Skip to main content
CVE-2025-14337 MEDIUM POC This Month

A vulnerability was determined in itsourcecode Student Management System 1.0. This affects an unknown part of the file /new_grade.php. This manipulation of the argument grade causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.

PHP SQLi Student Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-14336 MEDIUM POC This Month

A vulnerability was found in itsourcecode Student Management System 1.0. Affected by this issue is some unknown functionality of the file /promote.php. The manipulation of the argument sy results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.

PHP SQLi Student Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-14335 MEDIUM POC This Month

A vulnerability has been found in itsourcecode Student Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /new_school_year.php. The manipulation of the argument sy leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi Student Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-14334 MEDIUM POC This Month

A flaw has been found in itsourcecode Student Management System 1.0. Affected is an unknown function of the file /new_adviser.php. Executing manipulation of the argument Name can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used.

PHP SQLi Student Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-14285 MEDIUM POC This Month

A vulnerability was found in code-projects Employee Profile Management System 1.0. Affected is an unknown function of the file edit_personnel.php. The manipulation of the argument per_id results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used.

PHP SQLi Employee Profile Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-67586 MEDIUM POC This Month

Missing Authorization vulnerability in Ronald Huereca Highlight and Share highlight-and-share allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Highlight and Share: from n/a through <= 5.2.0.

Authentication Bypass
NVD Exploit-DB VulDB
CVSS 3.1
4.7
EPSS
1.7%
CVE-2025-67535 MEDIUM This Month

Deserialization of untrusted data in WP Maps WordPress plugin versions up to 4.8.6 allows high-privileged authenticated users to inject and instantiate arbitrary PHP objects, potentially leading to code execution or privilege escalation. While the CVSS score of 6.5 reflects high confidentiality and integrity impact, the requirement for administrator-level privileges (PR:H) and user interaction (UI:R) significantly constrains real-world exploitability. EPSS score of 0.04% indicates minimal observed exploitation likelihood despite the vulnerability's technical severity.

WordPress Deserialization Google
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-67541 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lester Chan WP-ShowHide wp-showhide allows Stored XSS.This issue affects WP-ShowHide: from n/a through <= 1.05.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-67548 MEDIUM This Month

Missing Authorization vulnerability in WP Delicious WP Delicious delicious-recipes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Delicious: from n/a through <= 1.9.1.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-63075 MEDIUM This Month

DOM-based cross-site scripting (XSS) in muffingroup Betheme WordPress theme versions up to 28.2 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and affects the confidentiality, integrity, and availability of affected installations; EPSS exploitation probability is low at 0.04%, and no public exploit code or active exploitation has been confirmed.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-63073 MEDIUM This Month

DOM-based cross-site scripting in Dream-Theme The7 WordPress theme versions before 12.9.0 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers via improperly sanitized input during web page generation. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting real-world exploitability despite a moderate CVSS score of 6.5. EPSS exploitation probability is low at 0.04th percentile, and no public exploit code or active exploitation has been reported.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-63055 MEDIUM This Month

Stored cross-site scripting (XSS) in Master Addons for Elementor through version 2.0.9.9.4 allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising administrator accounts or stealing sensitive data. The vulnerability requires user interaction (UI:R) and affects the plugin's input sanitization during web page generation. With an EPSS score of 0.04% and no confirmed active exploitation, this represents a lower real-world risk despite the moderate CVSS base score of 6.5.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-63052 MEDIUM This Month

Stored cross-site scripting (XSS) in SimpLy Gallery WordPress plugin (versions up to 3.3.2.1) allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially leading to session hijacking, credential theft, or site defacement. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability. No public exploit code or active exploitation has been confirmed; EPSS score of 0.04% indicates low real-world exploitation probability despite the moderate CVSS rating.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-62082 MEDIUM This Month

Stored cross-site scripting (XSS) in Generic Elements for Elementor plugin versions 1.2.9 and earlier allows authenticated users with limited privileges to inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction (clicking a malicious link) and affects WordPress installations using this plugin. EPSS exploitation probability is low at 0.04%, and no public exploit code or active exploitation has been identified.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-14331 MEDIUM PATCH This Month

Same-origin policy bypass in Firefox and Thunderbird request handling allows unauthenticated remote attackers to access sensitive information from cross-origin resources with low attack complexity and no user interaction required. The vulnerability affects Firefox versions below 146, Firefox ESR below 115.31 and 140.6, Thunderbird below 146, and Thunderbird ESR below 140.6. No public exploit code has been identified at time of analysis, and the EPSS score of 0.04% indicates low real-world exploitation probability despite the moderate CVSS rating.

Mozilla Authentication Bypass Thunderbird Red Hat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-63057 MEDIUM This Month

DOM-based cross-site scripting in WordPress plugin WP Ultimate Review versions ≤2.3.7 allows remote attackers to execute malicious JavaScript in victims' browsers via crafted input that is improperly sanitized during client-side page rendering. The vulnerability requires user interaction (CVSS UI:R) but no authentication (PR:N), enabling attacks via social engineering or malicious links. Exploitation probability is low (EPSS 0.04%, 14th percentile), with no public exploit identified at time of analysis and no confirmed active exploitation (not in CISA KEV).

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-62739 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in SaifuMak Add Custom Codes add-custom-codes allows Cross Site Request Forgery.This issue affects Add Custom Codes: from n/a through <= 4.80.

CSRF
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-63066 MEDIUM This Month

Stored cross-site scripting (XSS) in Porto Theme - Functionality plugin for WordPress allows authenticated users with low privileges to inject malicious scripts into web pages that execute in the browsers of other site visitors. The vulnerability affects Porto Theme - Functionality versions below 3.7.3 and has a low exploitation probability (EPSS 0.01%), but requires user interaction and authenticated access to exploit, limiting immediate risk to well-managed WordPress installations with access controls.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-63061 MEDIUM This Month

DOM-Based Cross-Site Scripting (XSS) in KALLYAS WordPress theme versions below 4.25.0 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users, potentially stealing session cookies, credentials, or performing unauthorized actions on their behalf. The vulnerability requires user interaction (clicking a malicious link) and affects the theme's web page generation routines. EPSS probability is 0.01% (very low), suggesting minimal real-world exploitation likelihood despite the moderate CVSS score of 6.5.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-61078 MEDIUM This Month

Stored or reflected cross-site scripting in phpIPAM v1.7.3 enables remote unauthenticated attackers to inject malicious JavaScript into the Request IP form via the `instructions` parameter, which is subsequently rendered in the admin-facing `/app/admin/instructions/edit-result.php` endpoint. When an authenticated administrator views the affected page, the injected script executes in their browser session, potentially enabling session token theft, credential harvesting, or unauthorized administrative actions. No public exploit identified at time of analysis, though a technical disclosure post exists at glitch0ne.com; EPSS of 0.22% at the 13th percentile confirms low opportunistic exploitation pressure.

XSS PHP Phpipam
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-67558 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jacques Malgrange Rencontre rencontre allows Stored XSS.This issue affects Rencontre: from n/a through <= 3.13.7.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-67557 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rhys Wynne WP eBay Product Feeds ebay-feeds-for-wordpress allows Stored XSS.This issue affects WP eBay Product Feeds: from n/a through <= 3.4.9.

WordPress XSS
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-67555 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in useStrict UseStrict&#039;s Calendly Embedder cal-embedder-lite allows Stored XSS.This issue affects UseStrict&#039;s Calendly Embedder: from n/a through <= 1.1.7.2.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-63033 MEDIUM This Month

Stored XSS in Make Section & Column Clickable For Elementor WordPress plugin (versions through 2.4) allows authenticated users with high privileges to inject malicious scripts that execute in other users' browsers. The vulnerability requires user interaction (UI:R) and affects site confidentiality, integrity, and availability with limited scope. EPSS score of 0.04% indicates low exploitation probability despite the presence of a public vulnerability disclosure.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-63011 MEDIUM This Month

DOM-based cross-site scripting (XSS) in ThimPress WP Hotel Booking plugin versions up to 2.2.8 allows authenticated users with high privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and high administrator privileges (PR:H), limiting its real-world impact despite a moderate CVSS score of 5.9. EPSS exploitation probability is very low at 0.04%, indicating minimal practical attack likelihood.

WordPress PHP XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2023-23729 MEDIUM This Month

Missing Authorization vulnerability in Brainstorm Force Spectra ultimate-addons-for-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels.3.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-67562 MEDIUM This Month

Missing Authorization vulnerability in WebCodingPlace Image Caption Hover Pro image-caption-hover-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Caption Hover Pro: from n/a through < 20.0.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-67560 MEDIUM This Month

Missing Authorization vulnerability in Webilia Inc. Listdom listdom allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Listdom: from n/a through <= 5.0.1.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-63024 MEDIUM This Month

Missing Authorization vulnerability in tychesoftwares Order Delivery Date for WooCommerce order-delivery-date-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Delivery Date for WooCommerce: from n/a through <= 4.3.1.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-67559 MEDIUM This Month

Missing Authorization vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.5.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-63034 MEDIUM This Month

Missing Authorization vulnerability in Steve Truman Page View Count page-views-count allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Page View Count: from n/a through <= 2.9.0.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-62999 MEDIUM This Month

Missing authorization in themezaa Litho Addons for WordPress (versions through 3.5) allows authenticated users to bypass access controls and gain unauthorized read/write access to sensitive data. The vulnerability stems from incorrectly configured access control security levels that fail to properly validate user permissions before exposing functionality. With an EPSS score of 0.04% and CVSS 5.4, exploitation requires valid authentication but no advanced attack complexity; this represents a moderate privilege escalation risk for multi-user WordPress installations.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-62086 MEDIUM This Month

Missing authorization in Яндекс Доставка (Boxberry) WordPress plugin version 2.34 and earlier allows authenticated users to access or modify resources they should not be permitted to via incorrectly configured access control. An attacker with valid credentials can exploit broken access control mechanisms to view or modify sensitive data without proper privilege validation, though the CVSS 5.4 score reflects limited direct impact (confidentiality and integrity), and the 0.04% EPSS score indicates low real-world exploitation probability.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-67561 MEDIUM This Month

Missing Authorization vulnerability in Oleksandr Lysyi Debug Log Viewer debug-log-viewer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Debug Log Viewer: from n/a through <= 2.0.3.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-6924 MEDIUM This Month

Reflected XSS in Talent Software's e-BAP Automation platform (versions before build 42957) allows unauthenticated remote attackers to inject and execute malicious scripts in a victim's browser by tricking them into clicking a crafted URL. The CVSS vector (PR:N/UI:R) confirms no attacker authentication is needed, but successful exploitation depends on social-engineering a valid application user. No active exploitation has been confirmed (not in CISA KEV) and EPSS sits at 0.02% (7th percentile), indicating low near-term exploitation probability.

XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-6923 MEDIUM This Month

Reflected cross-site scripting in Talent Software UNIS allows unauthenticated remote attackers to inject and execute malicious JavaScript in a victim's browser session. All UNIS versions prior to build 42957 are affected, as disclosed by Turkey's national CERT (USOM). No public exploit code or active exploitation has been identified at time of analysis, and the EPSS score of 0.02% (7th percentile) indicates very low observed exploitation probability.

XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-67467 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in StellarWP GiveWP give allows Cross Site Request Forgery.This issue affects GiveWP: from n/a through <= 4.13.1.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-62153 MEDIUM This Month

Missing Authorization vulnerability in Graham Quick Interest Slider quick-interest-slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quick Interest Slider: from n/a through <= 3.1.7.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-62151 MEDIUM This Month

Missing Authorization vulnerability in Virtuaria Virtuaria PagBank / PagSeguro para Woocommerce virtuaria-pagseguro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Virtuaria PagBank / PagSeguro para Woocommerce: from n/a through <= 3.6.3.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-63068 MEDIUM This Month

Improper HTML tag neutralization in sevenspark Contact Form 7 - Dynamic Text Extension through version 5.0.5 allows unauthenticated remote attackers to inject malicious scripts via a network-based attack with no user interaction required, resulting in confidentiality compromise through information disclosure. The vulnerability is classified as cross-site scripting (XSS) with low exploitability probability (EPSS 0.06%, percentile 18%), suggesting limited real-world attack incentive despite the network-accessible attack vector.

WordPress PHP XSS Code Injection
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-62152 MEDIUM This Month

Missing access control in ConveyThis WordPress plugin through version 269.2 allows authenticated users with low-level privileges to execute unauthorized actions with high confidentiality, integrity, and availability impact. The vulnerability stems from improper enforcement of authorization checks (CWE-862), enabling privilege escalation by exploiting misconfigured access control security levels. No public exploit identified at time of analysis, with EPSS score of 0.06% indicating low predicted exploitation probability.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-62109 MEDIUM This Month

Insertion of Sensitive Information Into Sent Data vulnerability in INFINITUM FORM Geo Controller cf-geoplugin allows Retrieve Embedded Sensitive Data.This issue affects Geo Controller: from n/a through <= 8.9.4.

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-67582 MEDIUM This Month

Missing Authorization vulnerability in wbcomdesigns Wbcom Designs lock-my-bp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wbcom Designs: from n/a through <= 2.1.1.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-67581 MEDIUM This Month

Missing Authorization vulnerability in themetechmount TrueBooker truebooker-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TrueBooker: from n/a through <= 1.1.0.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-67580 MEDIUM This Month

Missing Authorization vulnerability in Constant Contact Constant Contact + WooCommerce constant-contact-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Constant Contact + WooCommerce: from n/a through <= 2.4.1.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-67578 MEDIUM This Month

Missing Authorization vulnerability in Rhys Wynne WP Email Capture wp-email-capture allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Email Capture: from n/a through <= 3.12.4.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-67577 MEDIUM This Month

Missing Authorization vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Form Builder: from n/a through <= 3.8.20.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-67575 MEDIUM This Month

Missing Authorization vulnerability in Andrew Lima Sitewide Notice WP sitewide-notice-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sitewide Notice WP: from n/a through <= 2.4.1.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-67574 MEDIUM This Month

Missing Authorization vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking calendar, Appointment Booking System: from n/a through <= 3.2.30.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-67566 MEDIUM This Month

Missing Authorization vulnerability in WofficeIO Woffice Core woffice-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Woffice Core: from n/a through <= 5.4.30.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy