Skip to main content
CVE-2025-60729 MEDIUM POC This Month

Arbitrary file read in PerfreeBlog v4.0.11 allows unauthenticated remote attackers to read files outside the intended web root by bypassing path validation in the validThemeFilePath function. The vulnerability is network-exploitable with no authentication or user interaction required, and a public proof-of-concept is documented on GitHub. No active exploitation has been confirmed by CISA KEV, and the EPSS score of 0.33% suggests limited observed exploitation activity despite the POC's existence.

Buffer Overflow Perfreeblog
NVD GitHub
CVSS 3.1
5.3
EPSS
0.3%
CVE-2025-56438 MEDIUM This Month

The firmware update mechanism in Nous W3 Smart WiFi Camera v1.33.50.82 fails to verify the authenticity or integrity of update archives, enabling a physically proximate unauthenticated attacker to escalate privileges to root by inserting a crafted update.tar on a FAT32 SD card. Full device compromise (C:H/I:H/A:H) is achievable with no authentication and low attack complexity once physical access is obtained. No public exploit has been confirmed via CISA KEV, and the EPSS score of 0.14% (3rd percentile) reflects the limited exploitation probability imposed by the physical access prerequisite.

Privilege Escalation
NVD GitHub
CVSS 3.1
6.8
EPSS
0.1%
CVE-2025-10748 MEDIUM This Month

SQL injection in RapidResult WordPress plugin versions up to 1.2 allows authenticated attackers with contributor-level permissions to extract sensitive database information via insufficient escaping of the 's' parameter. The vulnerability affects all versions through 1.2 and requires valid WordPress account credentials, limiting exposure to sites where user registration is enabled or internal contributors exist.

WordPress SQLi
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-60419 MEDIUM This Month

Denial of service in the Realtek NDIS Usermode IO driver (RtkIOAC60.sys v6.0.5600.16348) on Windows allows a local authenticated attacker to crash or hang the driver by sending a specially crafted IOCTL request to the device. The root cause is uncontrolled resource consumption (CWE-400), meaning the driver fails to properly validate or bound input from the IOCTL, leading to availability loss. No public exploit code or active exploitation has been identified at time of analysis; EPSS sits at the 4th percentile, reflecting minimal observed scanning or exploitation activity.

Denial Of Service
NVD
CVSS 3.1
6.2
EPSS
0.1%
CVE-2025-10749 MEDIUM This Month

Arbitrary media deletion in Microsoft Azure Storage for WordPress plugin versions up to 4.5.1 allows authenticated subscribers and above to delete any media files from the WordPress Media Library due to missing capability checks on the 'azure-storage-media-replace' AJAX action. The vulnerability requires access to a nonce that is exposed to all authenticated users, enabling low-privilege attackers to perform unauthorized file deletion with no user interaction required. No public exploit code has been identified at the time of analysis.

WordPress Microsoft Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-10902 MEDIUM This Month

Originality.ai AI Checker plugin for WordPress allows authenticated attackers with Subscriber-level access to delete all scan result data from the wp_originalityai_log database table due to missing capability checks on the ai_scan_result_remove function in versions up to 1.0.15. The vulnerability enables unauthorized data loss affecting post titles, scan scores, and credit usage records; exploitation requires only standard WordPress authentication and no user interaction.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-10901 MEDIUM This Month

Originality.ai AI Checker WordPress plugin versions up to 1.0.16 allow authenticated Subscriber-level users to read sensitive data from the wp_originalityai_log database table due to missing capability checks on the 'ai_get_table' AJAX function. An attacker with basic WordPress account privileges can access post titles, scan scores, credit usage, and other logged information without authorization. No public exploit code or active exploitation has been confirmed at time of analysis.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy