Skip to main content
CVE-2025-60730 HIGH POC This Week

Arbitrary file deletion in PerfreeBlog 4.0.11 lets attackers remove files outside the intended theme directory by abusing the unInstallTheme theme-management function. Publicly available exploit code exists, though the flaw is not on CISA KEV and carries a low EPSS score (0.31%, 22nd percentile), indicating limited real-world exploitation to date. The CVSS 3.1 vector (PR:N/UI:R) implies an unauthenticated attacker who tricks an interacting user into triggering the deletion, consistent with a CSRF-style delivery against an administrator.

Information Disclosure Perfreeblog
NVD GitHub
CVSS 3.1
7.6
EPSS
0.3%
CVE-2025-12028 HIGH This Week

Cross-Site Request Forgery in WordPress IndieAuth plugin (all versions ≤4.5.4) enables unauthenticated attackers to force authenticated users to authorize malicious OAuth applications, leading to account takeover with full administrative privileges (create, update, delete scopes). Missing nonce validation on login_form_indieauth() and the /wp-login.php?action=indieauth authorization endpoint allows attackers to steal authorization codes and exchange them for access tokens. CVSS 8.8 (High) with network attack vector and low complexity. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis. Patch released in version 4.5.5.

WordPress Microsoft CSRF PHP
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-60735 HIGH This Week

Arbitrary file upload in PerfreeBlog 4.0.11 lets an authenticated user abuse the installPlugin function to upload malicious files, likely enabling web shell deployment and remote code execution on the blog server. A public technical write-up with proof-of-concept exists on GitHub, though the flaw is not listed in CISA KEV and carries a low EPSS score (0.28%, 20th percentile), indicating no confirmed widespread exploitation yet.

File Upload Perfreeblog
NVD GitHub
CVSS 3.1
7.6
EPSS
0.3%
CVE-2025-60731 HIGH This Week

Arbitrary file upload in PerfreeBlog v4.0.11 lets an authenticated attacker abuse the installTheme function to upload malicious files (e.g. a web shell), typically resulting in server-side code execution and full compromise of the blog host. The flaw is a classic unrestricted-upload issue (CWE-434) reachable over the network by a low-privileged authenticated user; publicly available exploit code exists in the form of a GitHub write-up, though EPSS exploitation probability remains low (0.28%, 20th percentile) and it is not listed in CISA KEV.

File Upload Perfreeblog
NVD GitHub
CVSS 3.1
7.6
EPSS
0.3%
CVE-2025-11145 HIGH This Week

Information disclosure in CBK Soft enVision before version 250566 allows remote unauthenticated attackers to perform account footprinting by observing response discrepancies, enabling enumeration of valid user accounts and exposure of private personal information. No public exploit identified at time of analysis, and EPSS scoring (0.04%, 14th percentile) indicates very low near-term exploitation probability despite the High CVSS rating of 7.5.

Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-11889 HIGH This Week

Arbitrary file upload in AIO Forms (WordPress plugin) through version 1.3.18 enables authenticated administrators to upload malicious files and execute arbitrary code on the server. The vulnerability stems from insufficient file type validation in the plugin's import functionality (CWE-434). While requiring administrator-level access (CVSS PR:H), this represents a privilege escalation risk in compromised or multi-admin environments and could enable persistent backdoor installation. No public exploit identified at time of analysis, and exploitation requires high-privilege credentials, limiting immediate mass-exploitation risk.

WordPress File Upload RCE
NVD
CVSS 3.1
7.2
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy