Skip to main content
CVE-2023-26005 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in BZOTheme Fitrush versions up to 1.3.4 that allows unauthenticated remote attackers to include and execute arbitrary local files on the server. The vulnerability stems from improper control of filenames in PHP include/require statements (CWE-98), enabling attackers to read sensitive files or achieve remote code execution depending on server configuration. While the CVSS score is 8.1 (high severity), the CVSS vector indicates high attack complexity (AC:H), suggesting exploitation may require specific environmental conditions or knowledge of the target system's file structure.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2023-25999 HIGH This Week

A remote code execution vulnerability in snstheme BodyCenter - Gym (CVSS 8.1). High severity vulnerability requiring prompt remediation.

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-49651 HIGH This Week

A security vulnerability in the session. This vulnerability exists in all current (CVSS 8.1) that allows attackers. High severity vulnerability requiring prompt remediation.

Information Disclosure
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-23974 HIGH This Week

CVE-2025-23974 is an Incorrect Privilege Assignment vulnerability in ifkooo One-Login that enables unauthenticated remote privilege escalation. Versions 1.4 and earlier are affected, allowing attackers to gain high-impact unauthorized access to sensitive functions without user interaction. The CVSS 8.1 score reflects significant risk, though the high attack complexity (AC:H) suggests exploitation requires specific conditions; KEV/POC status and active exploitation data are not available in provided intelligence.

Privilege Escalation
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-49297 HIGH This Week

Path traversal vulnerability in Mikado-Themes Grill and Chow WordPress themes (versions through 1.6) that enables PHP Local File Inclusion (LFI) attacks. An unauthenticated remote attacker can exploit this vulnerability to read arbitrary files on the affected server, potentially exposing sensitive configuration files, database credentials, and other confidential data. The high CVSS score of 8.1 reflects significant impact on confidentiality and integrity, though exploitation requires higher attack complexity.

PHP Path Traversal
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-49296 HIGH This Week

A Path Traversal vulnerability in Mikado-Themes GrandPrix WordPress theme (versions through 1.6) allows unauthenticated remote attackers to perform PHP Local File Inclusion (LFI) attacks, potentially leading to arbitrary file reading, information disclosure, and remote code execution. The vulnerability has a CVSS score of 8.1 (High) with high impact on confidentiality, integrity, and availability; exploitation requires medium attack complexity but no user interaction or privileges. KEV status and active exploitation data were not provided, but the high CVSS and LFI nature suggest significant real-world risk if POC is publicly available.

PHP Path Traversal
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-49295 HIGH This Week

A Path Traversal vulnerability in Mikado-Themes MediClinic through version 2.1 enables unauthenticated remote attackers to conduct PHP Local File Inclusion (LFI) attacks, potentially allowing arbitrary file reading and code execution. The CVSS 8.1 score reflects high impact across confidentiality, integrity, and availability, though attack complexity is listed as HIGH. No public confirmation of active KEV exploitation or PoC availability is documented in standard feeds, but the high CVSS and LFI vector suggest this should be treated as a credible priority vulnerability.

PHP Path Traversal
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-39475 HIGH This Week

Path Traversal vulnerability enabling PHP Local File Inclusion (LFI) in Frenify Arlo through version 6.0.3. The vulnerability allows unauthenticated remote attackers to read arbitrary files from the server filesystem by manipulating path parameters, potentially exposing sensitive configuration files, source code, and credentials. With a CVSS score of 8.1 and network-accessible attack vector, this vulnerability poses significant risk to confidentiality and integrity; exploitation likelihood and active weaponization status cannot be confirmed from available data, but the straightforward nature of path traversal attacks suggests moderate-to-high real-world exploitation probability.

PHP Path Traversal
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-39473 HIGH This Week

Path traversal vulnerability in WebGeniusLab Seofy Core (versions up to 1.4.5) that allows unauthenticated remote attackers to achieve PHP Local File Inclusion (LFI) with high complexity. The vulnerability enables attackers to read arbitrary files and potentially execute code on affected systems. No public indicators confirm active exploitation or KEV listing at this time, but the high CVSS score (8.1) and remote attack vector indicate significant risk requiring urgent patching.

PHP Path Traversal
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-49653 HIGH This Week

Sensitive data exposure vulnerability in Lablup's BackendAI that allows authenticated attackers with high privileges to retrieve user credentials from active sessions on the management platform. The vulnerability affects the session management mechanism and has a CVSS score of 8.0 with a complex attack vector requiring high privilege access, indicating a serious but not trivially exploitable issue in production environments.

Information Disclosure
NVD GitHub
CVSS 3.1
8.0
EPSS
0.1%
CVE-2025-32308 HIGH This Week

Missing Authorization vulnerability (CWE-862) in looks_awesome Team Builder versions up to 1.5.7 that allows authenticated attackers to exploit misconfigured access control security levels to gain unauthorized access to sensitive functionality. An attacker with valid credentials can bypass intended authorization checks to read, modify, or delete data they should not have access to. The CVSS 7.6 score reflects the combination of low attack complexity, authenticated access requirement, and moderate-to-high impact on confidentiality and integrity.

Authentication Bypass
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-49004 HIGH PATCH This Week

DNS rebinding vulnerability in Caido (web security auditing toolkit) versions prior to 0.48.0 that allows attackers to hijack the authentication flow and achieve remote code execution. An attacker can load Caido on an attacker-controlled domain through DNS rebinding attacks, either during initial setup or by re-initiating the authentication flow on an already-configured instance. The vulnerability requires user interaction (UI:R) but poses high impact (C:H, I:H, A:H) with a CVSS score of 7.5, and the patch is available in version 0.48.0.

RCE
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2025-48053 HIGH PATCH This Week

Denial-of-service vulnerability in Discourse that allows unauthenticated remote attackers to reduce the availability of a Discourse instance by sending malicious URLs in private messages to bot users. The vulnerability affects Discourse versions prior to 3.4.4 (stable), 3.5.0.beta5 (beta), and 3.5.0.beta6-dev (tests-passed), with a CVSS 7.5 rating indicating high severity. No known public exploits or workarounds are currently available, but patches have been released.

Information Disclosure Discourse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-39476 HIGH This Week

PHP Local File Inclusion (LFI) vulnerability in magentech Revo versions up to 4.0.26 that allows unauthenticated remote attackers to include and execute arbitrary local files through improper control of filename parameters in PHP include/require statements. An attacker can exploit this to read sensitive files, execute code, or compromise the affected system; the vulnerability requires user interaction (UI:R) but carries high impact across confidentiality, integrity, and availability. While no public exploit code or KEV status is currently confirmed in available intelligence, the combination of network accessibility, high CVSS score (7.5), and file inclusion primitives makes this a notable risk for unpatched Revo installations.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-49140 HIGH PATCH This Week

Pion Interceptor versions v0.1.36 through v0.1.38 contain a denial-of-service vulnerability in the RTP packet factory that allows unauthenticated remote attackers to trigger application panics via crafted RTP packets with malformed padding fields. This affects all applications using the Pion interceptor library for RTP/RTCP communication, with no authentication required and low attack complexity. The vulnerability has a CVSS score of 7.5 (High) with availability impact only; no evidence of active exploitation or public POC availability is documented.

Denial Of Service Golang Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-48130 HIGH This Week

Path traversal vulnerability in Spice Blocks (a WordPress plugin by spicethemes) affecting versions through 2.0.7.2 that allows unauthenticated remote attackers to read arbitrary files from the affected server. The vulnerability has a CVSS score of 7.5 (High) with network-based attack vector, no authentication required, and high confidentiality impact, making it a significant information disclosure risk for WordPress installations using this plugin.

Path Traversal
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-48124 HIGH This Week

A path traversal vulnerability (CWE-22) in Holest Engineering's Spreadsheet Price Changer for WooCommerce and WP E-commerce - Light plugin allows unauthenticated remote attackers to read arbitrary files from the server by manipulating file path parameters. The vulnerability affects all versions through 2.4.37 and has a CVSS score of 7.5, indicating high confidentiality impact with no authentication required. Real-world exploitability depends on confirmation of active exploitation status and proof-of-concept availability; the low attack complexity and network accessibility suggest this is a genuine, easily-exploitable threat to affected WordPress installations.

WordPress Path Traversal
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-31635 HIGH This Week

Path traversal vulnerability in LambertGroup CLEVER versions up to 2.6 that allows unauthenticated remote attackers to read arbitrary files from the affected system with high confidentiality impact. The vulnerability requires no user interaction and can be exploited over the network, making it a critical exposure for organizations running vulnerable CLEVER instances. While CVSS 7.5 indicates significant risk, actual exploitation depends on KEV listing status and public POC availability, which should be verified against current threat intelligence feeds.

Path Traversal
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-31050 HIGH This Week

Path traversal vulnerability in Apptha Slider Gallery versions up to 2.5 that allows unauthenticated remote attackers to read arbitrary files from the affected server by manipulating pathname parameters. The vulnerability has a CVSS score of 7.5 (High) with network-based attack vector requiring no privileges or user interaction, enabling confidentiality compromise of sensitive server files. Current KEV and EPSS status information is not provided in available sources, but the ease of exploitation (AC:L) and absence of authentication requirements significantly elevate real-world risk.

Path Traversal
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-26468 HIGH PATCH This Week

CVE-2025-26468 is an unauthenticated denial-of-service vulnerability in CyberData 011209 Intercom systems that allows remote attackers to disrupt system availability without requiring authentication or user interaction. The vulnerability has a CVSS score of 7.5 (High) with a network attack vector, indicating significant real-world risk from remote exploitation. While active exploitation status and POC availability cannot be confirmed from the provided data, the lack of authentication requirements (PR:N, UI:N) makes this a critical priority for affected organizations.

Information Disclosure 011209 Sip Emergency Intercom
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-30183 HIGH PATCH This Week

CyberData 011209 Intercom devices fail to properly store or protect web server administrator credentials, allowing unauthenticated remote attackers to obtain plaintext or weakly protected credentials with high confidence. This vulnerability (CVSS 7.5) affects web-based administrative interfaces and could lead to complete compromise of device configuration and control. No public exploit code or active KEV listing is confirmed at this time, but the vulnerability requires immediate attention due to the critical nature of credential exposure in networked intercom systems.

Information Disclosure 011209 Sip Emergency Intercom Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-48261 HIGH This Week

CVE-2025-48261 is an information disclosure vulnerability in MultiVendorX that allows unauthenticated remote attackers to retrieve sensitive data embedded within sent data through a network-accessible interface. The vulnerability affects MultiVendorX versions up to and including 4.2.22, with a CVSS score of 7.5 indicating high confidentiality impact. While no active KEV or public POC details were provided in the available intelligence, the network-accessible attack vector (AV:N) and lack of privilege requirements (PR:N) make this a material risk for exposed instances.

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-31045 HIGH This Week

CVE-2025-31045 is an information disclosure vulnerability in the Elfsight Contact Form widget (versions through 2.3.1) that allows unauthenticated remote attackers to retrieve embedded sensitive data without any user interaction. The vulnerability exposes system information through an unauthorized control sphere, posing a high confidentiality risk with a CVSS score of 7.5. While the specific KEV status and EPSS probability are not provided in available sources, the network-accessible nature (AV:N) with no authentication required (PR:N) and lack of user interaction (UI:N) suggests this is readily exploitable by threat actors.

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-49265 HIGH This Week

Missing Authorization (CWE-862) vulnerability in WP Swings Membership For WooCommerce that allows unauthenticated attackers to access functionality not properly constrained by Access Control Lists (ACLs). The vulnerability affects versions up to and including 2.8.1 of this WordPress/WooCommerce plugin, enabling unauthorized users to bypass membership restrictions and potentially access premium features or sensitive membership data without valid credentials. With a CVSS score of 7.5 and a network-accessible attack vector requiring no privileges or user interaction, this represents a significant exposure risk for e-commerce sites relying on this plugin for membership management.

WordPress Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-48062 HIGH PATCH This Week

A remote code execution vulnerability in Discourse (CVSS 7.1). High severity vulnerability requiring prompt remediation.

Code Injection Discourse
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-47527 HIGH This Week

Missing Authorization vulnerability (CWE-862) in the Icegram Collect WordPress plugin versions up to 1.3.18 that allows authenticated attackers with low privileges to exploit misconfigured access controls. An attacker with a valid WordPress user account can modify or delete form data and potentially cause service disruption by leveraging inadequate authorization checks on sensitive operations, with no confidentiality impact but significant integrity and availability risks.

Authentication Bypass
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-47463 HIGH This Week

Missing Authorization vulnerability in Fahad Mahmood's Stock Locations for WooCommerce plugin (versions up to 2.8.6) that allows authenticated users with low privileges to perform unauthorized actions including information disclosure and availability disruption. An attacker with basic user credentials can bypass access controls to modify stock locations or trigger denial-of-service conditions due to improper privilege verification. This vulnerability has a CVSS score of 7.1 (High) and affects WooCommerce installations using the vulnerable plugin; KEV status and active exploitation data are not currently confirmed in public advisories.

WordPress Authentication Bypass
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-48279 HIGH This Week

Reflected Cross-Site Scripting (XSS) vulnerability in the WC MyParcel Belgium WordPress plugin (versions 4.5.5 through beta) that allows unauthenticated attackers to inject arbitrary JavaScript into web pages viewed by users. An attacker can craft a malicious URL to execute scripts in a victim's browser within the context of the affected website, potentially stealing session cookies, performing unauthorized actions, or redirecting users to phishing sites. The CVSS 7.1 score reflects moderate severity with network-based attack vector, no privilege requirements, and user interaction dependency; active exploitation status and POC availability are currently unknown from public sources.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-48143 HIGH This Week

Reflected Cross-Site Scripting (XSS) vulnerability in the SalesUp! Contact Form plugin (versions up to 1.0.14) that allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability requires user interaction (clicking a malicious link) but can compromise confidentiality, integrity, and availability across security boundaries (CVSS 7.1). There is no indication of active exploitation in the wild or confirmed proof-of-concept at this time based on available intelligence.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-47487 HIGH This Week

A remote code execution vulnerability in moreconvert MC Woocommerce Wishlist allows Reflected XSS (CVSS 7.1). High severity vulnerability requiring prompt remediation.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-47477 HIGH This Week

A cross-site scripting vulnerability in revmakx Backup and Staging by WP Time Capsule allows Reflected XSS (CVSS 7.1). High severity vulnerability requiring prompt remediation.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-39539 HIGH This Week

Reflected Cross-Site Scripting (XSS) vulnerability in quitenicestuff Soho Hotel versions through 4.2.5 that allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. With a CVSS score of 7.1 and network accessibility requiring only user interaction, this vulnerability enables attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites. The vulnerability affects the hotel management software's input validation during web page generation, creating a reflected XSS attack vector that exploits insufficient output encoding.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-32305 HIGH This Week

A cross-site scripting vulnerability in Sneeit FlatNews allows Reflected XSS (CVSS 7.1). High severity vulnerability requiring prompt remediation.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-31925 HIGH This Week

Reflected Cross-Site Scripting (XSS) vulnerability in LambertGroup SHOUT versions up to 3.5.3 that allows unauthenticated attackers to inject malicious scripts into web pages viewed by victims. An attacker can craft a malicious URL containing JavaScript payloads that execute in the context of the victim's browser session, potentially stealing session tokens, credentials, or performing actions on behalf of the user. The vulnerability has a CVSS score of 7.1 (High), requires user interaction (clicking a malicious link), and affects network-accessible instances of SHOUT without authentication requirements.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-31917 HIGH This Week

Reflected Cross-Site Scripting (XSS) vulnerability in LambertGroup Universal Video Player versions up to 3.8.3 that allows unauthenticated attackers to inject arbitrary JavaScript code into web pages viewed by victims. The vulnerability has a CVSS score of 7.1 (High) and affects the popular video player component across multiple web applications. While no public exploit code or KEV listing is indicated in available intelligence, the low attack complexity and user interaction requirement present moderate real-world risk to deployed instances.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-31638 HIGH This Week

Reflected Cross-Site Scripting (XSS) vulnerability in themeton Spare versions up to 1.7 that allows unauthenticated attackers to inject malicious scripts into web pages viewed by users. The vulnerability exists due to improper neutralization of user input during web page generation (CWE-79), enabling attackers to steal session tokens, perform actions on behalf of users, or redirect users to malicious sites. With a CVSS score of 7.1 and network-based attack vector requiring no special privileges, this vulnerability poses a moderate-to-significant risk to any organization deploying Spare.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-31426 HIGH This Week

Reflected Cross-Site Scripting (XSS) vulnerability in LambertGroup's Sticky Radio Player that allows unauthenticated attackers to inject malicious scripts into web pages through improper input sanitization. Versions 3.4 and earlier are affected, enabling attackers to execute arbitrary JavaScript in victims' browsers with user interaction. While the CVSS score of 7.1 indicates medium-to-high severity with potential for session hijacking and credential theft, real-world exploitability depends on KEV status, proof-of-concept availability, and deployment prevalence of this niche WordPress plugin.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-31061 HIGH This Week

Reflected Cross-Site Scripting (XSS) vulnerability in redqteam's Wishlist plugin affecting versions up to 2.1.0. An unauthenticated attacker can craft malicious URLs containing unfiltered input that executes arbitrary JavaScript in a victim's browser when clicked, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector requiring user interaction; current KEV/EPSS status and active exploitation details are not provided in available intelligence.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-31058 HIGH This Week

Reflected Cross-Site Scripting (XSS) vulnerability in LambertGroup Revolution Video Player versions up to 2.9.2 that allows unauthenticated attackers to inject malicious scripts into web pages viewed by victims. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector requiring user interaction, enabling attackers to steal session tokens, redirect users, or perform actions on behalf of victims. Without confirmation of active exploitation (KEV status) or public proof-of-concept, this represents a moderate real-world threat dependent on deployment prevalence and user interaction feasibility.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-31057 HIGH This Week

Reflected Cross-Site Scripting (XSS) vulnerability in LambertGroup Universal Video Player versions up to 1.4.0 that allows unauthenticated attackers to inject malicious scripts into web pages viewed by users. The vulnerability has a CVSS score of 7.1 (High) with a network-based attack vector requiring user interaction. While the exact EPSS and KEV status cannot be confirmed from provided data, the reflected XSS classification and accessible attack surface suggest moderate-to-high real-world exploitation likelihood, particularly if POC code becomes available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy