Skip to main content
CVE-2025-2749 HIGH POC KEV PATCH THREAT Act Now

Remote code execution in Kentico Xperience CMS versions through 13.0.178 allows authenticated administrators to upload arbitrary files to controlled server paths via path traversal in the Staging Sync Server component. Confirmed actively exploited in the wild (CISA KEV). Public exploit available with detailed bypass techniques. EPSS score of 1.23% (79th percentile) suggests targeted exploitation rather than widespread scanning. While CVSS 7.2 requires high-privilege (administrator) authentication, active exploitation status makes this a priority for organizations running Kentico CMS.

RCE Path Traversal File Upload
NVD VulDB
CVSS 3.1
7.2
EPSS
1.2%
Threat
4.5
CVE-2025-30569 HIGH This Week

SQL injection in WP Featured Entries WordPress plugin versions up to 1.0 enables authenticated attackers with low-level privileges to extract sensitive database contents and potentially cause database denial of service through scope change. Reported by Patchstack audit team, this vulnerability has low exploitation probability (EPSS 0.09%, 25th percentile) and no confirmed active exploitation or public POC. The scope-changing nature (S:C) allows attackers to impact resources beyond the vulnerable component, escalating the attack's reach despite requiring initial authentication.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-30590 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Dourou Flickr set slideshows allows SQL Injection.9. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2024-8773 HIGH This Week

SIMPLE.ERP client is vulnerable to MS SQL protocol downgrade request from a server side, what could lead to an unencrypted communication vulnerable to data interception and modification. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
8.3
EPSS
0.1%
CVE-2025-29314 HIGH This Week

Insecure Shiro cookie configurations in OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allow attackers to access sensitive information via a man-in-the-middle attack. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-2231 HIGH This Week

PDF-XChange Editor RTF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Buffer Overflow RCE Pdf Tools Pdf Xchange Editor
NVD
CVSS 3.0
7.8
EPSS
0.3%
CVE-2025-0835 HIGH This Week

Software installed and run as a non-privileged user may conduct improper GPU system calls to corrupt kernel heap memory. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Use After Free Memory Corruption Information Disclosure
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-0478 HIGH This Week

Software installed and run as a non-privileged user may conduct improper GPU system calls to issue reads and writes to arbitrary physical memory pages. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-8774 HIGH This Week

The SIMPLE.ERP client stores superuser password in a recoverable format, allowing any authenticated SIMPLE.ERP user to escalate privileges to a database administrator. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation
NVD
CVSS 4.0
7.7
EPSS
0.1%
CVE-2025-30205 HIGH This Week

kanidim-provision is a helper utility that uses kanidm's API to provision users, groups and oauth2 systems. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 3.1
7.6
EPSS
0.2%
CVE-2025-30525 HIGH This Week

SQL injection in WP Profitshare plugin for WordPress allows authenticated administrators to extract sensitive database contents or disrupt availability. Affects versions up to 1.4.9. The CVSS 7.6 score reflects high confidentiality impact with scope change, indicating potential database-wide access beyond the plugin's normal privileges. EPSS score of 0.21% (44th percentile) suggests low current exploitation probability, and no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.2%
CVE-2025-30523 HIGH This Week

SQL injection in Super Simple Subscriptions WordPress plugin through version 1.1.0 allows high-privileged administrators to extract database contents and potentially cause service disruption. The vulnerability requires authenticated admin access (PR:H) but enables cross-scope impact (S:C), allowing compromise beyond the plugin's normal boundaries to potentially access WordPress database tables containing user credentials, payment data, or other sensitive information. With EPSS at 0.21% (44th percentile) and no confirmed active exploitation, this represents a moderate insider threat or account compromise scenario rather than an immediate mass-exploitation risk.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.2%
CVE-2025-30604 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in jiangqie JiangQie Official Website Mini Program allows Blind SQL Injection.8.2. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-30571 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in STEdb Corp. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-30570 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AliRezaMohammadi دکمه، شبکه اجتماعی خرید allows SQL Injection.0.6. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-29311 HIGH This Week

Limited secret space in LLDP packets used in onos v2.7.0 allows attackers to obtain the private key via a bruteforce attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Onos
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2021-26091 HIGH This Week

A use of a cryptographically weak pseudo-random number generator vulnerability in the authenticator of the Identity Based Encryption service of FortiMail 6.4.0 through 6.4.4, and 6.2.0 through 6.2.7. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Fortimail
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-29313 HIGH This Week

Use of incorrectly resolved name or reference in OpenDaylight Service Function Chaining (SFC) Subproject SFC Sodium-SR4 and below allows attackers to cause a Denial of Service (DoS). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-0255 HIGH This Week

HCL DevOps Deploy / HCL Launch could allow a remote privileged authenticated attacker to execute arbitrary commands on the system by sending specially crafted input containing special elements. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Hcl Devops Deploy Hcl Launch
NVD
CVSS 3.1
7.2
EPSS
0.6%
CVE-2025-30112 HIGH This Week

On 70mai Dash Cam 1S devices, by connecting directly to the dashcam's network and accessing the API on port 80 and RTSP on port 554, an attacker can bypass the device authorization mechanism from the. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-30588 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in ryan_xantoo Map Contact allows Stored XSS.0.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-30587 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in shawfactor LH OGP Meta allows Stored XSS.73. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-30586 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in bbodine1 cTabs allows Stored XSS.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-30584 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in alphaomegaplugins AlphaOmega Captcha & Anti-Spam Filter allows Stored XSS.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-30583 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in ProRankTracker Pro Rank Tracker allows Stored XSS.0.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-30578 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in hotvanrod AdSense Privacy Policy allows Stored XSS.1.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-30552 HIGH This Week

Cross-Site Request Forgery (CSRF) enables stored cross-site scripting (XSS) in WordPress Admin Bar Improved plugin versions up to 3.3.5, allowing attackers to trick authenticated administrators into executing malicious code that persists in the WordPress admin interface. The vulnerability chains CSRF with stored XSS, enabling attackers to inject scripts that execute whenever any user accesses affected admin pages. EPSS exploitation probability is low (0.08%, 24th percentile), no active exploitation confirmed via CISA KEV, and Patchstack has documented this vulnerability with attack chain details.

WordPress CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-30550 HIGH This Week

CSRF vulnerability in CallPhone'r WordPress plugin through version 1.1.1 enables attackers to trick authenticated administrators into executing malicious requests that inject persistent XSS payloads into the application. This chained attack bypasses CSRF protections, allowing stored cross-site scripting that executes in victim browsers. The vulnerability requires user interaction (tricking an admin to click a malicious link) but needs no authentication from the attacker's perspective. EPSS probability of 0.08% (24th percentile) indicates low observed exploitation in the wild, with no CISA KEV listing or public POC identified at time of analysis.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-30522 HIGH This Week

Cross-Site Request Forgery in Contact Form 7 Material Design plugin versions up to 1.0.0 allows attackers to trick authenticated administrators into executing malicious requests that inject persistent JavaScript, achieving Stored XSS. CVSS 7.1 reflects the changed scope (S:C) and multi-stage attack requiring user interaction. EPSS score of 0.08% (24th percentile) indicates low probability of mass exploitation, with no evidence of active exploitation (not in CISA KEV) or public POC at time of analysis. This CSRF-to-XSS chain targets WordPress site administrators.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-30602 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in alphasis Related Posts via Categories allows Stored XSS.1.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-30577 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in mendibass Browser Address Bar Color allows Stored XSS.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-30572 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Igor Yavych Simple Rating allows Stored XSS.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-30565 HIGH This Week

Stored cross-site scripting in Banner Manager WordPress plugin through version 16.04.19 is achievable via CSRF attack vector, allowing attackers to inject malicious scripts that execute in victim administrators' browsers. The vulnerability chains a CSRF weakness (CWE-352) with XSS payload injection, enabling attackers to compromise admin sessions by tricking authenticated users into visiting attacker-controlled pages. No public exploit identified at time of analysis, with EPSS indicating 0.04% exploitation probability (12th percentile), suggesting low observed threat actor interest despite the cross-scope impact and network attack vector.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-30564 HIGH This Week

Stored Cross-Site Scripting can be injected into Custom Script Integration for WordPress via Cross-Site Request Forgery attack affecting versions up to and including 2.1. Attackers can trick authenticated administrators into submitting malicious script payloads that persist in the site database and execute in victims' browsers. EPSS score of 0.04% (12th percentile) indicates low automated exploitation likelihood, and no active exploitation or public exploit code has been identified at time of analysis, though the vulnerability has been publicly documented by Patchstack.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-30561 HIGH This Week

Cross-site request forgery (CSRF) in CAS Maestro WordPress plugin versions up to 1.1.3 enables attackers to chain CSRF with stored XSS, allowing malicious scripts to be persistently injected into the application. Attackers trick authenticated administrators into executing forged requests that store malicious payloads, which then execute in victims' browsers with administrator privileges. EPSS score of 0.04% (12th percentile) indicates low observed exploitation probability, and no active exploitation is confirmed in CISA KEV. This WordPress plugin vulnerability requires social engineering to exploit but achieves scope change (S:C) allowing cross-context attacks once the stored XSS payload is injected.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-30560 HIGH This Week

Stored cross-site scripting (XSS) in jQuery Dropdown Menu WordPress plugin (versions up to 3.0) can be triggered via CSRF, allowing remote unauthenticated attackers to inject malicious scripts into the application when an authenticated administrator is tricked into submitting a crafted request. The vulnerability chains CSRF (CWE-352) with stored XSS, enabling persistent code execution in victim browsers with changed origin scope (S:C in CVSS vector). EPSS probability is low (0.04%, 12th percentile) indicating limited observed exploitation activity. No CISA KEV listing or public exploit code identified at time of analysis.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-30558 HIGH This Week

Cross-site request forgery in ANAC XML Render WordPress plugin versions through 1.5.7 enables stored cross-site scripting attacks. Remote unauthenticated attackers can trick authenticated administrators into executing malicious requests that inject persistent JavaScript payloads into the site. EPSS score of 0.04% (12th percentile) indicates low observed exploitation probability, and no public exploit code or active exploitation has been identified at time of analysis.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-30555 HIGH This Week

CSRF vulnerability in WordPres 同步微博 WordPress plugin enables stored XSS attacks against site administrators. Unauthenticated remote attackers can craft malicious pages that trick authenticated administrators into executing attacker-controlled JavaScript stored in the WordPress database, leading to account compromise, content manipulation, or site takeover. EPSS score of 0.04% (12th percentile) indicates low observed exploitation probability, and no active exploitation or public POC has been identified at time of analysis.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-30621 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in kornelly Translator allows Stored XSS.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-30620 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in coderscom WP Odoo Form Integrator allows Stored XSS.1.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-30612 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in mandegarweb Replace Default Words allows Stored XSS.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-30608 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Anthony WordPress SQL Backup allows Stored XSS.5.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-30603 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in DEJAN CopyLink allows Stored XSS.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy