Skip to main content
CVE-2025-25062 MEDIUM POC THREAT This Month

An XSS issue was discovered in Backdrop CMS 1.28.x before 1.28.5 and 1.29.x before 1.29.3. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 26.5%.

XSS Backdrop Cms
NVD
CVSS 3.1
4.4
EPSS
26.5%
CVE-2025-24639 MEDIUM This Month

Insertion of Sensitive Information Into Sent Data vulnerability in GREYS Korea for WooCommerce allows Retrieve Embedded Sensitive Data.1.11. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-23527 MEDIUM This Month

Missing Authorization vulnerability in Hemnath Mouli WC Wallet allows Accessing Functionality Not Properly Constrained by ACLs.2.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-22683 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper NotificationX allows Stored XSS.9.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-23561 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound MLL Audio Player MP3 Ajax allows Stored XSS.7. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-23747 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nitesh Singh Awesome Timeline allows Stored XSS.0.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-23581 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Digital Zoom Studio Demo User DZS allows Stored XSS.1.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-22292 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Felipe Peixoto Powerful Auto Chat allows Stored XSS.9.8. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-24697 MEDIUM This Month

Missing Authorization vulnerability in Realwebcare Image Gallery - Responsive Photo Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.0.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-24643 MEDIUM This Month

Missing Authorization vulnerability in Amento Tech Pvt ltd WPGuppy allows Exploiting Incorrectly Configured Access Control Security Levels.1.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-24642 MEDIUM This Month

Missing Authorization vulnerability in theme funda Setup Default Featured Image allows Exploiting Incorrectly Configured Access Control Security Levels.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2024-11132 MEDIUM This Month

The Eventer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.9.9 due to insufficient input sanitization and output escaping on user. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-22701 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in NotFound Traveler Layout Essential For Elementor.0.8. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

SSRF
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2024-11133 MEDIUM This Month

The Eventer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'handle_pdf_download_request' function in all versions up to, and including,. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2025-22686 MEDIUM This Month

Missing Authorization vulnerability in GSheetConnector CF7 Google Sheets Connector allows Exploiting Incorrectly Configured Access Control Security Levels.0.17. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2023-52164 MEDIUM This Month

access_device.cgi on Digiever DS-2105 Pro 3.1.0.71-11 devices allows arbitrary file read. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
5.1
EPSS
0.1%
CVE-2025-24605 MEDIUM This Month

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in realmag777 WOLF allows Path Traversal.0.8.5. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-22677 MEDIUM This Month

Missing Authorization vulnerability in UIUX Lab Uix Shortcodes allows Exploiting Incorrectly Configured Access Control Security Levels.0.3. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
4.8
EPSS
0.1%
CVE-2024-50500 MEDIUM This Month

Missing Authorization vulnerability in By Averta Shortcodes and extra features for Phlox theme allows Exploiting Incorrectly Configured Access Control Security Levels.17.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-22694 MEDIUM This Month

Missing Authorization vulnerability in theDotstore Hide Shipping Method For WooCommerce.5.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-22681 MEDIUM This Month

Missing Authorization vulnerability in Xfinity Soft Content Cloner allows Exploiting Incorrectly Configured Access Control Security Levels.0.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-22260 MEDIUM This Month

Missing Authorization vulnerability in Pixelite Meta Tag Manager.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-22695 MEDIUM This Month

Authorization Bypass Through User-Controlled Key vulnerability in NirWp Team Nirweb support.0.3. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-24029 MEDIUM PATCH This Month

Tuleap is an Open Source Suite to improve management of software developments and collaboration. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Tuleap
NVD GitHub
CVSS 3.1
5.3
EPSS
0.3%
CVE-2025-23210 MEDIUM PATCH Monitor

phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP XSS
NVD GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2025-22129 MEDIUM POC PATCH Monitor

Tuleap is an Open Source Suite to improve management of software developments and collaboration. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Tuleap
NVD GitHub
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-47770 MEDIUM PATCH Monitor

Wazuh is a free and open source platform used for threat prevention, detection, and response. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Wazuh Suse
NVD GitHub
CVSS 3.1
4.6
EPSS
0.1%
CVE-2025-24961 MEDIUM PATCH This Month

org.gaul S3Proxy implements the S3 API and proxies requests. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal
NVD GitHub
CVSS 4.0
6.0
EPSS
0.4%
CVE-2024-44449 MEDIUM This Month

Cross Site Scripting vulnerability in Quorum onQ OS v.6.0.0.5.2064 allows a remote attacker to obtain sensitive information via the msg parameter in the Login page. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2025-25181 MEDIUM POC KEV THREAT Act Now

A SQL injection vulnerability in timeoutWarning.asp in Advantive VeraCore through 2025.1.0 allows remote attackers to execute arbitrary SQL commands via the PmSess1 parameter. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

SQLi Veracore
NVD
CVSS 3.1
5.8
EPSS
72.1%
CVE-2025-25065 MEDIUM This Month

SSRF vulnerability in the RSS feed parser in Zimbra Collaboration 9.0.0 before Patch 43, 10.0.x before 10.0.12, and 10.1.x before 10.1.4 allows unauthorized redirection to internal network endpoints. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Zimbra Collaboration Suite
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-57498 MEDIUM POC Monitor

Cross Site Scripting vulnerability in sayski ForestBlog 20241223 allows a remote attacker to escalate privileges via the article editing function. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Forestblog
NVD GitHub
CVSS 3.1
4.8
EPSS
0.3%
CVE-2024-57097 MEDIUM POC Monitor

ClassCMS 4.8 is vulnerable to Cross Site Scripting (XSS) in class/admin/channel.php. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Classcms
NVD GitHub
CVSS 3.1
4.8
EPSS
0.7%
CVE-2024-56946 MEDIUM PATCH This Month

Denial of service in DNS-over-QUIC in Technitium DNS Server <= v13.2.2 allows remote attackers to permanently stop the server from accepting new DNS-over-QUIC connections by triggering unhandled. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Dnsserver
NVD GitHub
CVSS 3.1
5.3
EPSS
0.9%
CVE-2024-11134 MEDIUM Monitor

The Eventer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'eventer_export_bookings_csv' function in all versions up to, and including,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Eventer
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2024-57237 MEDIUM This Month

Prolink 4G LTE Mobile Wi-Fi DL-7203E V4.0.0B05 is vulnerable to Cross Site Scripting (XSS) in the /reqproc/proc_get endpoint. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
6.3
EPSS
0.1%
CVE-2024-57004 MEDIUM POC This Month

Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an email attachment, leading to the triggering of the XSS by. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Webmail Suse
NVD GitHub
CVSS 3.1
6.1
EPSS
3.1%
CVE-2024-50656 MEDIUM POC This Month

itsourcecode Placement Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the Full Name field in registration.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Placement Management System
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2024-12510 MEDIUM This Month

If LDAP settings are accessed, authentication could be redirected to another server, potentially exposing credentials. Rated medium severity (CVSS 6.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
6.7
EPSS
0.1%
CVE-2025-24898 MEDIUM PATCH This Month

rust-openssl is a set of OpenSSL bindings for the Rust programming language. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

OpenSSL Memory Corruption Use After Free Denial Of Service Red Hat +1
NVD GitHub
CVSS 4.0
6.3
EPSS
0.1%
CVE-2024-57967 MEDIUM Monitor

PVWA (Password Vault Web Access) in CyberArk Privileged Access Manager Self-Hosted before 14.4 has potentially elevated privileges in LDAP mapping. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable. No vendor patch available.

Hashicorp Information Disclosure
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2024-57175 MEDIUM POC This Month

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the PHPGURUKUL Online Birth Certificate System v1.0 via the profile name to /user/certificate-form.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Online Birth Certificate System
NVD GitHub
CVSS 3.1
5.4
EPSS
1.0%
CVE-2024-54840 MEDIUM Monitor

PVWA (Password Vault Web Access) in CyberArk Privileged Access Manager Self-Hosted before 14.4 does not properly address environment issues that can contribute to Host header injection. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Hashicorp Code Injection Privileged Access Manager
NVD GitHub
CVSS 3.1
4.2
EPSS
0.0%
CVE-2024-53943 MEDIUM This Month

An issue was discovered in NRadio N8-180 NROS-1.9.2.n3.c5 devices. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2024-53942 MEDIUM Monitor

An issue was discovered on NRadio N8-180 NROS-1.9.2.n3.c5 devices. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 10.4% and no vendor patch available.

Command Injection
NVD GitHub
CVSS 3.1
4.8
EPSS
10.4%
CVE-2024-36437 MEDIUM This Month

The com.enflick.android.TextNow (aka TextNow: Call + Text Unlimited) application 24.17.0.2 for Android enables any installed application (with no permissions) to place phone calls without user. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Android
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2024-55456 MEDIUM POC This Week

lunasvg v3.0.1 was discovered to contain a segmentation violation via the component gray_find_cell. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Lunasvg
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2024-38417 MEDIUM PATCH This Month

Information disclosure while processing IO control commands. Rated medium severity (CVSS 6.1), this vulnerability is low attack complexity.

Buffer Overflow Information Disclosure Ar8035 Firmware C V2x 9150 Firmware Fastconnect 6900 Firmware +53
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-38416 MEDIUM PATCH This Month

Information disclosure during audio playback. Rated medium severity (CVSS 6.1), this vulnerability is low attack complexity.

Buffer Overflow Information Disclosure Ar8035 Firmware C V2x 9150 Firmware Fastconnect 6800 Firmware +68
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2024-38414 MEDIUM PATCH This Month

Information disclosure while processing information on firmware image during core initialization. Rated medium severity (CVSS 6.1), this vulnerability is low attack complexity.

Buffer Overflow Information Disclosure Fastconnect 6900 Firmware Fastconnect 7800 Firmware Qam8295p Firmware +25
NVD
CVSS 3.1
6.1
EPSS
0.1%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy