2025-08-28
2025-08-28 17:15Z
CRIT

CVE-2025-57819 — Sangoma Freepbx: 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-57819in the wild

FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3. CVSSv3.1 9.8 (CRITICAL) · EPSS 100th percentile

CWECWE 89CWECWE 288VNDFreepbxVNDSangomaTYPVulnerabilitySTAitw exploited
9.8
CVSS v3.1
100
Edit Score
2025-08-28
2025-08-28 15:16Z
HIGH

CVE-2025-8067 — A flaw was found in the Udisks daemon, where it allows unprivileged users to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-8067

A flaw was found in the Udisks daemon, where it allows unprivileged users to create loop devices using the D-BUS system. This is achieved via the loop device handler, which handles requests sent through the D-BUS interface. As two of the parameters of this handle, it receives the file descriptor list and index specifying the file where the loop device should be backed. The function itself validates the index value to ensure it isn't bigger than the maximum value allowed. Howe CVSSv3.1 8.5 (HIGH) · EPSS 47th percentile

CWECWE 125TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-08-28
2025-08-28 13:16Z
HIGH

CVE-2025-54742 — Deserialization: of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-54742

Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through <= 4.4.8. CVSSv3.1 8.8 (HIGH)

CWECWE 502TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-08-28
2025-08-28 13:16Z
CRIT

CVE-2025-54738 — Authentication: Bypass Using an Alternate Path or Channel vulnerability in NooTheme Jobmonster noo-jobmonster allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-54738

Authentication Bypass Using an Alternate Path or Channel vulnerability in NooTheme Jobmonster noo-jobmonster allows Authentication Abuse.This issue affects Jobmonster: from n/a through <= 4.7.9. CVSSv3.1 9.8 (CRITICAL)

CWECWE 288TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-08-28
2025-08-28 13:16Z
HIGH

CVE-2025-54731 — Control: Improper Control of Generation of Code ('Code Injection') vulnerability in emarket-design YouTube Showcase youtube-showcase

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-54731

Improper Control of Generation of Code ('Code Injection') vulnerability in emarket-design YouTube Showcase youtube-showcase allows Object Injection.This issue affects YouTube Showcase: from n/a through <= 3.5.1. CVSSv3.1 8.1 (HIGH)

CWECWE 94TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-08-28
2025-08-28 13:16Z
CRIT

CVE-2025-54725 — Authentication: Bypass Using an Alternate Path or Channel vulnerability in uxper Golo golo allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-54725

Authentication Bypass Using an Alternate Path or Channel vulnerability in uxper Golo golo allows Authentication Abuse.This issue affects Golo: from n/a through <= 1.7.0. CVSSv3.1 9.8 (CRITICAL)

CWECWE 288TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-08-28
2025-08-28 13:16Z
CRIT

CVE-2025-54720 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-54720

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SteelThemes Nest Addons nest-addons allows SQL Injection.This issue affects Nest Addons: from n/a through <= 1.6.3. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
728 × 90 / responsive · programmatic ad slot
2025-08-28
2025-08-28 13:16Z
HIGH

CVE-2025-54716 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-54716

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Ireca ireca allows PHP Local File Inclusion.This issue affects Ireca: from n/a through <= 1.8.5. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-08-28
2025-08-28 13:16Z
HIGH

CVE-2025-53584 — Deserialization: of Untrusted Data vulnerability in emarket-design WP Ticket Customer Service Software & Support

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-53584

Deserialization of Untrusted Data vulnerability in emarket-design WP Ticket Customer Service Software & Support Ticket System wp-ticket allows Object Injection.This issue affects WP Ticket Customer Service Software & Support Ticket System: from n/a through <= 6.0.2. CVSSv3.1 8.1 (HIGH)

CWECWE 502TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-08-28
2025-08-28 13:16Z
HIGH

CVE-2025-53583 — Deserialization: of Untrusted Data vulnerability in emarket-design Employee Spotlight employee-spotlight allows Object Injection.This issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-53583

Deserialization of Untrusted Data vulnerability in emarket-design Employee Spotlight employee-spotlight allows Object Injection.This issue affects Employee Spotlight: from n/a through <= 5.1.1. CVSSv3.1 8.1 (HIGH)

CWECWE 502TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-08-28
2025-08-28 13:16Z
HIGH

CVE-2025-53578 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-53578

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kipso kipso allows PHP Local File Inclusion.This issue affects Kipso: from n/a through <= 1.3.4. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-08-28
2025-08-28 13:16Z
HIGH

CVE-2025-53576 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-53576

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Ovatheme Events ova-events allows PHP Local File Inclusion.This issue affects Ovatheme Events: from n/a through <= 1.2.8. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-08-28
2025-08-28 13:16Z
HIGH

CVE-2025-53572 — Deserialization: of Untrusted Data vulnerability in emarket-design WP Easy Contact wp-easy-contact allows Object Injection.This

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-53572

Deserialization of Untrusted Data vulnerability in emarket-design WP Easy Contact wp-easy-contact allows Object Injection.This issue affects WP Easy Contact: from n/a through <= 4.0.1. CVSSv3.1 8.1 (HIGH)

CWECWE 502TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-08-28
2025-08-28 13:16Z
HIGH

CVE-2025-53334 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-53334

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TieLabs Jannah jannah allows PHP Local File Inclusion.This issue affects Jannah: from n/a through < 7.5.1. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-08-28
2025-08-28 13:16Z
HIGH

CVE-2025-53248 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-53248

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Magazine eximious-magazine allows PHP Local File Inclusion.This issue affects Magazine: from n/a through <= 1.2.2. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-08-28
2025-08-28 13:16Z
HIGH

CVE-2025-53247 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-53247

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpinterface BlogMarks blogmarks allows PHP Local File Inclusion.This issue affects BlogMarks: from n/a through <= 1.0.8. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-08-28
2025-08-28 13:16Z
HIGH

CVE-2025-53244 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-53244

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Magazine Elite magazine-elite allows PHP Local File Inclusion.This issue affects Magazine Elite: from n/a through <= 1.2.4. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-08-28
2025-08-28 13:16Z
HIGH

CVE-2025-53243 — Deserialization: of Untrusted Data vulnerability in emarket-design Employee Directory – Staff Listing &amp; Team

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-53243

Deserialization of Untrusted Data vulnerability in emarket-design Employee Directory – Staff Listing &amp; Team Directory Plugin for WordPress employee-directory allows Object Injection.This issue affects Employee Directory – Staff Listing &amp; Team Directory Plugin for WordPress: from n/a through <= 4.5.5. CVSSv3.1 8.1 (HIGH)

CWECWE 502TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-08-28
2025-08-28 13:16Z
HIGH

CVE-2025-53227 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-53227

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Magazine Saga magazine-saga allows PHP Local File Inclusion.This issue affects Magazine Saga: from n/a through <= 1.2.7. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-08-28
2025-08-28 13:16Z
HIGH

CVE-2025-53216 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-53216

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themeuniver Glamer glamer allows PHP Local File Inclusion.This issue affects Glamer: from n/a through <= 1.0.2. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-08-28
2025-08-28 13:16Z
CRIT

CVE-2025-52761 — Deserialization: of Untrusted Data vulnerability in manfcarlo WP Funnel Manager wp-funnel-manager allows Object Injection.This

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-52761

Deserialization of Untrusted Data vulnerability in manfcarlo WP Funnel Manager wp-funnel-manager allows Object Injection.This issue affects WP Funnel Manager: from n/a through <= 1.4.0. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-08-28
2025-08-28 13:16Z
HIGH

CVE-2025-49407 — Incorrect: Privilege Assignment vulnerability in favethemes Premium SEO Pack premium-seo-pack allows Privilege Escalation.This issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49407

Incorrect Privilege Assignment vulnerability in favethemes Premium SEO Pack premium-seo-pack allows Privilege Escalation.This issue affects Premium SEO Pack: from n/a through <= 3.3.2. CVSSv3.1 8.8 (HIGH)

CWECWE 266TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-08-28
2025-08-28 13:15Z
HIGH

CVE-2025-49404 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49404

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in purethemes Listeo Core listeo-core allows SQL Injection.This issue affects Listeo Core: from n/a through < 2.0.7. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-08-28
2025-08-28 13:15Z
HIGH

CVE-2025-49402 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49402

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in scriptsbundle Exertio Framework exertio-framework allows Blind SQL Injection.This issue affects Exertio Framework: from n/a through <= 1.3.3. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-08-28
2025-08-28 13:15Z
CRIT

CVE-2025-49388 — Incorrect: Privilege Assignment vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Privilege Escalation.This issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49388

Incorrect Privilege Assignment vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Privilege Escalation.This issue affects Miraculous Core Plugin: from n/a through <= 2.0.7. CVSSv3.1 9.8 (CRITICAL)

CWECWE 266TYPVulnerability
9.8
CVSS v3.1
99
Edit Score