CVE-2025-48783 is an external control of file name or path vulnerability (CWE-73) in the delete file function of Soar Cloud HRD Human Resource Management System versions up to 7.3.2025.0408, allowing unauthenticated remote attackers to delete arbitrary files by manipulating file path parameters. The vulnerability has a CVSS score of 7.5 with high integrity impact, enabling attackers to perform unauthorized file deletion without authentication. Exploitation requires only network access and no user interaction, making this a significant threat to organizations using affected HRD system versions.
Missing authorization vulnerability in Soar Cloud HRD Human Resource Management System versions up to 7.3.2025.0408 that allows unauthenticated remote attackers to modify critical system settings without any credentials or user interaction. This is a high-severity integrity violation (CVSS 7.5) affecting HR management infrastructure; attackers can alter configurations that may impact payroll, employee records, access controls, and compliance functions. No exploitation complexity is required (AC:L, PR:N), making this vulnerability immediately exploitable in real-world environments.
A denial of service vulnerability in versions (CVSS 7.5). High severity vulnerability requiring prompt remediation. Vendor patch is available.
Cross-Site Request Forgery (CSRF) vulnerability in POEditor that enables path traversal attacks, affecting versions 0.9.10 and earlier. An attacker can exploit this via a crafted request to perform unauthorized actions on behalf of an authenticated user, potentially leading to high availability impact. While the CVSS score of 7.4 indicates a significant threat, the requirement for user interaction (UI:R) and network-based attack vector limits real-world exploitability; current KEV and EPSS data are needed to determine if active exploitation is occurring.
Cross-Site Request Forgery (CSRF) vulnerability in the wphobby Backwp WordPress plugin (versions through 2.0.2) that enables path traversal attacks. An unauthenticated remote attacker can exploit this via a crafted web request to perform unauthorized actions and potentially access sensitive files outside intended directories. While the CVSS score of 7.4 indicates high severity with availability impact, the vulnerability requires user interaction (UI:R) and affects availability rather than confidentiality or integrity, suggesting moderate real-world exploitability.
Local privilege escalation vulnerability in 2BrightSparks SyncBackFree that allows low-privileged attackers to escalate to SYSTEM-level privileges by abusing the Mirror functionality through malicious junction creation. The vulnerability requires local code execution capability and administrator interaction, enabling arbitrary file deletion and code execution with SYSTEM privileges. This is a moderately severe local privilege escalation with a CVSS score of 7.3.
CVE-2025-22484 is an unthrottled resource allocation vulnerability in Qnap File Station 5 that allows authenticated remote attackers to exhaust system resources and cause denial of service. An attacker with valid user credentials can exploit this CWE-770 weakness to prevent legitimate users and processes from accessing shared resources, affecting availability. The vulnerability has a moderate-to-high CVSS 7.1 score driven by network accessibility and high availability impact, though it requires prior authentication; the fix is available in File Station 5 version 5.5.6.4847 and later.
The Hive Support WordPress plugin (versions ≤1.2.4) contains missing capability checks in the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions, allowing authenticated Subscriber-level users to read and modify sensitive data including OpenAI API keys, inspection data, and AI chat prompts. With a CVSS score of 7.1 and network-accessible attack vector requiring only user authentication, this vulnerability poses significant risk to WordPress installations using this plugin. The vulnerability may be a duplicate of CVE-2025-32208 or CVE-2025-32242, and patch status and active exploitation metrics are currently unknown.
A reflected cross-site scripting (XSS) vulnerability exists in Daman Jeet's Real Time Validation for Gravity Forms plugin affecting versions through 1.7.0, allowing unauthenticated attackers to inject malicious scripts that execute in users' browsers. The vulnerability requires user interaction (clicking a malicious link) but can compromise user sessions, steal credentials, or deface form content due to its cross-site impact scope. While the CVSS score of 7.1 indicates moderate-to-high severity, real-world exploitation depends on form visibility and user interaction patterns.
CSRF vulnerability in Jatinder Pal Singh BP Profile as Homepage plugin (versions through 1.1) that enables Stored XSS attacks. An unauthenticated attacker can exploit this via a malicious web request to inject persistent JavaScript into the application, affecting all users who view the compromised profile. The vulnerability requires user interaction (CVSS UI:R) but has cross-site scope impact (S:C), resulting in a 7.1 medium-high severity rating; KEV status and active exploitation data are not currently available in public disclosures.
Cross-Site Request Forgery (CSRF) vulnerability in Adrian Hanft's Konami Easter Egg browser extension (versions through v0.4) that can lead to Stored Cross-Site Scripting (XSS) attacks. An attacker can craft a malicious request to inject persistent JavaScript code that executes in the context of affected users' browsers, potentially compromising user sessions, stealing credentials, or performing unauthorized actions. With a CVSS score of 7.1 and network-accessible attack vector requiring only user interaction, this vulnerability poses a moderate-to-significant risk to users of the extension, though real-world exploitation likelihood depends on whether public exploits exist and the extension's actual user base.
Cross-Site Request Forgery (CSRF) vulnerability in OTWthemes Widgetize Pages Light plugin (versions up to 3.0) that enables Stored XSS attacks. An unauthenticated attacker can craft malicious requests to trick authenticated users into performing unintended actions, resulting in persistent XSS payload injection that affects all subsequent visitors. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector and low complexity, indicating moderate real-world exploitability without requiring elevated privileges.
A cross-site scripting vulnerability in Soli WP Mail Options allows Stored XSS (CVSS 7.1). High severity vulnerability requiring prompt remediation.
CSRF vulnerability in mail250 Free WP Mail SMTP (versions up to 1.0) that enables stored XSS attacks, allowing unauthenticated remote attackers to inject malicious scripts via crafted requests. The vulnerability requires user interaction (UI:R) but has network-based attack vector (AV:N) with low complexity (AC:L), affecting WordPress installations using this email plugin. While CVSS 7.1 indicates medium-high severity with confidentiality, integrity, and availability impact, real-world exploitation depends on KEV status, EPSS probability, and public POC availability-data not provided in the source material.
Cross-Site Request Forgery (CSRF) vulnerability in the dilemma123 Recent Posts Slider Responsive WordPress plugin (versions through 1.0.1) that enables Stored XSS attacks. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads, which execute in the browsers of site administrators and visitors, potentially leading to account compromise, malware distribution, or defacement. The vulnerability requires user interaction (UI:R) but has network-accessible attack surface (AV:N) with moderate CVSS score of 7.1 and should be prioritized for patched WordPress installations running vulnerable plugin versions.
Cross-Site Request Forgery (CSRF) vulnerability in mangup Personal Favicon (versions up to 2.0) that enables Stored XSS attacks. An unauthenticated attacker can craft a malicious request that, when visited by a user, executes arbitrary JavaScript in the victim's browser context with access to sensitive data and session tokens. While no public exploit or KEV status confirmation is available from the provided data, the CVSS 7.1 score and Stored XSS payload persistence indicate moderate-to-high real-world risk, particularly if the plugin has significant user adoption.
Cross-Site Request Forgery (CSRF) vulnerability in Vadim Bogaiskov's Bg Orthodox Calendar plugin that enables Stored Cross-Site Scripting (XSS) attacks. The vulnerability affects all versions from an unspecified baseline through 0.13.10, allowing unauthenticated attackers over the network to inject and store malicious scripts that execute in users' browsers with moderate impact to confidentiality, integrity, and availability. The CVSS 7.1 score reflects the combination of network attack vector with user interaction requirement; real-world exploitation risk depends on whether this vulnerability is actively exploited or has public proof-of-concept code available.
Cross-Site Request Forgery (CSRF) vulnerability in David Shabtai's Post Author WordPress plugin (versions through 1.1.1) that enables Stored Cross-Site Scripting (XSS) attacks. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads that execute in the browsers of all users viewing affected content, potentially leading to account compromise, data theft, or malware distribution. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector and low complexity, indicating practical exploitability without authentication.
Cross-Site Request Forgery (CSRF) vulnerability in the codedraft Mediabay WordPress plugin (versions up to 1.4) that enables reflected XSS attacks. Attackers can exploit this network-accessible vulnerability without authentication to perform unauthorized actions on behalf of authenticated users and inject malicious scripts, affecting WordPress installations using this media library plugin. The CVSS 7.1 score and absence of KEV/active exploitation data suggest moderate real-world risk with UI interaction required.
Bypass vulnerability in device management channels that allows unauthenticated attackers on adjacent networks to compromise service confidentiality and cause minor availability impact. The vulnerability affects device management implementations across multiple vendors (specific products require vendor advisories to identify). While no active exploitation in the wild has been confirmed in public KEV databases at time of analysis, the 7.1 CVSS score and high confidentiality impact warrant immediate attention for organizations managing devices on trusted networks.
Privilege escalation vulnerability in the Rust 'users' crate that incorrectly includes the root group in access control lists when a user or process has fewer than 1024 groups. An authenticated local attacker with low privileges can exploit this flaw to gain unauthorized access to resources restricted to the root group, achieving privilege escalation. The vulnerability requires local access and existing user privileges but has high impact on confidentiality and integrity.
WOLFBOX Level 2 EV Charger Management Card Hard-coded Credentials Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to bypass authentication on affected installations of WOLFBOX Level 2 EV Charger. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of management cards. The issue results from the lack of personalization of management cards. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26292.
A command injection vulnerability has been reported to affect QHora. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuRouter 2.4.6.028 and later
CVE-2025-48908 is a security vulnerability (CVSS 6.7). Remediation should follow standard vulnerability management procedures.
Unrestricted Upload of File with Dangerous Type vulnerability in Agile Logix Store Locator WordPress allows Upload a Web Shell to a Web Server. This issue affects Store Locator WordPress: from n/a through 1.5.2.
A remote code execution vulnerability (CVSS 6.6). Remediation should follow standard vulnerability management procedures.
A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later
Missing Authorization vulnerability in SolaPlugins Sola Support Ticket allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sola Support Ticket: from n/a through 3.17.
The WP-Addpub plugin for WordPress is vulnerable to SQL Injection via the 'wp-addpub' shortcode in all versions up to, and including, 1.2.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mhallmann SEPA Girocode allows Stored XSS. This issue affects SEPA Girocode: from n/a through 0.5.1.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris McCoy Bacon Ipsum allows Stored XSS. This issue affects Bacon Ipsum: from n/a through 2.4.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mostafa Shahiri Simple Nested Menu allows Stored XSS. This issue affects Simple Nested Menu: from n/a through 1.0.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Burnette Video Embeds allows Stored XSS. This issue affects Video Embeds: from n/a through 0.1.1.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Burnette Abbie Expander allows Stored XSS. This issue affects Abbie Expander: from n/a through 1.0.1.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ovatheme BRW allows Stored XSS. This issue affects BRW: from n/a through 1.8.6.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CoolHappy The Events Calendar Countdown Addon allows Stored XSS. This issue affects The Events Calendar Countdown Addon: from n/a through 1.4.9.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M A Vinoth Kumar Frontend Dashboard allows Stored XSS. This issue affects Frontend Dashboard: from n/a through 2.2.8.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Team Member allows Stored XSS. This issue affects HT Team Member: from n/a through 1.1.7.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in impleCode Product Catalog Simple allows Stored XSS. This issue affects Product Catalog Simple: from n/a through 1.8.1.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeManas Search with Typesense allows Stored XSS. This issue affects Search with Typesense: from n/a through 2.0.10.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpsoul Greenshift allows DOM-Based XSS. This issue affects Greenshift: from n/a through 11.5.5.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPlugged.com WebHotelier allows Stored XSS. This issue affects WebHotelier: from n/a through 1.9.2.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bastien Ho Event post allows Stored XSS. This issue affects Event post: from n/a through 5.10.1.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vova Shortcodes Ultimate allows Stored XSS. This issue affects Shortcodes Ultimate: from n/a through 7.3.5.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sevenspark ShiftNav - Responsive Mobile Menu allows Stored XSS. This issue affects ShiftNav - Responsive Mobile Menu: from n/a through 1.8.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sevenspark Bellows Accordion Menu allows Stored XSS. This issue affects Bellows Accordion Menu: from n/a through 1.4.3.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rometheme RTMKit Addons for Elementor allows Stored XSS. This issue affects RTMKit Addons for Elementor: from n/a through 1.6.0.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blocksera Image Hover Effects Block allows Stored XSS. This issue affects Image Hover Effects Block: from n/a through 1.4.5.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shahjada Premium Packages allows Stored XSS. This issue affects Premium Packages: from n/a through 6.0.2.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdive Nexa Blocks allows Stored XSS. This issue affects Nexa Blocks: from n/a through 1.1.0.