Skip to main content
CVE-2025-60203 HIGH This Week

Local file inclusion in Store Exporter (WooCommerce plugin) through version 2.7.6 allows remote attackers with user interaction to read arbitrary files and potentially execute code via PHP file inclusion. Despite the 7.5 CVSS score, exploitation requires high attack complexity and user interaction, with an EPSS probability of only 0.08% (23rd percentile), indicating limited real-world exploitation likelihood. No active exploitation or public POC identified at time of analysis.

WordPress LFI PHP Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-60202 HIGH This Week

Local File Inclusion in WordPress Favorites plugin versions through 2.3.6 enables network-based attackers to read arbitrary files from the server's filesystem through crafted PHP include statements. Despite the CWE-98 classification suggesting remote file inclusion, the vulnerability title and tags confirm this is actually an LFI attack requiring user interaction (UI:R) and high attack complexity (AC:H). EPSS score of 0.08% (23rd percentile) indicates low probability of mass exploitation, and no active exploitation or public POC has been identified at time of analysis.

LFI PHP Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-60201 HIGH This Week

Local File Inclusion in WP Customer Area plugin version 8.2.7 and earlier allows remote attackers to read arbitrary files on the server through improper validation of file paths in PHP include/require statements. The attack requires high complexity and user interaction (CVSS AC:H/UI:R), limiting widespread exploitation. EPSS score of 0.08% indicates low observed exploitation probability. No active exploitation confirmed in CISA KEV, though Patchstack has cataloged this vulnerability in their WordPress security database.

LFI PHP Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-60200 HIGH This Week

Local file inclusion (LFI) in LearnPress Export Import plugin ≤4.0.9 allows remote attackers to read arbitrary files on the server through manipulated PHP include/require statements. Despite CVSS 7.5 severity, real-world risk appears moderate: attack complexity is HIGH (AC:H), requires user interaction (UI:R), and EPSS probability is low (0.08%, 23rd percentile). No active exploitation confirmed and no CISA KEV listing. Patchstack database documents this as an information disclosure vector via LFI, suggesting attackers can access sensitive configuration files, credentials, or application source code.

LFI PHP Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-60194 HIGH This Week

Local file inclusion in Premmerce Product Search for WooCommerce plugin versions ≤2.2.4 enables remote attackers to read arbitrary files on the server through improper filename control in PHP include/require statements. Exploitation requires high attack complexity and user interaction (AV:N/AC:H/UI:R), suggesting social engineering or specific application state needed to trigger the vulnerability. No active exploitation confirmed (EPSS 0.07%, not in CISA KEV), but represents significant risk for WordPress/WooCommerce sites running this plugin given potential exposure of sensitive configuration files, database credentials, and user data.

WordPress LFI PHP Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-60193 HIGH This Week

Local file inclusion in Premmerce User Roles WordPress plugin ≤1.0.13 allows remote attackers to read arbitrary files and potentially execute code via improper validation of include/require file paths. Attack requires high complexity and user interaction (CVSS AC:H/UI:R), limiting practical exploitation. EPSS score of 0.07% (22nd percentile) indicates very low observed exploitation probability in the wild. No CISA KEV listing or public POC identified. Patchstack security audit disclosed this vulnerability, affecting all versions up to 1.0.13.

LFI PHP Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-60192 HIGH This Week

Local File Inclusion in Premmerce Wholesale Pricing for WooCommerce plugin (versions ≤1.1.10) allows remote attackers to read arbitrary files and potentially execute PHP code through improper filename validation. Despite the CVSS 7.5 score, real-world risk is moderate: attack complexity is high (AC:H) and requires user interaction (UI:R), limiting opportunistic exploitation. EPSS score of 0.07% (22nd percentile) suggests low probability of widespread exploitation. No active exploitation confirmed (not in CISA KEV) and public exploit code has not been identified at time of analysis.

WordPress LFI PHP Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-60191 HIGH This Week

Local file inclusion in Premmerce Wishlist for WooCommerce plugin ≤1.1.10 enables network attackers to read arbitrary PHP files and potentially execute code through crafted include/require statements. The vulnerability requires high attack complexity and user interaction (CVSS AC:H/UI:R), limiting practical exploitability. EPSS score of 0.07% (22nd percentile) indicates low likelihood of mass exploitation, and no active exploitation is documented in CISA KEV. Patchstack has documented this vulnerability, suggesting security researcher disclosure rather than in-the-wild discovery.

WordPress LFI PHP Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-60074 HIGH This Week

Local file inclusion (LFI) in Lazy Load Optimizer WordPress plugin (versions through 1.4.7) allows remote unauthenticated attackers to read arbitrary files from the web server through improper PHP include/require statement handling. Despite the 7.5 CVSS score, exploitation requires high attack complexity and user interaction (AV:N/AC:H/PR:N/UI:R), limiting practical weaponization. EPSS score of 0.07% (22nd percentile) indicates very low probability of widespread exploitation. No active exploitation confirmed via CISA KEV, and no public exploit code identified at time of analysis.

LFI PHP Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-58629 HIGH This Week

Remote unauthenticated attackers can cause high-impact availability disruption in the Miraculous WordPress theme through arbitrary content deletion. The vulnerability allows exploitation of misconfigured access control in versions before 2.0.9, requiring no authentication or user interaction. EPSS score of 0.06% (18th percentile) indicates very low observed exploitation probability, with no public exploit code or CISA KEV listing at time of analysis. Despite CVSS 7.5 severity, the purely availability-focused impact (C:N/I:N/A:H) suggests this is a denial-of-service vector rather than a data breach risk.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-62066 HIGH This Week

Local file inclusion in Revolution theme versions before 2.5.8 allows authenticated attackers with low privileges to include and execute arbitrary PHP files on the server via manipulated file paths. The vulnerability exploits improper validation of file inclusion parameters, enabling remote code execution when combined with file upload or log poisoning. EPSS score of 0.05% suggests low probability of mass exploitation, and no public POC or active exploitation (non-KEV) is confirmed at time of analysis.

LFI PHP Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-62075 HIGH This Week

Local File Inclusion (LFI) in Simple Payment WordPress plugin versions ≤2.4.6 allows remote attackers to include and execute arbitrary local files via PHP file inclusion flaws. Attack requires high complexity (AC:H) and user interaction (UI:R), suggesting exploitation depends on specific conditions like attacker-controllable parameters combined with victim action. EPSS score of 0.04% (13th percentile) indicates low observed exploitation probability in the wild. No CISA KEV listing or public exploit code identified at time of analysis, limiting immediate threat surface despite 7.5 CVSS score.

LFI PHP Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-54722 HIGH This Week

Reflected Cross-Site Scripting (XSS) in WooTour plugin for WordPress versions up to 3.6.3 allows remote unauthenticated attackers to execute malicious JavaScript in victim browsers by tricking users into clicking crafted links. The vulnerability stems from improper neutralization of user input during web page generation. EPSS score of 0.08% indicates low likelihood of mass exploitation, and no active exploitation has been reported by CISA KEV at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-49394 HIGH This Week

Broken access control in WordPress Image Gallery block plugin (bPlugins 3d-image-gallery) versions ≤1.0.7 allows authenticated low-privilege users to bypass authorization checks and access administrative functions, enabling unauthorized modification of gallery settings (low integrity impact) or triggering denial of service conditions (high availability impact). Reported by Patchstack with 0.07% EPSS score, indicating minimal active exploitation probability. No active exploitation confirmed via CISA KEV.

Authentication Bypass
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-53573 HIGH This Week

Reflected cross-site scripting (XSS) in Epic Review WordPress plugin through version 1.0.2 allows remote attackers to execute malicious JavaScript in victim browsers when users click specially crafted links. The vulnerability stems from improper neutralization of user input during HTML generation. EPSS exploitation probability is low (0.07%, 21st percentile) with no public exploit code or active exploitation confirmed at time of analysis. WordPress site administrators should upgrade immediately as the network attack vector (AV:N) and changed scope (S:C) enable attacks across site boundaries.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-53585 HIGH This Week

Reflected cross-site scripting (XSS) in the WeMusic WordPress theme versions up to 1.9.1 allows remote attackers to execute arbitrary JavaScript in victims' browsers when they visit a specially crafted URL. The vulnerability requires user interaction (CVSS UI:R) but no authentication (PR:N), enabling attacks via social engineering such as phishing emails or malicious links. With EPSS exploitation probability of only 0.07% (20th percentile) and no CISA KEV listing, this represents a moderate theoretical risk but limited observed exploitation activity. Patchstack's reporting suggests responsible disclosure, though patch availability has not been independently confirmed.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-60244 HIGH This Week

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in RealMag777 TableOn posts-table-filterable allows Code Injection.0.4.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-53574 HIGH This Week

Reflected cross-site scripting (XSS) in Doliconnect WordPress plugin versions up to 9.3.2 allows remote attackers to execute arbitrary JavaScript in victims' browsers through malicious links. The vulnerability requires user interaction (clicking a crafted link) but needs no authentication, enabling session hijacking, credential theft, or malicious actions in the context of the victim's WordPress session. EPSS score of 0.05% indicates very low observed exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-53349 HIGH This Week

Reflected cross-site scripting (XSS) in Kalium WordPress theme versions through 3.18.3 enables remote attackers to inject malicious scripts into web pages viewed by victims. Exploitation requires user interaction (clicking a crafted link) but no authentication, with changed scope indicating potential session hijacking or actions on behalf of victims across the theme's context. EPSS score of 0.05% (17th percentile) suggests low observed exploitation activity. No active exploitation confirmed via CISA KEV or public exploit code at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-53286 HIGH This Week

Reflected cross-site scripting in Dropify wc-dropi-integration plugin (WordPress) through version 4.6.9 allows remote attackers to execute arbitrary JavaScript in victim browsers via maliciously crafted URLs. Attack requires user interaction (victim must click malicious link) but no authentication, enabling phishing campaigns and session hijacking. EPSS score of 0.05% (17th percentile) indicates low widespread exploitation probability, with no CISA KEV listing or public proof-of-concept identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-53239 HIGH This Week

Reflected cross-site scripting in User Registration Aide WordPress plugin versions through 1.5.3.8 allows remote attackers to execute arbitrary JavaScript in victims' browsers via crafted URLs. Users must click a malicious link to trigger the attack. EPSS score of 0.05% (17th percentile) indicates very low probability of exploitation in the wild, and no active exploitation or public exploits are confirmed. Patchstack security team identified this flaw, which carries CVSS 7.1 with changed scope, meaning successful exploitation impacts resources beyond the vulnerable component.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-52764 HIGH This Week

Reflected cross-site scripting in flexoslider WordPress plugin versions through 1.0004 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers when targets click a malicious link. Successful exploitation requires user interaction but no authentication. The vulnerability has a low EPSS score (0.05%, 17th percentile) indicating minimal observed exploitation activity in the wild, though the scope change in CVSS indicates potential for impact beyond the vulnerable component.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-49905 HIGH This Week

Reflected cross-site scripting in Range Slider Addon for Gravity Forms (versions ≤1.1.6) allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but no authentication. EPSS probability is low (0.05%, 17th percentile), and no active exploitation or public POC has been identified. This is a WordPress plugin affecting sites using Gravity Forms with the range slider extension.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-49904 HIGH This Week

Reflected cross-site scripting in Booking and Rental Manager for WooCommerce (versions 2.5.3 and earlier) allows unauthenticated remote attackers to inject malicious scripts into web page responses via user-supplied input. Successful exploitation requires victim interaction with a crafted link. EPSS score of 0.05% (17th percentile) suggests minimal current exploitation activity, and no CISA KEV listing or public exploit code has been identified. Changed scope (S:C) elevates risk beyond typical reflected XSS by enabling potential cross-domain attacks or WooCommerce session hijacking.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-53245 HIGH This Week

Stored cross-site scripting (XSS) in WP Logo Changer WordPress plugin versions 1.2 and earlier allows remote attackers to inject malicious scripts that execute in victim browsers. The vulnerability exploits improper input sanitization during web page generation, enabling attackers to inject persistent malicious code. EPSS indicates 0.05% exploitation probability (16th percentile), suggesting low opportunistic targeting risk. No active exploitation confirmed via CISA KEV at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-49390 HIGH This Week

Stored cross-site scripting in Cookie Notice & Consent plugin (versions ≤1.6.4) allows remote attackers to inject malicious JavaScript that executes in victim browsers. Exploitation requires user interaction to trigger the stored payload. EPSS score of 0.05% (16th percentile) suggests low probability of mass exploitation, though stored XSS often enables account takeover and privilege escalation in WordPress environments. No active exploitation (CISA KEV) or public POC identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-54711 HIGH This Week

Broken access control in Info Cards WordPress plugin 1.0.11 and earlier allows authenticated users to access administrative functions without proper authorization checks. Authenticated low-privilege users can exploit missing ACLs to perform unauthorized modifications or cause denial of service conditions. Reported by Patchstack audit team with authentication bypass classification. EPSS score of 0.05% (16th percentile) indicates low observed exploitation probability, with no CISA KEV listing or public exploit code identified at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-53316 HIGH This Week

Stored cross-site scripting in WP GDPR Cookie Consent plugin versions up to 1.0.0 can be triggered via cross-site request forgery (CSRF) attack, allowing remote attackers to inject malicious JavaScript into the WordPress site without authentication but requiring victim administrator interaction. The chained CSRF-to-XSS vulnerability enables attackers to execute JavaScript in administrator contexts, potentially leading to site takeover. EPSS probability is low (0.03%), no public exploit confirmed, and no known active exploitation at time of analysis.

XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-53324 HIGH This Week

Stored cross-site scripting (XSS) in Gutenify WordPress plugin versions through 1.5.7 allows remote attackers to inject malicious scripts into site content. Successfully exploited, attackers can execute arbitrary JavaScript in victim browsers when authenticated administrators or editors view the compromised content. EPSS exploitation probability is minimal (0.02%, 6th percentile), and no active exploitation or public POC is confirmed. While CVSS assigns high (7.1) severity due to changed scope, real-world risk is moderate given the requirement for user interaction and the narrow attack surface of a WordPress block editor plugin.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49909 HIGH This Week

Reflected cross-site scripting in Penci Bookmark & Follow WordPress plugin (versions before 2.4) allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction but no authentication, enabling attackers to steal session tokens, perform actions as the victim, or deliver phishing content. EPSS score of 0.02% (6th percentile) indicates low observed exploitation activity, with no CISA KEV listing or public exploit code identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-31029 HIGH This Week

Stored cross-site scripting in the replyMail WordPress plugin (versions ≤1.2.0) enables remote attackers to inject malicious scripts that execute in victims' browsers when viewing compromised pages. The changed scope (S:C) in the CVSS vector indicates the injected payload can affect resources beyond the vulnerable component's security scope, potentially compromising other WordPress users or administrators. EPSS score of 0.02% suggests low probability of mass exploitation, though the no-authentication requirement (PR:N) lowers the barrier for opportunistic attacks. Patchstack has documented this vulnerability but patch availability remains unconfirmed.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-48085 HIGH This Week

Cross-Site Request Forgery in Simple Stripe WordPress plugin versions through 0.9.17 enables attackers to execute stored cross-site scripting attacks. Remote unauthenticated attackers can trick authenticated administrators into submitting malicious requests that inject persistent JavaScript code into the site. EPSS exploitation probability is extremely low at 0.02% (4th percentile), indicating minimal real-world targeting to date. No active exploitation confirmed by CISA KEV, though the CSRF-to-XSS chain represents a realistic threat to WordPress sites using this payment plugin.

XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-48083 HIGH This Week

Cross-Site Request Forgery in WordPress wpNamedUsers plugin (versions ≤0.5) enables attackers to inject persistent malicious scripts by tricking authenticated administrators into submitting crafted requests. Patchstack identified this vulnerability chain where CSRF bypasses lack of request validation, allowing stored XSS payload injection into the WordPress database. With EPSS probability at 0.02% (4th percentile) and no CISA KEV listing, this represents a lower immediate exploitation risk despite the 7.1 CVSS score, though the changed scope (S:C) indicates potential cross-domain impact if exploited.

XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-48078 HIGH This Week

Cross-Site Request Forgery in the Slick Google Map WordPress plugin version 0.3 and earlier enables stored XSS attacks. An attacker can trick authenticated WordPress administrators into executing malicious requests that inject persistent JavaScript into the site, achieving cross-site scripting with changed scope impact. EPSS exploitation probability is low (0.02%, 4th percentile), and no public exploit or active exploitation has been identified at time of analysis.

Google XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-48077 HIGH This Week

Cross-site request forgery (CSRF) in Block Country WordPress plugin versions up to 1.0 enables attackers to trick authenticated administrators into executing malicious requests that inject stored XSS payloads. This chained vulnerability allows unauthenticated remote attackers to achieve persistent code execution in victim browsers by combining CSRF with stored cross-site scripting, requiring only that an admin interact with a crafted link or page. EPSS probability is minimal (0.02%, 4th percentile) with no active exploitation identified, but the attack chain is straightforward given user interaction occurs.

XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-53246 MEDIUM This Month

Missing Authorization vulnerability in Gaurav Aggarwal Backup and Move backup-and-move allows Exploiting Incorrectly Configured Access Control Security Levels.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-60247 MEDIUM This Month

Missing Authorization vulnerability in Bux Bux Woocommerce bux-woocommerce allows Accessing Functionality Not Properly Constrained by ACLs.2.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-49398 MEDIUM This Month

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Easy Appointments Easy Appointments easy-appointments allows Code Injection.12.14. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-62914 MEDIUM This Month

Missing Authorization vulnerability in anibalwainstein Effect Maker effect-maker allows Exploiting Incorrectly Configured Access Control Security Levels.2.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-62046 MEDIUM This Month

Missing Authorization vulnerability in CodexThemes TheGem Demo Import (for WPBakery) thegem-importer.10.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-58986 MEDIUM This Month

Missing Authorization vulnerability in ganddser Jock On Air Now (JOAN) joan allows Exploiting Incorrectly Configured Access Control Security Levels.0.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53214 MEDIUM This Month

Missing Authorization vulnerability in sertifier Sertifier Certificate & Badge Maker sertifier-certificates-open-badges allows Exploiting Incorrectly Configured Access Control Security Levels.21. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-62038 MEDIUM This Month

Insertion of Sensitive Information Into Sent Data vulnerability in Sovlix MeetingHub meetinghub allows Retrieve Embedded Sensitive Data.23.9. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-62049 MEDIUM This Month

Missing Authorization vulnerability in Stylemix Cost Calculator Builder cost-calculator-builder.5.32. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-62037 MEDIUM This Month

Missing Authorization vulnerability in uxper Togo togo.0.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-62033 MEDIUM This Month

Missing Authorization vulnerability in uxper Togo togo.0.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-10955 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Netcad Software Inc. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD VulDB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-48086 MEDIUM This Month

Deserialization of Untrusted Data vulnerability in wpdreams Ajax Search Lite ajax-search-lite allows Object Injection.13.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-62017 MEDIUM This Month

Missing Authorization vulnerability in hogash Kallyas kallyas.22.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-12815 MEDIUM This Month

An ownership verification issue in the Virtual Desktop preview page in the Research and Engineering Studio (RES) on AWS before version 2025.09 may allow an authenticated remote user to view another. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
Prev Page 2 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy