Skip to main content
CVE-2025-14877 MEDIUM POC This Month

A vulnerability was identified in Campcodes Supplier Management System 1.0. This affects an unknown function of the file /admin/add_retailer.php. The manipulation of the argument cmbAreaCode leads to sql injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.

PHP SQLi Supplier Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-14739 MEDIUM This Month

Access of Uninitialized Pointer vulnerability in TP-Link WR940N and WR941ND allows local unauthenticated attackers the ability to execute DoS attack and potentially arbitrary code execution under the context of the ‘root’ user.This issue affects WR940N and WR941ND: ≤ WR940N v5 3.20.1 Build 200316, ≤ WR941ND v6 3.16.9 Build 151203.

Memory Corruption TP-Link RCE
NVD
CVSS 4.0
6.8
EPSS
0.0%
CVE-2025-54741 MEDIUM This Month

Missing Authorization vulnerability in Tyler Moore Super Blank super-blank allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Super Blank: from n/a through <= 1.2.0.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-64235 MEDIUM This Month

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AmentoTech Tuturn tuturn allows Path Traversal.This issue affects Tuturn: from n/a through < 3.6.

Path Traversal
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-60070 MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in The4 Molla molla allows Code Injection.This issue affects Molla: from n/a through <= 1.5.13.

RCE Code Injection
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-60068 MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in javothemes Javo Core javo-core allows Code Injection.This issue affects Javo Core: from n/a through <= 3.0.0.266.

RCE Code Injection
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-64225 MEDIUM This Month

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in colabrio Stockie Extra stockie-extra allows Code Injection.This issue affects Stockie Extra: from n/a through <= 1.2.11.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-66068 MEDIUM This Month

Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InstaWP Connect: from n/a through <= 0.1.1.9.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-64273 MEDIUM This Month

Missing Authorization vulnerability in GetResponse Email marketing for WordPress by GetResponse Official getresponse-official allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Email marketing for WordPress by GetResponse Official: from n/a through <= 1.5.3.

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-49902 MEDIUM This Month

Missing Authorization vulnerability in A WP Life Login Page Customizer &#8211; Customizer Login Page, Admin Page, Custom Design customizer-login-page allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Login Page Customizer &#8211; Customizer Login Page, Admin Page, Custom Design: from n/a through <= 2.1.1.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-49041 MEDIUM This Month

Missing Authorization vulnerability in The African Boss Get Cash get-cash allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Get Cash: from n/a through <= 3.2.3.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-64375 MEDIUM This Month

Missing Authorization vulnerability in Mahmudul Hasan Arif WP Social Ninja wp-social-reviews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Social Ninja: from n/a through <= 3.20.1.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-10019 MEDIUM This Month

Authorization Bypass Through User-Controlled Key vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form Email: from n/a through <= 1.3.60.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-66104 MEDIUM This Month

Missing Authorization vulnerability in Anton Vanyukov Offload, AI &amp; Optimize with Cloudflare Images cf-images allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Offload, AI &amp; Optimize with Cloudflare Images: from n/a through <= 1.9.5.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-66100 MEDIUM This Month

Missing Authorization vulnerability in Magnigenie RestroPress restropress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RestroPress: from n/a through <= 3.2.3.5.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-63039 MEDIUM This Month

Missing Authorization vulnerability in CridioStudio ListingPro listingpro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ListingPro: from n/a through <= 2.9.9.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-64355 MEDIUM This Month

DOM-based cross-site scripting (XSS) in Crocoblock JetElements For Elementor plugin versions up to 2.7.12 allows attackers to inject malicious scripts into web pages through improper input neutralization during page generation. The vulnerability affects WordPress sites using this Elementor page builder extension and can enable session hijacking, credential theft, or malware distribution against site visitors. EPSS exploitation probability is low at 0.04%, but the attack vector is likely network-based requiring no authentication.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-66058 MEDIUM This Month

Missing authorization in PickPlugins Post Grid and Gutenberg Blocks WordPress plugin (versions through 2.3.17) allows attackers to bypass access control restrictions and exploit incorrectly configured security levels, potentially enabling unauthorized access to protected content or administrative functions. The vulnerability stems from broken access control (CWE-862) with no public exploit code confirmed at time of analysis, though EPSS scoring of 0.04% suggests minimal real-world exploitation probability despite the authorization flaw.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-14744 MEDIUM This Month

Unicode right-to-left override (RTLO) characters in malicious websites can spoof filenames displayed in Firefox for iOS downloads UI, potentially tricking users into saving files with misleading extensions and types. Affects Firefox for iOS versions prior to 144.0; requires user interaction to download a file. The vulnerability has low real-world exploitation probability (EPSS 0.04%) despite the moderate CVSS score, as it relies on social engineering and user inattention rather than automatic code execution.

Mozilla Information Disclosure Apple
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49918 MEDIUM This Month

Insertion of Sensitive Information Into Sent Data vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Retrieve Embedded Sensitive Data.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.2.

Information Disclosure
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-49919 MEDIUM This Month

DigitalME eRoom eroom-zoom-meetings-webinar plugin through version 1.5.6 exposes sensitive data in sent communications due to improper data handling, allowing unauthenticated remote attackers with user interaction to retrieve embedded sensitive information across site boundaries. EPSS exploitation probability is low at 0.04%, but the vulnerability affects confidentiality, integrity, and availability through information disclosure mechanisms that may be chained with other flaws.

Information Disclosure
NVD
CVSS 3.1
5.8
EPSS
0.0%
CVE-2025-54743 MEDIUM This Month

Missing Authorization vulnerability in mkscripts Download After Email download-after-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download After Email: from n/a through 2.1.5-2.1.6.

Authentication Bypass
NVD
CVSS 3.1
5.8
EPSS
0.1%
CVE-2025-62961 MEDIUM This Month

Missing authorization controls in Sparkle FSE WordPress theme versions 1.0.9 and earlier allow unauthenticated attackers to bypass access control restrictions and perform unauthorized actions through exploitable endpoint misconfigurations. This authentication bypass vulnerability, reported by Patchstack security researchers, affects all instances of the Sparkle FSE theme up to version 1.0.9 with low exploit probability (EPSS 0.05%) but represents a direct authorization failure (CWE-862) that could enable unauthorized data access or modification depending on endpoint exposure.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-62960 MEDIUM This Month

Missing authorization controls in sparklewpthemes Construction Light WordPress theme versions 1.6.7 and earlier allow unauthenticated attackers to bypass access restrictions and access resources that should be protected by role-based access control. The vulnerability stems from incorrectly configured access control security levels, potentially exposing sensitive functionality or data to unauthorized users.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-63043 MEDIUM This Month

Authorization bypass in PickPlugins Post Grid and Gutenberg Blocks WordPress plugin through version 2.3.23 allows attackers to exploit incorrectly configured access control via user-controlled keys, potentially enabling unauthorized access to post content or plugin functionality. The vulnerability is classified as CWE-639 (Authorization Through User-Controlled Key) and presents a low exploitation probability (EPSS 0.04%, 13th percentile) with no public exploit code or active exploitation confirmed at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63002 MEDIUM This Month

Sermon Manager for WordPress plugin through version 2.30.0 allows unauthenticated attackers to exploit missing authorization checks to access or modify sermon data due to incorrectly configured access control security levels. The vulnerability stems from CWE-862 (Missing Authorization) and affects all installations running the vulnerable version range. With an EPSS score of 0.04% (13th percentile), real-world exploitation probability is minimal despite the permission-based nature of the flaw.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-40893 MEDIUM This Month

Stored HTML injection in Nozomi Networks CMC and Guardian Asset List functionality allows unauthenticated remote attackers to inject malicious HTML tags into asset attributes via crafted network packets, enabling phishing and open redirect attacks when victims view affected assets. CVSS 5.3 (medium severity) with user interaction required; exploitation is bounded by existing Content Security Policy and input validation that prevent full XSS and direct information disclosure.

Information Disclosure XSS Open Redirect Cmc Guardian
NVD
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-62998 MEDIUM This Month

WP AI CoPilot plugin for WordPress versions through 1.2.7 exposes sensitive information embedded within sent data, allowing attackers to retrieve confidential details without proper access controls. The vulnerability stems from inadequate handling of sensitive data in communications, classified as information disclosure with an EPSS score of 0.04% indicating low real-world exploitation probability. No public exploit code has been identified at time of analysis.

Information Disclosure
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2025-68463 MEDIUM PATCH This Month

Biopython's Bio.Entrez module through version 1.86 is vulnerable to XML external entity (XXE) injection in doctype parsing, allowing authenticated remote attackers to read arbitrary files or cause denial of service. The vulnerability requires authenticated access and high attack complexity, resulting in a CVSS score of 4.9 with low confidentiality and availability impact across trust boundaries. Exploitation is not currently tracked in CISA KEV and has extremely low EPSS probability (0.07%, 20th percentile), indicating limited real-world risk despite the XXE vector.

XXE
NVD GitHub
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-64282 MEDIUM This Month

Authorization bypass in RadiusTheme Radius Blocks WordPress plugin through version 2.2.1 allows attackers to exploit incorrectly configured access control security levels via user-controlled keys, enabling unauthorized access to restricted functionality. The vulnerability is classified as an insecure direct object reference (IDOR) issue affecting the plugin's access control implementation. While no CVSS score is available and EPSS indicates low exploitation probability (0.04%), the vulnerability demonstrates a fundamental authentication design flaw that could permit escalation of privileges within WordPress installations using this plugin.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-7047 MEDIUM This Month

Missing authorization controls in the SoliClub Android application (all versions before 5.3.7) allow authenticated low-privilege users to abuse their access and read data beyond their authorization level. The vulnerability, classified as CWE-862, exposes the application to privilege abuse where role or resource-level access checks are absent on one or more network-accessible functions. No public exploit code exists and EPSS stands at 0.03% (10th percentile), indicating no meaningful observed exploitation activity; this is not listed in CISA KEV.

Authentication Bypass Soliclub
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy