual": "1.5.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CM Pop-Up \u2013 Create engaging popups to capture attention and boost interaction",
"vendor": "creativemindssolutions",
"versions": [
{
"lessThanOrEqual": "1.7.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CM Video Lessons Manager \u2013 Simplify video lessons management for better education",
"vendor": "creativemindssolutions",
"versions": [
{
"lessThanOrEqual": "1.8.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "CM Tooltip Glossary",
"vendor": "creativemindssolutions",
"versions": [
{
"lessThanOrEqual": "4.3.11",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Thaleikis"
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the cminds_free_guide shortcode in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:27:35.857Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/db759c60-9ce9-407d-8d1f-cbbfd09759d5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-pop-up-banners/trunk/package/cminds-free.php#L1471"
},
{
"url": "https://wordpress.org/plugins/cm-pop-up-banners/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-header-footer-script-loader/trunk/package/cminds-free.php#L1465"
},
{
"url": "https://plugins.trac.wordpress.org/browser/enhanced-tooltipglossary/trunk/package/cminds-free.php#L1465"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-business-directory/trunk/package/cminds-free.php#L1465"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-video-lesson-manager/trunk/package/cminds-free.php#L1465"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-email-blacklist/trunk/package/cminds-free.php#L1465"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-on-demand-search-and-replace/trunk/package/cminds-free.php#L1469"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3191536/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3192416/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3193808/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3192354/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3194393/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3192808/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3192381/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-25T19:30:14.000Z",
"value": "Disclosed"
}
],
"title": "Multiple Plugins \u003c= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-11202",
"datePublished": "2024-11-26T07:31:31.790Z",
"dateReserved": "2024-11-14T00:00:21.262Z",
"dateUpdated": "2026-04-08T17:27:35.857Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-48041 (GCVE-0-2024-48041)
Vulnerability from cvelistv5 – Published: 2024-10-11 18:27 – Updated: 2026-04-01 15:35
VLAI?
Title
WordPress CM Tooltip Glossary plugin <= 4.3.9 - Stored Cross-Site Scripting vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Tooltip Glossary enhanced-tooltipglossary allows Stored XSS.This issue affects CM Tooltip Glossary: from n/a through <= 4.3.9.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CreativeMindsSolutions | CM Tooltip Glossary |
Affected:
0 , ≤ 4.3.9
(custom)
|
Date Public ?
2026-04-01 16:28
Credits
Robert DeVore | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-48041",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-11T18:45:11.226268Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-11T18:45:21.738Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "enhanced-tooltipglossary",
"product": "CM Tooltip Glossary",
"vendor": "CreativeMindsSolutions",
"versions": [
{
"changes": [
{
"at": "4.3.11",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.3.9",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Robert DeVore | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:28:10.429Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CreativeMindsSolutions CM Tooltip Glossary enhanced-tooltipglossary allows Stored XSS.\u003cp\u003eThis issue affects CM Tooltip Glossary: from n/a through \u003c= 4.3.9.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in CreativeMindsSolutions CM Tooltip Glossary enhanced-tooltipglossary allows Stored XSS.This issue affects CM Tooltip Glossary: from n/a through \u003c= 4.3.9."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:35:47.893Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/enhanced-tooltipglossary/vulnerability/wordpress-cm-tooltip-glossary-plugin-4-3-9-privilege-escalation-vulnerability?_s_id=cve"
}
],
"title": "WordPress CM Tooltip Glossary plugin \u003c= 4.3.9 - Stored Cross-Site Scripting vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-48041",
"datePublished": "2024-10-11T18:27:15.935Z",
"dateReserved": "2024-10-08T13:14:57.116Z",
"dateUpdated": "2026-04-01T15:35:47.893Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-43149 (GCVE-0-2024-43149)
Vulnerability from cvelistv5 – Published: 2024-08-12 22:13 – Updated: 2024-08-13 14:05
VLAI?
Title
WordPress CM Tooltip Glossary Plugin <= 4.3.7 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Tooltip Glossary allows Stored XSS.This issue affects CM Tooltip Glossary: from n/a through 4.3.7.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CreativeMindsSolutions | CM Tooltip Glossary |
Affected:
n/a , ≤ 4.3.7
(custom)
|
Credits
LVT-tholv2k (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43149",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-13T13:50:58.967525Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T14:05:24.229Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "enhanced-tooltipglossary",
"product": "CM Tooltip Glossary",
"vendor": "CreativeMindsSolutions",
"versions": [
{
"changes": [
{
"at": "4.3.9",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.3.7",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "LVT-tholv2k (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in CreativeMindsSolutions CM Tooltip Glossary allows Stored XSS.\u003cp\u003eThis issue affects CM Tooltip Glossary: from n/a through 4.3.7.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in CreativeMindsSolutions CM Tooltip Glossary allows Stored XSS.This issue affects CM Tooltip Glossary: from n/a through 4.3.7."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-12T22:13:29.806Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/enhanced-tooltipglossary/wordpress-cm-tooltip-glossary-plugin-4-3-7-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 4.3.9 or a higher version."
}
],
"value": "Update to 4.3.9 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress CM Tooltip Glossary Plugin \u003c= 4.3.7 - Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-43149",
"datePublished": "2024-08-12T22:13:29.806Z",
"dateReserved": "2024-08-07T09:19:26.673Z",
"dateUpdated": "2024-08-13T14:05:24.229Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4086 (GCVE-0-2024-4086)
Vulnerability from cvelistv5 – Published: 2024-05-02 16:52 – Updated: 2026-04-08 17:32
VLAI?
Title
CM Tooltip Glossary – Powerful Glossary Plugin <= 4.2.11 - Cross-Site Request Forgery
Summary
The CM Tooltip Glossary – Powerful Glossary Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.11. This is due to missing or incorrect nonce validation when saving settings. This makes it possible for unauthenticated attackers to change the plugin's settings or reset them via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| creativemindssolutions | CM Tooltip Glossary |
Affected:
0 , ≤ 4.2.11
(semver)
|
Credits
Benedictus Jovan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4086",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-09T19:14:05.978645Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:54:09.504Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:33:51.657Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f3e2ddde-1421-4352-b93a-1492574f624e?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3076616/enhanced-tooltipglossary/trunk/settings/CMTT_Settings.php?contextall=1\u0026old=3029791\u0026old_path=%2Fenhanced-tooltipglossary%2Ftrunk%2Fsettings%2FCMTT_Settings.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CM Tooltip Glossary",
"vendor": "creativemindssolutions",
"versions": [
{
"lessThanOrEqual": "4.2.11",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Benedictus Jovan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The CM Tooltip Glossary \u2013 Powerful Glossary Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.11. This is due to missing or incorrect nonce validation when saving settings. This makes it possible for unauthenticated attackers to change the plugin\u0027s settings or reset them via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:32:59.143Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f3e2ddde-1421-4352-b93a-1492574f624e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3076616/enhanced-tooltipglossary/trunk/settings/CMTT_Settings.php?contextall=1\u0026old=3029791\u0026old_path=%2Fenhanced-tooltipglossary%2Ftrunk%2Fsettings%2FCMTT_Settings.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-24T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "CM Tooltip Glossary \u2013 Powerful Glossary Plugin \u003c= 4.2.11 - Cross-Site Request Forgery"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4086",
"datePublished": "2024-05-02T16:52:51.436Z",
"dateReserved": "2024-04-23T16:24:44.990Z",
"dateUpdated": "2026-04-08T17:32:59.143Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-30750 (GCVE-0-2023-30750)
Vulnerability from cvelistv5 – Published: 2023-12-20 17:06 – Updated: 2024-08-02 14:37
VLAI?
Title
WordPress CM Pop-Up banners Plugin <= 1.5.10 is vulnerable to SQL Injection
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CreativeMindsSolutions CM Popup Plugin for WordPress.This issue affects CM Popup Plugin for WordPress: from n/a through 1.5.10.
Severity ?
8.5 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CreativeMindsSolutions | CM Popup Plugin for WordPress |
Affected:
n/a , ≤ 1.5.10
(custom)
|
Credits
Dave Jong (Patchstack)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:37:15.579Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/cm-pop-up-banners/wordpress-cm-pop-up-banners-for-wordpress-plugin-1-5-10-sql-injection-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cm-pop-up-banners",
"product": "CM Popup Plugin for WordPress",
"vendor": "CreativeMindsSolutions",
"versions": [
{
"changes": [
{
"at": "1.6.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.5.10",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Dave Jong (Patchstack)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in CreativeMindsSolutions CM Popup Plugin for WordPress.\u003cp\u003eThis issue affects CM Popup Plugin for WordPress: from n/a through 1.5.10.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in CreativeMindsSolutions CM Popup Plugin for WordPress.This issue affects CM Popup Plugin for WordPress: from n/a through 1.5.10.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-20T17:06:20.367Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/cm-pop-up-banners/wordpress-cm-pop-up-banners-for-wordpress-plugin-1-5-10-sql-injection-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;1.6.0 or a higher version."
}
],
"value": "Update to\u00a01.6.0 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress CM Pop-Up banners Plugin \u003c= 1.5.10 is vulnerable to SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-30750",
"datePublished": "2023-12-20T17:06:20.367Z",
"dateReserved": "2023-04-14T07:08:36.339Z",
"dateUpdated": "2024-08-02T14:37:15.579Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28749 (GCVE-0-2023-28749)
Vulnerability from cvelistv5 – Published: 2023-11-22 13:02 – Updated: 2024-08-02 13:51
VLAI?
Title
WordPress CM On Demand Search And Replace Plugin <= 1.3.0 is vulnerable to Cross Site Request Forgery (CSRF)
Summary
Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM On Demand Search And Replace plugin <= 1.3.0 versions.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CreativeMindsSolutions | CM On Demand Search And Replace |
Affected:
n/a , ≤ 1.3.0
(custom)
|
Credits
Abdi Pranata (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T13:51:37.968Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/cm-on-demand-search-and-replace/wordpress-cm-on-demand-search-and-replace-plugin-1-3-0-cross-site-request-forgery-csrf?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cm-on-demand-search-and-replace",
"product": "CM On Demand Search And Replace",
"vendor": "CreativeMindsSolutions",
"versions": [
{
"changes": [
{
"at": "1.3.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.3.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Abdi Pranata (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM On Demand Search And Replace plugin \u0026lt;=\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;1.3.0 versions.\u003c/span\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM On Demand Search And Replace plugin \u003c=\u00a01.3.0 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-22T13:02:55.222Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/cm-on-demand-search-and-replace/wordpress-cm-on-demand-search-and-replace-plugin-1-3-0-cross-site-request-forgery-csrf?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;1.3.1 or a higher version."
}
],
"value": "Update to\u00a01.3.1 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress CM On Demand Search And Replace Plugin \u003c= 1.3.0 is vulnerable to Cross Site Request Forgery (CSRF)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-28749",
"datePublished": "2023-11-22T13:02:55.222Z",
"dateReserved": "2023-03-22T16:47:14.447Z",
"dateUpdated": "2024-08-02T13:51:37.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-31228 (GCVE-0-2023-31228)
Vulnerability from cvelistv5 – Published: 2023-08-18 12:57 – Updated: 2024-09-25 14:39
VLAI?
Title
WordPress CM On Demand Search And Replace Plugin <= 1.3.0 is vulnerable to Cross Site Scripting (XSS)
Summary
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in CreativeMindsSolutions CM On Demand Search And Replace plugin <= 1.3.0 versions.
Severity ?
5.9 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CreativeMindsSolutions | CM On Demand Search And Replace |
Affected:
n/a , ≤ 1.3.0
(custom)
|
Credits
Abdi Pranata (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:53:30.697Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/cm-on-demand-search-and-replace/wordpress-cm-on-demand-search-and-replace-plugin-1-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-31228",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T14:31:51.551340Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T14:39:30.385Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cm-on-demand-search-and-replace",
"product": "CM On Demand Search And Replace",
"vendor": "CreativeMindsSolutions",
"versions": [
{
"changes": [
{
"at": "1.3.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.3.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Abdi Pranata (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in CreativeMindsSolutions CM On Demand Search And Replace plugin \u0026lt;=\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;1.3.0 versions.\u003c/span\u003e"
}
],
"value": "Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in CreativeMindsSolutions CM On Demand Search And Replace plugin \u003c=\u00a01.3.0 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-18T12:57:43.899Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/cm-on-demand-search-and-replace/wordpress-cm-on-demand-search-and-replace-plugin-1-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;1.3.1 or a higher version."
}
],
"value": "Update to\u00a01.3.1 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress CM On Demand Search And Replace Plugin \u003c= 1.3.0 is vulnerable to Cross Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-31228",
"datePublished": "2023-08-18T12:57:43.899Z",
"dateReserved": "2023-04-26T15:10:10.074Z",
"dateUpdated": "2024-09-25T14:39:30.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25992 (GCVE-0-2023-25992)
Vulnerability from cvelistv5 – Published: 2023-03-23 16:18 – Updated: 2025-01-10 19:16
VLAI?
Title
WordPress CM Answers Plugin <= 3.1.9 is vulnerable to Cross Site Scripting (XSS)
Summary
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in CreativeMindsSolutions CM Answers plugin <= 3.1.9 versions.
Severity ?
5.9 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CreativeMindsSolutions | CM Answers |
Affected:
n/a , ≤ 3.1.9
(custom)
|
Credits
MyungJu Kim (Patchstack Alliance)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:39:06.132Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/cm-answers/wordpress-cm-answers-plugin-3-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25992",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-10T17:45:55.247289Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-10T19:16:35.188Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "cm-answers",
"product": "CM Answers",
"vendor": "CreativeMindsSolutions",
"versions": [
{
"changes": [
{
"at": "3.2.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.1.9",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "MyungJu Kim (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in CreativeMindsSolutions CM Answers plugin \u0026lt;=\u003cspan style=\"background-color: var(--wht);\"\u003e\u0026nbsp;3.1.9 \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eversions\u003c/span\u003e.\u003c/span\u003e"
}
],
"value": "Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in CreativeMindsSolutions CM Answers plugin \u003c=\u00a03.1.9 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-23T16:18:28.849Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/cm-answers/wordpress-cm-answers-plugin-3-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;3.2.0 or a higher version."
}
],
"value": "Update to\u00a03.2.0 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress CM Answers Plugin \u003c= 3.1.9 is vulnerable to Cross Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-25992",
"datePublished": "2023-03-23T16:18:28.849Z",
"dateReserved": "2023-02-17T13:47:16.259Z",
"dateUpdated": "2025-01-10T19:16:35.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24713 (GCVE-0-2021-24713)
Vulnerability from cvelistv5 – Published: 2021-11-23 19:16 – Updated: 2024-08-03 19:42
VLAI?
Title
Video Lessons Manager - Admin+ Stored Cross-Site Scripting
Summary
The Video Lessons Manager WordPress plugin before 1.7.2 and Video Lessons Manager Pro WordPress plugin before 3.5.9 do not properly sanitize and escape values when updating their settings, which could allow high privilege users to perform Cross-Site Scripting attacks
Severity ?
No CVSS data available.
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| TODO | Video Lessons Manager – Best Video Course LMS |
Affected:
1.7.2 , < 1.7.2
(custom)
|
|||||||
|
|||||||||
Credits
Shivam Rai
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:42:16.189Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/4a90be69-41eb-43e9-962d-34316497b4df"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Video Lessons Manager \u2013 Best Video Course LMS",
"vendor": "TODO",
"versions": [
{
"lessThan": "1.7.2",
"status": "affected",
"version": "1.7.2",
"versionType": "custom"
}
]
},
{
"product": "Video Lessons Manager Pro \u2013 Best Video Course LMS",
"vendor": "TODO",
"versions": [
{
"lessThan": "3.5.9",
"status": "affected",
"version": "3.5.9",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Shivam Rai"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Video Lessons Manager WordPress plugin before 1.7.2 and Video Lessons Manager Pro WordPress plugin before 3.5.9 do not properly sanitize and escape values when updating their settings, which could allow high privilege users to perform Cross-Site Scripting attacks"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-23T19:16:09.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpscan.com/vulnerability/4a90be69-41eb-43e9-962d-34316497b4df"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Video Lessons Manager - Admin+ Stored Cross-Site Scripting",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24713",
"STATE": "PUBLIC",
"TITLE": "Video Lessons Manager - Admin+ Stored Cross-Site Scripting"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Video Lessons Manager \u2013 Best Video Course LMS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.7.2",
"version_value": "1.7.2"
}
]
}
},
{
"product_name": "Video Lessons Manager Pro \u2013 Best Video Course LMS",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.5.9",
"version_value": "3.5.9"
}
]
}
}
]
},
"vendor_name": "TODO"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Shivam Rai"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Video Lessons Manager WordPress plugin before 1.7.2 and Video Lessons Manager Pro WordPress plugin before 3.5.9 do not properly sanitize and escape values when updating their settings, which could allow high privilege users to perform Cross-Site Scripting attacks"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/4a90be69-41eb-43e9-962d-34316497b4df",
"refsource": "MISC",
"url": "https://wpscan.com/vulnerability/4a90be69-41eb-43e9-962d-34316497b4df"
}
]
},
"source": {
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24713",
"datePublished": "2021-11-23T19:16:09.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:42:16.189Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}