Skip to main content
CVE-2025-15256 MEDIUM POC This Month

A vulnerability was identified in Edimax BR-6208AC 1.02/1.03. Affected is the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component Web-based Configuration Interface. The manipulation of the argument rootAPmac leads to command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. Edimax confirms this issue: "The product mentioned, EDIMAX BR-6208AC V2, has reached its End of Life (EOL) status. It is no longer supported or maintained by Edimax, and it is no longer available for purchase in the market. Consequently, there will be no further firmware updates or patches for this device. We recommend users upgrade to newer models for better security." This vulnerability only affects products that are no longer supported by the maintainer.

Command Injection Br 6208ac Firmware
NVD VulDB
CVSS 4.0
5.5
EPSS
0.5%
CVE-2025-15257 MEDIUM POC This Month

A security flaw has been discovered in Edimax BR-6208AC 1.02/1.03. Affected by this vulnerability is the function formRoute of the file /gogorm/formRoute of the component Web-based Configuration Interface. The manipulation of the argument strIp/strMask/strGateway results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Edimax confirms this issue: "The product mentioned, EDIMAX BR-6208AC V2, has reached its End of Life (EOL) status. It is no longer supported or maintained by Edimax, and it is no longer available for purchase in the market. Consequently, there will be no further firmware updates or patches for this device. We recommend users upgrade to newer models for better security." This vulnerability only affects products that are no longer supported by the maintainer.

Command Injection Br 6208ac Firmware
NVD VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2025-15354 MEDIUM POC This Month

A flaw has been found in itsourcecode Society Management System 1.0. The affected element is an unknown function of the file /admin/add_admin.php. Executing manipulation of the argument Username can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used.

PHP SQLi Society Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-15353 MEDIUM POC This Month

A vulnerability was detected in itsourcecode Society Management System 1.0. Impacted is the function edit_admin_query of the file /admin/edit_admin_query.php. Performing manipulation of the argument Username results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.

PHP SQLi Society Management System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-15263 MEDIUM POC This Month

A weakness has been identified in BiggiDroid Simple PHP CMS 1.0. Affected is an unknown function of the file /admin/login.php of the component Admin Login. Executing a manipulation of the argument Username can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.

PHP SQLi Simple Php Cms
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-15243 MEDIUM POC This Month

A flaw has been found in code-projects Simple Stock System 1.0. This affects an unknown function of the file /market/login.php. Executing a manipulation of the argument Username can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used.

PHP SQLi Simple Stock System
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-68974 MEDIUM This Month

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange WordPress Social Login and Register miniorange-login-openid allows PHP Local File Inclusion.This issue affects WordPress Social Login and Register: from n/a through <= 7.7.0.

WordPress LFI PHP Information Disclosure
NVD
CVSS 3.1
6.6
EPSS
0.2%
CVE-2025-68040 MEDIUM This Month

WP Project Manager plugin through version 3.0.1 exposes sensitive information in sent data due to improper information handling, allowing attackers to retrieve embedded sensitive data without authentication. The vulnerability affects all installations of the weDevs plugin and has been identified with an extremely low EPSS score (0.05%, 14th percentile), suggesting minimal practical exploitation likelihood despite the information disclosure classification.

Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-66103 MEDIUM This Month

DOM-based cross-site scripting (XSS) in WPCal.io WordPress plugin versions 0.9.5.9 and earlier allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper neutralization of user input during web page generation, enabling attackers to execute arbitrary JavaScript in the context of affected websites. No CVSS score is available, but the EPSS score of 0.04% (14th percentile) indicates low practical exploitation likelihood despite the XSS vector being a common attack class.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-66094 MEDIUM This Month

Stored cross-site scripting (XSS) in Yada Wiki WordPress plugin through version 3.5 allows authenticated users to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability stems from improper input sanitization during web page generation, enabling persistent XSS attacks that could compromise site integrity, steal credentials, or perform actions on behalf of administrators. EPSS exploitation probability is very low at 0.04%, but the stored nature of the vulnerability means injected payloads persist across sessions.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-64190 MEDIUM This Month

DOM-based cross-site scripting (XSS) in 8theme XStore Core plugin (et-core-plugin) versions below 5.6 allows attackers to inject malicious scripts that execute in users' browsers during web page generation. The vulnerability affects WordPress installations using the vulnerable plugin, and while no CVSS score was assigned, the extremely low EPSS score (0.04%) suggests minimal real-world exploitation likelihood despite the XSS classification.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-63027 MEDIUM This Month

Stored cross-site scripting (XSS) in webcreations907 WBC907 Core WordPress plugin versions up to 3.4.1 allows attackers to inject and execute malicious JavaScript that persists in the application, potentially compromising users who view affected pages. The vulnerability stems from improper input neutralization during web page generation. No public exploit code or active exploitation has been identified at the time of analysis, though the attack vector and complexity depend on the specific injection point within the plugin.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-62746 MEDIUM This Month

Stored cross-site scripting (XSS) in CodeFlavors Featured Video for WordPress (VideographyWP) plugin version 1.0.18 and earlier allows authenticated attackers to inject malicious scripts that execute in the browsers of other site users, potentially compromising administrator accounts and site integrity. The vulnerability stems from improper input sanitization during web page generation, and no public exploit code has been identified at the time of analysis.

WordPress XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-69017 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in Magnigenie RestroPress WordPress plugin through version 3.2.8.4 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising session tokens, stealing sensitive data, or defacing content. The vulnerability requires user interaction (UI:R) and affects only authenticated attackers (PR:L), limiting immediate exploitation risk despite the moderate CVSS score of 6.5. No public exploit code or active exploitation has been confirmed at time of analysis.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68499 MEDIUM This Month

DOM-based cross-site scripting (XSS) in Crocoblock JetTabs WordPress plugin versions up to 2.2.12 allows attackers to inject malicious scripts that execute in users' browsers when viewing affected pages. The vulnerability stems from improper input neutralization during web page generation, enabling stored or reflected XSS attacks without requiring authentication. With an EPSS score of 0.04% (14th percentile), exploitation likelihood is very low despite the publicly documented vulnerability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68498 MEDIUM This Month

Missing authorization in Crocoblock JetTabs WordPress plugin version 2.2.12 and earlier allows unauthenticated or low-privileged attackers to bypass access control restrictions and exploit misconfigured security levels. The vulnerability stems from improper validation of user permissions before executing sensitive operations, potentially enabling unauthorized access to restricted plugin functionality or data.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-69024 MEDIUM This Month

Missing Authorization vulnerability in bizswoop BizPrint print-google-cloud-print-gcp-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BizPrint: from n/a through <= 4.6.7.

WordPress Authentication Bypass Google
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68991 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in xenioushk BWL Pro Voting Manager bwl-pro-voting-manager allows DOM-Based XSS.This issue affects BWL Pro Voting Manager: from n/a through <= 1.4.9.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68978 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Core designthemes-core allows DOM-Based XSS.This issue affects DesignThemes Core: from n/a through <= 1.6.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68977 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Portfolio Addon designthemes-portfolio-addon allows DOM-Based XSS.This issue affects DesignThemes Portfolio Addon: from n/a through <= 1.5.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-15247 MEDIUM This Month

A vulnerability was identified in gmg137 snap7-rs up to 153d3e8c16decd7271e2a5b2e3da4d6f68589424. Affected by this issue is the function snap7_rs::client::S7Client::download of the file client.rs. Such manipulation leads to heap-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.

Buffer Overflow Snap7 Rs
NVD VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-15264 MEDIUM This Month

A vulnerability was determined in FeehiCMS up to 2.1.1. Impacted is an unknown function of the file frontend/web/timthumb.php of the component TimThumb. Executing manipulation of the argument src can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

PHP SSRF Feehicms
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2023-32238 MEDIUM This Month

Vulnerability in CodexThemes TheGem (Elementor), CodexThemes TheGem (WPBakery).8.1.1; TheGem (WPBakery): from n/a before 5.8.1.1. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-68976 MEDIUM This Month

Missing Authorization vulnerability in Eagle-Themes Eagle Booking eagle-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eagle Booking: from n/a through <= 1.3.4.3.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-69032 MEDIUM This Month

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes FiveStar fivestar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FiveStar: from n/a through <= 1.7.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-69030 MEDIUM This Month

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Backpack Traveler backpacktraveler allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Backpack Traveler: from n/a through <= 2.10.3.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-69029 MEDIUM This Month

Authorization Bypass Through User-Controlled Key vulnerability in Select-Themes Struktur struktur allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Struktur: from n/a through <= 2.5.1.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-69022 MEDIUM This Month

HR Management Lite WordPress plugin versions 3.6 and earlier contain a missing authorization vulnerability allowing authenticated users to access or modify resources without proper access control checks. An attacker with low-privilege user credentials can exploit incorrectly configured access control to read or modify sensitive data within the plugin's functionality, though the vulnerability requires prior authentication and does not enable privilege escalation or system-wide impact.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-69021 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Popup box ays-popup-box allows Cross Site Request Forgery.This issue affects Popup box: from n/a through <= 6.0.7.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-68998 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Heateor Support Heateor Social Login heateor-social-login allows Cross Site Request Forgery.This issue affects Heateor Social Login: from n/a through <= 1.1.39.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-66080 MEDIUM This Month

Missing authorization controls in WP Cookie Notice for GDPR, CCPA & ePrivacy Consent plugin (versions up to 4.0.3) allow unauthenticated attackers to exploit incorrectly configured access control security levels, potentially enabling unauthorized modification of cookie consent settings and GDPR compliance configurations. No public exploit code has been identified at time of analysis, though the vulnerability carries a low EPSS score (0.06%, 19th percentile) suggesting minimal real-world exploitation likelihood despite the authorization flaw.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-68981 MEDIUM This Month

Missing Authorization vulnerability in designthemes HomeFix Elementor Portfolio homefix-ele-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HomeFix Elementor Portfolio: from n/a through <= 1.0.1.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-68988 MEDIUM This Month

Unauthorized remote attackers can retrieve embedded sensitive system information from o2oe E-Invoice App Malaysia plugin versions 1.3.0 and earlier without authentication (CVSS:3.1 AV:N/AC:L/PR:N). The vulnerability exposes confidential data through information disclosure, with EPSS exploitation probability at 0.05% (14th percentile). No public exploit identified at time of analysis, though the low attack complexity and unauthenticated attack vector make exploitation straightforward for adversaries with network access to vulnerable WordPress installations.

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-69031 MEDIUM This Month

Missing Authorization vulnerability in Skywarrior Arcane arcane allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Arcane: from n/a through <= 3.6.6.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-69009 MEDIUM This Month

Missing Authorization vulnerability in kamleshyadav Medicalequipment medicalequipment allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Medicalequipment: from n/a through <= 1.0.9.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-68997 MEDIUM This Month

Authorization bypass in wpDiscuz WordPress plugin through version 7.6.43 allows unauthenticated remote attackers to access user-controlled data via improperly configured access controls, resulting in limited information disclosure with a CVSS score of 5.3. The vulnerability exploits insecure direct object references (IDOR) where access control checks fail to properly validate object ownership, enabling attackers to enumerate or retrieve comment data they should not access. No public exploit code or active exploitation has been confirmed at this time, though the EPSS score of 0.04% suggests minimal real-world exploitation likelihood despite the relatively accessible attack vector.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-68994 MEDIUM This Month

Missing Authorization vulnerability in XforWooCommerce Product Loops for WooCommerce product-loops allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Loops for WooCommerce: from n/a through <= 2.1.2.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-68993 MEDIUM This Month

Missing Authorization vulnerability in XforWooCommerce Share, Print and PDF Products for WooCommerce share-print-pdf-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Share, Print and PDF Products for WooCommerce: from n/a through <= 3.1.2.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-68982 MEDIUM This Month

Missing Authorization vulnerability in designthemes DesignThemes LMS Addon designthemes-lms-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DesignThemes LMS Addon: from n/a through <= 2.6.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-68980 MEDIUM This Month

Missing Authorization vulnerability in designthemes WeDesignTech Portfolio wedesigntech-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WeDesignTech Portfolio: from n/a through <= 1.0.2.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-68979 MEDIUM This Month

Authorization Bypass Through User-Controlled Key vulnerability in SimpleCalendar Google Calendar Events google-calendar-events allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Google Calendar Events: from n/a through <= 3.5.9.

Authentication Bypass Google
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-69027 MEDIUM This Month

Missing Authorization vulnerability in tychesoftwares Product Delivery Date for WooCommerce - Lite product-delivery-date-for-woocommerce-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Delivery Date for WooCommerce - Lite: from n/a through <= 3.2.0.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-69014 MEDIUM This Month

Server-Side Request Forgery (SSRF) in Youzify WordPress plugin through version 1.3.7 allows authenticated high-privilege users to make arbitrary network requests from the server, exposing internal resources and services. The vulnerability requires administrative credentials (PR:H) but carries high confidentiality impact with EPSS score of 0.04% indicating minimal real-world exploitation likelihood despite the moderate CVSS score of 4.9.

SSRF
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-62128 MEDIUM This Month

Missing authorization in SiteLock Security WordPress plugin versions through 5.0.1 allows attackers to exploit incorrectly configured access control to bypass security restrictions. Unauthenticated remote attackers can leverage this CWE-862 vulnerability to gain unauthorized access to protected functionality or resources without proper privilege validation. The issue is tagged as an authentication bypass with low EPSS exploitation probability (0.05%, 17th percentile), indicating limited real-world attack likelihood despite the authorization flaw.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-68989 MEDIUM This Month

Sensitive data exposure in Contact Form 7 Mailchimp Extension plugin for WordPress (versions ≤0.9.68) allows unauthenticated remote attackers to retrieve embedded sensitive information through network-accessible endpoints. The vulnerability enables unauthorized access to confidential data with low attack complexity and no user interaction required. EPSS score of 0.05% (14th percentile) indicates low observed exploitation probability, and no public exploit identified at time of analysis.

Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-68975 MEDIUM This Month

Authorization Bypass Through User-Controlled Key vulnerability in Eagle-Themes Eagle Booking eagle-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eagle Booking: from n/a through <= 1.3.4.3.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-69026 MEDIUM This Month

Roxnor PopupKit popup-builder-block plugin through version 2.2.4 exposes sensitive system information to authenticated users via an information disclosure vulnerability. An authenticated attacker can retrieve embedded sensitive data that should not be accessible, potentially gaining insight into system configuration or other restricted information. The CVSS 4.3 score reflects low real-world impact (confidentiality only, low privileges required), and EPSS exploitation probability is minimal at 0.04%, indicating this is a lower-priority vulnerability despite affecting a WordPress plugin.

Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-69025 MEDIUM This Month

Aethonic Poptics WordPress plugin through version 1.0.20 exposes sensitive system information to authenticated users through an information disclosure vulnerability. Authenticated attackers with low-level privileges can retrieve embedded sensitive data without user interaction, though exploitation requires valid login credentials. The issue carries a modest CVSS score of 4.3 and extremely low EPSS probability (0.04th percentile), indicating real-world exploitation risk is minimal despite the confirmed vulnerability.

Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-69016 MEDIUM This Month

Authenticated users without proper authorization can modify content in the auxin-elements WordPress plugin (versions up to 2.17.15) due to missing access control checks on shortcode functionality. The vulnerability requires an authenticated account with low privileges and allows integrity compromise through shortcode manipulation, with an EPSS score of 0.04% indicating low real-world exploitation likelihood despite confirmed access control weakness.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-69012 MEDIUM This Month

Missing Authorization vulnerability in Stephen Harris Event Organiser event-organiser allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Event Organiser: from n/a through <= 3.12.8.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy