Skip to main content
CVE-2025-47572 HIGH This Week

A security vulnerability in mojoomla School Management allows PHP Local File Inclusion (CVSS 7.5). High severity vulnerability requiring prompt remediation.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-32549 HIGH This Week

A security vulnerability in mojoomla WPGYM allows PHP Local File Inclusion (CVSS 7.5). High severity vulnerability requiring prompt remediation.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-49451 HIGH This Week

A Path Traversal vulnerability (CWE-35) exists in the Aeroscroll Gallery WordPress plugin (versions through 1.0.12) that allows unauthenticated remote attackers to access arbitrary files on the server, potentially exposing sensitive configuration files, database credentials, and other confidential data. The vulnerability has a CVSS score of 7.5 (High) with network accessibility and no authentication required, making it a significant information disclosure risk for all installations of affected versions.

Path Traversal
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-6166 LOW POC PATCH Monitor

A vulnerability was found in frdel Agent-Zero up to 0.8.4. It has been rated as problematic. This issue affects the function image_get of the file /python/api/image_get.py. The manipulation of the argument path leads to path traversal. Upgrading to version 0.8.4.1 is able to address this issue. The identifier of the patch is 5db74202d632306a883ccce7339c5bdba0d16c5a. It is recommended to upgrade the affected component.

Python Path Traversal
NVD GitHub VulDB
CVSS 3.1
3.5
EPSS
0.1%
CVE-2025-33122 HIGH This Week

A privilege escalation vulnerability (CVSS 7.5) that allows a user. High severity vulnerability requiring prompt remediation.

IBM Privilege Escalation
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-49176 HIGH PATCH This Week

CVE-2025-49176 is an integer overflow vulnerability in the X11 Big Requests extension that allows local attackers with low privileges to bypass request size validation by triggering a multiplication-based integer wrap-around, enabling denial of service or potential code execution through oversized X protocol requests. The vulnerability affects X11 server implementations that use the Big Requests extension; while not currently listed in CISA KEV catalog, the 7.3 CVSS score and local attack vector indicate moderate-to-high real-world risk for multi-user systems. No public POC or active exploitation has been confirmed at time of analysis.

Integer Overflow Buffer Overflow
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-49179 HIGH PATCH This Week

CVE-2025-49179 is an integer overflow vulnerability in the X Record extension's RecordSanityCheckRegisterClients function that allows authenticated local users to bypass request length validation checks. This flaw enables privilege escalation and potential code execution on affected X11 systems. With a CVSS score of 7.3 and requiring local access with low privileges, this poses a moderate-to-high risk for multi-user systems; exploitation status and POC availability have not been confirmed in public disclosures as of analysis time.

Buffer Overflow Integer Overflow
NVD
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-3774 HIGH This Week

The Wise Chat WordPress plugin versions up to 3.3.4 contains a Stored Cross-Site Scripting (XSS) vulnerability in the X-Forwarded-For header processing that allows unauthenticated attackers to inject malicious scripts without authentication or user interaction. When vulnerable pages are accessed by site visitors, the injected scripts execute in their browsers, potentially enabling credential theft, session hijacking, or malware distribution. This vulnerability has a CVSS score of 7.2 (High) and affects all publicly-facing WordPress installations running the affected plugin versions.

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2025-49331 HIGH This Week

Deserialization of untrusted data vulnerability in impleCode eCommerce Product Catalog versions up to 3.4.3 that allows authenticated attackers with high privileges to perform object injection attacks. The vulnerability enables remote code execution or unauthorized data manipulation through malicious serialized objects. While the CVSS score of 7.2 is moderate-to-high, the requirement for high privileges (PR:H) significantly limits real-world exploitability; however, this should not be underestimated in multi-tenant or insider threat scenarios.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-30680 HIGH PATCH This Week

Server-Side Request Forgery (SSRF) vulnerability in Trend Micro Apex Central SaaS that allows authenticated attackers to manipulate parameters and disclose sensitive information from affected installations. The vulnerability affects only the SaaS deployment model of Apex Central; SaaS customers receiving automatic monthly maintenance updates are not impacted. While no public exploit or KEV status is indicated, the CVSS 7.1 score and information disclosure capability present moderate risk for organizations with manual SaaS deployments or on-premises installations.

Information Disclosure SSRF Trend Micro Apex Central
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-49316 HIGH This Week

Reflected Cross-Site Scripting (XSS) vulnerability in the Saleswonder Team Tobias WP2LEADS WordPress plugin (versions up to 3.5.0) that allows unauthenticated attackers to inject malicious scripts into web pages viewed by users. An attacker can craft a malicious URL containing JavaScript payload and trick users into clicking it, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector requiring user interaction, and while KEV/active exploitation status and POC availability are not explicitly confirmed in provided data, the low attack complexity and reflected nature suggest moderate real-world risk.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49312 HIGH This Week

Reflected Cross-Site Scripting (XSS) vulnerability in the CodeRevolution Echo RSS Feed Post Generator Plugin for WordPress affecting versions through 5.4.8.1. An unauthenticated attacker can inject malicious scripts into web pages viewed by users with no special privileges required, potentially leading to session hijacking, credential theft, or malware distribution. The CVSS 7.1 score reflects the moderate severity with network attack vector and user interaction requirement.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49266 HIGH This Week

Reflected Cross-Site Scripting (XSS) vulnerability in Rustaurius Ultimate Reviews WordPress plugin versions up to 3.2.14, allowing unauthenticated attackers to inject malicious scripts that execute in users' browsers. The vulnerability requires user interaction (clicking a malicious link) but can compromise session tokens, steal sensitive data, or perform actions on behalf of affected users. While this is a network-accessible, low-complexity attack with moderate CVSS score (7.1), reflected XSS vulnerabilities are commonly exploited and proof-of-concept code is typically straightforward to develop.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-48333 HIGH PATCH This Week

Reflected Cross-Site Scripting (XSS) vulnerability in WPQuark's eForm WordPress Form Builder plugin that allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects the eForm plugin across unspecified version ranges and can be exploited with user interaction to compromise confidentiality, integrity, and availability. No active KEV designation or confirmed POC availability is documented, but the network-accessible nature and low attack complexity present moderate real-world exploitation risk.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-48145 HIGH This Week

A cross-site scripting vulnerability in Michal Jaworski Track (CVSS 7.1). High severity vulnerability requiring prompt remediation.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-39508 HIGH This Week

Reflected Cross-Site Scripting (XSS) vulnerability in NasaTheme Nasa Core versions up to 6.3.2 that allows unauthenticated attackers to inject arbitrary JavaScript code into web pages viewed by other users. The vulnerability affects the Nasa Core component through improper input neutralization during web page generation, enabling attackers to steal session cookies, perform actions on behalf of users, or distribute malware. With a CVSS score of 7.1 and low attack complexity, this vulnerability poses a moderate-to-high risk to affected installations, particularly if the affected theme is actively deployed in production environments.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-30988 HIGH This Week

Stored Cross-Site Scripting (XSS) vulnerability in CreativeMedia Elite Video Player versions up to 10.0.5 that allows unauthenticated attackers to inject and persist malicious scripts through the web page generation process. An attacker can craft a malicious input that gets stored in the application and executed in the browsers of other users who view the affected page, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction (UI:R) but has a network attack vector with no authentication required, making it a moderate-to-high priority threat depending on deployment context.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49156 HIGH PATCH This Week

Privilege escalation vulnerability in Trend Micro Apex One's scan engine that exploits improper link handling to allow local attackers to escalate privileges. The vulnerability affects Trend Micro Apex One installations and requires an attacker to first obtain low-privileged code execution on the target system. While no active exploitation in the wild has been confirmed at this time, the CVSS score of 7.0 indicates a high-severity local privilege escalation risk for organizations running vulnerable versions.

Privilege Escalation Trend Micro Apex One
NVD
CVSS 3.1
7.0
EPSS
0.0%
CVE-2025-49593 MEDIUM PATCH This Month

Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. Prior to STS version 2.31.0 and LTS version 2.27.7, if a Portainer administrator can be convinced to register a malicious container registry, or an existing container registry can be taken over, HTTP Headers (including registry authentication credentials or Portainer session tokens) may be leaked to that registry. This issue has been patched in STS version 2.31.0 and LTS version 2.27.7.

Information Disclosure Kubernetes Docker
NVD GitHub
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-49487 MEDIUM PATCH This Month

An uncontrolled search path vulnerability in the Trend Micro Worry-Free Business Security Services (WFBSS) agent could have allowed an attacker with physical access to a machine to execute arbitrary code on affected installations. An attacker must have had physical access to the target system in order to exploit this vulnerability due to need to access a certain hardware component. Also note: this vulnerability only affected the SaaS client version of WFBSS only, meaning the on-premise version of Worry-Free Business Security was not affected, and this issue was addressed in a previous WFBSS monthly maintenance update. Therefore no other customer action is required to mitigate if the WFBSS agents are on the regular SaaS maintenance deployment schedule and this disclosure is for informational purposes only.

RCE Worry Free Business Security Services
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-48443 MEDIUM PATCH This Month

Trend Micro Password Manager (Consumer) version 5.0.0.1266 and below is vulnerable to a Link Following Local Privilege Escalation Vulnerability that could allow a local attacker to leverage this vulnerability to delete files in the context of an administrator when the administrator installs Trend Micro Password Manager.

Privilege Escalation Password Manager
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-49158 MEDIUM PATCH This Month

An uncontrolled search path vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalation privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

Privilege Escalation Apex One
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-49234 MEDIUM This Month

Missing Authorization vulnerability in Deepak anand WP Dummy Content Generator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Dummy Content Generator: from n/a through 3.4.6.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-30679 MEDIUM PATCH This Month

A Server-side Request Forgery (SSRF) vulnerability in Trend Micro Apex Central (on-premise) modOSCE component could allow an attacker to manipulate certain parameters leading to information disclosure on affected installations.

Information Disclosure SSRF Apex Central
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-30678 MEDIUM PATCH This Month

A Server-side Request Forgery (SSRF) vulnerability in Trend Micro Apex Central (on-premise) modTMSM component could allow an attacker to manipulate certain parameters leading to information disclosure on affected installations.

Information Disclosure SSRF Apex Central
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-5673 MEDIUM This Month

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to SQL Injection via the ‘prgSortPostType’ parameter in all versions up to, and including, 8.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

WordPress SQLi PHP
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-49882 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emraan Cheema CubeWP Framework allows DOM-Based XSS. This issue affects CubeWP Framework: from n/a through 1.1.23.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49881 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CyberChimps Responsive Blocks allows Stored XSS. This issue affects Responsive Blocks: from n/a through 2.0.5.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49878 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Greg Winiarski WPAdverts allows DOM-Based XSS. This issue affects WPAdverts: from n/a through 2.2.4.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49875 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in IfSo Dynamic Content If-So Dynamic Content Personalization allows Stored XSS. This issue affects If-So Dynamic Content Personalization: from n/a through 1.9.3.1.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49863 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Codeus Advanced Sermons allows Stored XSS. This issue affects Advanced Sermons: from n/a through 3.6.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49861 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Timur Kamaev Kama Click Counter allows Stored XSS. This issue affects Kama Click Counter: from n/a through 4.0.3.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49859 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in etruel WP Views Counter allows Stored XSS. This issue affects WP Views Counter: from n/a through 2.0.3.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49858 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tychesoftwares Arconix Shortcodes allows Stored XSS. This issue affects Arconix Shortcodes: from n/a through 2.1.17.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49855 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Meks Meks Flexible Shortcodes allows DOM-Based XSS. This issue affects Meks Flexible Shortcodes: from n/a through 1.3.7.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-5700 MEDIUM This Month

The Simple Logo Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.9.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD GitHub
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-5291 MEDIUM PATCH This Month

The Master Slider - Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's masterslider_pb and ms_slide shortcodes in all versions up to, and including, 3.10.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS Master Slider PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-4775 MEDIUM This Month

The WordPress Infinite Scroll - Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-button-label HTML attribute in all versions up to, and including, 7.4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-34508 MEDIUM PATCH This Month

A path traversal vulnerability exists in the file dropoff functionality of ZendTo versions 6.15-7 and prior. This could allow a remote, authenticated attacker to retrieve the files of other ZendTo users, retrieve files on the host system, or cause a denial of service.

Denial Of Service Path Traversal
NVD
CVSS 3.1
6.3
EPSS
0.3%
CVE-2025-49175 MEDIUM PATCH This Month

A flaw was found in the X Rendering extension's handling of animated cursors. If a client provides no cursors, the server assumes at least one is present, leading to an out-of-bounds read and potential crash.

Buffer Overflow Information Disclosure
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-6156 LOW POC Monitor

A vulnerability was found in PHPGurukul Nipah Virus Testing Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /bwdates-report-ds.php. The manipulation of the argument testtype leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-45880 MEDIUM This Month

A cross-site scripting (XSS) vulnerability in the data resource management function of Miliaris Amigdala v2.2.6 allows attackers to execute arbitrary HTML in the context of a user's browser via a crafted payload.

XSS Amygdala
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-45878 MEDIUM This Month

A cross-site scripting (XSS) vulnerability in the report manager function of Miliaris Amigdala v2.2.6 allows attackers to execute arbitrary HTML in the context of a user's browser via a crafted payload.

XSS Amygdala
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-45879 MEDIUM This Month

A cross-site scripting (XSS) vulnerability in the e-mail manager function of Miliaris Amigdala v2.2.6 allows attackers to execute arbitrary HTML in the context of a user's browser via a crafted payload.

XSS Amygdala
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-48993 MEDIUM PATCH This Month

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web application does not sanitize their input. This could result in a reflected cross-site scripting (XSS) attack. This issue has been patched in versions 6.8.123 and 25.0.27.

Microsoft XSS Group Office
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-49177 MEDIUM PATCH This Month

A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler does not validate the request length, allowing a client to read unintended memory from previous requests.

Information Disclosure
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-6173 LOW POC Monitor

A vulnerability classified as critical was found in Webkul QloApps 1.6.1. Affected by this vulnerability is an unknown functionality of the file /admin/ajax_products_list.php. The manipulation of the argument packItself leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor confirms the existence of this flaw but considers it a low-level issue due to admin privilege pre-requisites. Still, a fix is planned for a future release.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-49871 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Mutende Noptin allows Stored XSS. This issue affects Noptin: from n/a through 3.8.7.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-49862 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in motov.net Ebook Store allows Stored XSS. This issue affects Ebook Store: from n/a through 5.8008.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-49178 MEDIUM PATCH This Month

A flaw was found in the X server's request handling. Non-zero 'bytes to ignore' in a client's request can cause the server to skip processing another client's request, potentially leading to a denial of service.

Denial Of Service
NVD
CVSS 3.1
5.5
EPSS
0.1%
Prev Page 3 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy