Skip to main content
CVE-2025-1031 HIGH This Week

Authorization bypass in Utarit Informatics SoliClub Android application versions 5.2.4 through 5.3.6 allows remote unauthenticated attackers to access or manipulate other users' data by tampering with user-controlled identifiers (IDOR). The flaw enables functionality misuse with high impact on confidentiality (CVSS 7.5), though no public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.04%.

Authentication Bypass Soliclub
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-1029 HIGH This Week

Hard-coded credentials in Utarit Information Services SoliClub Android app (versions 5.2.4 through 5.3.7) allow remote unauthenticated attackers to read sensitive constants embedded within the executable. The flaw was reported by Turkey's national CERT (USOM) and carries a CVSS 7.5 with high confidentiality impact but no integrity or availability effect; no public exploit identified at time of analysis and EPSS is very low at 0.04%.

Authentication Bypass Soliclub
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-1030 HIGH This Week

Information disclosure in Utarit Informatics SoliClub Android app versions 5.2.4 through 5.3.6 allows remote unauthenticated attackers to query the system and retrieve private personal information belonging to other users. The flaw stems from inadequate access controls on a query interface, and while CVSS rates it 7.5 (High), the EPSS probability of exploitation is very low (0.04%, 13th percentile) and no public exploit identified at time of analysis.

Authentication Bypass Soliclub
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-40898 HIGH This Week

Path traversal in Nozomi Networks CMC and Guardian allows authenticated users with limited privileges to write arbitrary files to any system location by uploading a malicious Arc data archive. This enables device configuration tampering and denial-of-service attacks. Attack requires low-privilege authentication but has high integrity and availability impact (CVSS 7.2). No public exploit identified at time of analysis, though the attack vector is straightforward for authenticated insiders or compromised accounts.

Path Traversal Cmc Guardian
NVD
CVSS 4.0
7.2
EPSS
0.1%
CVE-2025-64372 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shinetheme Traveler traveler allows Reflected XSS.This issue affects Traveler: from n/a through < 3.2.6.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-64189 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore Core et-core-plugin allows Reflected XSS.This issue affects XStore Core: from n/a through < 5.6.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-64378 HIGH This Week

Missing Authorization vulnerability in CridioStudio ListingPro listingpro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ListingPro: from n/a through < 2.9.10.

Authentication Bypass
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-60079 HIGH This Week

Missing Authorization vulnerability in bPlugins Parallax Section block parallax-section allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Parallax Section block: from n/a through <= 1.0.9.

Authentication Bypass
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-40892 HIGH This Week

Stored cross-site scripting in Nozomi Networks CMC and Guardian allows authenticated users with report privileges to inject malicious JavaScript payloads into report definitions. When victims view or import these weaponized reports, the XSS executes in their browser context, enabling attackers to modify application data, disrupt availability, and access sensitive information. The vulnerability requires low-privilege authentication and user interaction (CVSS:4.0 score 7.1, PR:L/UI:P), with high integrity and availability impacts but limited confidentiality exposure. No public exploit identified at time of analysis, though the attack technique is well-understood and straightforward given the stored XSS nature.

XSS Cmc Guardian
NVD
CVSS 4.0
7.1
EPSS
0.1%
CVE-2025-14739 MEDIUM This Month

Access of Uninitialized Pointer vulnerability in TP-Link WR940N and WR941ND allows local unauthenticated attackers the ability to execute DoS attack and potentially arbitrary code execution under the context of the ‘root’ user.This issue affects WR940N and WR941ND: ≤ WR940N v5 3.20.1 Build 200316, ≤ WR941ND v6 3.16.9 Build 151203.

Memory Corruption TP-Link RCE
NVD
CVSS 4.0
6.8
EPSS
0.0%
CVE-2025-54741 MEDIUM This Month

Missing Authorization vulnerability in Tyler Moore Super Blank super-blank allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Super Blank: from n/a through <= 1.2.0.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-64235 MEDIUM This Month

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AmentoTech Tuturn tuturn allows Path Traversal.This issue affects Tuturn: from n/a through < 3.6.

Path Traversal
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-60070 MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in The4 Molla molla allows Code Injection.This issue affects Molla: from n/a through <= 1.5.13.

RCE Code Injection
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-60068 MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in javothemes Javo Core javo-core allows Code Injection.This issue affects Javo Core: from n/a through <= 3.0.0.266.

RCE Code Injection
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-64225 MEDIUM This Month

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in colabrio Stockie Extra stockie-extra allows Code Injection.This issue affects Stockie Extra: from n/a through <= 1.2.11.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-66068 MEDIUM This Month

Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InstaWP Connect: from n/a through <= 0.1.1.9.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-64273 MEDIUM This Month

Missing Authorization vulnerability in GetResponse Email marketing for WordPress by GetResponse Official getresponse-official allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Email marketing for WordPress by GetResponse Official: from n/a through <= 1.5.3.

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-49902 MEDIUM This Month

Missing Authorization vulnerability in A WP Life Login Page Customizer &#8211; Customizer Login Page, Admin Page, Custom Design customizer-login-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Login Page Customizer &#8211; Customizer Login Page, Admin Page, Custom Design: from n/a through <= 2.1.1.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-49041 MEDIUM This Month

Missing Authorization vulnerability in The African Boss Get Cash get-cash allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Get Cash: from n/a through <= 3.2.3.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-64375 MEDIUM This Month

Missing Authorization vulnerability in Mahmudul Hasan Arif WP Social Ninja wp-social-reviews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Social Ninja: from n/a through <= 3.20.1.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-10019 MEDIUM This Month

Authorization Bypass Through User-Controlled Key vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form Email: from n/a through <= 1.3.60.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-66104 MEDIUM This Month

Missing Authorization vulnerability in Anton Vanyukov Offload, AI &amp; Optimize with Cloudflare Images cf-images allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Offload, AI &amp; Optimize with Cloudflare Images: from n/a through <= 1.9.5.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-66100 MEDIUM This Month

Missing Authorization vulnerability in Magnigenie RestroPress restropress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RestroPress: from n/a through <= 3.2.3.5.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-63039 MEDIUM This Month

Missing Authorization vulnerability in CridioStudio ListingPro listingpro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ListingPro: from n/a through <= 2.9.9.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-64355 MEDIUM This Month

DOM-based cross-site scripting (XSS) in Crocoblock JetElements For Elementor plugin versions up to 2.7.12 allows attackers to inject malicious scripts into web pages through improper input neutralization during page generation. The vulnerability affects WordPress sites using this Elementor page builder extension and can enable session hijacking, credential theft, or malware distribution against site visitors. EPSS exploitation probability is low at 0.04%, but the attack vector is likely network-based requiring no authentication.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-66058 MEDIUM This Month

Missing authorization in PickPlugins Post Grid and Gutenberg Blocks WordPress plugin (versions through 2.3.17) allows attackers to bypass access control restrictions and exploit incorrectly configured security levels, potentially enabling unauthorized access to protected content or administrative functions. The vulnerability stems from broken access control (CWE-862) with no public exploit code confirmed at time of analysis, though EPSS scoring of 0.04% suggests minimal real-world exploitation probability despite the authorization flaw.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-14744 MEDIUM This Month

Unicode right-to-left override (RTLO) characters in malicious websites can spoof filenames displayed in Firefox for iOS downloads UI, potentially tricking users into saving files with misleading extensions and types. Affects Firefox for iOS versions prior to 144.0; requires user interaction to download a file. The vulnerability has low real-world exploitation probability (EPSS 0.04%) despite the moderate CVSS score, as it relies on social engineering and user inattention rather than automatic code execution.

Mozilla Information Disclosure Apple
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-14856 LOW POC Monitor

Code injection in RuoYi up to version 4.8.1 via the /monitor/cache/getnames endpoint allows authenticated remote attackers to inject arbitrary code through the fragment parameter with low impact to confidentiality, integrity, and availability. The vulnerability requires valid user authentication (PR:L per CVSS 4.0 vector) and has publicly available exploit code, though EPSS scoring at 0.08% percentile (22nd percentile) indicates low real-world exploitation probability despite public disclosure.

Information Disclosure Ruoyi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-14885 LOW POC Monitor

Unrestricted file upload in SourceCodester Client Database Management System 1.0 via the /user_leads.php endpoint in the Leads Generation Module allows authenticated remote attackers to upload arbitrary files. The vulnerability requires valid user credentials (PR:L in CVSS v4.0) but carries low confidentiality, integrity, and availability impact per the vector. Public exploit code exists, and EPSS score of 0.06% suggests minimal real-world exploitation despite public availability, likely due to the authenticated requirement limiting attack surface.

PHP Authentication Bypass File Upload Client Database Management System
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-14889 LOW POC Monitor

Improper authorization in Campcodes Advanced Voting Management System 1.0 allows authenticated remote attackers to manipulate the ID parameter in /admin/voters_edit.php, resulting in unauthorized modification of voter passwords. The vulnerability affects the Password Handler component and requires valid user credentials to exploit, limiting real-world risk despite public exploit availability. EPSS exploitation probability is low at 0.06 percentile, suggesting this flaw targets specific administrative scenarios rather than representing widespread attack potential.

PHP Information Disclosure Advanced Voting Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-14837 LOW POC Monitor

Code injection in ZZCMS 2025 Backend Website Settings Module allows authenticated remote attackers to inject arbitrary code via the icp parameter in the stripfxg function (/admin/siteconfig.php), with limited confidentiality impact. Public exploit code is available, but exploitation requires high-privilege administrative access, significantly limiting practical attack surface despite network-accessible vector.

PHP Information Disclosure Zzcms
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-49918 MEDIUM This Month

Insertion of Sensitive Information Into Sent Data vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Retrieve Embedded Sensitive Data.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.2.

Information Disclosure
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-49919 MEDIUM This Month

DigitalME eRoom eroom-zoom-meetings-webinar plugin through version 1.5.6 exposes sensitive data in sent communications due to improper data handling, allowing unauthenticated remote attackers with user interaction to retrieve embedded sensitive information across site boundaries. EPSS exploitation probability is low at 0.04%, but the vulnerability affects confidentiality, integrity, and availability through information disclosure mechanisms that may be chained with other flaws.

Information Disclosure
NVD
CVSS 3.1
5.8
EPSS
0.0%
CVE-2025-54743 MEDIUM This Month

Missing Authorization vulnerability in mkscripts Download After Email download-after-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download After Email: from n/a through 2.1.5-2.1.6.

Authentication Bypass
NVD
CVSS 3.1
5.8
EPSS
0.1%
CVE-2025-62961 MEDIUM This Month

Missing authorization controls in Sparkle FSE WordPress theme versions 1.0.9 and earlier allow unauthenticated attackers to bypass access control restrictions and perform unauthorized actions through exploitable endpoint misconfigurations. This authentication bypass vulnerability, reported by Patchstack security researchers, affects all instances of the Sparkle FSE theme up to version 1.0.9 with low exploit probability (EPSS 0.05%) but represents a direct authorization failure (CWE-862) that could enable unauthorized data access or modification depending on endpoint exposure.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-62960 MEDIUM This Month

Missing authorization controls in sparklewpthemes Construction Light WordPress theme versions 1.6.7 and earlier allow unauthenticated attackers to bypass access restrictions and access resources that should be protected by role-based access control. The vulnerability stems from incorrectly configured access control security levels, potentially exposing sensitive functionality or data to unauthorized users.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-63043 MEDIUM This Month

Authorization bypass in PickPlugins Post Grid and Gutenberg Blocks WordPress plugin through version 2.3.23 allows attackers to exploit incorrectly configured access control via user-controlled keys, potentially enabling unauthorized access to post content or plugin functionality. The vulnerability is classified as CWE-639 (Authorization Through User-Controlled Key) and presents a low exploitation probability (EPSS 0.04%, 13th percentile) with no public exploit code or active exploitation confirmed at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63002 MEDIUM This Month

Sermon Manager for WordPress plugin through version 2.30.0 allows unauthenticated attackers to exploit missing authorization checks to access or modify sermon data due to incorrectly configured access control security levels. The vulnerability stems from CWE-862 (Missing Authorization) and affects all installations running the vulnerable version range. With an EPSS score of 0.04% (13th percentile), real-world exploitation probability is minimal despite the permission-based nature of the flaw.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-40893 MEDIUM This Month

Stored HTML injection in Nozomi Networks CMC and Guardian Asset List functionality allows unauthenticated remote attackers to inject malicious HTML tags into asset attributes via crafted network packets, enabling phishing and open redirect attacks when victims view affected assets. CVSS 5.3 (medium severity) with user interaction required; exploitation is bounded by existing Content Security Policy and input validation that prevent full XSS and direct information disclosure.

Information Disclosure XSS Open Redirect Cmc Guardian
NVD
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-62998 MEDIUM This Month

WP AI CoPilot plugin for WordPress versions through 1.2.7 exposes sensitive information embedded within sent data, allowing attackers to retrieve confidential details without proper access controls. The vulnerability stems from inadequate handling of sensitive data in communications, classified as information disclosure with an EPSS score of 0.04% indicating low real-world exploitation probability. No public exploit code has been identified at time of analysis.

Information Disclosure
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2025-68463 MEDIUM PATCH This Month

Biopython's Bio.Entrez module through version 1.86 is vulnerable to XML external entity (XXE) injection in doctype parsing, allowing authenticated remote attackers to read arbitrary files or cause denial of service. The vulnerability requires authenticated access and high attack complexity, resulting in a CVSS score of 4.9 with low confidentiality and availability impact across trust boundaries. Exploitation is not currently tracked in CISA KEV and has extremely low EPSS probability (0.07%, 20th percentile), indicating limited real-world risk despite the XXE vector.

XXE
NVD GitHub
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-64282 MEDIUM This Month

Authorization bypass in RadiusTheme Radius Blocks WordPress plugin through version 2.2.1 allows attackers to exploit incorrectly configured access control security levels via user-controlled keys, enabling unauthorized access to restricted functionality. The vulnerability is classified as an insecure direct object reference (IDOR) issue affecting the plugin's access control implementation. While no CVSS score is available and EPSS indicates low exploitation probability (0.04%), the vulnerability demonstrates a fundamental authentication design flaw that could permit escalation of privileges within WordPress installations using this plugin.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-7047 MEDIUM This Month

Missing authorization controls in the SoliClub Android application (all versions before 5.3.7) allow authenticated low-privilege users to abuse their access and read data beyond their authorization level. The vulnerability, classified as CWE-862, exposes the application to privilege abuse where role or resource-level access checks are absent on one or more network-accessible functions. No public exploit code exists and EPSS stands at 0.03% (10th percentile), indicating no meaningful observed exploitation activity; this is not listed in CISA KEV.

Authentication Bypass Soliclub
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-40891 LOW Monitor

Stored HTML injection in Nozomi Networks CMC and Guardian Time Machine Snapshot Diff feature allows unauthenticated attackers to inject HTML tags into asset attributes across snapshots via specially crafted network packets. When a victim uses the Snapshot Diff feature and performs specific GUI actions, the injected HTML renders in their browser, enabling phishing and open redirect attacks. Full XSS exploitation is mitigated by input validation and Content Security Policy. This vulnerability has not been confirmed as actively exploited, requires high attack complexity (multiple preconditions), and results in low integrity impact with limited scope.

XSS Open Redirect Cmc Guardian
NVD
CVSS 4.0
2.3
EPSS
0.0%
CVE-2025-14841 LOW Monitor

Null pointer dereference in OFFIS DCMTK up to version 3.6.9 within the DcmQueryRetrieveIndexDatabaseHandle::startFindRequest and DcmQueryRetrieveIndexDatabaseHandle::startMoveRequest functions in dcmqrscp causes denial of service. The vulnerability requires local access with low privilege level and results in availability impact through service crash. No public exploit code is confirmed, and EPSS exploitation probability is extremely low at 0.04%, indicating this is a low-priority reliability issue rather than an active security threat.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy