Skip to main content
CVE-2025-68870 HIGH This Week

Local file inclusion in reDim GmbH CookieHint WP plugin versions up to 1.0.0 allows unauthenticated attackers to read arbitrary files from the server filesystem through improper handling of filename parameters in PHP include/require statements. The vulnerability enables information disclosure by permitting attackers to access sensitive configuration files, source code, and other locally stored data without authentication. EPSS score of 0.14% indicates relatively low exploitation probability at time of analysis, and no public exploit code or active exploitation has been confirmed.

Information Disclosure PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68877 HIGH This Week

Local file inclusion in CedCommerce Integration for Good Market WordPress plugin versions 1.0.6 and earlier allows unauthenticated attackers to read arbitrary files from the server via improper filename validation in PHP include/require statements. The vulnerability affects a popular e-commerce integration plugin used by WooCommerce merchants, exposing sensitive configuration files, database credentials, and other sensitive data accessible to the web server process. EPSS probability of 0.14% suggests low real-world exploitation likelihood despite the information disclosure impact.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68861 HIGH This Week

Missing authorization in Plugin Optimizer WordPress plugin through version 1.3.7 allows attackers to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from improper authentication validation (CWE-862), enabling attackers to bypass security restrictions without proper administrative privileges. While EPSS scoring (0.06%, 17th percentile) indicates low exploitation probability, the authentication bypass classification warrants prompt patching.

Authentication Bypass
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-68879 HIGH This Week

Reflected cross-site scripting (XSS) in the Content Grid Slider WordPress plugin through version 1.5 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. An attacker can craft a malicious URL containing script payloads that execute in the victim's browser when the page is rendered, potentially enabling session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed; the EPSS score of 0.04% indicates minimal real-world exploitation likelihood despite the vulnerability's technical severity.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68878 HIGH This Week

Reflected cross-site scripting (XSS) in Advanced Custom CSS WordPress plugin versions through 1.1.0 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to steal session tokens, credentials, or perform actions on behalf of victims through crafted URLs. No public exploit code or active exploitation has been confirmed at the time of analysis, though the low EPSS score (0.04th percentile) suggests limited real-world exploitation risk despite the straightforward attack vector.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68876 HIGH This Week

Reflected cross-site scripting (XSS) in INVELITY Invelity SPS connect WordPress plugin through version 1.0.8 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation and carries an extremely low exploitation probability (EPSS 0.04th percentile), suggesting minimal real-world attack motivation despite the CVSS scoring absence.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy