Skip to main content
CVE-2025-55848 HIGH POC This Week

An issue was discovered in DIR-823 firmware 20250416. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection D-Link Dir 823x Firmware
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-55847 HIGH POC This Week

Wavlink M86X3A_V240730 contains a buffer overflow vulnerability in the /cgi-bin/ExportAllSettings.cgi file. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Buffer Overflow RCE Wl Wn586X3A Firmware
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-45994 HIGH POC This Week

An issue in Aranda PassRecovery v1.0 allows attackers to enumerate valid user accounts in Active Directory via sending a crafted POST request to /user/existdirectory/1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Passrecovery
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-57692 MEDIUM POC This Month

PiranhaCMS 12.0 allows stored XSS in the Text content block of Standard and Standard Archive Pages via /manager/pages, enabling execution of arbitrary JavaScript in another user s browser. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Piranha Cms
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-56463 MEDIUM POC This Month

Mercusys MW305R 3.30 and below is has a Transport Layer Security (TLS) certificate private key disclosure. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Mw305R Firmware
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-58384 CRITICAL Act Now

In DOXENSE WATCHDOC before 6.1.1.5332, Deserialization of Untrusted Data can lead to remote code execution through the .NET Remoting library in the Watchdoc administration interface. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization
NVD
CVSS 3.1
10.0
EPSS
1.3%
CVE-2025-60219 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in HaruTheme WooCommerce Designer Pro allows Upload a Web Shell to a Web Server.9.24. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress File Upload
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-9985 MEDIUM POC This Month

The Featured Image from URL (FIFU) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.7 through publicly exposed log files. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure PHP
NVD
CVSS 3.1
5.3
EPSS
2.6%
CVE-2025-60156 CRITICAL Act Now

Cross-Site Request Forgery (CSRF) vulnerability in webandprint AR For WordPress allows Upload a Web Shell to a Web Server.98. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2025-11046 MEDIUM POC This Month

A security flaw has been discovered in Tencent WeKnora 0.1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-11028 MEDIUM POC This Month

A security flaw has been discovered in givanz Vvveb up to 1.0.7.2. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Vvveb
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-11033 MEDIUM POC This Month

A vulnerability has been found in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-11037 MEDIUM POC This Month

A security flaw has been discovered in code-projects E-Commerce Website 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-11036 MEDIUM POC This Month

A vulnerability was identified in code-projects E-Commerce Website 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-11039 MEDIUM POC This Month

A security vulnerability has been detected in Campcodes Computer Sales and Inventory System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-11040 MEDIUM POC This Month

A vulnerability was detected in code-projects Hostel Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-11032 MEDIUM POC This Month

A flaw has been found in kidaze CourseSelectionSystem up to 42cd892b40a18d50bd4ed1905fa89f939173a464.php. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-60126 HIGH This Week

Local File Inclusion in Testimonial Slider WordPress plugin allows authenticated attackers with low-level privileges to include and execute arbitrary PHP files on the server, potentially leading to remote code execution, information disclosure, or complete site compromise. All versions through 3.5.8.6 are affected. The vulnerability requires only low-privilege authentication (PR:L) and has network attack vector (AV:N) with low complexity (AC:L), making it readily exploitable by registered users. EPSS score of 0.14% indicates low predicted exploitation probability in the wild, and no active exploitation or public POC has been identified at time of analysis.

LFI PHP Information Disclosure
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-60111 HIGH This Week

CSRF vulnerability in Javo Core WordPress plugin (versions up to 3.0.0.266) enables attackers to bypass authentication controls and execute high-impact unauthorized actions. Despite an 8.8 CVSS score indicating critical severity across confidentiality, integrity, and availability, the 2% EPSS score (6th percentile) suggests minimal real-world exploitation activity. No active exploitation confirmed (not listed in CISA KEV). The vulnerability requires user interaction - attackers must trick authenticated administrators into visiting a malicious site or clicking a crafted link while logged into WordPress.

Authentication Bypass CSRF
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-60118 HIGH This Week

SQL injection in PGS Core WordPress plugin through version 5.9.0 allows authenticated attackers with low privileges to extract sensitive database contents and potentially degrade system availability. The vulnerability features low attack complexity and crosses scope boundaries (CVSS S:C), enabling lateral movement beyond the plugin's intended access boundaries. EPSS exploitation probability is minimal (0.03%, 10th percentile) and no active exploitation or public exploit code has been identified, suggesting this remains a disclosure-phase vulnerability requiring authenticated access.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-60110 HIGH This Week

SQL injection in AllInOne - Banner Rotator WordPress plugin (versions through 3.8) allows authenticated low-privilege users to execute arbitrary SQL queries with scope-changing impact on confidentiality and availability. The vulnerability requires only low-privilege authentication (PR:L) with network access and low attack complexity, enabling unauthorized database access and potential information disclosure from the WordPress installation. EPSS score of 0.03% (10th percentile) suggests low probability of mass exploitation, though the scope change (S:C) indicates impact beyond the vulnerable component. No public exploit identified at time of analysis.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-60109 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup LambertGroup - AllInOne - Content Slider allows Blind SQL Injection.8. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-60108 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup LambertGroup - AllInOne - Banner with Thumbnails allows Blind SQL Injection.8. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-60107 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup LambertGroup - AllInOne - Banner with Playlist allows Blind SQL Injection.8. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-59002 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in SeaTheme BM Content Builder allows Path Traversal. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-9958 HIGH This Week

An issue has been discovered in GitLab CE/EE affecting all versions from 14.10 before 18.2.7, 18.3 before 18.3.3, and 18.4 before 18.4.1, that could have allowed Guest users to access sensitive. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Gitlab Information Disclosure
NVD
CVSS 3.1
7.7
EPSS
0.0%
CVE-2025-60153 HIGH This Week

Local file inclusion in Subscribe To Unlock WordPress plugin versions up to 1.1.5 allows authenticated attackers with low privileges to include and execute arbitrary PHP files on the server, potentially leading to remote code execution, sensitive data disclosure, or full site compromise. EPSS score of 0.11% (29th percentile) indicates low probability of mass exploitation. No public exploit code or active exploitation confirmed at time of analysis.

LFI PHP Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-60150 HIGH This Week

Local file inclusion in Subscribe to Download WordPress plugin versions up to 2.0.9 allows authenticated attackers with low privileges to read arbitrary files on the server via manipulated PHP include paths. EPSS exploitation probability is low at 0.11% (29th percentile), and no active exploitation is confirmed in CISA KEV. The vulnerability requires authentication (PR:L) and high attack complexity (AC:H), limiting widespread exploitation risk despite the 7.5 CVSS score. Patchstack has documented this vulnerability, suggesting detection signatures exist for web application firewalls.

LFI PHP Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-11021 HIGH PATCH This Week

A flaw was found in the cookie date handling logic of the libsoup HTTP library, widely used by GNOME and other applications for web communication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-59011 HIGH This Week

Missing Authorization vulnerability in shinetheme Traveler allows Exploiting Incorrectly Configured Access Control Security Levels. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-36274 HIGH PATCH This Week

IBM Aspera HTTP Gateway 2.0.0 through 2.3.1 stores sensitive information in clear text in easily obtainable files which can be read by an unauthenticated user. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Information Disclosure Aspera Http Gateway
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-59010 HIGH This Week

Insertion of Sensitive Information Into Sent Data vulnerability in Maciej Bis Permalink Manager Lite allows Retrieve Embedded Sensitive Data.5.1.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-59012 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shinetheme Traveler allows Reflected XSS. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-4957 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss ProfileGrid allows Reflected XSS.9.5.7. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-48107 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in undsgn Uncode allows Reflected XSS. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-60173 HIGH This Week

Cross-Site Request Forgery in GST for WooCommerce WordPress plugin versions ≤2.0 enables attackers to execute stored XSS attacks by tricking authenticated administrators into performing malicious actions. The vulnerability allows remote attackers to bypass authorization controls and inject persistent malicious scripts without authentication, though successful exploitation requires user interaction. EPSS score of 0.01% (3rd percentile) indicates very low observed exploitation probability in the wild, with no CISA KEV listing or confirmed active exploitation at time of analysis.

WordPress CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-60172 HIGH This Week

CSRF vulnerability in Flytedesk Digital WordPress plugin through version 20181101 enables stored cross-site scripting (XSS) attacks. Remote attackers can trick authenticated administrators into executing malicious requests that inject persistent JavaScript into the application, affecting site visitors. EPSS score of 0.01% indicates minimal observed exploitation activity, and no public exploit code or active exploitation has been identified at time of analysis.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-60171 HIGH This Week

Stored XSS in Conditional Cart Messages for WooCommerce (YourPlugins) through version 1.2.10 is exploitable via CSRF, allowing remote attackers to inject malicious scripts that execute in administrator contexts when victims are tricked into visiting crafted pages. The vulnerability chain requires user interaction but no authentication, enabling scope change (C) impacts across confidentiality, integrity, and availability. EPSS score of 0.01% (3rd percentile) indicates minimal observed exploitation activity, and no public exploit code or CISA KEV listing exists at time of analysis.

WordPress CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-60170 HIGH This Week

CSRF vulnerability in HTACCESS IP Blocker WordPress plugin enables stored XSS attacks against site administrators. Attackers can trick authenticated WordPress administrators into executing malicious actions that inject persistent JavaScript payloads through unprotected plugin endpoints. Affects all versions through 1.0. EPSS score of 0.01% (3rd percentile) suggests minimal observed exploitation attempts, though the attack requires only user interaction (UI:R) with no authentication barrier for the attacker. No active exploitation confirmed via CISA KEV at time of analysis.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-60169 HIGH This Week

Stored cross-site scripting can be injected into W3SCloud Contact Form 7 to Zoho CRM plugin for WordPress (versions through 3.0) via CSRF attack, allowing unauthenticated remote attackers to execute malicious JavaScript in administrator sessions when admins are tricked into visiting attacker-controlled pages. The vulnerability chains CSRF (CWE-352) with stored XSS, enabling privilege escalation from no access to stored administrative malicious code. EPSS score of 0.01% (3rd percentile) indicates minimal observed exploitation activity. No CISA KEV listing or public exploit code identified at time of analysis.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-60164 HIGH This Week

Cross-Site Request Forgery (CSRF) in NewsmanApp WordPress plugin versions up to 2.7.7 enables stored Cross-Site Scripting (XSS) attacks through unauthorized administrative actions. Attackers can trick authenticated administrators into executing malicious requests that inject persistent JavaScript payloads, leading to session hijacking, privilege escalation, or further compromise of WordPress sites. EPSS score of 0.01% (3rd percentile) indicates very low observed exploitation probability. No active exploitation confirmed in CISA KEV. Patchstack vulnerability database is the primary authoritative source for this disclosure.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-9267 HIGH This Week

In Seagate Toolkit on Windows a vulnerability exists in the Toolkit Installer prior to versions 2.35.0.6 where it attempts to load DLLs from the current working directory without validating their. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. No vendor patch available.

RCE Microsoft Windows
NVD GitHub
CVSS 4.0
7.0
EPSS
0.0%
CVE-2025-60114 MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in YayCommerce YayCurrency allows Code Injection.2. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-60098 MEDIUM This Month

Missing Authorization vulnerability in Jeff Farthing Theme My Login allows Exploiting Incorrectly Configured Access Control Security Levels.1.12. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-48326 MEDIUM This Month

Missing Authorization vulnerability in Acclectic Media Acclectic Media Organizer allows Exploiting Incorrectly Configured Access Control Security Levels.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-60163 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Robin W bbp topic count allows DOM-Based XSS.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-60162 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Job Board Manager allows DOM-Based XSS.1.61. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-60157 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in emarket-design WP Ticket Customer Service Software & Support Ticket System allows Stored XSS.0.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-60147 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Feed allows Stored XSS.3.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-60142 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DaganLev Simple Meta Tags allows DOM-Based XSS.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
Page 1 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy