Skip to main content
CVE-2025-15262 LOW POC Monitor

A security flaw has been discovered in BiggiDroid Simple PHP CMS 1.0. This impacts an unknown function of the file /admin/edit.php of the component Site Logo Handler. Performing a manipulation of the argument image results in unrestricted upload. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks.

PHP Authentication Bypass File Upload Simple Php Cms
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-15258 LOW POC Monitor

Open redirect vulnerability in Edimax BR-6208AC firmware versions 1.02 and 1.03 allows authenticated remote attackers to redirect users to arbitrary websites via manipulation of the wlan-url parameter in the formALGSetup web interface function. The vulnerability requires user interaction (clicking a malicious link) and authenticated access, resulting in limited integrity impact. Public exploit code is available, but the device has reached end-of-life status with no further firmware updates planned by Edimax.

Open Redirect Br 6208ac Firmware
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-15221 LOW POC Monitor

A flaw has been found in SohuTV CacheCloud up to 3.2.0. This vulnerability affects the function index of the file src/main/java/com/sohu/cache/web/controller/AppDataMigrateController.java. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Java XSS Cachecloud
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-15214 LOW POC Monitor

Stored cross-site scripting (XSS) in Campcodes Park Ticketing System 1.0 allows high-privileged users to inject malicious scripts via the name/ride parameter in the save_pricing function of admin_class.php, affecting user sessions with user interaction. Publicly available exploit code exists, though EPSS scoring (0.02%) and high privilege requirement (PR:H) suggest limited real-world exploitation likelihood despite the low CVSS score of 1.9.

PHP XSS Park Ticketing System
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-15247 MEDIUM This Month

A vulnerability was identified in gmg137 snap7-rs up to 153d3e8c16decd7271e2a5b2e3da4d6f68589424. Affected by this issue is the function snap7_rs::client::S7Client::download of the file client.rs. Such manipulation leads to heap-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.

Buffer Overflow Snap7 Rs
NVD VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-15264 MEDIUM This Month

A vulnerability was determined in FeehiCMS up to 2.1.1. Impacted is an unknown function of the file frontend/web/timthumb.php of the component TimThumb. Executing manipulation of the argument src can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

PHP SSRF Feehicms
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2023-32238 MEDIUM This Month

Vulnerability in CodexThemes TheGem (Elementor), CodexThemes TheGem (WPBakery).8.1.1; TheGem (WPBakery): from n/a before 5.8.1.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-68976 MEDIUM This Month

Missing Authorization vulnerability in Eagle-Themes Eagle Booking eagle-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eagle Booking: from n/a through <= 1.3.4.3.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-69032 MEDIUM This Month

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes FiveStar fivestar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FiveStar: from n/a through <= 1.7.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-69030 MEDIUM This Month

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Backpack Traveler backpacktraveler allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Backpack Traveler: from n/a through <= 2.10.3.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-69029 MEDIUM This Month

Authorization Bypass Through User-Controlled Key vulnerability in Select-Themes Struktur struktur allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Struktur: from n/a through <= 2.5.1.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-69022 MEDIUM This Month

HR Management Lite WordPress plugin versions 3.6 and earlier contain a missing authorization vulnerability allowing authenticated users to access or modify resources without proper access control checks. An attacker with low-privilege user credentials can exploit incorrectly configured access control to read or modify sensitive data within the plugin's functionality, though the vulnerability requires prior authentication and does not enable privilege escalation or system-wide impact.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-69021 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Popup box ays-popup-box allows Cross Site Request Forgery.This issue affects Popup box: from n/a through <= 6.0.7.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-68998 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Heateor Support Heateor Social Login heateor-social-login allows Cross Site Request Forgery.This issue affects Heateor Social Login: from n/a through <= 1.1.39.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-66080 MEDIUM This Month

Missing authorization controls in WP Cookie Notice for GDPR, CCPA & ePrivacy Consent plugin (versions up to 4.0.3) allow unauthenticated attackers to exploit incorrectly configured access control security levels, potentially enabling unauthorized modification of cookie consent settings and GDPR compliance configurations. No public exploit code has been identified at time of analysis, though the vulnerability carries a low EPSS score (0.06%, 19th percentile) suggesting minimal real-world exploitation likelihood despite the authorization flaw.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-68981 MEDIUM This Month

Missing Authorization vulnerability in designthemes HomeFix Elementor Portfolio homefix-ele-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HomeFix Elementor Portfolio: from n/a through <= 1.0.1.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-68988 MEDIUM This Month

Unauthorized remote attackers can retrieve embedded sensitive system information from o2oe E-Invoice App Malaysia plugin versions 1.3.0 and earlier without authentication (CVSS:3.1 AV:N/AC:L/PR:N). The vulnerability exposes confidential data through information disclosure, with EPSS exploitation probability at 0.05% (14th percentile). No public exploit identified at time of analysis, though the low attack complexity and unauthenticated attack vector make exploitation straightforward for adversaries with network access to vulnerable WordPress installations.

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-15242 LOW POC Monitor

Race condition in PHPEMS Coupon Handler component up to version 11.0 allows authenticated remote attackers to manipulate coupon processing logic, potentially resulting in integrity compromise. The vulnerability requires high attack complexity and authenticated access, limiting practical exploitation despite publicly available proof-of-concept code. EPSS score of 0.04% indicates low real-world exploitation probability despite public POC availability.

Information Disclosure Race Condition Phpems
NVD VulDB
CVSS 4.0
1.3
EPSS
0.0%
CVE-2025-69031 MEDIUM This Month

Missing Authorization vulnerability in Skywarrior Arcane arcane allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Arcane: from n/a through <= 3.6.6.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-69009 MEDIUM This Month

Missing Authorization vulnerability in kamleshyadav Medicalequipment medicalequipment allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Medicalequipment: from n/a through <= 1.0.9.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-68997 MEDIUM This Month

Authorization bypass in wpDiscuz WordPress plugin through version 7.6.43 allows unauthenticated remote attackers to access user-controlled data via improperly configured access controls, resulting in limited information disclosure with a CVSS score of 5.3. The vulnerability exploits insecure direct object references (IDOR) where access control checks fail to properly validate object ownership, enabling attackers to enumerate or retrieve comment data they should not access. No public exploit code or active exploitation has been confirmed at this time, though the EPSS score of 0.04% suggests minimal real-world exploitation likelihood despite the relatively accessible attack vector.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-68994 MEDIUM This Month

Missing Authorization vulnerability in XforWooCommerce Product Loops for WooCommerce product-loops allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Loops for WooCommerce: from n/a through <= 2.1.2.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-68993 MEDIUM This Month

Missing Authorization vulnerability in XforWooCommerce Share, Print and PDF Products for WooCommerce share-print-pdf-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Share, Print and PDF Products for WooCommerce: from n/a through <= 3.1.2.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-68982 MEDIUM This Month

Missing Authorization vulnerability in designthemes DesignThemes LMS Addon designthemes-lms-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DesignThemes LMS Addon: from n/a through <= 2.6.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-68980 MEDIUM This Month

Missing Authorization vulnerability in designthemes WeDesignTech Portfolio wedesigntech-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WeDesignTech Portfolio: from n/a through <= 1.0.2.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-68979 MEDIUM This Month

Authorization Bypass Through User-Controlled Key vulnerability in SimpleCalendar Google Calendar Events google-calendar-events allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Google Calendar Events: from n/a through <= 3.5.9.

Authentication Bypass Google
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-69027 MEDIUM This Month

Missing Authorization vulnerability in tychesoftwares Product Delivery Date for WooCommerce - Lite product-delivery-date-for-woocommerce-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Delivery Date for WooCommerce - Lite: from n/a through <= 3.2.0.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-69014 MEDIUM This Month

Server-Side Request Forgery (SSRF) in Youzify WordPress plugin through version 1.3.7 allows authenticated high-privilege users to make arbitrary network requests from the server, exposing internal resources and services. The vulnerability requires administrative credentials (PR:H) but carries high confidentiality impact with EPSS score of 0.04% indicating minimal real-world exploitation likelihood despite the moderate CVSS score of 4.9.

SSRF
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-62128 MEDIUM This Month

Missing authorization in SiteLock Security WordPress plugin versions through 5.0.1 allows attackers to exploit incorrectly configured access control to bypass security restrictions. Unauthenticated remote attackers can leverage this CWE-862 vulnerability to gain unauthorized access to protected functionality or resources without proper privilege validation. The issue is tagged as an authentication bypass with low EPSS exploitation probability (0.05%, 17th percentile), indicating limited real-world attack likelihood despite the authorization flaw.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-68989 MEDIUM This Month

Sensitive data exposure in Contact Form 7 Mailchimp Extension plugin for WordPress (versions ≤0.9.68) allows unauthenticated remote attackers to retrieve embedded sensitive information through network-accessible endpoints. The vulnerability enables unauthorized access to confidential data with low attack complexity and no user interaction required. EPSS score of 0.05% (14th percentile) indicates low observed exploitation probability, and no public exploit identified at time of analysis.

Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-68975 MEDIUM This Month

Authorization Bypass Through User-Controlled Key vulnerability in Eagle-Themes Eagle Booking eagle-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eagle Booking: from n/a through <= 1.3.4.3.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-69026 MEDIUM This Month

Roxnor PopupKit popup-builder-block plugin through version 2.2.4 exposes sensitive system information to authenticated users via an information disclosure vulnerability. An authenticated attacker can retrieve embedded sensitive data that should not be accessible, potentially gaining insight into system configuration or other restricted information. The CVSS 4.3 score reflects low real-world impact (confidentiality only, low privileges required), and EPSS exploitation probability is minimal at 0.04%, indicating this is a lower-priority vulnerability despite affecting a WordPress plugin.

Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-69025 MEDIUM This Month

Aethonic Poptics WordPress plugin through version 1.0.20 exposes sensitive system information to authenticated users through an information disclosure vulnerability. Authenticated attackers with low-level privileges can retrieve embedded sensitive data without user interaction, though exploitation requires valid login credentials. The issue carries a modest CVSS score of 4.3 and extremely low EPSS probability (0.04th percentile), indicating real-world exploitation risk is minimal despite the confirmed vulnerability.

Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-69016 MEDIUM This Month

Authenticated users without proper authorization can modify content in the auxin-elements WordPress plugin (versions up to 2.17.15) due to missing access control checks on shortcode functionality. The vulnerability requires an authenticated account with low privileges and allows integrity compromise through shortcode manipulation, with an EPSS score of 0.04% indicating low real-world exploitation likelihood despite confirmed access control weakness.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-69012 MEDIUM This Month

Missing Authorization vulnerability in Stephen Harris Event Organiser event-organiser allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Event Organiser: from n/a through <= 3.12.8.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-68995 MEDIUM This Month

Missing authorization in Premio My Sticky Elements plugin (version 2.3.3 and earlier) allows authenticated users to modify data they should not have access to due to incorrectly configured access control security levels. The vulnerability requires an authenticated attacker with low privileges and carries a CVSS score of 4.3 with low real-world exploitation probability (EPSS 0.04%). No public exploit code or active exploitation has been identified.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-69013 MEDIUM This Month

Missing Authorization vulnerability in jetmonsters Stratum stratum allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Stratum: from n/a through <= 1.6.1.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62112 MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in the Easy Property Listings XML/CSV Import plugin for WordPress (versions <= 2.2.1) allows attackers to perform unauthorized actions on behalf of authenticated administrators without their knowledge or consent. The vulnerability affects the import functionality and carries minimal real-world exploitation risk based on EPSS scoring (0.02%, 5th percentile), indicating low likelihood of automated exploitation despite the CSRF vector requiring no special privileges or authentication from the attacker's perspective.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-69015 LOW Monitor

Missing Authorization vulnerability in Automattic Crowdsignal Forms crowdsignal-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Crowdsignal Forms: from n/a through <= 1.7.2.

Authentication Bypass
NVD
CVSS 3.1
3.8
EPSS
0.0%
CVE-2025-15246 LOW Monitor

A vulnerability was determined in aizuda snail-job up to 1.7.0 on macOS. Affected by this vulnerability is the function FurySerializer.deserialize of the component API. This manipulation of the argument argsStr causes deserialization. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.

Apple Deserialization
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-61594 LOW PATCH Monitor

URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier (bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue has been fixed in versions 0.12.5, 0.13.3 and 1.0.4.

Information Disclosure Uri
NVD GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-15250 LOW Monitor

A security vulnerability has been detected in 08CMS Novel System up to 3.4. This issue affects some unknown processing of the file admina/mtpls.inc.php of the component Template Handler. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.

PHP Information Disclosure
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-15241 LOW Monitor

Open redirect vulnerability in CloudPanel Community Edition up to version 2.5.1 allows authenticated attackers with user interaction to redirect users to arbitrary external websites via a malicious Referer header in the /admin/users endpoint. The vulnerability carries a CVSS 2.0 score with low severity impact, EPSS exploitation probability of 0.04%, publicly available exploit code, and vendor-confirmed patch in version 2.5.2.

Open Redirect
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-15248 LOW Monitor

A security flaw has been discovered in sunhailin12315 product-review 商品评价系统 up to 91ead6890b4065bb45b7602d0d73348e75cb4639. This affects an unknown part of the component Write a Review. Performing manipulation of the argument content results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. This product adopts a rolling release strategy to maintain continuous delivery The project was informed of the problem early through an issue report but has not responded yet.

XSS
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-15222 LOW Monitor

A vulnerability has been found in Dromara Sa-Token up to 1.44.0. This issue affects the function ObjectInputStream.readObject of the file SaSerializerTemplateForJdkUseBase64.java. Such manipulation leads to deserialization. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Deserialization
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.1%
CVE-2023-54271 Monitor

In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix NULL deref caused by blkg_policy_data being installed before init blk-iocost sometimes causes the following crash:. No vendor patch available.

Linux Denial Of Service
NVD VulDB
EPSS
0.2%
CVE-2023-54322 Monitor

In the Linux kernel, the following vulnerability has been resolved: arm64: set __exception_irq_entry with __irq_entry as a default filter_irq_stacks() is supposed to cut entries which are related irq. No vendor patch available.

Information Disclosure Linux
NVD VulDB
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy