Skip to main content
CVE-2025-13138 HIGH POC THREAT Act Now

The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'columns_search' parameter of the select_2_ajax() function in all versions up to, and including, 1.4.3 due to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 17.3% and no vendor patch available.

WordPress SQLi PHP
NVD
CVSS 3.1
7.5
EPSS
17.3%
CVE-2025-66095 HIGH This Week

SQL injection in KiviCare clinic management WordPress plugin (versions ≤3.6.13) allows authenticated users with low privileges to extract sensitive database contents and potentially cause service disruption. The vulnerability exploits inadequate input sanitization in SQL queries, enabling attackers to inject malicious SQL commands. Reported by Patchstack's security audit team with an EPSS score of 0.04% (13th percentile), indicating low probability of mass exploitation but significant risk for targeted attacks against healthcare clinic deployments.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-66073 HIGH This Week

PHP object injection in WP Webhooks plugin versions through 3.3.8 allows authenticated administrators to execute arbitrary code through unsafe deserialization of untrusted data. Exploitation requires high-privilege WordPress admin access but achieves complete system compromise once triggered. EPSS score of 0.09% indicates low observed exploitation despite network-reachable attack vector, likely due to the elevated privilege requirement limiting real-world opportunities.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-65947 HIGH PATCH This Month

thread-amount is a tool that gets the amount of threads in the current process. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Apple Microsoft Windows
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-65946 HIGH PATCH This Month

Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Roo Code
NVD GitHub
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-65109 HIGH PATCH This Month

Minder is an open source software supply chain security platform. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 4.0
8.5
EPSS
0.1%
CVE-2025-65106 HIGH PATCH This Month

LangChain is a framework for building agents and LLM-powered applications. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Python Ssti Langchain AI / ML +1
NVD GitHub
CVSS 4.0
8.3
EPSS
0.1%
CVE-2025-65102 HIGH This Month

PJSIP is a free and open source multimedia communication library. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-11087 HIGH This Month

The Zegen Core plugin for WordPress is vulnerable to Cross-Site Request Forgery to Arbitrary File Upload in versions up to, and including, 2.0.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF WordPress File Upload RCE PHP
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-62626 HIGH PATCH This Month

Improper handling of insufficient entropy in the AMD CPUs could allow a local attacker to influence the values returned by the RDSEED instruction, potentially resulting in the consumption of. Rated high severity (CVSS 7.2), this vulnerability is low attack complexity.

Information Disclosure Amd Suse
NVD
CVSS 4.0
7.2
EPSS
0.0%
CVE-2025-30201 HIGH POC PATCH This Month

Wazuh is a free and open source platform used for threat prevention, detection, and response. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable. Public exploit code available.

RCE Privilege Escalation Wazuh
NVD GitHub
CVSS 3.1
7.7
EPSS
0.3%
CVE-2025-13132 HIGH This Month

This vulnerability allowed a site to enter fullscreen, after a user click, without a full-screen notification (toast) appearing. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-13470 HIGH PATCH This Month

In RNP version 0.18.0 a refactoring regression causes the symmetric session key used for Public-Key Encrypted Session Key (PKESK) packets to be left uninitialized except for zeroing, resulting in it. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Red Hat Suse
NVD GitHub
CVSS 4.0
7.7
EPSS
0.0%
CVE-2025-12973 HIGH This Month

The S2B AI Assistant - ChatBot, ChatGPT, OpenAI, Content & Image Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the storeFile() function. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload RCE WordPress PHP
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-13357 HIGH PATCH This Month

Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Hashicorp Terraform Provider Suse
NVD
CVSS 3.1
7.4
EPSS
0.1%
CVE-2025-66055 HIGH This Month

Deserialization of Untrusted Data vulnerability in Icegram Email Subscribers & Newsletters email-subscribers allows Object Injection.9.10. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-12160 HIGH This Month

The Simple User Registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpr_admin_msg' parameter in all versions up to, and including, 6.6 due to insufficient input. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-13156 HIGH This Month

The Vitepos - Point of Sale (POS) for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the insert_media_attachment() function in all. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload RCE WordPress PHP
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2025-13322 HIGH This Month

The WP AUDIO GALLERY plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 2.0. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress PHP RCE
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2025-13159 HIGH This Month

The Flo Forms - Easy Drag & Drop Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.0.43. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-12138 HIGH This Month

The URL Image Importer plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in all versions up to, and including, 1.0.6. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload PHP RCE WordPress
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-12135 HIGH This Month

The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'css_code' parameter in all versions up to, and including, 1.0.6 due to a missing capability check on the. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS PHP
NVD GitHub
CVSS 3.1
7.2
EPSS
0.3%
CVE-2025-11985 HIGH This Month

The Realty Portal plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'rp_save_property_settings'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-64695 HIGH This Month

Uncontrolled search path element issue exists in the installer of LogStare Collector (for Windows). Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Microsoft Logstare Collector Windows
NVD
CVSS 4.0
8.4
EPSS
0.0%
CVE-2025-13499 HIGH PATCH This Month

Kafka dissector crash in Wireshark 4.6.0 and 4.4.0 to 4.4.10 allows denial of service. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Denial Of Service Wireshark Red Hat Suse
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-64762 HIGH PATCH This Month

The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Authkit Nextjs
NVD GitHub
CVSS 4.0
8.0
EPSS
0.1%
CVE-2025-64755 HIGH PATCH This Month

Claude Code is an agentic coding tool. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Claude Code
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-62372 HIGH PATCH This Month

vLLM is an inference and serving engine for large language models (LLMs). Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Vllm Red Hat
NVD GitHub
CVSS 4.0
8.3
EPSS
0.1%
CVE-2025-62164 HIGH PATCH This Month

vLLM is an inference and serving engine for large language models (LLMs). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Buffer Overflow RCE Vllm Pytorch AI / ML +1
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy