Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-49407 — Incorrect: Privilege Assignment vulnerability in favethemes Premium SEO Pack premium-seo-pack allows Privilege Escalation.This issue
Incorrect Privilege Assignment vulnerability in favethemes Premium SEO Pack premium-seo-pack allows Privilege Escalation.This issue affects Premium SEO Pack: from n/a through <= 3.3.2. CVSSv3.1 8.8 (HIGH)
CVE-2025-49404 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in purethemes Listeo Core listeo-core allows SQL Injection.This issue affects Listeo Core: from n/a through < 2.0.7. CVSSv3.1 8.5 (HIGH)
CVE-2025-49402 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in scriptsbundle Exertio Framework exertio-framework allows Blind SQL Injection.This issue affects Exertio Framework: from n/a through <= 1.3.3. CVSSv3.1 8.5 (HIGH)
CVE-2025-49388 — Incorrect: Privilege Assignment vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Privilege Escalation.This issue
Incorrect Privilege Assignment vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Privilege Escalation.This issue affects Miraculous Core Plugin: from n/a through <= 2.0.7. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-49387 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in add-ons.org Drag and Drop File
Unrestricted Upload of File with Dangerous Type vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms drag-and-drop-file-upload-for-elementor-forms allows Upload a Web Shell to a Web Server.This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through <= 1.5.3. CVSSv3.1 10.0 (CRITICAL)
CVE-2025-49383 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CocoBasic Neresa neresa-wp allows PHP Local File Inclusion.This issue affects Neresa: from n/a through <= 1.3. CVSSv3.1 8.1 (HIGH)
CVE-2025-48100 — Control: Improper Control of Generation of Code ('Code Injection') vulnerability in extremeidea bidorbuy Store Integrator
Improper Control of Generation of Code ('Code Injection') vulnerability in extremeidea bidorbuy Store Integrator bidorbuystoreintegrator allows Remote Code Inclusion.This issue affects bidorbuy Store Integrator: from n/a through <= 2.12.0. CVSSv3.1 9.1 (CRITICAL)
CVE-2025-39496 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW WooBeWoo Product Filter Pro woofilter-pro allows SQL Injection.This issue affects WooBeWoo Product Filter Pro: from n/a through < 2.9.6. CVSSv3.1 9.3 (CRITICAL)
TAOTH Campaign Exploits End-of-Support Software to Target Traditional Chinese Users and Dissidents
The TAOTH campaign exploited an abandoned Sogou Zhuyin IME update server (hijacked in October 2024) to distribute four malware families (TOSHIS, C6DOOR, DESFY, GTELAM) targeting Taiwanese users, dissidents, and journalists across Eastern Asia. Parallel spear-phishing operations deployed malware via fake cloud storage and login pages, with attackers harvesting OAuth credentials for email account compromise and lateral targeting.
CVE-2025-34523 — Arcserve Udp: A heap-based buffer overflow vulnerability exists in the network-facing input handling routines of Arcserve
A heap-based buffer overflow vulnerability exists in the network-facing input handling routines of Arcserve Unified Data Protection (UDP). This flaw is reachable without authentication and results from improper bounds checking when processing attacker-controlled input. By sending specially crafted data, a remote attacker can corrupt heap memory, potentially causing a denial of service or enabling arbitrary code execution depending on the memory layout and exploitation techniq CVSSv3.1 9.8 (CRITICAL) · EPSS 67th percentile
CVE-2025-55422 — Foxcms Foxcms: In FoxCMS 1.2.6, there is a reflected Cross Site Scripting (XSS) vulnerability in /index.php/plus.
In FoxCMS 1.2.6, there is a reflected Cross Site Scripting (XSS) vulnerability in /index.php/plus. CVSSv3.1 8.8 (HIGH) · EPSS 33th percentile
Referral Beware, Your Rewards are Mine (Part 1)
Rhino Security Labs published a comprehensive analysis of security vulnerabilities in referral rewards programs across 20+ companies, identifying three common implementation patterns and discovering 25+ vulnerability classes including business logic flaws, race conditions, cookie injection, client-side path traversals, and a novel attack vector called referral hijacking via cookie fixation. The research demonstrates how attackers can steal referral rewards, hijack referral codes, and achieve XSS/CSRF through gadget chaining in client-side code.
CVE-2025-50753 — Mitrastar: GPT-2741GNAC-N2 devices are provided with access through ssh into a restricted default shell.The
Mitrastar GPT-2741GNAC-N2 devices are provided with access through ssh into a restricted default shell.The command "deviceinfo show file" is supposed to be used from restricted shell to show files and directories. By providing " /bin/sh" (quotes included) to the argument of this command will drop a root shell. CVSSv3.1 8.4 (HIGH) · EPSS 5th percentile
CVE-2025-50383 — Easyappointments Easy\!appointments: alextselegidis Easy!Appointments v1.5.1 was discovered to contain a SQL injection vulnerability via the order_by
alextselegidis Easy!Appointments v1.5.1 was discovered to contain a SQL injection vulnerability via the order_by parameter. CVSSv3.1 8.1 (HIGH) · EPSS 27th percentile
CVE-2025-55409 — Foxcms Foxcms: 1.2.6, there is a Cross Site Scripting vulnerability in /index.php/article.
FoxCMS 1.2.6, there is a Cross Site Scripting vulnerability in /index.php/article. This allows attackers to execute arbitrary code. CVSSv3.1 8.8 (HIGH) · EPSS 38th percentile
CVE-2025-56216 — Phpgurukul Hospital_management_system: Hospital Management System 4.0 is vulnerable to SQL Injection in about-us.php via the
phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in about-us.php via the pagetitle parameter. CVSSv3.1 8.5 (HIGH)
CVE-2025-56214 — Phpgurukul Hospital_management_system: Hospital Management System 4.0 is vulnerable to SQL Injection in index.php via the
phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in index.php via the username parameter. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-56212 — Phpgurukul Hospital_management_system: Hospital Management System 4.0 is vulnerable to SQL Injection in add-doctor.php via the
phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in add-doctor.php via the docname parameter. CVSSv3.1 9.8 (CRITICAL)
v3.4.10
Nuclei v3.4.10 released with a single bug fix addressing a segmentation fault in template caching logic. This is a maintenance release with no security implications or feature additions.
CVE-2025-5821 — Case: The Case Theme User plugin for WordPress is vulnerable to Authentication Bypass in all
The Case Theme User plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.3. This is due to the plugin not properly logging in a user with the data that was previously verified through the facebook_ajax_login_callback() function. This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site which can easily be created by default through the temp user CVSSv3.1 9.8 (CRITICAL)
CVE-2025-5060 — Bravis: The Bravis User plugin for WordPress is vulnerable to Authentication Bypass in all versions
The Bravis User plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.1. This is due to the plugin not properly logging a user in with the data that was previously verified through the facebook_ajax_login_callback(). This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site, and access to the administrative user's email. CVSSv3.1 8.1 (HIGH)
CVE-2025-57105 — Dlink Di-7400g\+_firmware: The DI-7400G+ router has a command injection vulnerability, which allows attackers to execute arbitrary
The DI-7400G+ router has a command injection vulnerability, which allows attackers to execute arbitrary commands on the device. The sub_478D28 function in in mng_platform.asp, and sub_4A12DC function in wayos_ac_server.asp of the jhttpd program, with the parameter ac_mng_srv_host. CVSSv3.1 9.8 (CRITICAL) · EPSS 88th percentile
v3.4.9
Nuclei v3.4.9 released with a minor bug fix addressing output event handling for skipped hosts. This is a routine maintenance release with no security implications or feature additions.
CVE-2025-53251 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in An-Themes Pin WP pin-wp allows
Unrestricted Upload of File with Dangerous Type vulnerability in An-Themes Pin WP pin-wp allows Upload a Web Shell to a Web Server.This issue affects Pin WP: from n/a through < 7.2. CVSSv3.1 9.9 (CRITICAL)
CVE-2025-55370 — Jishenghua Jsherp: Incorrect access control in the component \controller\ResourceController.java of jshERP v3.5 allows unauthorized attackers to
Incorrect access control in the component \controller\ResourceController.java of jshERP v3.5 allows unauthorized attackers to obtain all the corresponding ID data by modifying the ID value. CVSSv3.1 8.8 (HIGH) · EPSS 32th percentile