Skip to main content
CVE-2025-48783 HIGH This Week

CVE-2025-48783 is an external control of file name or path vulnerability (CWE-73) in the delete file function of Soar Cloud HRD Human Resource Management System versions up to 7.3.2025.0408, allowing unauthenticated remote attackers to delete arbitrary files by manipulating file path parameters. The vulnerability has a CVSS score of 7.5 with high integrity impact, enabling attackers to perform unauthorized file deletion without authentication. Exploitation requires only network access and no user interaction, making this a significant threat to organizations using affected HRD system versions.

Information Disclosure Hr Portal
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-48784 HIGH This Week

Missing authorization vulnerability in Soar Cloud HRD Human Resource Management System versions up to 7.3.2025.0408 that allows unauthenticated remote attackers to modify critical system settings without any credentials or user interaction. This is a high-severity integrity violation (CVSS 7.5) affecting HR management infrastructure; attackers can alter configurations that may impact payroll, employee records, access controls, and compliance functions. No exploitation complexity is required (AC:L, PR:N), making this vulnerability immediately exploitable in real-world environments.

Information Disclosure Hr Portal
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-47950 HIGH PATCH This Week

A denial of service vulnerability in versions (CVSS 7.5). High severity vulnerability requiring prompt remediation. Vendor patch is available.

Denial Of Service Coredns Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-49237 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in POEditor that enables path traversal attacks, affecting versions 0.9.10 and earlier. An attacker can exploit this via a crafted request to perform unauthorized actions on behalf of an authenticated user, potentially leading to high availability impact. While the CVSS score of 7.4 indicates a significant threat, the requirement for user interaction (UI:R) and network-based attack vector limits real-world exploitability; current KEV and EPSS data are needed to determine if active exploitation is occurring.

CSRF Path Traversal
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-28954 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in the wphobby Backwp WordPress plugin (versions through 2.0.2) that enables path traversal attacks. An unauthenticated remote attacker can exploit this via a crafted web request to perform unauthorized actions and potentially access sensitive files outside intended directories. While the CVSS score of 7.4 indicates high severity with availability impact, the vulnerability requires user interaction (UI:R) and affects availability rather than confidentiality or integrity, suggesting moderate real-world exploitability.

CSRF Path Traversal
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-5474 HIGH This Week

Local privilege escalation vulnerability in 2BrightSparks SyncBackFree that allows low-privileged attackers to escalate to SYSTEM-level privileges by abusing the Mirror functionality through malicious junction creation. The vulnerability requires local code execution capability and administrator interaction, enabling arbitrary file deletion and code execution with SYSTEM privileges. This is a moderately severe local privilege escalation with a CVSS score of 7.3.

RCE Privilege Escalation Syncbackfree
NVD
CVSS 3.0
7.3
EPSS
0.0%
CVE-2025-22484 HIGH PATCH This Week

CVE-2025-22484 is an unthrottled resource allocation vulnerability in Qnap File Station 5 that allows authenticated remote attackers to exhaust system resources and cause denial of service. An attacker with valid user credentials can exploit this CWE-770 weakness to prevent legitimate users and processes from accessing shared resources, affecting availability. The vulnerability has a moderate-to-high CVSS 7.1 score driven by network accessibility and high availability impact, though it requires prior authentication; the fix is available in File Station 5 version 5.5.6.4847 and later.

Denial Of Service Qnap
NVD
CVSS 4.0
7.1
EPSS
0.2%
CVE-2025-5018 HIGH This Week

The Hive Support WordPress plugin (versions ≤1.2.4) contains missing capability checks in the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions, allowing authenticated Subscriber-level users to read and modify sensitive data including OpenAI API keys, inspection data, and AI chat prompts. With a CVSS score of 7.1 and network-accessible attack vector requiring only user authentication, this vulnerability poses significant risk to WordPress installations using this plugin. The vulnerability may be a duplicate of CVE-2025-32208 or CVE-2025-32242, and patch status and active exploitation metrics are currently unknown.

WordPress Authentication Bypass
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-48329 HIGH This Week

A reflected cross-site scripting (XSS) vulnerability exists in Daman Jeet's Real Time Validation for Gravity Forms plugin affecting versions through 1.7.0, allowing unauthenticated attackers to inject malicious scripts that execute in users' browsers. The vulnerability requires user interaction (clicking a malicious link) but can compromise user sessions, steal credentials, or deface form content due to its cross-site impact scope. While the CVSS score of 7.1 indicates moderate-to-high severity, real-world exploitation depends on form visibility and user interaction patterns.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49453 HIGH This Week

CSRF vulnerability in Jatinder Pal Singh BP Profile as Homepage plugin (versions through 1.1) that enables Stored XSS attacks. An unauthenticated attacker can exploit this via a malicious web request to inject persistent JavaScript into the application, affecting all users who view the compromised profile. The vulnerability requires user interaction (CVSS UI:R) but has cross-site scope impact (S:C), resulting in a 7.1 medium-high severity rating; KEV status and active exploitation data are not currently available in public disclosures.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49425 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Adrian Hanft's Konami Easter Egg browser extension (versions through v0.4) that can lead to Stored Cross-Site Scripting (XSS) attacks. An attacker can craft a malicious request to inject persistent JavaScript code that executes in the context of affected users' browsers, potentially compromising user sessions, stealing credentials, or performing unauthorized actions. With a CVSS score of 7.1 and network-accessible attack vector requiring only user interaction, this vulnerability poses a moderate-to-significant risk to users of the extension, though real-world exploitation likelihood depends on whether public exploits exist and the extension's actual user base.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-30995 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in OTWthemes Widgetize Pages Light plugin (versions up to 3.0) that enables Stored XSS attacks. An unauthenticated attacker can craft malicious requests to trick authenticated users into performing unintended actions, resulting in persistent XSS payload injection that affects all subsequent visitors. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector and low complexity, indicating moderate real-world exploitability without requiring elevated privileges.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-28981 HIGH This Week

A cross-site scripting vulnerability in Soli WP Mail Options allows Stored XSS (CVSS 7.1). High severity vulnerability requiring prompt remediation.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-28974 HIGH This Week

CSRF vulnerability in mail250 Free WP Mail SMTP (versions up to 1.0) that enables stored XSS attacks, allowing unauthenticated remote attackers to inject malicious scripts via crafted requests. The vulnerability requires user interaction (UI:R) but has network-based attack vector (AV:N) with low complexity (AC:L), affecting WordPress installations using this email plugin. While CVSS 7.1 indicates medium-high severity with confidentiality, integrity, and availability impact, real-world exploitation depends on KEV status, EPSS probability, and public POC availability-data not provided in the source material.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-28966 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in the dilemma123 Recent Posts Slider Responsive WordPress plugin (versions through 1.0.1) that enables Stored XSS attacks. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads, which execute in the browsers of site administrators and visitors, potentially leading to account compromise, malware distribution, or defacement. The vulnerability requires user interaction (UI:R) but has network-accessible attack surface (AV:N) with moderate CVSS score of 7.1 and should be prioritized for patched WordPress installations running vulnerable plugin versions.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-28964 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in mangup Personal Favicon (versions up to 2.0) that enables Stored XSS attacks. An unauthenticated attacker can craft a malicious request that, when visited by a user, executes arbitrary JavaScript in the victim's browser context with access to sensitive data and session tokens. While no public exploit or KEV status confirmation is available from the provided data, the CVSS 7.1 score and Stored XSS payload persistence indicate moderate-to-high real-world risk, particularly if the plugin has significant user adoption.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-28958 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Vadim Bogaiskov's Bg Orthodox Calendar plugin that enables Stored Cross-Site Scripting (XSS) attacks. The vulnerability affects all versions from an unspecified baseline through 0.13.10, allowing unauthenticated attackers over the network to inject and store malicious scripts that execute in users' browsers with moderate impact to confidentiality, integrity, and availability. The CVSS 7.1 score reflects the combination of network attack vector with user interaction requirement; real-world exploitation risk depends on whether this vulnerability is actively exploited or has public proof-of-concept code available.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-28950 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in David Shabtai's Post Author WordPress plugin (versions through 1.1.1) that enables Stored Cross-Site Scripting (XSS) attacks. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads that execute in the browsers of all users viewing affected content, potentially leading to account compromise, data theft, or malware distribution. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector and low complexity, indicating practical exploitability without authentication.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-28948 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in the codedraft Mediabay WordPress plugin (versions up to 1.4) that enables reflected XSS attacks. Attackers can exploit this network-accessible vulnerability without authentication to perform unauthorized actions on behalf of authenticated users and inject malicious scripts, affecting WordPress installations using this media library plugin. The CVSS 7.1 score and absence of KEV/active exploitation data suggest moderate real-world risk with UI interaction required.

WordPress CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-48909 HIGH This Week

Bypass vulnerability in device management channels that allows unauthenticated attackers on adjacent networks to compromise service confidentiality and cause minor availability impact. The vulnerability affects device management implementations across multiple vendors (specific products require vendor advisories to identify). While no active exploitation in the wild has been confirmed in public KEV databases at time of analysis, the 7.1 CVSS score and high confidentiality impact warrant immediate attention for organizations managing devices on trusted networks.

Authentication Bypass Information Disclosure Harmonyos
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-5791 HIGH PATCH This Week

Privilege escalation vulnerability in the Rust 'users' crate that incorrectly includes the root group in access control lists when a user or process has fewer than 1024 groups. An authenticated local attacker with low privileges can exploit this flaw to gain unauthorized access to resources restricted to the root group, achieving privilege escalation. The vulnerability requires local access and existing user privileges but has high impact on confidentiality and integrity.

Rust Privilege Escalation Red Hat Suse
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-5751 MEDIUM This Month

WOLFBOX Level 2 EV Charger Management Card Hard-coded Credentials Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to bypass authentication on affected installations of WOLFBOX Level 2 EV Charger. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of management cards. The issue results from the lack of personalization of management cards. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26292.

Authentication Bypass Level 2 Ev Charger Firmware
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2024-13087 MEDIUM PATCH This Month

A command injection vulnerability has been reported to affect QHora. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuRouter 2.4.6.028 and later

Command Injection Qurouter
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-48908 MEDIUM This Month

CVE-2025-48908 is a security vulnerability (CVSS 6.7). Remediation should follow standard vulnerability management procedures.

Information Disclosure Harmonyos
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-49329 MEDIUM This Month

Unrestricted Upload of File with Dangerous Type vulnerability in Agile Logix Store Locator WordPress allows Upload a Web Shell to a Web Server. This issue affects Store Locator WordPress: from n/a through 1.5.2.

WordPress File Upload
NVD
CVSS 3.1
6.6
EPSS
0.1%
CVE-2025-48902 MEDIUM This Month

A remote code execution vulnerability (CVSS 6.6). Remediation should follow standard vulnerability management procedures.

Information Disclosure Emui Harmonyos
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-33035 MEDIUM PATCH This Month

A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later

Path Traversal File Station
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2023-25997 MEDIUM This Month

Missing Authorization vulnerability in SolaPlugins Sola Support Ticket allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sola Support Ticket: from n/a through 3.17.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-5563 MEDIUM This Month

The WP-Addpub plugin for WordPress is vulnerable to SQL Injection via the 'wp-addpub' shortcode in all versions up to, and including, 1.2.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

WordPress SQLi PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49450 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mhallmann SEPA Girocode allows Stored XSS. This issue affects SEPA Girocode: from n/a through 0.5.1.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49443 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris McCoy Bacon Ipsum allows Stored XSS. This issue affects Bacon Ipsum: from n/a through 2.4.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49442 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mostafa Shahiri Simple Nested Menu allows Stored XSS. This issue affects Simple Nested Menu: from n/a through 1.0.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49429 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Burnette Video Embeds allows Stored XSS. This issue affects Video Embeds: from n/a through 0.1.1.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49427 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Burnette Abbie Expander allows Stored XSS. This issue affects Abbie Expander: from n/a through 1.0.1.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49314 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ovatheme BRW allows Stored XSS. This issue affects BRW: from n/a through 1.8.6.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49311 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CoolHappy The Events Calendar Countdown Addon allows Stored XSS. This issue affects The Events Calendar Countdown Addon: from n/a through 1.4.9.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49310 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M A Vinoth Kumar Frontend Dashboard allows Stored XSS. This issue affects Frontend Dashboard: from n/a through 2.2.8.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49309 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Team Member allows Stored XSS. This issue affects HT Team Member: from n/a through 1.1.7.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49305 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in impleCode Product Catalog Simple allows Stored XSS. This issue affects Product Catalog Simple: from n/a through 1.8.1.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49304 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeManas Search with Typesense allows Stored XSS. This issue affects Search with Typesense: from n/a through 2.0.10.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49301 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpsoul Greenshift allows DOM-Based XSS. This issue affects Greenshift: from n/a through 11.5.5.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49299 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPlugged.com WebHotelier allows Stored XSS. This issue affects WebHotelier: from n/a through 1.9.2.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49298 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bastien Ho Event post allows Stored XSS. This issue affects Event post: from n/a through 5.10.1.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49244 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vova Shortcodes Ultimate allows Stored XSS. This issue affects Shortcodes Ultimate: from n/a through 7.3.5.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49243 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sevenspark ShiftNav - Responsive Mobile Menu allows Stored XSS. This issue affects ShiftNav - Responsive Mobile Menu: from n/a through 1.8.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49242 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sevenspark Bellows Accordion Menu allows Stored XSS. This issue affects Bellows Accordion Menu: from n/a through 1.4.3.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49235 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rometheme RTMKit Addons for Elementor allows Stored XSS. This issue affects RTMKit Addons for Elementor: from n/a through 1.6.0.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-31025 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blocksera Image Hover Effects Block allows Stored XSS. This issue affects Image Hover Effects Block: from n/a through 1.4.5.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-30991 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shahjada Premium Packages allows Stored XSS. This issue affects Premium Packages: from n/a through 6.0.2.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-30952 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdive Nexa Blocks allows Stored XSS. This issue affects Nexa Blocks: from n/a through 1.1.0.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
Prev Page 3 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy