Skip to main content
CVE-2024-8425 CRITICAL POC THREAT Emergency

The WooCommerce Ultimate Gift Card plugin through version 2.6.0 contains unauthenticated arbitrary file uploads in the mail preview and cart functions. Insufficient file type validation allows attackers to upload PHP webshells through the gift card functionality, achieving remote code execution on e-commerce sites.

WordPress RCE File Upload
NVD
CVSS 3.1
9.8
EPSS
63.0%
Threat
5.4
CVE-2024-9193 CRITICAL POC THREAT Emergency

The WHMpress - WHMCS WordPress Integration Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.3-revision-0 via the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 29.2% and no vendor patch available.

Information Disclosure PHP RCE LFI WordPress +1
NVD
CVSS 3.1
9.8
EPSS
29.2%
Threat
4.3
CVE-2025-27410 MEDIUM POC PATCH THREAT This Month

PwnDoc is a penetration test reporting application. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 21.6%.

RCE Path Traversal Pwndoc
NVD GitHub
CVSS 3.1
6.5
EPSS
21.6%
CVE-2025-26466 MEDIUM PATCH This Month

A flaw was found in the OpenSSH package. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Epss exploitation probability 42.5% and no vendor patch available.

Microsoft SSH Denial Of Service Openssh Ubuntu Linux +1
NVD
CVSS 3.1
5.9
EPSS
42.5%
CVE-2025-25723 HIGH POC PATCH This Week

Buffer Overflow vulnerability in GPAC version 2.5 allows a local attacker to execute arbitrary code. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Buffer Overflow RCE Gpac
NVD GitHub
CVSS 3.1
8.4
EPSS
0.0%
CVE-2025-25477 HIGH POC This Week

A host header injection vulnerability in SysPass 3.2x allows an attacker to load malicious JS files from an arbitrary domain which would be executed in the victim's browser. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Syspass
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-25635 HIGH POC This Week

TOTOlink A3002R V1.1.1-B20200824.0128 contains a buffer overflow vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow A3002r Firmware TOTOLINK
NVD GitHub
CVSS 3.1
8.0
EPSS
0.1%
CVE-2025-25428 HIGH POC This Week

TRENDnet TEW-929DRU 1.0.0.10 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Tew 929Dru Firmware
NVD
CVSS 3.1
8.0
EPSS
0.1%
CVE-2025-27413 MEDIUM POC PATCH This Month

PwnDoc is a penetration test reporting application. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Path Traversal Pwndoc
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2025-25478 MEDIUM POC This Month

The account file upload functionality in Syspass 3.2.x fails to properly handle special characters in filenames. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Syspass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-1744 CRITICAL PATCH Act Now

Out-of-bounds Write vulnerability in radareorg radare2 allows heap-based buffer over-read or buffer overflow.9.9. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Memory Corruption Buffer Overflow Radare2 Suse
NVD GitHub
CVSS 4.0
10.0
EPSS
0.3%
CVE-2024-8420 CRITICAL Act Now

The DHVC Form plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Privilege Escalation Dhvc Form
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-25379 CRITICAL Act Now

Cross Site Request Forgery vulnerability in 07FLYCMS v.1.3.9 allows a remote attacker to execute arbitrary code via the id parameter of the del.html component. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE CSRF 07flycms
NVD GitHub
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-26326 HIGH This Week

A vulnerability was identified in the NVDA Remote (version 2.6.4) and Tele NVDA Remote (version 2025.3.3) remote connection add-ons, which allows an attacker to obtain total control of the remote. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 3.1
8.8
EPSS
3.4%
CVE-2025-25461 MEDIUM POC This Month

A Stored Cross-Site Scripting (XSS) vulnerability exists in SeedDMS 6.0.29. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Seeddms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2025-25476 MEDIUM POC This Month

A stored cross-site scripting (XSS) vulnerability in SysPass 3.2.x allows a malicious user with elevated privileges to execute arbitrary Javascript code by specifying a malicious XSS payload as a. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Syspass
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-25916 MEDIUM POC This Month

wuzhicms v4.1.0 has a Cross Site Scripting (XSS) vulnerability in del function in \coreframe\app\member\admin\group.php. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Wuzhicms
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-22273 CRITICAL Act Now

Application does not limit the number or frequency of user interactions, such as the number of incoming requests. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service
NVD
CVSS 4.0
9.3
EPSS
0.2%
CVE-2025-26263 MEDIUM POC This Month

GeoVision ASManager Windows desktop application with the version 6.1.2.0 or less (fixed in 6.2.0), is vulnerable to credentials disclosure due to improper memory handling in the ASManagerService.exe. Rated medium severity (CVSS 5.1), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Information Disclosure Windows
NVD GitHub Exploit-DB
CVSS 3.1
5.1
EPSS
0.4%
CVE-2025-0159 CRITICAL Act Now

IBM FlashSystem (IBM Storage Virtualize (8.5.0.0 through 8.5.0.13, 8.5.1.0, 8.5.2.0 through 8.5.2.3, 8.5.3.0 through 8.5.3.1, 8.5.4.0, 8.6.0.0 through 8.6.0.5, 8.6.1.0, 8.6.2.0 through 8.6.2.1,. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM Authentication Bypass Storage Virtualize
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-26047 MEDIUM POC This Month

Loggrove v1.0 is vulnerable to SQL Injection in the read.py file. Rated medium severity (CVSS 5.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Loggrove
NVD
CVSS 3.1
5.1
EPSS
0.0%
CVE-2025-0975 HIGH This Week

IBM MQ 9.3 LTS, 9.3 CD, 9.4 LTS, and 9.4 CD console could allow an authenticated user to execute code due to improper neutralization of escape characters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure IBM Mq Appliance
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2024-12811 HIGH This Week

The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_slider' shortcode 'style' attribute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure PHP RCE LFI WordPress
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-1682 HIGH This Week

The Cardealer theme for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.4 due to missing capability check on the 'save_settings' function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2024-9195 HIGH This Week

The WHMPress - WHMCS Client Area plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the update_settings. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress PHP Authentication Bypass Privilege Escalation Whmcs Client Area
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-1687 HIGH This Week

The Cardealer theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF PHP
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-25429 MEDIUM POC This Month

Trendnet TEW-929DRU 1.0.0.10 contains a Stored Cross-site Scripting (XSS) vulnerability via the r_name variable inside the have_same_name function on the /addschedule.htm page. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

XSS Tew 929Dru Firmware
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-25431 MEDIUM POC This Month

Trendnet TEW-929DRU 1.0.0.10 contains a Stored Cross-site Scripting (XSS) vulnerability via the The ssid key of wifi_data parameter on the /captive_portal.htm page. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

XSS Tew 929Dru Firmware
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-25430 MEDIUM POC This Month

Trendnet TEW-929DRU 1.0.0.10 contains a Stored Cross-site Scripting (XSS) vulnerability via the configname parameter on the /cbi_addcert.htm page. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

XSS Tew 929Dru Firmware
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2025-20060 HIGH This Week

An attacker could expose cross-user personal identifiable information (PII) and personal health information transmitted to the Android device via the Dario Health application database. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Information Disclosure Android
NVD
CVSS 4.0
8.7
EPSS
0.2%
CVE-2025-1413 HIGH This Week

DaVinci Resolve on MacOS was found to be installed with incorrect file permissions (rwxrwxrwx). Rated high severity (CVSS 8.4), this vulnerability is low attack complexity. No vendor patch available.

Apple Privilege Escalation macOS
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2025-1570 HIGH This Week

The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress Privilege Escalation Directorist PHP
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-0160 HIGH This Week

IBM FlashSystem (IBM Storage Virtualize (8.5.0.0 through 8.5.0.13, 8.5.1.0, 8.5.2.0 through 8.5.2.3, 8.5.3.0 through 8.5.3.1, 8.5.4.0, 8.6.0.0 through 8.6.0.5, 8.6.1.0, 8.6.2.0 through 8.6.2.1,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

IBM RCE Java Storage Virtualize
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-25610 HIGH This Week

TOTOlink A3002R V1.1.1-B20200824.0128 contains a buffer overflow vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow A3002r Firmware TOTOLINK
NVD GitHub
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-25609 HIGH This Week

TOTOlink A3002R V1.1.1-B20200824.0128 contains a buffer overflow vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow A3002r Firmware TOTOLINK
NVD GitHub
CVSS 3.1
8.0
EPSS
0.0%
CVE-2024-1509 HIGH This Week

Brocade ASCG before 3.2.0 Web Interface is not enforcing HSTS, as defined by RFC 6797. Rated high severity (CVSS 7.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
7.6
EPSS
0.1%
CVE-2025-25729 HIGH This Week

An information disclosure vulnerability in Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 allows attackers to obtain hardcoded cleartext credentials via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-24849 HIGH This Week

Lack of encryption in transit for cloud infrastructure facilitating potential for sensitive data manipulation or exposure. Rated high severity (CVSS 7.5), this vulnerability is no authentication required. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
7.5
EPSS
0.0%
CVE-2025-22270 HIGH This Week

An attacker with access to the Administration panel, specifically the "Role Management" tab, can inject code by adding a new role in the "name" field. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE XSS
NVD
CVSS 4.0
7.3
EPSS
0.5%
CVE-2024-13831 HIGH This Week

The Tabs for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.0 via deserialization of untrusted input in the 'product_has_custom_tabs'. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP Deserialization Tabs For Woocommerce
NVD
CVSS 3.1
7.2
EPSS
1.0%
CVE-2025-1513 HIGH PATCH This Week

The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery - Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons plugin for WordPress is vulnerable to Stored. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Contest Gallery PHP
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2025-1319 HIGH PATCH This Week

The Site Mailer - SMTP Replacement, Email API Deliverability & Email Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.3 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Elementor
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-20049 HIGH This Week

The Dario Health portal service application is vulnerable to XSS, which could allow an attacker to obtain sensitive information. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

XSS
NVD
CVSS 4.0
7.1
EPSS
0.1%
CVE-2025-22271 MEDIUM This Month

The application or its infrastructure allows for IP address spoofing by providing its own value in the "X-Forwarded-For" header. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-23405 MEDIUM This Month

Unauthenticated log effects metrics gathering incident response efforts and potentially exposes risk of injection attacks (ex log injection). Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2025-24316 MEDIUM This Month

The Dario Health Internet-based server infrastructure is vulnerable due to exposure of development environment details, which could lead to unsafe functionality. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
6.9
EPSS
0.1%
CVE-2024-56340 MEDIUM PATCH This Month

IBM Cognos Analytics 11.2.0 through 11.2.4 FP5 is vulnerable to local file inclusion vulnerability, allowing an attacker to access sensitive files by inserting path traversal payloads inside the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

IBM Path Traversal Cognos Analytics
NVD GitHub
CVSS 3.1
6.5
EPSS
1.8%
CVE-2024-44754 MEDIUM This Month

Cryptographic key extraction from internal flash in Minut M2 with firmware version #15142 allows physically proximate attackers to inject modified firmware into any other Minut M2 product via USB. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Code Injection
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-22491 MEDIUM This Month

The user input was not sanitized on Reporting Hierarchy Management page of Foreseer Reporting Software (FRS) application which could lead into execution of arbitrary JavaScript in a browser context. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-1572 MEDIUM PATCH This Month

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the ‘u_id’ parameter in all versions up to, and including, 3.6.7 due to insufficient. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

WordPress SQLi Kivicare PHP
NVD
CVSS 3.1
6.5
EPSS
0.2%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy