Skip to main content
CVE-2025-34029 HIGH POC This Week

CVE-2025-34029 is an OS command injection vulnerability in Edimax EW-7438RPn Mini wireless router firmware version 1.13 and prior that allows authenticated remote attackers to execute arbitrary shell commands as root through the /goform/formSysCmd endpoint. The vulnerability has a CVSS score of 8.8 (High) and was observed being exploited in the wild by the Shadowserver Foundation on 2024-09-14 UTC, indicating active real-world attack activity against this widely-deployed consumer networking device.

Command Injection Ew 7438rpn Mini Firmware
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
2.1%
CVE-2025-34024 HIGH POC This Week

CVE-2025-34024 is an OS command injection vulnerability in Edimax EW-7438RPn wireless range extender firmware versions 1.13 and prior, allowing authenticated attackers to execute arbitrary commands as root via the /goform/mp endpoint. The vulnerability results from improper input validation on the 'command' parameter in the mp.asp form handler, enabling shell metacharacter injection. Active exploitation was observed by the Shadowserver Foundation on 2024-09-14 UTC, indicating real-world threat activity against this device.

Command Injection Ew 7438rpn Mini Firmware
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
0.8%
CVE-2025-6337 HIGH POC This Week

CVE-2025-6337 is a critical buffer overflow vulnerability in TOTOLINK A3002R and A3002RU routers affecting versions 3.0.0-B20230809.1615 and 4.0.0-B20230531.1404. An authenticated attacker can exploit the 'submit-url' parameter in the /boafrm/formTmultiAP HTTP POST handler to achieve remote code execution with complete system compromise (confidentiality, integrity, and availability). Public exploit code exists and the vulnerability is exploitable over the network with low complexity.

Buffer Overflow TP-Link A3002ru Firmware A3002r Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-6336 HIGH POC This Week

CVE-2025-6336 is a critical buffer overflow vulnerability in TOTOLINK EX1200T wireless router (version 4.1.2cu.5232_B20210713) affecting the HTTP POST request handler. An authenticated attacker can exploit improper input validation on the 'submit-url' parameter in the /boafrm/formTmultiAP endpoint to achieve remote code execution with full system compromise (confidentiality, integrity, and availability). Public exploit code is available and the vulnerability has been disclosed; exploitation requires valid credentials but no user interaction.

Buffer Overflow TP-Link RCE Ex1200t Firmware TOTOLINK
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.6%
CVE-2025-34023 HIGH POC This Week

CVE-2025-34023 is a path traversal vulnerability in Karel IP1211 IP Phone's web management panel that allows remote authenticated attackers to read arbitrary files from the underlying system via unsanitized input to the /cgi-bin/cgiServer.exx endpoint's page parameter. This vulnerability affects IP phone administrators with network access to the management interface and carries a CVSS 8.5 score reflecting high confidentiality impact. Active exploitation evidence was documented by Shadowserver Foundation on 2025-02-02 UTC, indicating real-world attack activity.

Path Traversal Information Disclosure IoT
NVD Exploit-DB
CVSS 4.0
8.5
EPSS
1.8%
CVE-2025-6302 HIGH POC This Week

CVE-2025-6302 is a critical stack-based buffer overflow vulnerability in TOTOLINK EX1200T router firmware version 4.1.2cu.5232_B20210713, specifically in the setStaticDhcpConfig function of /cgi-bin/cstecgi.cgi. An authenticated attacker can exploit this by sending a malicious Comment parameter to achieve remote code execution with full system compromise (confidentiality, integrity, and availability impact). Public exploit code has been disclosed, making this actively exploitable.

Buffer Overflow TP-Link Ex1200t Firmware TOTOLINK
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-6292 HIGH POC This Week

CVE-2025-6292 is a critical stack-based buffer overflow vulnerability in D-Link DIR-825 routers (version 2.03 and potentially others) that allows authenticated attackers to execute arbitrary code remotely via malformed HTTP POST requests to the vulnerable HTTP POST Request Handler function. The vulnerability affects end-of-life products no longer receiving security updates from D-Link, and public exploit code has been disclosed, increasing real-world exploitation risk despite requiring valid credentials.

Buffer Overflow D-Link RCE Denial Of Service Dir 825 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-6291 HIGH POC This Week

CVE-2025-6291 is a critical stack-based buffer overflow vulnerability in D-Link DIR-825 firmware version 2.03, exploitable via HTTP POST requests to the do_file function. An authenticated attacker can achieve complete system compromise (confidentiality, integrity, and availability violations) remotely without user interaction. Public exploit code exists and the affected product is end-of-life with no vendor support, elevating real-world risk despite authentication requirement.

Buffer Overflow D-Link RCE Dir 825 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-6328 HIGH POC This Week

A critical stack-based buffer overflow vulnerability exists in D-Link DIR-815 firmware version 1.01 within the hedwig.cgi module (function sub_403794), allowing remote attackers with low privilege access to execute arbitrary code with high impact on confidentiality, integrity, and availability. Public exploit code is available and the vulnerability may be actively exploited in the wild, making this a high-priority remediation target.

Buffer Overflow D-Link RCE Dir 815 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-6370 HIGH POC This Week

A buffer overflow vulnerability in A vulnerability classified as critical (CVSS 8.8). Risk factors: public PoC available.

Buffer Overflow D-Link RCE Dir 619l Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-6369 HIGH POC This Week

CVE-2025-6369 is a critical stack-based buffer overflow vulnerability in D-Link DIR-619L v2.06B01 affecting the /goform/formdumpeasysetup endpoint. An authenticated remote attacker can exploit improper input validation of the curTime or config.save_network_enabled parameters to achieve remote code execution with high impact on confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and the affected product is end-of-life with no vendor support available.

Buffer Overflow D-Link RCE Dir 619l Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-6368 HIGH POC This Week

A critical stack-based buffer overflow vulnerability exists in D-Link DIR-619L firmware version 2.06B01, affecting the formSetEmail function via the curTime and config.smtp_email_subject parameters. An authenticated remote attacker can exploit this vulnerability to achieve arbitrary code execution with full system compromise (confidentiality, integrity, and availability). Public exploit code has been disclosed, and the affected product is end-of-life with no vendor support available.

Buffer Overflow D-Link RCE Dir 619l Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-6367 HIGH POC This Week

CVE-2025-6367 is a critical stack-based buffer overflow vulnerability in D-Link DIR-619L firmware version 2.06B01, affecting the /goform/formSetDomainFilter endpoint. An authenticated remote attacker can exploit improper input validation on the curTime, sched_name_%d, and url_%d parameters to achieve arbitrary code execution with full system compromise (confidentiality, integrity, and availability). The vulnerability has public exploit disclosure and affects end-of-life hardware no longer receiving vendor support.

Buffer Overflow D-Link RCE Dir 619l Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-6371 HIGH POC This Week

CVE-2025-6371 is a critical stack-based buffer overflow vulnerability in D-Link DIR-619L firmware version 2.06B01 affecting the formSetEnableWizard function. An authenticated remote attacker can exploit this vulnerability by manipulating the 'curTime' parameter to achieve remote code execution with high confidentiality, integrity, and availability impact (CVSS 8.8). Exploitation has been publicly disclosed with proof-of-concept available, and this vulnerability only affects end-of-life products no longer receiving vendor support.

Buffer Overflow D-Link Stack Overflow RCE Dir 619l Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-6372 HIGH POC This Week

A buffer overflow vulnerability (CVSS 8.8). Risk factors: public PoC available.

Buffer Overflow D-Link RCE Dir 619l Firmware
NVD VulDB GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-32879 HIGH POC This Week

CVE-2025-32879 is a security vulnerability (CVSS 8.8) that allows an attacker. Risk factors: public PoC available.

Authentication Bypass Bluetooth Information Disclosure Coros Pace 3 Firmware
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-4994 HIGH POC PATCH This Week

CVE-2024-4994 is a Cross-Site Request Forgery (CSRF) vulnerability in GitLab's GraphQL API that allows unauthenticated attackers to execute arbitrary GraphQL mutations through a malicious website visited by authenticated GitLab users. This affects GitLab CE/EE versions 16.1.0-16.11.4, 17.0.0-17.0.2, and 17.1.0, with a CVSS score of 8.1 indicating high severity. The vulnerability requires user interaction (clicking a malicious link) but can result in unauthorized data manipulation or system compromise depending on the mutations executed.

CSRF Gitlab RCE
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-34021 HIGH POC This Week

CVE-2025-34021 is a critical Server-Side Request Forgery (SSRF) vulnerability affecting multiple Selea Targa IP OCR-ANPR camera models that allows remote unauthenticated attackers to induce arbitrary HTTP requests through unvalidated JSON POST parameters (ipnotify_address and url). An attacker can bypass firewall policies, enumerate internal services, or redirect image fetch and DNS lookup operations to internal or external systems of their choosing. Active exploitation was confirmed by the Shadowserver Foundation on 2025-01-25, indicating real-world attack activity and operational risk.

SSRF
NVD Exploit-DB
CVSS 4.0
7.8
EPSS
0.1%
CVE-2025-45331 HIGH POC PATCH This Week

CVE-2025-45331 is a Null Pointer Dereference (NPD) vulnerability in brplot v420.69.1's br_dagens_handle_once function that causes denial of service through segmentation faults and program crashes. The vulnerability is remotely exploitable without authentication or user interaction (CVSS 7.5), making it a high-availability risk for any system processing brplot data. While KEV status and active exploitation data are not provided, the network-accessible attack vector and high availability impact suggest this warrants prioritization for patched deployments.

Denial Of Service Brplot
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-48705 HIGH POC This Week

CVE-2025-48705 is a NULL pointer dereference vulnerability in COROS PACE 3 smartwatch (versions 3.0 through 3.0808.0) that allows unauthenticated remote attackers to trigger a device reboot by sending a specially crafted Bluetooth Low Energy (BLE) message. The vulnerability results in denial of service with no additional privileges required, affecting the availability of the device. Given the CVSS 7.5 score and remote/network attack vector over BLE, this poses a significant nuisance risk to users, though impact is limited to device unavailability rather than data compromise.

Denial Of Service Coros Pace 3 Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-6364 HIGH POC This Week

A SQL injection vulnerability in A vulnerability (CVSS 7.3). Risk factors: public PoC available.

PHP SQLi Simple Pizza Ordering System
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-6363 HIGH POC This Week

CVE-2025-6363 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, specifically in the /adding-exec.php file where the 'ingname' parameter is improperly sanitized. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of database records. With a CVSS score of 7.3 and network-based attack vector requiring no user interaction, this vulnerability poses significant risk to affected deployments, though real-world exploitation likelihood depends on whether POC code and active exploitation attempts are documented.

PHP SQLi Simple Pizza Ordering System RCE
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-6362 HIGH POC This Week

CVE-2025-6362 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, specifically in the /editpro.php file where the ID parameter is improperly validated. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or system compromise. The vulnerability has a CVSS score of 7.3 (High) and requires no user interaction or authentication, making it a significant risk for deployments of this application.

PHP SQLi Simple Pizza Ordering System
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-6361 HIGH POC This Week

CVE-2025-6361 is a critical SQL injection vulnerability in code-projects Simple Pizza Ordering System version 1.0, affecting the /adds.php file's userid parameter. An unauthenticated remote attacker can exploit this vulnerability without user interaction to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of the application database. The vulnerability has a CVSS score of 7.3 (High) and represents an immediate risk to any organization running this unpatched system in production.

PHP SQLi Simple Pizza Ordering System
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-6334 HIGH This Week

CVE-2025-6334 is a critical stack-based buffer overflow vulnerability in D-Link DIR-867 1.0 routers, affecting the Query String Handler's strncpy function implementation. Remote attackers with low privileges can exploit this vulnerability to achieve complete system compromise including confidentiality, integrity, and availability breaches. The vulnerability has documented public exploits available, affects end-of-life hardware no longer receiving vendor support, and carries a high CVSS 3.1 score of 8.8.

Buffer Overflow D-Link RCE Dir 867 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-52825 HIGH This Week

A privilege escalation vulnerability in Rameez Iqbal Real Estate Manager allows Privilege Escalation (CVSS 8.8). High severity vulnerability requiring prompt remediation.

CSRF Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-2443 HIGH PATCH This Week

A security vulnerability in all (CVSS 8.7) that allows for cross-site-scripting attack and content security policy bypass. High severity vulnerability requiring prompt remediation.

Gitlab Authentication Bypass
NVD
CVSS 3.1
8.7
EPSS
0.1%
CVE-2025-52822 HIGH This Week

CVE-2025-52822 is an SQL injection vulnerability in Iqonic Design's WP Roadmap WordPress plugin (versions up to 2.1.3) that allows authenticated attackers to execute arbitrary SQL commands. An attacker with user-level privileges can exploit this via network access without user interaction to read sensitive database contents and cause denial of service. The vulnerability has not been confirmed as actively exploited in the wild, but the high CVSS score (8.5) and low attack complexity indicate this should be treated as a priority for affected WordPress installations.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-52821 HIGH This Week

CVE-2025-52821 is a SQL Injection vulnerability in thanhtungtnt Video List Manager versions up to 1.7 that allows authenticated attackers to execute arbitrary SQL commands. The vulnerability has a CVSS score of 8.5 with high confidentiality impact and cross-site scope implications, meaning successful exploitation could lead to unauthorized data access and potential lateral movement within affected systems. While the attack requires valid credentials (PR:L), the network accessibility and low attack complexity make this a significant risk for organizations using this plugin.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-5121 HIGH PATCH CERT-EU This Week

GitLab CE/EE contains a missing authorization check (CWE-862) in its compliance frameworks feature that allows authenticated users with limited privileges to apply compliance frameworks to projects outside the intended scope of the framework's group, potentially affecting confidentiality, integrity, and availability. This vulnerability affects GitLab versions 17.11 before 17.11.4 and 18.0 before 18.0.2. The CVSS 8.5 score reflects high severity due to the scope change and multiple impact categories, though exploitation requires low-level user authentication and higher-than-typical attack complexity.

Gitlab Privilege Escalation
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-48945 HIGH PATCH This Week

pycares versions prior to 4.9.0 contain a use-after-free vulnerability (CWE-416) in the Channel object that crashes the Python interpreter when garbage collection occurs during pending DNS queries. This denial-of-service vulnerability affects any application using pycares for asynchronous DNS resolution; attackers can trigger interpreter crashes by manipulating DNS query timing, though no active exploitation or public POC is documented. The CVSS 8.2 score reflects high availability impact, but real-world exploitability is limited by the requirement for application-level DNS query patterns and Python garbage collection timing.

Use After Free Python Denial Of Service Red Hat Suse
NVD GitHub
CVSS 4.0
8.2
EPSS
0.1%
CVE-2025-47771 HIGH PATCH This Week

PowSyBl versions 6.3.0 through 6.7.1 contain an unsafe deserialization vulnerability in the SparseMatrix.read() method that allows remote attackers to achieve arbitrary code execution and privilege escalation without authentication or user interaction. The vulnerability affects the powsybl-math library, a core component of the Power System Blocks framework used in power grid management software. Exploitation requires only network access to an application exposing the vulnerable deserialization method.

Deserialization
NVD GitHub
CVSS 4.0
8.1
EPSS
0.2%
CVE-2025-3319 HIGH This Week

CVE-2025-3319 is an authentication bypass vulnerability in IBM Spectrum Protect Server versions 8.1 through 8.1.26 caused by improper session authentication mechanisms. This flaw allows unauthenticated network attackers to bypass authentication and gain unauthorized access to protected resources, potentially compromising backup and recovery infrastructure. With a CVSS score of 8.1 (High) and network-based attack vector, this vulnerability poses significant risk to organizations relying on Spectrum Protect for data protection.

IBM Authentication Bypass Spectrum Protect Server
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-49715 HIGH This Week

CVE-2025-49715 is a private personal information disclosure vulnerability in Microsoft Dynamics 365 FastTrack Implementation Assets that allows unauthenticated network-based attackers to access sensitive user data without any user interaction. The vulnerability has a CVSS score of 7.5 (High) with confirmed high confidentiality impact, and affects organizations using Dynamics 365 FastTrack resources. Given the network-accessible nature and lack of authentication requirements, this poses significant risk to enterprise customer data security.

Information Disclosure Microsoft Dynamics 365
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-52715 HIGH This Week

CVE-2025-52715 is a PHP Local File Inclusion (LFI) vulnerability in RadiusTheme's Classified Listing plugin that allows authenticated attackers to include and execute arbitrary local files through improper filename validation in PHP include/require statements. The vulnerability affects Classified Listing versions up to 4.2.0, and while the CVSS score of 7.5 indicates high severity, exploitation requires local authentication and non-standard attack complexity, suggesting moderate real-world risk absent evidence of active exploitation or public proof-of-concept.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-52708 HIGH This Week

CVE-2025-52708 is a PHP Local File Inclusion (LFI) vulnerability in RealMag777 HUSKY versions up to 1.3.7, stemming from improper control of filenames in include/require statements. An authenticated attacker with low-to-medium privilege requirements can exploit this remotely to read arbitrary files from the server filesystem, potentially leading to information disclosure, code execution, or system compromise. The CVSS 7.5 score and requirement for authenticated access (PR:L) suggest moderate real-world risk; active exploitation status and POC availability are not confirmed from available data, but the vulnerability class (CWE-98 RFI/LFI) is historically high-value for attackers.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-52802 HIGH This Week

CVE-2025-52802 is a security vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-44203 HIGH PATCH This Week

CVE-2025-44203 is a critical information disclosure vulnerability in HotelDruid 3.0.7 that allows unauthenticated attackers to extract sensitive database credentials (administrator username, password hash, and salt) through verbose SQL error messages on the creadb.php endpoint. The vulnerability can also cause denial of service conditions that lock administrators out of the system. With a CVSS score of 7.5 and no authentication required, this poses an immediate threat to unpatched HotelDruid installations.

PHP Denial Of Service Hoteldruid Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-4102 HIGH This Week

The Beaver Builder Plugin (Starter Version) for WordPress contains an arbitrary file upload vulnerability in the 'save_enabled_icons' function due to missing file type validation, affecting all versions up to and including 2.9.1. Authenticated attackers with Administrator-level access can upload arbitrary files to the server, potentially enabling remote code execution. The vulnerability was only partially patched in version 2.9.1, indicating residual risk in the latest release.

WordPress RCE PHP Privilege Escalation Beaver Builder
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2025-52782 HIGH This Week

CVE-2025-52782 is a Reflected Cross-Site Scripting (XSS) vulnerability in King Rayhan Scroll UP WordPress plugin versions through 2.0 that allows unauthenticated attackers to inject malicious scripts into web pages viewed by users. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector requiring user interaction; attackers can steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. KEV status and active exploitation data were not provided in available intelligence sources, though the reflected XSS nature suggests moderate real-world exploitability.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49873 HIGH This Week

CVE-2025-49873 is a Reflected Cross-Site Scripting (XSS) vulnerability in NasaTheme's Elessi WordPress theme that allows unauthenticated attackers to inject malicious scripts into web pages viewed by victims. Versions up to and including 6.3.9 are affected. An attacker can steal session cookies, perform actions on behalf of users, or redirect users to malicious sites with minimal complexity (network-accessible input, user interaction required). The vulnerability lacks confirmed EPSS data and KEV listing at this time, but the CVSS 7.1 score and reflected XSS nature indicate moderate-to-high priority.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52794 HIGH This Week

CVE-2025-52794 is a Cross-Site Request Forgery (CSRF) vulnerability in Creative-Solutions Creative Contact Form (versions up to 1.0.0) that enables Stored XSS attacks. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads through contact form submissions, affecting any user who views the contaminated form data. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector and low attack complexity, making it readily exploitable in typical web deployments.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52793 HIGH This Week

CVE-2025-52793 is a Cross-Site Request Forgery (CSRF) vulnerability in Esselink.nu Settings that enables reflected Cross-Site Scripting (XSS) attacks. The vulnerability affects Esselink.nu Settings versions up to and including 2.94, allowing unauthenticated remote attackers to perform actions on behalf of users and inject malicious scripts with minimal user interaction. With a CVSS score of 7.1 and network-based attack vector, this vulnerability poses a moderate-to-significant risk to affected installations, particularly if actively exploited or if public proof-of-concept code becomes available.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52792 HIGH This Week

CVE-2025-52792 is a Cross-Site Request Forgery (CSRF) vulnerability in the vgstef WP User Stylesheet Switcher WordPress plugin (versions up to v2.2.0) that enables Stored XSS attacks. An unauthenticated attacker can exploit this via a simple network request with user interaction to inject malicious scripts that execute in victims' browsers, potentially compromising user sessions and data. The vulnerability has not been confirmed as actively exploited in the wild, though the high CVSS score (7.1) and network-accessible attack vector indicate practical exploitability.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52791 HIGH This Week

CVE-2025-52791 is a CSRF vulnerability in devfelixmoira Knowledge Base Maker (versions up to 1.1.8) that enables Stored XSS attacks, allowing unauthenticated remote attackers to inject malicious scripts that persist and execute in users' browsers. The vulnerability requires user interaction (clicking a malicious link) but can affect multiple users through stored payloads, with a CVSS score of 7.1 indicating medium-high severity. No KEV listing or confirmed EPSS data is available in public sources, and patch availability status requires verification with the vendor.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52790 HIGH This Week

CVE-2025-52790 is a CSRF vulnerability in the r-win WP-DownloadCounter WordPress plugin (versions through 1.01) that enables Stored XSS attacks. An attacker can craft malicious requests that, when clicked by an administrator, inject persistent JavaScript into the plugin's data storage, affecting all site visitors. The CVSS 7.1 score reflects moderate severity with network-based attack delivery and user interaction requirements, though the actual exploitability and active exploitation status require verification against KEV and EPSS data.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52789 HIGH This Week

A cross-site scripting vulnerability in George Lewe Lewe ChordPress allows Stored XSS (CVSS 7.1). High severity vulnerability requiring prompt remediation.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52784 HIGH This Week

CVE-2025-52784 is a Cross-Site Request Forgery (CSRF) vulnerability in hideoguchi Bluff Post that enables Stored XSS attacks, affecting versions through 1.1.1. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads that execute in victims' browsers when they view affected content, potentially leading to session hijacking, credential theft, or defacement. The vulnerability has a CVSS score of 7.1 (High) with network-based attack vector and low complexity, indicating moderate real-world risk.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52783 HIGH This Week

A remote code execution vulnerability in themelocation Change Cart button Colors WooCommerce allows Stored XSS (CVSS 7.1). High severity vulnerability requiring prompt remediation.

WordPress CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52781 HIGH This Week

CVE-2025-52781 is a Cross-Site Request Forgery (CSRF) vulnerability in Beee TinyNav versions up to 1.4 that enables Stored XSS attacks. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads into the application, which are then executed in the browsers of other users who interact with the compromised content. With a CVSS score of 7.1 and network-based attack vector requiring only user interaction, this vulnerability poses a moderate-to-significant risk to affected deployments, particularly if actively exploited in the wild or publicly disclosed with proof-of-concept code.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy