WordPress is a content management system paired with a MySQL or MariaDB database. Features include a plugin architecture and a template system, referred to within WordPress as Themes.

WordPress

The Simple:Press plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'postitem' parameter manipulated during the profile-save action when modifying a profile signature in versions up to, and including, 6.8 due to insufficient input sanitization and output escaping that makes injecting object and embed tags possible. This makes it possible for authenticated attackers, with minimal permissions, such as a subscriber to inject arbitrary web scripts in pages when modifying a profile signature that will execute whenever a user accesses an injected page.

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-13542	CRITICAL	9.8	WordPress	designthemes-lms	No	Yes	Dec 02, 2025
CVE-2025-13724	HIGH	7.5	WordPress	vikrentcar	No	Yes	Dec 02, 2025
CVE-2025-13731	MEDIUM	6.4	WordPress	nexter-extension	No	Yes	Dec 02, 2025
CVE-2025-12630	MEDIUM	4.9	WordPress	upload-am-file-hosting-vpn	No	Yes	Dec 02, 2025
CVE-2025-13090	MEDIUM	4.9	WordPress	wpdirectorykit	No	Yes	Dec 02, 2025

CVE-2022-4028:
WordPress vulnerability analysis and mitigation

Overview

Technical details

Additional resources

5.4

Related WordPress vulnerabilities:

Benchmark your Cloud Security Posture

Additional Wiz resources

Cloud Vulnerability DB

Cloud Threat Landscape

PEACH

Ready to see Wiz in action?

CVE-2022-4028: WordPress vulnerability analysis and mitigation