THREAT ALERT

Daily vulnerability intelligence for defenders – fresh CVEs with exploitability signals, patch status, and action-oriented priorities from 17 sources.

CVEs published

Track vulnerabilities that matter to your stack

Personalized alerts, dashboards, and weekly digests – free.

Trending Now

Critical Watch

Attack Technique Trend

Prediction based on ZDI Disclosures & CVE data · 30 days

Analytics

Vendor Today – Quick Filter

Techniques

results

Sort:

Base Score

Vector String

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

0 | 3.9| 6.9| 8.9| 10

NONE LOW MEDIUM HIGH CRITICAL

CVSS Filter – CVEs match

No CVEs match the selected criteria

Browse older vulnerabilities in Archive

Live Feed auto-refresh 60s

Vulnerability Intelligence — January 22, 2025

151 CVEs tracked today. 10 Critical, 97 High, 39 Medium, 1 Low.

CVE-2025-23953 CRITICAL CVSS 10.0
Unrestricted Upload of File with Dangerous Type vulnerability in Innovative Solutions user files allows Upload a Web Shell to a Web Server.4.2. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
CVE-2025-23942 CRITICAL CVSS 9.1
Unrestricted Upload of File with Dangerous Type vulnerability in NgocCode WP Load Gallery allows Upload a Web Shell to a Web Server.1.6. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 44.7% and no vendor patch available.

File Upload
CVE-2025-23932 CRITICAL CVSS 9.8
Deserialization of Untrusted Data vulnerability in NotFound Quick Count allows Object Injection.00. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
CVE-2025-23931 CRITICAL CVSS 9.3
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound WordPress Local SEO allows Blind SQL Injection.3. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress SQLi PHP
CVE-2025-23921 CRITICAL CVSS 9.0
Unrestricted Upload of File with Dangerous Type vulnerability in NotFound Multi Uploader for Gravity Forms allows Upload a Web Shell to a Web Server.1.3. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

File Upload
CVE-2025-23918 CRITICAL CVSS 9.9
Unrestricted Upload of File with Dangerous Type vulnerability in NotFound Smallerik File Browser allows Upload a Web Shell to a Web Server.1. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
CVE-2025-23914 CRITICAL CVSS 9.8
Deserialization of Untrusted Data vulnerability in NotFound Muzaara Google Ads Report allows Object Injection.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Deserialization
CVE-2025-20156 CRITICAL CVSS 9.9
A vulnerability in the REST API of Cisco Meeting Management could allow a remote, authenticated attacker with low privileges to elevate privileges to administrator on an affected device. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Cisco Information Disclosure Meeting Management
CVE-2024-13091 CRITICAL CVSS 9.8
The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'qcld_wpcfb_file_upload' function in all versions up to, and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 10.2% and no vendor patch available.

RCE File Upload WordPress Wpot
CVE-2024-12857 CRITICAL CVSS 9.8
The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Adforest
CVE-2025-24399 HIGH CVSS 8.8
Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive, allowing attackers on Jenkins instances. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Jenkins Openid Connect Authentication
CVE-2025-24398 HIGH CVSS 8.8
Jenkins Bitbucket Server Integration Plugin 2.1.0 through 4.1.3 (both inclusive) allows attackers to craft URLs that would bypass the CSRF protection of any target URL in Jenkins. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Jenkins Bitbucket Server Integration
CVE-2025-23966 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AlaFalaki a Gateway for Pasargad Bank on WooCommerce allows Reflected XSS.5.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS PHP
CVE-2025-23959 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Linus Lundahl Good Old Gallery allows Reflected XSS.1.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23949 HIGH CVSS 8.1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mihajlovic Nenad Improved Sale Badges - Free Version allows PHP Local File. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Lfi Information Disclosure PHP
CVE-2025-23948 HIGH CVSS 8.1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebArea Background animation blocks allows PHP Local File Inclusion.1.5. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Lfi Information Disclosure PHP
CVE-2025-23944 HIGH CVSS 8.8
Deserialization of Untrusted Data vulnerability in WOOEXIM.COM WOOEXIM allows Object Injection.0.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
CVE-2025-23938 HIGH CVSS 7.5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Image Gallery Box by CRUDLab allows PHP Local File Inclusion.0.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Lfi Information Disclosure PHP
CVE-2025-23910 HIGH CVSS 8.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Menus Plus+ allows SQL Injection.9.6. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
CVE-2025-23882 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP Download Codes allows Reflected XSS.5.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23874 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP Block Pack allows Reflected XSS.1.6. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23867 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WordPress File Search allows Reflected XSS.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS PHP
CVE-2025-23866 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound EU DSGVO Helper allows Reflected XSS.0.6.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23846 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kolja Nolte Flexible Blogtitle allows Reflected XSS.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23812 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Contact Form 7 Round Robin Lead Distribution allows Reflected XSS.2.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23811 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP2APP allows Reflected XSS.6.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23809 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Blue Wrench Video Widget allows Reflected XSS.1.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23806 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in ThemeFarmer Ultimate Subscribe allows Reflected XSS.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
CVE-2025-23803 HIGH CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in PQINA Snippy allows Reflected XSS.4.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
CVE-2025-23784 HIGH CVSS 7.6
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Contact Form 7 Round Robin Lead Distribution allows SQL Injection.2.1. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
CVE-2025-23781 HIGH CVSS 7.5
Insertion of Sensitive Information Into Sent Data vulnerability in NotFound WM Options Import Export allows Retrieve Embedded Sensitive Data.0.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
CVE-2025-23774 HIGH CVSS 7.5
Insertion of Sensitive Information Into Sent Data vulnerability in NotFound WPDB to Sql allows Retrieve Embedded Sensitive Data.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
CVE-2025-23770 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Fast Tube allows Reflected XSS.3.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23769 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Content Mirror allows Reflected XSS.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23768 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound InFunding allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23758 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Pootle button allows Reflected XSS.2.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23746 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound CMC MIGRATE allows Reflected XSS.0.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23732 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Easy Filtering allows Reflected XSS.5.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23709 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kiro G. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23706 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Jet Skinner for BuddyPress allows Reflected XSS.2.5. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23701 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matthew Blackford, LimeSquare Pty Ltd Lime Developer Login allows Reflected XSS.4.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23700 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yonatan Reinberg yCyclista allows Reflected XSS.2.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23697 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebDeal s.r.o. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23696 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Staging CDN allows Reflected XSS.0.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23695 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound CtyGrid Hyp3rL0cal Search allows Reflected XSS.1.1.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23686 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Callum Richards Admin Menu Organizer allows Reflected XSS.0.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23683 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound MACME allows Reflected XSS.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23682 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Preloader Quotes allows Reflected XSS.0.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23681 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jannatqualitybacklinks.com REDIRECTION PLUS allows Reflected XSS.0.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23679 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Moshiur Rahman Mehedi FP RSS Category Excluder allows Reflected XSS.0.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23678 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound LocalGrid allows Reflected XSS.0.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23676 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound LH Email allows Reflected XSS.12. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23674 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Bit.ly linker allows Reflected XSS.ly linker: from n/a through 1.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23672 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Instant Appointment allows Reflected XSS.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23643 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound ReadMe Creator allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23631 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Content Planner allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23630 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Cyber Slider allows Reflected XSS.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23625 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AWcode, PDSonline Unique UX allows Reflected XSS.9.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23611 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WH Cache & Security allows Reflected XSS.1.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23610 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Ultimate Events allows Reflected XSS.3.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23609 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Helmuth Lammer Tagesteller allows Reflected XSS.1.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23607 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Camoo Sarl CAMOO SMS allows Reflected XSS.0.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23606 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Calendi allows Reflected XSS.1.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23605 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LamPD Call To Action Popup allows Reflected XSS.0.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23604 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Rezdy Reloaded allows Stored XSS.0.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23603 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Group category creator allows Reflected XSS.3.0.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23602 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound EELV Newsletter allows Reflected XSS.8.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23601 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Tab My Content allows Reflected XSS.0.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23597 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Riosis Private Limited Rio Photo Gallery allows Reflected XSS.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23592 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound dForms allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23589 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound ContentOptin Lite allows Reflected XSS.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23583 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Explara Explara Membership allows Reflected XSS.0.7. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23578 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Custom CSS Addons allows Reflected XSS.9.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23548 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bilal TAS Responsivity allows Reflected XSS.0.6. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23535 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in clickandsell REAL WordPress Sidebar allows Stored XSS.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS PHP
CVE-2025-23512 HIGH CVSS 7.5
Missing Authorization vulnerability in Team118GROUP Team 118GROUP Agent allows Exploiting Incorrectly Configured Access Control Security Levels.6.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-23509 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound HyperComments allows Reflected XSS.9.6. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23507 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blrt Blrt WP Embed allows Reflected XSS.6.9. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23506 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP IMAP Auth allows Reflected XSS.0.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23503 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Customizable Captcha and Contact Us allows Reflected XSS.0.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23500 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Faaiq Ahmed, Technial Architect,faaiqsj@gmail.com Simple Custom post type custom field allows. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23498 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Translation.Pro allows Reflected XSS.Pro: from n/a through 1.0.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23495 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WooCommerce Order Search allows Reflected XSS.1.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS PHP
CVE-2025-23475 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound History timeline allows Reflected XSS.7.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23462 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound FWD Slider allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23449 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Simple shortcode buttons allows Reflected XSS.3.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23083 HIGH CVSS 7.7
With the aid of the diagnostics_channel utility, an event can be hooked into whenever a worker thread is created. Rated high severity (CVSS 7.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Node.js Authentication Bypass Redhat Suse
CVE-2025-22772 HIGH CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Mapbox for WP Advanced allows Reflected XSS.0.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-22450 HIGH CVSS 7.5
Inclusion of undocumented features issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
CVE-2025-20617 HIGH CVSS 7.2
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection
CVE-2025-20165 HIGH CVSS 7.5
A vulnerability in the SIP processing subsystem of Cisco BroadWorks could allow an unauthenticated, remote attacker to halt the processing of incoming SIP requests, resulting in a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Denial Of Service Broadworks Network Server
CVE-2025-0638 HIGH CVSS 7.5
The initial code parsing the manifest did not check the content of the file names yet later code assumed that it was checked and panicked when encountering illegal characters, resulting in a crash of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service
CVE-2025-0612 HIGH CVSS 7.5
Out of bounds memory access in V8 in Google Chrome prior to 132.0.6834.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Buffer Overflow Information Disclosure Chrome Suse
CVE-2025-0611 HIGH CVSS 8.2
Object corruption in V8 in Google Chrome prior to 132.0.6834.110 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Heap Overflow Buffer Overflow Google Chrome Suse
CVE-2025-0429 HIGH CVSS 7.2
The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure PHP Aipower
CVE-2025-0428 HIGH CVSS 7.2
The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization WordPress Information Disclosure PHP Aipower
CVE-2024-56924 HIGH CVSS 7.3
A Cross Site Request Forgery (CSRF) vulnerability in Code Astro Internet banking system 2.0.0 allows remote attackers to execute arbitrary JavaScript on the admin page (pages_account), potentially. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Internet Banking System
CVE-2024-55957 HIGH CVSS 7.8
In Thermo Fisher Scientific Xcalibur before 4.7 SP1 and Thermo Foundation Instrument Control Software (ICSW) before 3.1 SP10, the driver packages have a local privilege escalation vulnerability due. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Privilege Escalation Windows
CVE-2024-34235 HIGH CVSS 8.6
Open5GS MME versions <= 2.6.4 contains an assertion that can be remotely triggered via a malformed ASN.1 packet over the S1AP interface. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Open5gs
CVE-2024-31903 HIGH CVSS 8.8
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.2 allow an attacker on the local network to execute arbitrary code on the system, caused by the. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Epss exploitation probability 18.2% and no vendor patch available.

RCE Deserialization IBM Sterling B2b Integrator
CVE-2024-24430 HIGH CVSS 7.5
A reachable assertion in the mme_ue_find_by_imsi function of Open5GS <= 2.6.4 allows attackers to cause a Denial of Service (DoS) via a crafted NAS packet. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Open5gs
CVE-2024-24429 HIGH CVSS 8.6
A reachable assertion in the nas_eps_send_emm_to_esm function of Open5GS <= 2.6.4 allows attackers to cause a Denial of Service (DoS) via a crafted NGAP packet. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Open5gs
CVE-2024-13499 HIGH CVSS 7.3
The The GamiPress - Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via gamipress_do_shortcode(). Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection WordPress Gamipress
CVE-2024-13496 HIGH CVSS 7.5
The GamiPress - Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 21.0%.

WordPress SQLi Gamipress
CVE-2024-13495 HIGH CVSS 7.3
The The GamiPress - Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via the. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection WordPress Gamipress
CVE-2024-11218 HIGH CVSS 8.6
A vulnerability was found in `podman build` and `buildah.` This issue occurs in a container breakout by using --jobs=2 and a race condition when building a malicious Containerfile. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Redhat Suse
CVE-2024-11166 HIGH CVSS 7.1
For TCAS II systems using transponders compliant with MOPS earlier than RTCA DO-181F, an attacker can impersonate a ground station and issue a Comm-A Identity Request. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
CVE-2025-24403 MEDIUM CVSS 4.3
A missing permission check in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of Azure credentials stored in Jenkins. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Authentication Bypass Jenkins Azure Service Fabric
CVE-2025-24402 MEDIUM CVSS 4.3
A cross-site request forgery (CSRF) vulnerability in Jenkins Azure Service Fabric Plugin 1.6 and earlier allows attackers to connect to a Service Fabric URL using attacker-specified credentials IDs. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft CSRF Jenkins Azure Service Fabric
CVE-2025-24401 MEDIUM CVSS 6.8
Jenkins Folder-based Authorization Strategy Plugin 217.vd5b_18537403e and earlier does not verify that permissions configured to be granted are enabled, potentially allowing users formerly granted. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Folder Based Authorization Strategy
CVE-2025-24400 MEDIUM CVSS 4.3
Jenkins Eiffel Broadcaster Plugin 2.8.0 through 2.10.2 (both inclusive) uses the credential ID as the cache key during signing operations, allowing attackers able to create a credential with the same. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jenkins Eiffel Broadcaster
CVE-2025-24397 MEDIUM CVSS 4.3
An incorrect permission check in Jenkins GitLab Plugin 1.9.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Gitlab Jenkins
CVE-2025-24027 MEDIUM CVSS 6.2
ps_contactinfo, a PrestaShop module for displaying store contact information, has a cross-site scripting (XSS) vulnerability in versions up to and including 3.3.2. Rated medium severity (CVSS 6.2), this vulnerability is remotely exploitable. No vendor patch available.

XSS SQLi
CVE-2025-23992 MEDIUM CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Leetoo Toocheke Companion allows Stored XSS.166. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
CVE-2025-23798 MEDIUM CVSS 6.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eliott Robson Mass Messaging in BuddyPress allows Reflected XSS.2.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
CVE-2025-23684 MEDIUM CVSS 4.3
Missing Authorization vulnerability in Eugen Bobrowski Debug Tool allows Exploiting Incorrectly Configured Access Control Security Levels.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-23562 MEDIUM CVSS 5.8
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NotFound XLSXviewer allows Path Traversal.1.1. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal
CVE-2025-23486 MEDIUM CVSS 6.5
Missing Authorization vulnerability in NotFound Database Sync allows Exploiting Incorrectly Configured Access Control Security Levels.5.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
CVE-2025-23237 MEDIUM CVSS 6.6
Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in UD-LT2 firmware Ver.1.00.008_SE and earlier. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.

Command Injection
CVE-2025-23047 MEDIUM CVSS 6.5
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Kubernetes Cilium Suse
CVE-2025-23028 MEDIUM CVSS 5.3
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Kubernetes Denial Of Service Cilium Suse
CVE-2025-22980 MEDIUM CVSS 6.7
A SQL Injection vulnerability exists in Senayan Library Management System SLiMS 9 Bulian 9.6.1 via the tempLoanID parameter in the loan form on /admin/modules/circulation/loan.php. Rated medium severity (CVSS 6.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Senayan Library Management System Bulian
CVE-2025-20128 MEDIUM CVSS 5.3
A vulnerability in the Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Heap Overflow Cisco Buffer Overflow Denial Of Service Clamav
CVE-2025-0651 MEDIUM CVSS 6.1
Improper Privilege Management vulnerability in Cloudflare WARP on Windows allows File Manipulation. Rated medium severity (CVSS 6.1), this vulnerability is low attack complexity. No vendor patch available.

Microsoft Privilege Escalation Warp Windows
CVE-2025-0604 MEDIUM CVSS 5.4
A flaw was found in Keycloak. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Redhat
CVE-2025-0395 MEDIUM CVSS 6.2
When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a. Rated medium severity (CVSS 6.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Redhat Suse
CVE-2024-56923 MEDIUM CVSS 5.4
Stored Cross-Site Scripting (XSS) Vulnerability in the Categorization Option of My Subscriptions Functionality in Silverpeas Core 6.3.1 <= 6.4.1 allows a remote attacker to execute arbitrary. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Silverpeas
CVE-2024-56914 MEDIUM CVSS 5.7
D-Link DSL-3782 v1.01 is vulnerable to Buffer Overflow in /New_GUI/ParentalControl.asp. Rated medium severity (CVSS 5.7), this vulnerability is low attack complexity. No vendor patch available.

D-Link Buffer Overflow Dsl 3782 Firmware
CVE-2024-55488 MEDIUM CVSS 6.5
A stored cross-site scripting (XSS) vulnerability in Umbraco CMS v14.3.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Umbraco Cms
CVE-2024-51457 MEDIUM CVSS 4.4
IBM Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.19 and 23.0.0 through 23.0.19 is vulnerable to cross-site scripting. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.

IBM XSS Robotic Process Automation For Cloud Pak
CVE-2024-42013 MEDIUM CVSS 6.4
In GRAU DATA Blocky before 3.1, Blocky-Gui has a Client-Side Enforcement of Server-Side Security vulnerability. Rated medium severity (CVSS 6.4). No vendor patch available.

Microsoft Authentication Bypass Windows
CVE-2024-42012 MEDIUM CVSS 5.7
GRAU DATA Blocky before 3.1 stores passwords encrypted rather than hashed. Rated medium severity (CVSS 5.7). No vendor patch available.

Microsoft Information Disclosure Windows
CVE-2024-24432 MEDIUM CVSS 5.3
A reachable assertion in the ogs_kdf_hash_mme function of Open5GS <= 2.6.4 allows attackers to cause a Denial of Service (DoS) via a crafted NAS packet. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Open5gs
CVE-2024-13590 MEDIUM CVSS 6.4
The Ketchup Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spacer' shortcode in all versions up to, and including, 0.1.2 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Ketchup Shortcodes
CVE-2024-13584 MEDIUM CVSS 6.4
The Picture Gallery - Frontend Image Uploads, AJAX Photo List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'videowhisper_pictures' shortcode in all versions up. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Picture Gallery
CVE-2024-13447 MEDIUM CVSS 4.3
The WP Hotel Booking plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hotel_booking_load_order_user AJAX action in all versions up to, and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass WordPress Wp Hotel Booking
CVE-2024-13426 MEDIUM CVSS 5.4
The WP-Polls plugin for WordPress is vulnerable to SQL Injection via COOKIE in all versions up to, and including, 2.77.2 due to insufficient escaping on the user supplied parameter and lack of. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required.

WordPress XSS SQLi Wp Polls
CVE-2024-13406 MEDIUM CVSS 6.1
The XML for Google Merchant Center plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'feed_id' parameter in all versions up to, and including, 3.0.11 due to insufficient. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Google WordPress XSS Xml For Google Merchant Center
CVE-2024-13361 MEDIUM CVSS 6.3
The AI Power: Complete AI Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpaicg_save_image_media function in all versions up to, and. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass WordPress Aipower
CVE-2024-13360 MEDIUM CVSS 5.4
The AI Power: Complete AI Pack plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.8.96 via the wpaicg_troubleshoot_add_vector(). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

WordPress SSRF Aipower
CVE-2024-13319 MEDIUM CVSS 6.1
The Themify Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including,. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Themify Builder
CVE-2024-12879 MEDIUM CVSS 4.3
The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'qc_wp_latest_update_check_pro' function in all. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Wpot
CVE-2024-12477 MEDIUM CVSS 6.4
The Avada Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.11.11 due to insufficient input sanitization. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Avada Builder
CVE-2024-12117 MEDIUM CVSS 6.4
The Stackable - Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter of the Button block in all versions up to, and including,. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Stackable
CVE-2024-10929 MEDIUM CVSS 5.1
In certain circumstances, an issue in Arm Cortex-A57, Cortex-A72 (revisions before r1p0), Cortex-A73 and Cortex-A75 may allow an adversary to gain a weak form of control over the victim's branch. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Cortex A57 Firmware Cortex A72 Firmware Cortex A73 Firmware Cortex A75 Firmware
CVE-2024-9310 MEDIUM CVSS 6.0
By utilizing software-defined radios and a custom low-latency processing pipeline, RF signals with spoofed location data can be transmitted to aircraft targets. Rated medium severity (CVSS 6.0), this vulnerability is no authentication required. No vendor patch available.

Information Disclosure
CVE-2025-23090 None
Rejected reason: This CVE record has been withdrawn due to a duplicate entry CVE-2025-23083. No vendor patch available.

Information Disclosure
CVE-2025-23089 None
Rejected reason: This Record was REJECTED after determining it is not in compliance with CVE Program requirements regarding assignment for vulnerabilities. No vendor patch available.

Information Disclosure
CVE-2025-23088 None
Rejected reason: This Record was REJECTED after determining it is not in compliance with CVE Program requirements regarding assignment for vulnerabilities. No vendor patch available.

Information Disclosure
CVE-2025-23087 None
Rejected reason: This Record was REJECTED after determining it is not in compliance with CVE Program requirements regarding assignment for vulnerabilities. No vendor patch available.

Information Disclosure
CVE-2025-0625 LOW CVSS 2.3
A vulnerability, which was classified as problematic, was found in CampCodes School Management Software 1.0. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Information Disclosure School Management Software

Today's Vulnerabilities Vulnerabilities