Refine your search
4 vulnerabilities found for by techjewel
CVE-2025-13728 (GCVE-0-2025-13728)
Vulnerability from cvelistv5
Published
2025-12-15 14:25
Modified
2025-12-15 15:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The FluentAuth – The Ultimate Authorization & Security Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `fluent_auth_reset_password` shortcode in all versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| techjewel | FluentAuth – The Ultimate Authorization & Security Plugin for WordPress |
Version: * ≤ 2.0.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13728",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-15T15:42:24.971692Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T15:45:16.363Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FluentAuth \u2013 The Ultimate Authorization \u0026 Security Plugin for WordPress",
"vendor": "techjewel",
"versions": [
{
"lessThanOrEqual": "2.0.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The FluentAuth \u2013 The Ultimate Authorization \u0026 Security Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s `fluent_auth_reset_password` shortcode in all versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-15T14:25:12.270Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a3187d3e-e1da-4af7-a1fa-9657389f9e22?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3409232/fluent-security/tags/2.1.0/app/Hooks/Handlers/CustomAuthHandler.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-17T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-11-25T23:18:43.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-15T02:19:04.000+00:00",
"value": "Disclosed"
}
],
"title": "FluentAuth - Auth Security Plugin \u003c= 2.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027fluent_auth_reset_password\u0027 Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13728",
"datePublished": "2025-12-15T14:25:12.270Z",
"dateReserved": "2025-11-25T23:03:10.530Z",
"dateUpdated": "2025-12-15T15:45:16.363Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13748 (GCVE-0-2025-13748)
Vulnerability from cvelistv5
Published
2025-12-06 06:39
Modified
2025-12-08 21:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Summary
The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the 'submission_id' parameter due to missing validation on a user controlled key within the confirmScaPayment() function. This makes it possible for unauthenticated attackers to mark arbitrary submissions as failed via crafted requests to the endpoint granted they can guess or enumerate a valid submission identifier.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| techjewel | Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder |
Version: * ≤ 6.1.7 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13748",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-08T21:27:32.596858Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T21:27:44.087Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz, \u0026 Conversational Form Builder",
"vendor": "techjewel",
"versions": [
{
"lessThanOrEqual": "6.1.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Md. Moniruzzaman Prodhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz, \u0026 Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.1.7 via the \u0027submission_id\u0027 parameter due to missing validation on a user controlled key within the confirmScaPayment() function. This makes it possible for unauthenticated attackers to mark arbitrary submissions as failed via crafted requests to the endpoint granted they can guess or enumerate a valid submission identifier."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-06T06:39:08.515Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2aee799-4e4c-4a41-8b76-e2ad576fe2e2?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3406804/fluentform/tags/6.1.8/app/Modules/Payments/PaymentMethods/Stripe/StripeInlineProcessor.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-26T16:13:14.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-05T18:10:08.000+00:00",
"value": "Disclosed"
}
],
"title": "Fluent Forms \u003c= 6.1.7 - Unauthenticated Insecure Direct Object Reference to Payment Status Tampering via submission_id"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13748",
"datePublished": "2025-12-06T06:39:08.515Z",
"dateReserved": "2025-11-26T15:56:07.294Z",
"dateUpdated": "2025-12-08T21:27:44.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13756 (GCVE-0-2025-13756)
Vulnerability from cvelistv5
Published
2025-12-03 13:52
Modified
2025-12-03 14:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The Fluent Booking plugin for WordPress is vulnerable to unauthorized calendar import and management due to a missing capability check on the "importCalendar" function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with subscriber level access and above, to import arbitrary calendars and manage them.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| techjewel | Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution |
Version: * ≤ 1.9.11 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13756",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T14:40:47.097022Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T14:40:52.227Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fluent Booking \u2013 The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution",
"vendor": "techjewel",
"versions": [
{
"lessThanOrEqual": "1.9.11",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Md. Moniruzzaman Prodhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Fluent Booking plugin for WordPress is vulnerable to unauthorized calendar import and management due to a missing capability check on the \"importCalendar\" function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with subscriber level access and above, to import arbitrary calendars and manage them."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T13:52:45.265Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7860dfa8-de76-4ca3-bd80-98550afab56b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3404176/fluent-booking/tags/1.10.0/app/Hooks/Handlers/DataImporter.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-18T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-11-26T20:41:32.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-03T00:41:01.000+00:00",
"value": "Disclosed"
}
],
"title": "Fluent Booking \u2013 The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution \u003c= 1.9.11 - Authenticated (Subscriber+) Missing Authorization to Calendar Import and Management"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13756",
"datePublished": "2025-12-03T13:52:45.265Z",
"dateReserved": "2025-11-26T20:26:05.841Z",
"dateUpdated": "2025-12-03T14:40:52.227Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12935 (GCVE-0-2025-12935)
Vulnerability from cvelistv5
Published
2025-11-21 12:28
Modified
2025-11-21 17:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fluentcrm_content' shortcode in all versions up to, and including, 2.9.84 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| techjewel | FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution |
Version: * ≤ 2.9.84 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12935",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-21T17:42:47.002389Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T17:43:05.441Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FluentCRM \u2013 Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution",
"vendor": "techjewel",
"versions": [
{
"lessThanOrEqual": "2.9.84",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The FluentCRM \u2013 Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027fluentcrm_content\u0027 shortcode in all versions up to, and including, 2.9.84 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T12:28:08.412Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7129e5cb-ce70-477a-a8f1-3acf152dfc21?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/fluent-crm/tags/2.9.84/app/Hooks/actions.php#L172"
},
{
"url": "https://plugins.trac.wordpress.org/browser/fluent-crm/tags/2.9.84/app/Hooks/Handlers/PrefFormHandler.php#L175"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3399640/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-09T22:33:18.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-20T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "FluentCRM - Marketing Automation For WordPress \u003c= 2.9.84 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027fluentcrm_content\u0027 Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12935",
"datePublished": "2025-11-21T12:28:08.412Z",
"dateReserved": "2025-11-09T22:17:40.122Z",
"dateUpdated": "2025-11-21T17:43:05.441Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}