Skip to main content
CVE-2025-69256 HIGH POC PATCH This Week

Command injection in Serverless Framework versions 4.29.0 through 4.29.2 allows remote code execution through the experimental MCP server feature (@serverless/mcp package). Attackers can inject arbitrary shell commands via unsanitized input parameters passed to child_process.exec, achieving RCE under server process privileges. Publicly available exploit code exists (GHSA-rwc2-f344-q6w6). Impact is limited to less than 0.1% of users utilizing the experimental serverless mcp feature. EPSS probability is low at 0.05% (16th percentile).

Command Injection RCE Serverless
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-66835 HIGH POC This Week

Local code execution in TrueConf Client 8.5.2 lets an already-authenticated local user run arbitrary code in the context of the victim user by planting a malicious wfapi.dll that the application loads insecurely (CWE-427). Publicly available exploit code exists, but there is no public exploit identified in the sense of active exploitation - it is not listed in CISA KEV and EPSS is low (0.17%, 6th percentile), indicating little observed real-world exploitation activity. The impact is confined to the current user's context (no privilege escalation to SYSTEM claimed).

RCE Trueconf
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-68990 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in xenioushk BWL Pro Voting Manager bwl-pro-voting-manager allows Blind SQL Injection.This issue affects BWL Pro Voting Manager: from n/a through <= 1.4.9.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-69034 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Lekker lekker allows PHP Local File Inclusion.This issue affects Lekker: from n/a through <= 1.8.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-59129 HIGH This Week

Blind SQL Injection in Appointify WordPress plugin version 1.0.8 and earlier allows unauthenticated remote attackers to execute arbitrary SQL commands against the underlying database. The vulnerability enables data extraction and manipulation through time-based or error-based inference techniques without requiring valid credentials or authentication. EPSS score of 0.04% indicates low statistical likelihood of exploitation despite the technical severity of SQL injection.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-68987 HIGH This Week

Local file inclusion in Edge-Themes Cinerama WordPress theme versions ≤2.9 enables unauthenticated remote attackers to read arbitrary server files through PHP file inclusion weaknesses. Despite the CVSS critical rating of 9.8, EPSS probability is low (0.17%, 38th percentile) with no public exploit identified at time of analysis. The vulnerability allows server-side file reading which could expose configuration files, credentials, and sensitive data without authentication requirements.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-68985 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Aora aora allows PHP Local File Inclusion.This issue affects Aora: from n/a through <= 1.3.15.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-68984 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Puca puca allows PHP Local File Inclusion.This issue affects Puca: from n/a through <= 2.6.39.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-68983 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Greenmart greenmart allows PHP Local File Inclusion.This issue affects Greenmart: from n/a through <= 4.2.11.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-62753 HIGH This Week

Local file inclusion vulnerability in MadrasThemes MAS Videos WordPress plugin versions up to 1.3.4 allows unauthenticated attackers to read arbitrary files from the affected server through improper control of filename parameters in PHP include/require statements. The vulnerability affects the masvideos plugin and has been tracked by Patchstack with an EPSS score of 0.17% (38th percentile), indicating low exploitation probability despite the presence of information disclosure risk.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-68996 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebCodingPlace Responsive Posts Carousel Pro responsive-posts-carousel-pro allows PHP Local File Inclusion.This issue affects Responsive Posts Carousel Pro: from n/a through <= 15.1.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68036 HIGH This Week

CubeWP framework plugin through version 1.1.27 fails to enforce proper access control checks, allowing attackers to access functionality that should be restricted by access control lists. This authentication bypass vulnerability has low real-world exploitation probability (EPSS 0.05%) but represents a fundamental authorization flaw in the plugin's architecture that could enable privilege escalation or unauthorized feature access depending on implementation context.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-23554 HIGH This Week

Reflected cross-site scripting (XSS) in the Off Page SEO WordPress plugin through version 3.0.3 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during page generation, enabling attackers to steal session cookies, redirect users, or perform actions on behalf of victims through crafted URLs. No public exploit code has been identified, and the low EPSS score (0.04%) suggests minimal real-world exploitation likelihood despite the moderate theoretical attack surface.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-23550 HIGH This Week

Reflected cross-site scripting (XSS) in the Product Puller WordPress plugin through version 1.5.1 allows unauthenticated attackers to inject malicious JavaScript into web pages viewed by other users. The vulnerability stems from improper input sanitization in the plugin's request handling, enabling attackers to craft malicious URLs that execute arbitrary scripts in victim browsers. No public exploit code has been identified, and the EPSS score of 0.04% indicates low exploitation probability in the wild, though the vulnerability remains remotely exploitable without authentication.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-23469 HIGH This Week

Reflected XSS in Sleekplan WordPress plugin through version 0.2.0 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by users. The vulnerability exists in the plugin's input handling during web page generation, enabling attackers to steal session cookies, perform unauthorized actions on behalf of victims, or redirect users to malicious sites. No active exploitation has been confirmed, but the attack vector is network-based with low complexity.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-23458 HIGH This Week

Reflected cross-site scripting (XSS) in the Rakessh Ads24 Lite WordPress plugin (wp-ad-management) up to version 1.0 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to craft malicious URLs that execute arbitrary JavaScript in victims' browsers when visited, potentially compromising user sessions, stealing credentials, or defacing content. No public exploit code or active exploitation has been confirmed at the time of analysis, though the low EPSS score (0.04%) suggests limited real-world exploitation likelihood despite the straightforward attack vector.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-59131 HIGH This Week

WP-CalDav2ICS WordPress plugin through version 1.3.4 contains a Cross-Site Request Forgery (CSRF) vulnerability that enables Stored XSS attacks. The vulnerability allows unauthenticated attackers to craft malicious requests that, when executed by a logged-in administrator or user, inject persistent malicious scripts into the plugin's stored data. This combined CSRF+XSS chain can lead to persistent compromise of the WordPress site through script injection.

CSRF XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy