Skip to main content
CVE-2025-67291 MEDIUM POC This Month

Stored cross-site scripting in Piranha CMS v12.1 allows an attacker who can submit content to the Media module to persist malicious JavaScript in the Name field, which then executes in victims' browsers when the Media section is viewed. A publicly available proof-of-concept exploit exists on GitHub, meaningfully lowering the barrier to exploitation. Despite the network-accessible attack vector and cross-context scope change (S:C), EPSS sits at 0.18% (8th percentile) with no CISA KEV listing, indicating limited real-world exploitation of this niche platform at time of analysis.

XSS Piranha Cms
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-67290 MEDIUM POC This Month

Stored cross-site scripting in Piranha CMS v12.1 allows script injection via the Excerpt field in the Page Settings module, executing arbitrary JavaScript in the browsers of users who subsequently view the affected page. The vulnerability carries a publicly available proof-of-concept exploit hosted on GitHub, though EPSS remains very low at 0.18% (8th percentile), indicating limited observed exploitation activity. No KEV listing exists, and no patch has been confirmed from available data at time of analysis.

XSS Piranha Cms
NVD GitHub
CVSS 3.1
6.1
EPSS
0.2%
CVE-2025-15008 MEDIUM POC This Month

A vulnerability was detected in Tenda WH450 1.0.0.18. This affects an unknown part of the file /goform/L7Port of the component HTTP Request Handler. Performing a manipulation of the argument page results in stack-based buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used.

Buffer Overflow Tenda Wh450 Firmware
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-15012 MEDIUM POC This Month

A vulnerability was determined in code-projects Refugee Food Management System 1.0. The affected element is an unknown function of the file /home/home.php. This manipulation of the argument a causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.

PHP SQLi Refugee Food Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-15011 MEDIUM POC This Month

A vulnerability was found in code-projects Simple Stock System 1.0. Impacted is an unknown function of the file /logout.php. The manipulation of the argument uname results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.

PHP SQLi Simple Stock System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-62094 MEDIUM This Month

Stored cross-site scripting (XSS) in Void Elementor WHMCS Elements for Elementor Page Builder through version 2.0.1.2 allows authenticated attackers to inject malicious scripts into web pages generated by the plugin, potentially compromising site visitors and administrators. The vulnerability stems from improper input sanitization in page generation functions. No public exploit code or active exploitation has been identified, but the low EPSS score (0.04%) reflects limited real-world attack probability despite the high-impact nature of XSS vulnerabilities.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-62880 MEDIUM This Month

Cross-site request forgery (CSRF) in Kunal Custom 404 Pro WordPress plugin through version 3.12.0 allows attackers to perform unauthorized actions on behalf of authenticated administrators without their knowledge or consent. The vulnerability affects all versions up to and including 3.12.0, with no CVSS score assigned at the time of analysis. No public exploit code has been identified, and the EPSS score of 0.02% indicates minimal likelihood of active exploitation despite the moderate technical severity of CSRF flaws.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62107 MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in PluginOps Feather Login Page WordPress plugin versions up to 1.1.7 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. The vulnerability stems from missing CSRF token validation on plugin functionality, enabling attackers to craft malicious requests that execute when users visit attacker-controlled pages while logged into sites using the vulnerable plugin. No public exploit code or active exploitation has been identified at time of analysis; however, the low EPSS score (0.02%) and lack of CVSS data suggest this may represent a lower-severity implementation gap rather than a critical attack vector in typical WordPress deployments.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy