Skip to main content
CVE-2025-5778 MEDIUM POC This Month

Critical SQL injection vulnerability in 1000 Projects ABC Courier Management System version 1.0, affecting the /admin endpoint's Username parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with proof-of-concept availability, significantly increasing real-world exploitation risk.

SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-5756 MEDIUM POC This Month

Critical SQL injection vulnerability in code-projects Real Estate Property Management System version 1.0, specifically in the /Admin/EditCity.php endpoint. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The exploit has been publicly disclosed with proof-of-concept code available, and the vulnerability is likely being actively exploited in the wild.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-5759 MEDIUM POC This Month

Critical SQL injection vulnerability in PHPGurukul Local Services Search Engine Management System version 2.1, specifically in the /admin/edit-person-detail.php file where the 'editid' parameter is not properly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has public exploit code available and may be actively exploited in the wild.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-5711 MEDIUM POC This Month

Critical SQL injection vulnerability in code-projects Real Estate Property Management System 1.0, specifically in the /Admin/InsertCity.php file's cmbState parameter. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, making active exploitation likely.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-5710 MEDIUM POC This Month

A SQL injection vulnerability (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-5709 MEDIUM POC This Month

Critical SQL injection vulnerability in code-projects Real Estate Property Management System version 1.0 affecting the /Admin/InsertCategory.php endpoint. An unauthenticated remote attacker can manipulate the txtCategoryName parameter to execute arbitrary SQL commands, potentially compromising database confidentiality, integrity, and availability. The vulnerability has been publicly disclosed with exploit code available, making active exploitation a significant risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-5708 MEDIUM POC This Month

Critical SQL injection vulnerability in code-projects Real Estate Property Management System version 1.0, specifically in the /Admin/NewsReport.php file where the 'txtFrom' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or denial of service. The vulnerability has been publicly disclosed with exploit code available, increasing real-world exploitation risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-5707 MEDIUM POC This Month

Critical SQL injection vulnerability in PHPGurukul Human Metapneumovirus Testing Management System 1.0, affecting the /registered-user-testing.php file via the 'testtype' parameter. An unauthenticated remote attacker can exploit this vulnerability to read, modify, or delete sensitive database records without user interaction. The exploit has been publicly disclosed and is likely actively exploited in the wild, making this a high-priority security issue despite the moderate CVSS 7.3 score.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-5706 MEDIUM POC This Month

Critical SQL injection vulnerability in PHPGurukul Human Metapneumovirus Testing Management System version 1.0, affecting the /new-user-testing.php endpoint where the 'state' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially compromising data confidentiality, integrity, and availability. The vulnerability has public exploit code available and poses immediate risk to deployed instances.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-5705 MEDIUM POC This Month

Critical SQL injection vulnerability in code-projects Real Estate Property Management System version 1.0, specifically in the /Admin/Property.php file where the 'cmbCat' parameter is inadequately sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the property management database. The exploit has been publicly disclosed with proof-of-concept code available, significantly elevating real-world exploitation risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-5758 MEDIUM POC This Month

Critical SQL injection vulnerability in SourceCodester Open Source Clinic Management System v1.0, specifically in the /doctor.php file where the 'doctorname' parameter is insufficiently sanitized. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of sensitive healthcare information. The vulnerability has public exploit disclosure and may be actively exploited.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-5716 MEDIUM POC This Month

A remote code execution vulnerability in A vulnerability classified as critical (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-5712 MEDIUM POC This Month

Critical SQL injection vulnerability in SourceCodester Open Source Clinic Management System 1.0 affecting the /appointment.php file's patient parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL queries, potentially compromising data confidentiality, integrity, and availability. The exploit has been publicly disclosed with proof-of-concept availability, significantly elevating real-world exploitation risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-5755 MEDIUM POC This Month

SourceCodester Open Source Clinic Management System version 1.0 contains a critical SQL injection vulnerability in the /email_config.php file affecting the 'email' parameter. An unauthenticated remote attacker can exploit this to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or system compromise. Public disclosure and exploit code availability significantly elevate real-world risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-38002 MEDIUM POC PATCH This Month

CVE-2025-38002 is a security vulnerability (CVSS 5.5). Risk factors: public PoC available. Vendor patch is available.

Information Disclosure Linux Ubuntu Debian Linux Kernel +2
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-5751 MEDIUM This Month

WOLFBOX Level 2 EV Charger Management Card Hard-coded Credentials Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to bypass authentication on affected installations of WOLFBOX Level 2 EV Charger. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of management cards. The issue results from the lack of personalization of management cards. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26292.

Authentication Bypass Level 2 Ev Charger Firmware
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2024-13087 MEDIUM PATCH This Month

A command injection vulnerability has been reported to affect QHora. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuRouter 2.4.6.028 and later

Command Injection Qurouter
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-48908 MEDIUM This Month

CVE-2025-48908 is a security vulnerability (CVSS 6.7). Remediation should follow standard vulnerability management procedures.

Information Disclosure Harmonyos
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-49329 MEDIUM This Month

Unrestricted Upload of File with Dangerous Type vulnerability in Agile Logix Store Locator WordPress allows Upload a Web Shell to a Web Server. This issue affects Store Locator WordPress: from n/a through 1.5.2.

WordPress File Upload
NVD
CVSS 3.1
6.6
EPSS
0.1%
CVE-2025-48902 MEDIUM This Month

A remote code execution vulnerability (CVSS 6.6). Remediation should follow standard vulnerability management procedures.

Information Disclosure Emui Harmonyos
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-33035 MEDIUM PATCH This Month

A path traversal vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later

Path Traversal File Station
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2023-25997 MEDIUM This Month

Missing Authorization vulnerability in SolaPlugins Sola Support Ticket allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sola Support Ticket: from n/a through 3.17.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-5563 MEDIUM This Month

The WP-Addpub plugin for WordPress is vulnerable to SQL Injection via the 'wp-addpub' shortcode in all versions up to, and including, 1.2.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

WordPress SQLi PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49450 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mhallmann SEPA Girocode allows Stored XSS. This issue affects SEPA Girocode: from n/a through 0.5.1.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49443 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris McCoy Bacon Ipsum allows Stored XSS. This issue affects Bacon Ipsum: from n/a through 2.4.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49442 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mostafa Shahiri Simple Nested Menu allows Stored XSS. This issue affects Simple Nested Menu: from n/a through 1.0.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49429 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Burnette Video Embeds allows Stored XSS. This issue affects Video Embeds: from n/a through 0.1.1.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49427 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Burnette Abbie Expander allows Stored XSS. This issue affects Abbie Expander: from n/a through 1.0.1.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49314 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ovatheme BRW allows Stored XSS. This issue affects BRW: from n/a through 1.8.6.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49311 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CoolHappy The Events Calendar Countdown Addon allows Stored XSS. This issue affects The Events Calendar Countdown Addon: from n/a through 1.4.9.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49310 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M A Vinoth Kumar Frontend Dashboard allows Stored XSS. This issue affects Frontend Dashboard: from n/a through 2.2.8.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49309 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Team Member allows Stored XSS. This issue affects HT Team Member: from n/a through 1.1.7.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49305 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in impleCode Product Catalog Simple allows Stored XSS. This issue affects Product Catalog Simple: from n/a through 1.8.1.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49304 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeManas Search with Typesense allows Stored XSS. This issue affects Search with Typesense: from n/a through 2.0.10.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49301 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpsoul Greenshift allows DOM-Based XSS. This issue affects Greenshift: from n/a through 11.5.5.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49299 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPlugged.com WebHotelier allows Stored XSS. This issue affects WebHotelier: from n/a through 1.9.2.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49298 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bastien Ho Event post allows Stored XSS. This issue affects Event post: from n/a through 5.10.1.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49244 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vova Shortcodes Ultimate allows Stored XSS. This issue affects Shortcodes Ultimate: from n/a through 7.3.5.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49243 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sevenspark ShiftNav - Responsive Mobile Menu allows Stored XSS. This issue affects ShiftNav - Responsive Mobile Menu: from n/a through 1.8.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49242 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sevenspark Bellows Accordion Menu allows Stored XSS. This issue affects Bellows Accordion Menu: from n/a through 1.4.3.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49235 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rometheme RTMKit Addons for Elementor allows Stored XSS. This issue affects RTMKit Addons for Elementor: from n/a through 1.6.0.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-31025 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blocksera Image Hover Effects Block allows Stored XSS. This issue affects Image Hover Effects Block: from n/a through 1.4.5.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-30991 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shahjada Premium Packages allows Stored XSS. This issue affects Premium Packages: from n/a through 6.0.2.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-30952 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdive Nexa Blocks allows Stored XSS. This issue affects Nexa Blocks: from n/a through 1.1.0.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-30951 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stiofan BlockStrap Page Builder - Bootstrap Blocks allows Stored XSS. This issue affects BlockStrap Page Builder - Bootstrap Blocks: from n/a through 0.1.36.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-30950 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Wham All Currencies for WooCommerce woocommerce-all-currencies allows Stored XSS.This issue affects All Currencies for WooCommerce: from n/a through 2.4.3.

WordPress XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-30935 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NickDuncan Contact Form allows DOM-Based XSS. This issue affects Contact Form: from n/a through 2.0.12.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-29011 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CHR Designer YouTube Simple Gallery allows Stored XSS. This issue affects YouTube Simple Gallery: from n/a through 2.2.0.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-29003 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mva7 The Holiday Calendar allows Stored XSS. This issue affects The Holiday Calendar: from n/a through 1.18.2.1.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-27334 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ángel C. Simple Google Static Map allows DOM-Based XSS. This issue affects Simple Google Static Map: from n/a through 1.0.1.

XSS Google
NVD
CVSS 3.1
6.5
EPSS
0.0%
Page 1 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy