2025-07-16
2025-07-16 12:15Z
HIGH

CVE-2025-24779 — Deserialization: of Untrusted Data vulnerability in NooTheme Yogi yogi allows Object Injection.This issue affects

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-24779

Deserialization of Untrusted Data vulnerability in NooTheme Yogi yogi allows Object Injection.This issue affects Yogi: from n/a through < 2.9.3. CVSSv3.1 8.8 (HIGH)

CWECWE 502TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-07-16
2025-07-16 12:15Z
HIGH

CVE-2025-24777 — Deserialization: of Untrusted Data vulnerability in awethemes Hillter hillter allows Object Injection.This issue affects

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-24777

Deserialization of Untrusted Data vulnerability in awethemes Hillter hillter allows Object Injection.This issue affects Hillter: from n/a through <= 3.0.7. CVSSv3.1 8.8 (HIGH)

CWECWE 502TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-07-16
2025-07-16 12:15Z
CRIT

CVE-2025-24759 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-24759

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory wp-businessdirectory allows Blind SQL Injection.This issue affects WP-BusinessDirectory: from n/a through <= 3.1.4. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-07-16
2025-07-16 11:15Z
HIGH

CVE-2025-54026 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-54026

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in QuanticaLabs GymBase Theme Classes gymbase_classes allows SQL Injection.This issue affects GymBase Theme Classes: from n/a through <= 1.4. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-07-16
2025-07-16 11:15Z
CRIT

CVE-2025-54010 — Site: Cross-Site Request Forgery (CSRF) vulnerability in Shahjahan Jewel FluentSnippets easy-code-manager allows Cross Site Request

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-54010

Cross-Site Request Forgery (CSRF) vulnerability in Shahjahan Jewel FluentSnippets easy-code-manager allows Cross Site Request Forgery.This issue affects FluentSnippets: from n/a through <= 10.50. CVSSv3.1 9.6 (CRITICAL)

CWECWE 352TYPVulnerability
9.6
CVSS v3.1
98
Edit Score
2025-07-16
2025-07-16 11:15Z
CRIT

CVE-2024-9342 — Eclipse Glassfish: In Eclipse GlassFish versions before 8.0.3 it is possible to perform Login Brute Force

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-9342

In Eclipse GlassFish versions before 8.0.3 it is possible to perform Login Brute Force attacks as there is no limitation in the number of failed login attempts. GlassFish 8.0.3 adds automatic attack protection documented in https://glassfish.org/docs/latest/security-guide.html#brute-force-attack-protection . CVSSv3.1 9.8 (CRITICAL)

CWECWE 307VNDEclipseTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-07-16
2025-07-16 07:15Z
HIGH

CVE-2025-7359 — Counter: The Counter live visitors for WooCommerce plugin for WordPress is vulnerable to arbitrary file

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-7359

The Counter live visitors for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wcvisitor_get_block function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. NOTE: This particular vulnerability deletes all the files in a targeted arbitrary directory rather than a specified arbitrary file, which can lead to loss of da CVSSv3.1 8.2 (HIGH)

CWECWE 22VNDCounterTYPVulnerability
8.2
CVSS v3.1
91
Edit Score
728 × 90 / responsive · programmatic ad slot
2025-07-16
2025-07-16 07:15Z
HIGH

CVE-2025-6043 — Malcure: The Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal plugin for WordPress

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-6043

The Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal plugin for WordPress is vulnerable to Arbitrary File Deletion due to a missing capability check on the wpmr_delete_file() function in all versions up to, and including, 17.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files making remote code execution possible. This is only exploitable when advanced mode is enabled on the site. CVSSv3.1 8.1 (HIGH)

CWECWE 862VNDMalcureTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-07-15
2025-07-15 14:15Z
CRIT

CVE-2025-6965 — Sqlite Sqlite: This could lead to a memory corruption issue.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-6965

There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above. CVSSv3.1 9.8 (CRITICAL)

CWECWE 197VNDSqliteVNDThereTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-07-15
2025-07-15 05:15Z
CRIT

CVE-2025-7360 — Hasthemes Download_contact_form_7_widget_for_elementor_page_builder_\&_gut: The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-7360

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). CVSSv3.1 9.1 (CRITICAL)

CWECWE 22VNDHasthemesVNDContactTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-07-15
2025-07-15 05:15Z
CRIT

CVE-2025-7341 — Hasthemes Download_contact_form_7_widget_for_elementor_page_builder_\&_gut: The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-7341

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). CVSSv3.1 9.1 (CRITICAL)

CWECWE 269VNDHasthemesVNDContactTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-07-15
2025-07-15 05:15Z
CRIT

CVE-2025-7340 — Hasthemes Download_contact_form_7_widget_for_elementor_page_builder_\&_gut: The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-7340

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. CVSSv3.1 9.8 (CRITICAL)

CWECWE 434VNDHasthemesVNDContactTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-07-15
2025-07-15 04:15Z
CRIT

CVE-2025-5394 — Alone: The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-5394

The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution. CVE-2025-54019 is likely a duplicate of this. CVSSv3.1 9.8 (CRITICAL)

CWECWE 862VNDAloneTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-07-15
2025-07-15 04:15Z
CRIT

CVE-2025-5393 — Alone: The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-5393

The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This was partially patched CVSSv3.1 9.1 (CRITICAL)

CWECWE 73VNDAloneTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-07-13
2025-07-13 14:10Z
HIGH

collateral-damage — Kernel exploit for Xbox SystemOS using CVE-2024-30088

GitHub · kernel exploits·github.comGITHUB POCCVE-2024-30088

Collateral Damage is a public kernel exploit for Xbox One and Xbox Series consoles targeting CVE-2024-30088, enabling arbitrary code execution with SYSTEM privileges. The exploit chains a CPU side-channel vulnerability with a race condition, delivered via the Game Script UWP application, and includes staged payloads for network-based code loading. The vulnerability affects kernel versions 25398.4478, 25398.4908, and 25398.4909.

TACTA0004SRFHardwareVNDMicrosoftTYPWriteupTYPExploitSTGPrivescSTGExecutionTECT1559
76
Edit Score
2025-07-09
2025-07-09 13:00Z
HIGH

You’re Pen Testing AI Wrong: Why Prompt Engineering Isn’t Enough

Bishop Fox Labs·bishopfox.com

Bishop Fox publishes guidance on LLM penetration testing methodology, arguing that static prompt filtering and token-based defenses are insufficient. The research emphasizes scenario-driven, conversational testing approaches that exploit context manipulation and intent-shifting, and recommends defense-in-depth architecture including sandboxing, intermediary validation, and human-in-the-loop controls for sensitive operations.

TACTA0001SRFAiTYPResearchTYPTechniqueSTGDiscoveryTECT1589EXPPrompt Injection
68
Edit Score
2025-07-08
2025-07-08 17:15Z
HIGH

CVE-2025-49697 — Microsoft 365_apps: Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49697

Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. CVSSv3.1 8.4 (HIGH) · EPSS 70th percentile

CWECWE 122VNDMicrosoftVNDHeapTYPVulnerability
8.4
CVSS v3.1
92
Edit Score
2025-07-08
2025-07-08 17:15Z
HIGH

CVE-2025-49696 — Microsoft 365_apps: Out-of-bounds read in Microsoft Office allows an unauthorized attacker to execute code locally.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49696

Out-of-bounds read in Microsoft Office allows an unauthorized attacker to execute code locally. CVSSv3.1 8.4 (HIGH) · EPSS 74th percentile

CWECWE 125CWECWE 122VNDMicrosoftTYPVulnerability
8.4
CVSS v3.1
92
Edit Score
2025-07-08
2025-07-08 17:15Z
HIGH

CVE-2025-49695 — Microsoft 365_apps: Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-49695

Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. CVSSv3.1 8.4 (HIGH) · EPSS 74th percentile

CWECWE 416VNDMicrosoftTYPVulnerability
8.4
CVSS v3.1
92
Edit Score
2025-07-07
2025-07-07 15:15Z
HIGH

CVE-2025-5987 — Libssh Libssh: If an attacker manages to exhaust the heap space, this error is not detected

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-5987

A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library. If an attacker manages to exhaust the heap space, this error is not detected and may lead to libssh using a partially initialized cipher context. This occurs because the OpenSSL error code returned aliases with the SSH_OK code, resulting in libssh not properly detecting the error returned by the OpenSSL library. This issue can lead to undefined behavior, including compromised data confidential CVSSv3.1 8.1 (HIGH) · EPSS 70th percentile

CWECWE 393VNDLibsshTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-07-06
2025-07-06 18:58Z
CRIT

CVE-2025-32023 — PoC & Exploit for CVE-2025-32023 / PlaidCTF 2025 "Zerodeo"

GitHub · recent CVE PoCs·github.comGITHUB POCCVE-2025-32023

CVE-2025-32023 is a critical integer overflow in Redis HyperLogLog sparse encoding iteration that allows out-of-bounds heap/stack writes. The vulnerability affects Redis versions 2.8 through 8.0.2 and has been patched in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. A public PoC and full RCE exploit chain leveraging heap corruption and fake module object injection is available.

SRFApplicationTACTA0002VNDRedisTYPWriteupTYPExploitTYPVulnerabilitySTGExecutionSTGImpact
92
Edit Score
2025-07-04
2025-07-04 12:15Z
CRIT

CVE-2025-52833 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-52833

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in designthemes LMS lms allows SQL Injection.This issue affects LMS: from n/a through <= 9.2. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-07-04
2025-07-04 12:15Z
CRIT

CVE-2025-52832 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-52832

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpo-HR NGG Smart Image Search ngg-smart-image-search allows SQL Injection.This issue affects NGG Smart Image Search: from n/a through <= 3.4.1. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-07-04
2025-07-04 12:15Z
CRIT

CVE-2025-52831 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-52831

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in thanhtungtnt Video List Manager video-list-manager allows SQL Injection.This issue affects Video List Manager: from n/a through <= 1.7. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-07-04
2025-07-04 12:15Z
CRIT

CVE-2025-52830 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-52830

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BSecure - Your Universal Checkout bSecure &#8211; Your Universal Checkout bsecure allows Blind SQL Injection.This issue affects bSecure &#8211; Your Universal Checkout: from n/a through <= 1.7.9. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score