89 CVEs tracked today. 0 Critical, 13 High, 71 Medium, 3 Low.
-
CVE-2025-68608
HIGH
CVSS 7.5
Missing Authorization vulnerability in DeluxeThemes Userpro userpro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Userpro: from n/a through <= 5.1.9.
Authentication Bypass
-
CVE-2025-68590
HIGH
CVSS 7.6
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Blind SQL Injection. This issue affects Integration for Contact Form 7 HubSpot: from n/a through <= 1.4.2.
SQLi
-
CVE-2025-68570
HIGH
CVSS 7.6
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in captivateaudio Captivate Sync captivatesync-trade allows Blind SQL Injection. This issue affects Captivate Sync: from n/a through <= 3.2.2.
SQLi
-
CVE-2025-68563
HIGH
CVSS 7.5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle Subscribe to Unlock Lite subscribe-to-unlock-lite allows PHP Local File Inclusion. This issue affects Subscribe to Unlock Lite: from n/a through <= 1.3.0.
PHP
Information Disclosure
LFI
-
CVE-2025-68540
HIGH
CVSS 7.5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana fana allows PHP Local File Inclusion. This issue affects Fana: from n/a through <= 1.1.35.
PHP
Information Disclosure
LFI
-
CVE-2025-68537
HIGH
CVSS 7.5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Zota zota allows PHP Local File Inclusion. This issue affects Zota: from n/a through <= 1.3.14.
PHP
Information Disclosure
LFI
-
CVE-2025-68530
HIGH
CVSS 7.5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in pavothemes Bookory bookory allows PHP Local File Inclusion. This issue affects Bookory: from n/a through <= 2.2.7.
PHP
Information Disclosure
LFI
-
CVE-2025-68519
HIGH
CVSS 8.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BeRocket Brands for WooCommerce brands-for-woocommerce allows Blind SQL Injection. This issue affects Brands for WooCommerce: from n/a through <= 3.8.6.3.
WordPress
SQLi
-
CVE-2025-68506
HIGH
CVSS 8.1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nawawi Jamili Docket Cache docket-cache allows PHP Local File Inclusion. This issue affects Docket Cache: from n/a through <= 24.07.03.
PHP
Information Disclosure
LFI
-
CVE-2025-68496
HIGH
CVSS 7.6
Blind SQL injection in User Feedback WordPress plugin (versions ≤1.10.0) allows unauthenticated remote attackers to extract database contents, modify data, or execute administrative commands. The vulnerability carries a critical CVSS score of 9.8 due to network-based exploitation requiring no privileges or user interaction. While EPSS probability is low (0.05%, 14th percentile) and no active exploitation is confirmed at time of analysis, the severity and unauthenticated attack vector make this a priority for WordPress administrators using this plugin. Patchstack security audit identified this flaw as CWE-89 SQL injection stemming from improper input sanitization.
SQLi
-
CVE-2025-68038
HIGH
CVSS 7.2
PHP object injection in Icegram Express Pro (WordPress email marketing plugin) through version 5.9.13 enables unauthenticated remote attackers to execute arbitrary code via unsafe deserialization of user-controlled data. With CVSS 9.8 (critical severity) and network-accessible attack vector requiring no authentication or user interaction, this represents a severe pre-authentication RCE risk. EPSS score of 0.06% (19th percentile) suggests low immediate exploitation probability, and no public exploit or CISA KEV listing identified at time of analysis, though Patchstack disclosure increases attacker awareness.
Deserialization
-
CVE-2025-67909
HIGH
CVSS 7.5
Authorization Bypass Through User-Controlled Key vulnerability in WP Swings Membership For WooCommerce membership-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Membership For WooCommerce: from n/a through <= 3.0.3.
WordPress
Authentication Bypass
-
CVE-2025-67622
HIGH
CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in titopandub Evergreen Post Tweeter evergreen-post-tweeter allows Stored XSS. This issue affects Evergreen Post Tweeter: from n/a through <= 1.8.9.
XSS
CSRF
-
CVE-2025-68606
MEDIUM
CVSS 5.3
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPXPO PostX ultimate-post allows Retrieve Embedded Sensitive Data. This issue affects PostX: from n/a through <= 5.0.3.
Information Disclosure
-
CVE-2025-68605
MEDIUM
CVSS 6.5
Stored XSS in PickPlugins Post Grid and Gutenberg Blocks WordPress plugin (versions <= 2.3.23) allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of site visitors, potentially compromising site integrity and user data. The vulnerability requires user interaction (viewing a page with the injected content) and affects the site's security context (Scope: Changed per CVSS:3.1/S:C). EPSS score of 0.04% indicates low real-world exploitation probability despite CVE publication.
XSS
-
CVE-2025-68603
MEDIUM
CVSS 5.4
Missing Authorization vulnerability in Marketing Fire Editorial Calendar editorial-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Editorial Calendar: from n/a through <= 3.8.8.
Authentication Bypass
-
CVE-2025-68602
MEDIUM
CVSS 4.7
Open redirect vulnerability in Scott Paterson Accept Donations with PayPal & Stripe WordPress plugin (versions <= 1.5.2) enables attackers to craft malicious URLs that redirect users to untrusted sites, facilitating phishing attacks. The vulnerability requires user interaction (UI:R) but affects the plugin's core donation handling, allowing an unauthenticated attacker to chain this with social engineering to compromise user credentials or distribute malware through redirects to fraudulent payment pages.
Open Redirect
-
CVE-2025-68601
MEDIUM
CVSS 5.4
Cross-Site Request Forgery (CSRF) in Five Star Restaurant Reservations WordPress plugin versions ≤2.7.8 enables unauthenticated attackers to perform unauthorized administrative actions through social engineering. With CVSS 8.8 (High), the vulnerability requires no privileges and low attack complexity, though user interaction is necessary. EPSS probability is minimal (0.02%, 6th percentile), indicating low observed exploitation likelihood despite the high CVSS score. No confirmed active exploitation (not in CISA KEV) or public exploit code identified at time of analysis.
CSRF
-
CVE-2025-68600
MEDIUM
CVSS 4.9
Server-Side Request Forgery in WordPress Link Library plugin versions up to 7.8.7 allows unauthenticated remote attackers to make arbitrary HTTP requests from the server, potentially accessing internal resources, cloud metadata endpoints, or conducting reconnaissance of internal network infrastructure. CVSS score of 9.1 indicates high severity, though EPSS of 0.04% (14th percentile) suggests limited observed exploitation attempts. No active exploitation confirmed (not in CISA KEV) and no public exploit identified at time of analysis.
SSRF
-
CVE-2025-68599
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Embeds For YouTube Plugin Support YouTube Embed youtube-embed allows Stored XSS. This issue affects YouTube Embed: from n/a through <= 5.4.
XSS
-
CVE-2025-68598
MEDIUM
CVSS 6.5
Stored cross-site scripting (XSS) in Live Composer page builder plugin for WordPress (versions through 2.1.11) allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users viewing affected pages. An attacker with contributor or editor access can store XSS payloads that persist in the database and execute when administrators or other site visitors interact with the affected content, potentially leading to session hijacking, credential theft, or malware distribution.
XSS
-
CVE-2025-68597
MEDIUM
CVSS 6.5
Stored cross-site scripting (XSS) in BlueGlass Interactive AG Jobs for WordPress plugin versions 2.8.1 and earlier allows authenticated users with low privileges to inject malicious scripts into job postings that execute in the browsers of other site visitors. The vulnerability requires user interaction (clicking a crafted link) and affects website visitors with cross-site request forgery capabilities, resulting in limited confidentiality and integrity impact but no availability impact. The issue has a low exploitation probability (EPSS 0.04%) despite publicly disclosed details.
WordPress
XSS
-
CVE-2025-68596
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in Bit Apps Bit Assist bit-assist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bit Assist: from n/a through <= 1.5.11.
Authentication Bypass
-
CVE-2025-68595
MEDIUM
CVSS 5.3
Broken access control in Trustindex Widgets for Social Photo Feed (WordPress plugin) through version 1.8 allows authenticated attackers with low privileges to bypass authorization controls and execute high-impact actions. The vulnerability has low attack complexity (CVSS:3.1 AV:N/AC:L/PR:L) enabling compromise of confidentiality, integrity, and availability. EPSS score of 0.06% (18th percentile) indicates relatively low observed exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis, suggesting this remains a patch-priority issue rather than an active threat.
Authentication Bypass
-
CVE-2025-68594
MEDIUM
CVSS 5.3
Broken access control in Opinion Stage Poll, Survey & Quiz Maker Plugin for WordPress versions through 19.12.0 allows authenticated attackers with low-level privileges to bypass authorization checks and access or modify high-sensitivity data. The vulnerability (CWE-862: Missing Authorization) enables privilege escalation through improperly configured access control mechanisms. EPSS probability is low at 0.04% (13th percentile), and no public exploit identified at time of analysis, though authentication bypass tags indicate established attack patterns exist for this vulnerability class.
Authentication Bypass
-
CVE-2025-68593
MEDIUM
CVSS 5.4
Missing Authorization vulnerability in Liton Arefin WP Adminify adminify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Adminify: from n/a through <= 4.0.6.1.
Authentication Bypass
-
CVE-2025-68592
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in Liton Arefin WP Adminify adminify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Adminify: from n/a through <= 4.0.6.1.
Authentication Bypass
-
CVE-2025-68591
MEDIUM
CVSS 5.4
Missing authorization in Simple File List WordPress plugin 6.1.18 and earlier allows authenticated low-privilege users to bypass access controls and gain unauthorized read/write access to file list data. Tagged as an authentication bypass vulnerability with EPSS score of 0.04% (13th percentile), indicating low observed exploitation probability. No active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis.
Authentication Bypass
-
CVE-2025-68589
MEDIUM
CVSS 5.3
Broken access control in WP Telegram Widget and Join Link plugin versions up to 2.2.12 allows authenticated users with low privileges to bypass authorization checks and access high-sensitivity configuration or data. The vulnerability enables unauthorized read and write operations (CVSS C:H/I:H) without requiring user interaction. EPSS score of 0.04% suggests low observed exploitation probability, and no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
Authentication Bypass
-
CVE-2025-68588
MEDIUM
CVSS 4.3
Access control bypass in TS Poll WordPress plugin (versions ≤2.5.5) allows low-privileged authenticated users to escalate privileges and gain unauthorized read/write access to poll data. Attackers with basic subscriber accounts can exploit misconfigured authorization checks to access or modify content beyond their intended permission level. EPSS exploitation probability is low (0.04%, 13th percentile), with no public exploit identified at time of analysis, suggesting limited immediate risk despite the 8.1 CVSS score.
Authentication Bypass
-
CVE-2025-68587
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in Bob Watu Quiz watu allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Watu Quiz: from n/a through <= 3.4.5.
Authentication Bypass
-
CVE-2025-68586
MEDIUM
CVSS 5.3
Broken access control in Cooked WordPress plugin versions ≤1.11.3 allows authenticated attackers with low-level privileges to bypass authorization checks and gain unauthorized access to high-privilege functions. The vulnerability stems from missing authorization validation (CWE-862), enabling privilege escalation and unauthorized data manipulation. With CVSS 8.8 and EPSS probability of 0.06% (18th percentile), real-world exploitation risk is moderate; no public exploit identified at time of analysis.
Authentication Bypass
-
CVE-2025-68584
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Constantin Boiangiu Vimeotheque codeflavors-vimeo-video-post-lite allows Cross Site Request Forgery. This issue affects Vimeotheque: from n/a through <= 2.3.5.2.
CSRF
-
CVE-2025-68583
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Tikweb Management Fast User Switching fast-user-switching allows Cross Site Request Forgery. This issue affects Fast User Switching: from n/a through <= 1.4.10.
CSRF
-
CVE-2025-68582
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in Funnelforms Funnelforms Free funnelforms-free allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Funnelforms Free: from n/a through <= 3.8.
Authentication Bypass
-
CVE-2025-68581
MEDIUM
CVSS 5.4
Missing Authorization vulnerability in YITHEMES YITH Slider for page builders yith-slider-for-page-builders allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YITH Slider for page builders: from n/a through <= 1.0.11.
Authentication Bypass
-
CVE-2025-68580
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in pluginsware Advanced Classifieds & Directory Pro advanced-classifieds-and-directory-pro allows Cross Site Request Forgery. This issue affects Advanced Classifieds & Directory Pro: from n/a through <= 3.2.9.
CSRF
-
CVE-2025-68579
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in FolioVision FV Simpler SEO fv-all-in-one-seo-pack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FV Simpler SEO: from n/a through <= 1.9.6.
Authentication Bypass
-
CVE-2025-68578
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in Addonify Addonify addonify-quick-view allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Addonify: from n/a through <= 2.0.4.
Authentication Bypass
-
CVE-2025-68577
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in Virusdie Virusdie virusdie allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Virusdie: from n/a through <= 1.1.6.
Authentication Bypass
-
CVE-2025-68576
MEDIUM
CVSS 4.3
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Virusdie Virusdie virusdie allows Retrieve Embedded Sensitive Data. This issue affects Virusdie: from n/a through <= 1.1.6.
Information Disclosure
-
CVE-2025-68575
MEDIUM
CVSS 5.3
Authorization bypass in Wappointment WordPress plugin versions ≤2.7.6 enables low-privileged authenticated attackers to perform unauthorized actions with high impact to confidentiality, integrity, and availability. The vulnerability stems from missing authorization checks (CWE-862), allowing authenticated users to access or modify data beyond their intended permission level. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability, and no confirmed active exploitation (CISA KEV) or public exploit code is identified at time of analysis.
Authentication Bypass
-
CVE-2025-68574
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in voidcoders WPBakery Visual Composer WHMCS Elements void-visual-whmcs-element allows DOM-Based XSS. This issue affects WPBakery Visual Composer WHMCS Elements: from n/a through <= 1.0.4.3.
XSS
-
CVE-2025-68573
MEDIUM
CVSS 5.4
Cross-Site Request Forgery (CSRF) vulnerability in Alessandro Piconi Simple Keyword to Link simple-keyword-to-link allows Cross Site Request Forgery. This issue affects Simple Keyword to Link: from n/a through <= 1.5.
CSRF
-
CVE-2025-68572
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in Spider Themes BBP Core bbp-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BBP Core: from n/a through <= 1.4.1.
Authentication Bypass
-
CVE-2025-68571
MEDIUM
CVSS 5.3
Broken access control in SALESmanago WordPress plugin allows authenticated attackers with low-level privileges to bypass authorization checks and gain unauthorized access to high-privilege functions. Affects versions up to 3.9.0. The vulnerability enables complete compromise of confidentiality, integrity, and availability within the plugin's scope. EPSS score of 0.06% (18th percentile) suggests low observed exploitation probability, and no public exploit identified at time of analysis.
Authentication Bypass
-
CVE-2025-68569
MEDIUM
CVSS 6.5
Broken access control in WP Time Slots Booking Form plugin (≤1.2.39) allows authenticated attackers with low-level privileges to escalate permissions and execute unauthorized administrative actions. The vulnerability stems from missing authorization checks (CWE-862), enabling privilege escalation to access, modify, or delete sensitive booking data and configuration settings. While CVSS scores 8.8 (High), real-world risk appears moderate with EPSS at 0.06% (18th percentile) and no public exploit identified at time of analysis.
Authentication Bypass
-
CVE-2025-68568
MEDIUM
CVSS 5.3
Missing authorization in Claspo WordPress plugin through version 1.0.7 allows unauthenticated remote attackers to modify data via incorrectly configured access controls. With CVSS 7.5 (High integrity impact) but only 0.04% EPSS probability, this represents elevated exposure in vulnerable installations despite low observed exploitation likelihood. No public exploit identified at time of analysis, though the authentication bypass tag indicates potential for unauthorized actions without credentials.
Authentication Bypass
-
CVE-2025-68567
MEDIUM
CVSS 5.4
Cross-Site Request Forgery in WordPress plugin My Auctions Allegro (versions ≤3.6.33) allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through social engineering. CVSS 8.8 severity stems from potential high confidentiality, integrity, and availability impact if victims are tricked into clicking malicious links while authenticated. EPSS score of 0.02% (6th percentile) indicates very low probability of exploitation in the wild. No active exploitation confirmed (not in CISA KEV), and no public exploit identified at time of analysis, suggesting this remains a theoretical high-severity issue requiring user interaction.
CSRF
-
CVE-2025-68566
MEDIUM
CVSS 5.9
Stored cross-site scripting (XSS) in WordPress plugin My auctions allegro (versions up to 3.6.35) allows authenticated users to inject malicious scripts that execute in other users' browsers when viewing auction content. The vulnerability requires user interaction (UI:R) and affects the confidentiality and integrity of affected WordPress installations, though with limited scope within the plugin context. No public exploit code or active exploitation has been identified; real-world risk is moderate given the requirement for authenticated access and user interaction.
XSS
-
CVE-2025-68565
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in JayBee Twitch Player ttv-easy-embed-player allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Twitch Player: from n/a through <= 2.1.3.
Authentication Bypass
-
CVE-2025-68535
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sunshine Photo Cart: from n/a through <= 3.5.7.1.
Authentication Bypass
-
CVE-2025-68533
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HasThemes WC Builder wc-builder allows Stored XSS. This issue affects WC Builder: from n/a through <= 1.2.0.
XSS
-
CVE-2025-68532
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in modeltheme ModelTheme Addons for WPBakery and Elementor modeltheme-addons-for-wpbakery allows Stored XSS. This issue affects ModelTheme Addons for WPBakery and Elementor: from n/a through < 1.5.6.
XSS
-
CVE-2025-68529
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Rhys Wynne WP Email Capture wp-email-capture allows Cross Site Request Forgery. This issue affects WP Email Capture: from n/a through <= 3.12.5.
CSRF
-
CVE-2025-68528
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Free Shipping Bar: Amount Left for Free Shipping for WooCommerce amount-left-free-shipping-woocommerce allows Stored XSS. This issue affects Free Shipping Bar: Amount Left for Free Shipping...
WordPress
XSS
-
CVE-2025-68527
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kodezen LLC Academy LMS academy allows Stored XSS. This issue affects Academy LMS: from n/a through <= 3.4.0.
XSS
-
CVE-2025-68525
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pixelgrade Category Icon category-icon allows Stored XSS. This issue affects Category Icon: from n/a through <= 1.0.2.
XSS
-
CVE-2025-68523
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in Spiffy Plugins Spiffy Calendar spiffy-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spiffy Calendar: from n/a through <= 5.0.7.
Authentication Bypass
-
CVE-2025-68522
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in wpstream WpStream wpstream allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpStream: from n/a through <= 4.9.5.
Authentication Bypass
-
CVE-2025-68521
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in wpstream WpStream wpstream allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpStream: from n/a through <= 4.9.5.
Authentication Bypass
-
CVE-2025-68517
MEDIUM
CVSS 5.4
Missing Authorization vulnerability in Essekia Tablesome tablesome allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tablesome: from n/a through <= 1.1.35.1.
Authentication Bypass
-
CVE-2025-68516
MEDIUM
CVSS 5.0
Insertion of Sensitive Information Into Sent Data vulnerability in Essekia Tablesome tablesome allows Retrieve Embedded Sensitive Data. This issue affects Tablesome: from n/a through <= 1.1.35.1.
Information Disclosure
-
CVE-2025-68513
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in boldthemes Bold Timeline Lite bold-timeline-lite allows Stored XSS. This issue affects Bold Timeline Lite: from n/a through <= 1.2.7.
XSS
-
CVE-2025-68512
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in creativeinteractivemedia Real 3D FlipBook real3d-flipbook-lite allows Stored XSS. This issue affects Real 3D FlipBook: from n/a through <= 4.11.4.
XSS
-
CVE-2025-68511
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in Jegstudio Gutenverse Form gutenverse-form allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gutenverse Form: from n/a through <= 2.3.1.
Authentication Bypass
-
CVE-2025-68509
MEDIUM
CVSS 4.7
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Jeff Starr User Submitted Posts user-submitted-posts allows Phishing. This issue affects User Submitted Posts: from n/a through <= 20251121.
Open Redirect
-
CVE-2025-68508
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in Brave Brave brave-popup-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Brave: from n/a through <= 0.8.3.
Authentication Bypass
-
CVE-2025-68505
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in icc0rz H5P h5p allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects H5P: from n/a through <= 1.16.1.
Authentication Bypass
-
CVE-2025-68500
MEDIUM
CVSS 4.9
Server-Side Request Forgery (SSRF) vulnerability in bdthemes Prime Slider - Addons For Elementor bdthemes-prime-slider-lite allows Server Side Request Forgery. This issue affects Prime Slider - Addons For Elementor: from n/a through <= 4.0.10.
SSRF
-
CVE-2025-68497
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Astra Widgets astra-widgets allows Stored XSS. This issue affects Astra Widgets: from n/a through <= 1.2.16.
XSS
-
CVE-2025-68494
MEDIUM
CVSS 5.3
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Retrieve Embedded Sensitive Data. This issue affects Premium Addons for Elementor: from n/a through <= 4.11.53.
Information Disclosure
-
CVE-2025-67633
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brownbagmarketing Greenhouse Job Board greenhouse-job-board allows DOM-Based XSS. This issue affects Greenhouse Job Board: from n/a through <= 2.7.3.
XSS
-
CVE-2025-67632
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Plugin Factory Google AdSense for Responsive Design – GARD google-adsense-for-responsive-design-gard allows DOM-Based XSS. This issue affects Google AdSense for Responsive Design – GA...
XSS
Google
-
CVE-2025-67631
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ecommerce Platforms Gift Hunt gift-hunt allows Stored XSS. This issue affects Gift Hunt: from n/a through <= 2.0.2.
XSS
-
CVE-2025-67630
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webheadcoder WH Tweaks wh-tweaks allows Stored XSS. This issue affects WH Tweaks: from n/a through <= 1.0.2.
XSS
-
CVE-2025-67629
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basticom Basticom Framework basticom-framework allows Stored XSS. This issue affects Basticom Framework: from n/a through <= 1.5.2.
XSS
-
CVE-2025-67628
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AMP-MODE Review Disclaimer review-disclaimer allows Stored XSS. This issue affects Review Disclaimer: from n/a through <= 2.0.3.
XSS
-
CVE-2025-67627
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TouchOfTech Draft Notify draft-notify allows Stored XSS. This issue affects Draft Notify: from n/a through <= 1.5.
XSS
-
CVE-2025-67625
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in tmtraderunner Trade Runner traderunner allows Cross Site Request Forgery. This issue affects Trade Runner: from n/a through <= 3.14.
CSRF
-
CVE-2025-67623
MEDIUM
CVSS 5.4
Server-Side Request Forgery (SSRF) in 6Storage Rentals WordPress plugin versions ≤2.20.2 allows unauthenticated remote attackers to send crafted requests from the vulnerable server to arbitrary internal or external systems. With CVSS 9.1 (critical) due to network-accessible attack vector requiring no authentication or user interaction, attackers can achieve high confidentiality and integrity impact by potentially accessing internal services, cloud metadata endpoints, or exfiltrating sensitive data. EPSS score of 0.04% (14th percentile) indicates relatively low observed exploitation probability despite the critical severity rating. No confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis.
SSRF
-
CVE-2025-67621
MEDIUM
CVSS 4.3
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in 10up Eight Day Week Print Workflow eight-day-week-print-workflow allows Retrieve Embedded Sensitive Data. This issue affects Eight Day Week Print Workflow: from n/a through <= 1.2.5.
Information Disclosure
-
CVE-2025-15073
MEDIUM
CVSS 5.5
A vulnerability was determined in itsourcecode Online Frozen Foods Ordering System 1.0. This affects an unknown part of the file /contact_us.php. This manipulation of the argument Name causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and m...
PHP
SQLi
Online Frozen Foods Ordering System
-
CVE-2025-15053
MEDIUM
CVSS 5.5
A flaw has been found in code-projects Student Information System 1.0. This issue affects some unknown processing of the file /searchresults.php. Executing manipulation of the argument searchbox can lead to sql injection. The attack may be performed from remote. The exploit has been published and ma...
PHP
SQLi
Student Information System
-
CVE-2025-68736
None
Linux kernel Landlock security module fails to properly enforce access controls on disconnected directories (files or directories visible through bind mounts but inaccessible from the mount point after rename/move operations), potentially widening access rights and causing inconsistent access results when sandboxed tasks interact with such paths. The vulnerability affects the Landlock mandatory access control framework's ability to prevent privilege escalation through filesystem operations on out-of-scope paths, requiring the sandboxed task to already possess write access to the bind mount source and read access to the mount point to trigger the issue.
Privilege Escalation
Linux
Linux Kernel
-
CVE-2025-68585
LOW
CVSS 2.7
Missing Authorization vulnerability in Ben Balter WP Document Revisions wp-document-revisions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Document Revisions: from n/a through <= 3.7.2.
Authentication Bypass
-
CVE-2025-68357
None
Linux kernel iomap subsystem fails to allocate the s_dio_done_wq workqueue for asynchronous read operations, causing read error completions deferred by commit 222f2c7c6d14 to lack proper execution context and potentially leading to information disclosure or system instability. The vulnerability affects Linux kernel versions where the read error completion deferral was implemented without corresponding workqueue allocation for async reads. With an EPSS score of 0.01% and no evidence of active exploitation, this is a low-probability but correctness-critical issue affecting async I/O error handling on affected kernel versions.
Denial Of Service
Linux
Linux Kernel
-
CVE-2025-15052
LOW
CVSS 2.0
Cross-site scripting (XSS) via unsanitized firstname and lastname parameters in /profile.php of code-projects Student Information System 1.0 allows authenticated remote attackers with user interaction to inject malicious scripts affecting confidentiality. The vulnerability carries a low CVSS score (2.0) due to authentication and user interaction requirements, but publicly available exploit code exists and EPSS analysis assigns 0.06% exploitation probability, reflecting limited real-world attack likelihood despite public POC availability.
PHP
XSS
Student Information System
-
CVE-2025-15050
LOW
CVSS 2.1
Unauthenticated file upload vulnerability in code-projects Student File Management System 1.0 allows authenticated remote attackers to bypass file upload restrictions via manipulation of the File parameter in /save_file.php, despite the CVSS v4.0 score of 2.1 reflecting only low confidentiality, integrity, and availability impact with no scope change. The exploit is publicly available and the low EPSS score (0.09%, 25th percentile) suggests limited real-world exploitation attempts despite public disclosure.
PHP
Authentication Bypass
File Upload
Student File Management System