Skip to main content
CVE-2025-15053 MEDIUM POC This Month

A flaw has been found in code-projects Student Information System 1.0. This issue affects some unknown processing of the file /searchresults.php. Executing manipulation of the argument searchbox can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used.

PHP SQLi Student Information System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-15073 MEDIUM POC This Month

A vulnerability was determined in itsourcecode Online Frozen Foods Ordering System 1.0. This affects an unknown part of the file /contact_us.php. This manipulation of the argument Name causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.

PHP SQLi Online Frozen Foods Ordering System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-68602 MEDIUM POC This Month

Open redirect vulnerability in Scott Paterson Accept Donations with PayPal & Stripe WordPress plugin (versions <= 1.5.2) enables attackers to craft malicious URLs that redirect users to untrusted sites, facilitating phishing attacks. The vulnerability requires user interaction (UI:R) but affects the plugin's core donation handling, allowing an unauthenticated attacker to chain this with social engineering to compromise user credentials or distribute malware through redirects to fraudulent payment pages.

Open Redirect
NVD
CVSS 3.1
4.7
EPSS
1.4%
CVE-2025-2155 HIGH This Week

Remote code execution in Specto CM versions before 17032025 allows authenticated attackers to upload files with dangerous types, leading to arbitrary code inclusion on the server. The flaw, tracked as CVE-2025-2155 and reported by Turkey's USOM CERT, carries a high CVSS score of 8.8 and stems from missing validation on uploaded file types. No public exploit identified at time of analysis, and the EPSS exploitation probability remains low at 0.07%.

File Upload
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-68509 MEDIUM POC This Month

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Jeff Starr User Submitted Posts user-submitted-posts allows Phishing.This issue affects User Submitted Posts: from n/a through <= 20251121.

Open Redirect
NVD
CVSS 3.1
4.7
EPSS
0.5%
CVE-2025-68519 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BeRocket Brands for WooCommerce brands-for-woocommerce allows Blind SQL Injection.This issue affects Brands for WooCommerce: from n/a through <= 3.8.6.3.

WordPress SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-68506 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nawawi Jamili Docket Cache docket-cache allows PHP Local File Inclusion.This issue affects Docket Cache: from n/a through <= 24.07.03.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-68590 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Blind SQL Injection.This issue affects Integration for Contact Form 7 HubSpot: from n/a through <= 1.4.2.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-68570 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in captivateaudio Captivate Sync captivatesync-trade allows Blind SQL Injection.This issue affects Captivate Sync: from n/a through <= 3.2.2.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-68496 HIGH This Week

Blind SQL injection in User Feedback WordPress plugin (versions ≤1.10.0) allows unauthenticated remote attackers to extract database contents, modify data, or execute administrative commands. The vulnerability carries a critical CVSS score of 9.8 due to network-based exploitation requiring no privileges or user interaction. While EPSS probability is low (0.05%, 14th percentile) and no active exploitation is confirmed at time of analysis, the severity and unauthenticated attack vector make this a priority for WordPress administrators using this plugin. Patchstack security audit identified this flaw as CWE-89 SQL injection stemming from improper input sanitization.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-68563 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle Subscribe to Unlock Lite subscribe-to-unlock-lite allows PHP Local File Inclusion.This issue affects Subscribe to Unlock Lite: from n/a through <= 1.3.0.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-68540 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana fana allows PHP Local File Inclusion.This issue affects Fana: from n/a through <= 1.1.35.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-68537 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Zota zota allows PHP Local File Inclusion.This issue affects Zota: from n/a through <= 1.3.14.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-68530 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in pavothemes Bookory bookory allows PHP Local File Inclusion.This issue affects Bookory: from n/a through <= 2.2.7.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-68608 HIGH This Week

Missing Authorization vulnerability in DeluxeThemes Userpro userpro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Userpro: from n/a through <= 5.1.9.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-67909 HIGH This Week

Authorization Bypass Through User-Controlled Key vulnerability in WP Swings Membership For WooCommerce membership-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Membership For WooCommerce: from n/a through <= 3.0.3.

WordPress Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-2515 HIGH This Week

Privilege escalation in Eclipse BlueChi, the multi-node systemd service controller used in Red Hat In-Vehicle Operating System (RHIVOS), allows a user holding root on a managed quality-managed (qm) node to write or override systemd service unit files that execute on the controlling host node. Because BlueChi did not deny cross-node proxy/dependency requests by default, a compromised lower-trust node could pivot to the host, leading to unauthorized service execution and full host compromise (CWE-863, Incorrect Authorization). Red Hat scored it 7.2 (High); there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Privilege Escalation
NVD GitHub
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-68038 HIGH This Week

PHP object injection in Icegram Express Pro (WordPress email marketing plugin) through version 5.9.13 enables unauthenticated remote attackers to execute arbitrary code via unsafe deserialization of user-controlled data. With CVSS 9.8 (critical severity) and network-accessible attack vector requiring no authentication or user interaction, this represents a severe pre-authentication RCE risk. EPSS score of 0.06% (19th percentile) suggests low immediate exploitation probability, and no public exploit or CISA KEV listing identified at time of analysis, though Patchstack disclosure increases attacker awareness.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-67622 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in titopandub Evergreen Post Tweeter evergreen-post-tweeter allows Stored XSS.This issue affects Evergreen Post Tweeter: from n/a through <= 1.8.9.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68569 MEDIUM This Month

Broken access control in WP Time Slots Booking Form plugin (≤1.2.39) allows authenticated attackers with low-level privileges to escalate permissions and execute unauthorized administrative actions. The vulnerability stems from missing authorization checks (CWE-862), enabling privilege escalation to access, modify, or delete sensitive booking data and configuration settings. While CVSS scores 8.8 (High), real-world risk appears moderate with EPSS at 0.06% (18th percentile) and no public exploit identified at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68511 MEDIUM This Month

Missing Authorization vulnerability in Jegstudio Gutenverse Form gutenverse-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gutenverse Form: from n/a through <= 2.3.1.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68605 MEDIUM This Month

Stored XSS in PickPlugins Post Grid and Gutenberg Blocks WordPress plugin (versions <= 2.3.23) allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of site visitors, potentially compromising site integrity and user data. The vulnerability requires user interaction (viewing a page with the injected content) and affects the site's security context (SameSite:Changed per CVSS:3.1/S:C). EPSS score of 0.04% indicates low real-world exploitation probability despite CVE publication.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68599 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Embeds For YouTube Plugin Support YouTube Embed youtube-embed allows Stored XSS.This issue affects YouTube Embed: from n/a through <= 5.4.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68598 MEDIUM This Month

Stored cross-site scripting (XSS) in Live Composer page builder plugin for WordPress (versions through 2.1.11) allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users viewing affected pages. An attacker with contributor or editor access can store XSS payloads that persist in the database and execute when administrators or other site visitors interact with the affected content, potentially leading to session hijacking, credential theft, or malware distribution.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68597 MEDIUM This Month

Stored cross-site scripting (XSS) in BlueGlass Interactive AG Jobs for WordPress plugin versions 2.8.1 and earlier allows authenticated users with low privileges to inject malicious scripts into job postings that execute in the browsers of other site visitors. The vulnerability requires user interaction (clicking a crafted link) and affects website visitors with cross-site request forgery capabilities, resulting in limited confidentiality and integrity impact but no availability impact. The issue has a low exploitation probability (EPSS 0.04%) despite publicly disclosed details.

WordPress XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68533 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HasThemes WC Builder wc-builder allows Stored XSS.This issue affects WC Builder: from n/a through <= 1.2.0.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68532 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in modeltheme ModelTheme Addons for WPBakery and Elementor modeltheme-addons-for-wpbakery allows Stored XSS.This issue affects ModelTheme Addons for WPBakery and Elementor: from n/a through < 1.5.6.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68528 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Free Shipping Bar: Amount Left for Free Shipping for WooCommerce amount-left-free-shipping-woocommerce allows Stored XSS.This issue affects Free Shipping Bar: Amount Left for Free Shipping for WooCommerce: from n/a through <= 2.4.9.

WordPress XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68527 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kodezen LLC Academy LMS academy allows Stored XSS.This issue affects Academy LMS: from n/a through <= 3.4.0.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68513 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in boldthemes Bold Timeline Lite bold-timeline-lite allows Stored XSS.This issue affects Bold Timeline Lite: from n/a through <= 1.2.7.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68512 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in creativeinteractivemedia Real 3D FlipBook real3d-flipbook-lite allows Stored XSS.This issue affects Real 3D FlipBook: from n/a through <= 4.11.4.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-15050 LOW POC Monitor

Unauthenticated file upload vulnerability in code-projects Student File Management System 1.0 allows authenticated remote attackers to bypass file upload restrictions via manipulation of the File parameter in /save_file.php, despite the CVSS v4.0 score of 2.1 reflecting only low confidentiality, integrity, and availability impact with no scope change. The exploit is publicly available and the low EPSS score (0.09%, 25th percentile) suggests limited real-world exploitation attempts despite public disclosure.

PHP Authentication Bypass File Upload Student File Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-15052 LOW POC Monitor

Cross-site scripting (XSS) via unsanitized firstname and lastname parameters in /profile.php of code-projects Student Information System 1.0 allows authenticated remote attackers with user interaction to inject malicious scripts affecting confidentiality. The vulnerability carries a low CVSS score (2.0) due to authentication and user interaction requirements, but publicly available exploit code exists and EPSS analysis assigns 0.06% exploitation probability, reflecting limited real-world attack likelihood despite public POC availability.

PHP XSS Student Information System
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-68574 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in voidcoders WPBakery Visual Composer WHMCS Elements void-visual-whmcs-element allows DOM-Based XSS.This issue affects WPBakery Visual Composer WHMCS Elements: from n/a through <= 1.0.4.3.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-68566 MEDIUM This Month

Stored cross-site scripting (XSS) in WordPress plugin My auctions allegro (versions up to 3.6.35) allows authenticated users to inject malicious scripts that execute in other users' browsers when viewing auction content. The vulnerability requires user interaction (UI:R) and affects the confidentiality and integrity of affected WordPress installations, though with limited scope within the plugin context. No public exploit code or active exploitation has been identified; real-world risk is moderate given the requirement for authenticated access and user interaction.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-68525 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pixelgrade Category Icon category-icon allows Stored XSS.This issue affects Category Icon: from n/a through <= 1.0.2.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-68497 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Astra Widgets astra-widgets allows Stored XSS.This issue affects Astra Widgets: from n/a through <= 1.2.16.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-67633 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brownbagmarketing Greenhouse Job Board greenhouse-job-board allows DOM-Based XSS.This issue affects Greenhouse Job Board: from n/a through <= 2.7.3.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-67632 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Plugin Factory Google AdSense for Responsive Design &#8211; GARD google-adsense-for-responsive-design-gard allows DOM-Based XSS.This issue affects Google AdSense for Responsive Design &#8211; GARD: from n/a through <= 2.23.

Google XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-67631 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ecommerce Platforms Gift Hunt gift-hunt allows Stored XSS.This issue affects Gift Hunt: from n/a through <= 2.0.2.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-67630 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webheadcoder WH Tweaks wh-tweaks allows Stored XSS.This issue affects WH Tweaks: from n/a through <= 1.0.2.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-67629 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basticom Basticom Framework basticom-framework allows Stored XSS.This issue affects Basticom Framework: from n/a through <= 1.5.2.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-67628 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AMP-MODE Review Disclaimer review-disclaimer allows Stored XSS.This issue affects Review Disclaimer: from n/a through <= 2.0.3.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-67627 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TouchOfTech Draft Notify draft-notify allows Stored XSS.This issue affects Draft Notify: from n/a through <= 1.5.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-68725 MEDIUM PATCH This Month

BPF test infrastructure in the Linux kernel allows a local user with BPF program execution privileges to emit packets with malformed GSO (Generic Segmentation Offload) metadata to the network stack via bpf_clone_redirect(), triggering skb_warn_bad_offload() and disabling GSO-related offload features - a denial-of-service condition. The root cause is convert___skb_to_skb() populating gso_segs and gso_size without a corresponding gso_type, producing an internally inconsistent socket buffer that fails GSO validation in netif_skb_features(). No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified; the issue was originally surfaced through fuzzing by Yinhao et al. Patches across six stable kernel branches have been released.

Linux Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2025-68593 MEDIUM This Month

Missing Authorization vulnerability in Liton Arefin WP Adminify adminify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Adminify: from n/a through <= 4.0.6.1.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-67623 MEDIUM This Month

Server-Side Request Forgery (SSRF) in 6Storage Rentals WordPress plugin versions ≤2.20.2 allows unauthenticated remote attackers to send crafted requests from the vulnerable server to arbitrary internal or external systems. With CVSS 9.1 (critical) due to network-accessible attack vector requiring no authentication or user interaction, attackers can achieve high confidentiality and integrity impact by potentially accessing internal services, cloud metadata endpoints, or exfiltrating sensitive data. EPSS score of 0.04% (14th percentile) indicates relatively low observed exploitation probability despite the critical severity rating. No confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis.

SSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-68603 MEDIUM This Month

Missing Authorization vulnerability in Marketing Fire Editorial Calendar editorial-calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Editorial Calendar: from n/a through <= 3.8.8.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-68591 MEDIUM This Month

Missing authorization in Simple File List WordPress plugin 6.1.18 and earlier allows authenticated low-privilege users to bypass access controls and gain unauthorized read/write access to file list data. Tagged as an authentication bypass vulnerability with EPSS score of 0.04% (13th percentile), indicating low observed exploitation probability. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-68581 MEDIUM This Month

Missing Authorization vulnerability in YITHEMES YITH Slider for page builders yith-slider-for-page-builders allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects YITH Slider for page builders: from n/a through <= 1.0.11.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy