Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-52830 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BSecure - Your Universal Checkout bSecure – Your Universal Checkout bsecure allows Blind SQL Injection.This issue affects bSecure – Your Universal Checkout: from n/a through <= 1.7.9. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-52828 — Deserialization: of Untrusted Data vulnerability in designthemes Red Art redart allows Object Injection.This issue
Deserialization of Untrusted Data vulnerability in designthemes Red Art redart allows Object Injection.This issue affects Red Art: from n/a through <= 3.8. CVSSv3.1 8.8 (HIGH)
CVE-2025-52813 — Authorization: Missing Authorization vulnerability in pietro MobiLoud mobiloud-mobile-app-plugin allows Exploiting Incorrectly Configured Access Control Security
Missing Authorization vulnerability in pietro MobiLoud mobiloud-mobile-app-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MobiLoud: from n/a through <= 4.6.6. CVSSv3.1 8.1 (HIGH)
CVE-2025-52807 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusWP Kossy - Minimalist eCommerce WordPress Theme kossy allows PHP Local File Inclusion.This issue affects Kossy - Minimalist eCommerce WordPress Theme: from n/a through <= 1.45. CVSSv3.1 8.1 (HIGH)
CVE-2025-4414 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in cmsmasters CMSMasters Content Composer cmsmasters-content-composer allows PHP Local File Inclusion.This issue affects CMSMasters Content Composer: from n/a through < 2.5.7. CVSSv3.1 8.1 (HIGH)
CVE-2025-49867 — Inspirythemes Realhomes: Incorrect Privilege Assignment vulnerability in InspiryThemes RealHomes realhomes allows Privilege Escalation.This issue affects RealHomes
Incorrect Privilege Assignment vulnerability in InspiryThemes RealHomes realhomes allows Privilege Escalation.This issue affects RealHomes: from n/a through <= 4.4.0. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-49417 — Deserialization: of Untrusted Data vulnerability in BestWpDeveloper WooCommerce Product Multi-Action Woo-product-multiaction allows Object Injection.This
Deserialization of Untrusted Data vulnerability in BestWpDeveloper WooCommerce Product Multi-Action Woo-product-multiaction allows Object Injection.This issue affects WooCommerce Product Multi-Action: from n/a through <= 1.3. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-49414 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Fastw3b LLC FW Gallery fw-gallery
Unrestricted Upload of File with Dangerous Type vulnerability in Fastw3b LLC FW Gallery fw-gallery allows Using Malicious Files.This issue affects FW Gallery: from n/a through <= 8.0.0. CVSSv3.1 10.0 (CRITICAL)
CVE-2025-49302 — Control: Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson Easy Stripe
Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson Easy Stripe easy-stripe allows Remote Code Inclusion.This issue affects Easy Stripe: from n/a through <= 1.1. CVSSv3.1 10.0 (CRITICAL)
CVE-2025-32297 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in quantumcloud Simple Link Directory qc-simple-link-directory allows SQL Injection.This issue affects Simple Link Directory: from n/a through < 14.8.1. CVSSv3.1 8.5 (HIGH)
CVE-2025-30933 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in LiquidThemes LogisticsHub logistics-hub allows Upload
Unrestricted Upload of File with Dangerous Type vulnerability in LiquidThemes LogisticsHub logistics-hub allows Upload a Web Shell to a Web Server.This issue affects LogisticsHub: from n/a through <= 1.1.6. CVSSv3.1 10.0 (CRITICAL)
CVE-2025-28983 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect click-pledge-connect allows Privilege Escalation.This issue affects Click & Pledge Connect: from n/a through <= 25.04010101-WP6.8. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-24780 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in printcart Printcart Web to Print Product Designer for WooCommerce printcart-integration allows SQL Injection.This issue affects Printcart Web to Print Product Designer for WooCommerce: from n/a through <= 2.4.0. CVSSv3.1 8.5 (HIGH)
CVE-2025-23970 — Incorrect: Privilege Assignment vulnerability in aonetheme Service Finder Booking sf-booking allows Privilege Escalation.This issue
Incorrect Privilege Assignment vulnerability in aonetheme Service Finder Booking sf-booking allows Privilege Escalation.This issue affects Service Finder Booking: from n/a through <= 6.1. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-30979 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus Pixelating image slideshow gallery pixelating-image-slideshow-gallery allows SQL Injection.This issue affects Pixelating image slideshow gallery: from n/a through <= 8.0. CVSSv3.1 8.5 (HIGH)
CVE-2025-30969 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus iFrame Images Gallery wp-iframe-images-gallery allows SQL Injection.This issue affects iFrame Images Gallery: from n/a through <= 9.0. CVSSv3.1 8.5 (HIGH)
CVE-2025-30947 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus Cool fade popup cool-fade-popup allows Blind SQL Injection.This issue affects Cool fade popup: from n/a through <= 10.1. CVSSv3.1 8.5 (HIGH)
CVE-2025-28969 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in cybio Gallery Widget gallery-widget allows SQL Injection.This issue affects Gallery Widget: from n/a through <= 1.2.1. CVSSv3.1 8.5 (HIGH)
CVE-2025-28967 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Steve Truman Contact Us page - Contact people LITE contact-us-page-contact-people allows SQL Injection.This issue affects Contact Us page - Contact people LITE: from n/a through <= 3.7.4. CVSSv3.1 8.5 (HIGH)
CVE-2025-28951 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in CreedAlly Bulk Featured Image bulk-featured-image
Unrestricted Upload of File with Dangerous Type vulnerability in CreedAlly Bulk Featured Image bulk-featured-image allows Upload a Web Shell to a Web Server.This issue affects Bulk Featured Image: from n/a through <= 1.2.4. CVSSv3.1 9.1 (CRITICAL)
CVE-2025-23968 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in WebFactory AiBud WP aibuddy-openai-chatgpt allows
Unrestricted Upload of File with Dangerous Type vulnerability in WebFactory AiBud WP aibuddy-openai-chatgpt allows Upload a Web Shell to a Web Server.This issue affects AiBud WP: from n/a through <= 1.9. CVSSv3.1 9.1 (CRITICAL)
CVE-2025-32463 — Local Privilege Escalation to Root via Sudo chroot in Linux
CVE-2025-32463 is a local privilege escalation vulnerability in sudo versions 1.9.14–1.9.17 affecting the chroot functionality, allowing unprivileged users to escalate to root. A public PoC exploit is available on GitHub; patched versions 1.9.17p1 and later are available.
CVE-2025-5746 — Drag: The Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress is
The Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dnd_upload_cf7_upload_chunks() function in version 5.0 - 5.0.5 (when bundled with the PrintSpace theme) and all versions up to, and including, 1.7.1 (in the standalone version). This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code exe CVSSv3.1 9.8 (CRITICAL)
NeacController — Exploit vulnerabilities in NeacSafe64.sys to achieve privilege escalation and kernel-mode shellcode execution
NeacController is a public exploit for CVE-2025-45737 affecting NetEase's NeacSafe64.sys anti-cheat driver (versions <1.0.0.8). The vulnerability exposes IOCTL handlers (Opcodes 14 and 70) that implement arbitrary kernel-space read/write primitives, enabling local privilege escalation to SYSTEM and arbitrary kernel-mode code execution via function pointer hijacking in NonPagedPool memory.
CVE-2025-49029 — Control: Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.kazi Custom Login And
Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.kazi Custom Login And Signup Widget custom-login-and-signup-widget allows Code Injection.This issue affects Custom Login And Signup Widget: from n/a through <= 1.0. CVSSv3.1 9.1 (CRITICAL)