Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-24779 — Deserialization: of Untrusted Data vulnerability in NooTheme Yogi yogi allows Object Injection.This issue affects
Deserialization of Untrusted Data vulnerability in NooTheme Yogi yogi allows Object Injection.This issue affects Yogi: from n/a through < 2.9.3. CVSSv3.1 8.8 (HIGH)
CVE-2025-24777 — Deserialization: of Untrusted Data vulnerability in awethemes Hillter hillter allows Object Injection.This issue affects
Deserialization of Untrusted Data vulnerability in awethemes Hillter hillter allows Object Injection.This issue affects Hillter: from n/a through <= 3.0.7. CVSSv3.1 8.8 (HIGH)
CVE-2025-24759 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory wp-businessdirectory allows Blind SQL Injection.This issue affects WP-BusinessDirectory: from n/a through <= 3.1.4. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-54026 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in QuanticaLabs GymBase Theme Classes gymbase_classes allows SQL Injection.This issue affects GymBase Theme Classes: from n/a through <= 1.4. CVSSv3.1 8.5 (HIGH)
CVE-2025-54010 — Site: Cross-Site Request Forgery (CSRF) vulnerability in Shahjahan Jewel FluentSnippets easy-code-manager allows Cross Site Request
Cross-Site Request Forgery (CSRF) vulnerability in Shahjahan Jewel FluentSnippets easy-code-manager allows Cross Site Request Forgery.This issue affects FluentSnippets: from n/a through <= 10.50. CVSSv3.1 9.6 (CRITICAL)
CVE-2024-9342 — Eclipse Glassfish: In Eclipse GlassFish versions before 8.0.3 it is possible to perform Login Brute Force
In Eclipse GlassFish versions before 8.0.3 it is possible to perform Login Brute Force attacks as there is no limitation in the number of failed login attempts. GlassFish 8.0.3 adds automatic attack protection documented in https://glassfish.org/docs/latest/security-guide.html#brute-force-attack-protection . CVSSv3.1 9.8 (CRITICAL)
CVE-2025-7359 — Counter: The Counter live visitors for WooCommerce plugin for WordPress is vulnerable to arbitrary file
The Counter live visitors for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wcvisitor_get_block function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. NOTE: This particular vulnerability deletes all the files in a targeted arbitrary directory rather than a specified arbitrary file, which can lead to loss of da CVSSv3.1 8.2 (HIGH)
CVE-2025-6043 — Malcure: The Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal plugin for WordPress
The Malcure Malware Scanner — #1 Toolset for WordPress Malware Removal plugin for WordPress is vulnerable to Arbitrary File Deletion due to a missing capability check on the wpmr_delete_file() function in all versions up to, and including, 17.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files making remote code execution possible. This is only exploitable when advanced mode is enabled on the site. CVSSv3.1 8.1 (HIGH)
CVE-2025-6965 — Sqlite Sqlite: This could lead to a memory corruption issue.
There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-7360 — Hasthemes Download_contact_form_7_widget_for_elementor_page_builder_\&_gut: The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). CVSSv3.1 9.1 (CRITICAL)
CVE-2025-7341 — Hasthemes Download_contact_form_7_widget_for_elementor_page_builder_\&_gut: The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). CVSSv3.1 9.1 (CRITICAL)
CVE-2025-7340 — Hasthemes Download_contact_form_7_widget_for_elementor_page_builder_\&_gut: The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form
The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-5394 — Alone: The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to
The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution. CVE-2025-54019 is likely a duplicate of this. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-5393 — Alone: The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to
The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This was partially patched CVSSv3.1 9.1 (CRITICAL)
collateral-damage — Kernel exploit for Xbox SystemOS using CVE-2024-30088
Collateral Damage is a public kernel exploit for Xbox One and Xbox Series consoles targeting CVE-2024-30088, enabling arbitrary code execution with SYSTEM privileges. The exploit chains a CPU side-channel vulnerability with a race condition, delivered via the Game Script UWP application, and includes staged payloads for network-based code loading. The vulnerability affects kernel versions 25398.4478, 25398.4908, and 25398.4909.
You’re Pen Testing AI Wrong: Why Prompt Engineering Isn’t Enough
Bishop Fox publishes guidance on LLM penetration testing methodology, arguing that static prompt filtering and token-based defenses are insufficient. The research emphasizes scenario-driven, conversational testing approaches that exploit context manipulation and intent-shifting, and recommends defense-in-depth architecture including sandboxing, intermediary validation, and human-in-the-loop controls for sensitive operations.
CVE-2025-49697 — Microsoft 365_apps: Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally.
Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. CVSSv3.1 8.4 (HIGH) · EPSS 70th percentile
CVE-2025-49696 — Microsoft 365_apps: Out-of-bounds read in Microsoft Office allows an unauthorized attacker to execute code locally.
Out-of-bounds read in Microsoft Office allows an unauthorized attacker to execute code locally. CVSSv3.1 8.4 (HIGH) · EPSS 74th percentile
CVE-2025-49695 — Microsoft 365_apps: Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. CVSSv3.1 8.4 (HIGH) · EPSS 74th percentile
CVE-2025-5987 — Libssh Libssh: If an attacker manages to exhaust the heap space, this error is not detected
A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library. If an attacker manages to exhaust the heap space, this error is not detected and may lead to libssh using a partially initialized cipher context. This occurs because the OpenSSL error code returned aliases with the SSH_OK code, resulting in libssh not properly detecting the error returned by the OpenSSL library. This issue can lead to undefined behavior, including compromised data confidential CVSSv3.1 8.1 (HIGH) · EPSS 70th percentile
CVE-2025-32023 — PoC & Exploit for CVE-2025-32023 / PlaidCTF 2025 "Zerodeo"
CVE-2025-32023 is a critical integer overflow in Redis HyperLogLog sparse encoding iteration that allows out-of-bounds heap/stack writes. The vulnerability affects Redis versions 2.8 through 8.0.2 and has been patched in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. A public PoC and full RCE exploit chain leveraging heap corruption and fake module object injection is available.
CVE-2025-52833 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in designthemes LMS lms allows SQL Injection.This issue affects LMS: from n/a through <= 9.2. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-52832 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpo-HR NGG Smart Image Search ngg-smart-image-search allows SQL Injection.This issue affects NGG Smart Image Search: from n/a through <= 3.4.1. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-52831 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in thanhtungtnt Video List Manager video-list-manager allows SQL Injection.This issue affects Video List Manager: from n/a through <= 1.7. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-52830 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BSecure - Your Universal Checkout bSecure – Your Universal Checkout bsecure allows Blind SQL Injection.This issue affects bSecure – Your Universal Checkout: from n/a through <= 1.7.9. CVSSv3.1 9.3 (CRITICAL)