Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-31429 — Deserialization: of Untrusted Data vulnerability in themeton PressGrid - Frontend Publish Reaction & Multimedia
Deserialization of Untrusted Data vulnerability in themeton PressGrid - Frontend Publish Reaction & Multimedia Theme press-grid allows Object Injection.This issue affects PressGrid - Frontend Publish Reaction & Multimedia Theme: from n/a through <= 1.3.1. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-31424 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages leadcapture allows Blind SQL Injection.This issue affects WP Lead Capturing Pages: from n/a through < 2.6. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-31398 — Deserialization: of Untrusted Data vulnerability in themeton PIMP - Creative MultiPurpose pimp allows Object
Deserialization of Untrusted Data vulnerability in themeton PIMP - Creative MultiPurpose pimp allows Object Injection.This issue affects PIMP - Creative MultiPurpose: from n/a through <= 1.7. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-31396 — Deserialization: of Untrusted Data vulnerability in themeton FLAP - Business WordPress Theme flap allows
Deserialization of Untrusted Data vulnerability in themeton FLAP - Business WordPress Theme flap allows Object Injection.This issue affects FLAP - Business WordPress Theme: from n/a through <= 1.5. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-31059 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in woobewoo WBW Product Table PRO woo-producttables-pro allows SQL Injection.This issue affects WBW Product Table PRO: from n/a through <= 2.2.6. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-31052 — Deserialization: of Untrusted Data vulnerability in themeton The Fashion - Model Agency One Page
Deserialization of Untrusted Data vulnerability in themeton The Fashion - Model Agency One Page Beauty Theme nrgfashion allows Object Injection.This issue affects The Fashion - Model Agency One Page Beauty Theme: from n/a through <= 1.4.4. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-31039 — Restriction: Improper Restriction of XML External Entity Reference vulnerability in pixelgrade Category Icon category-icon allows
Improper Restriction of XML External Entity Reference vulnerability in pixelgrade Category Icon category-icon allows XML Entity Linking.This issue affects Category Icon: from n/a through <= 1.0.3. CVSSv3.1 9.1 (CRITICAL)
CVE-2025-31022 — Authentication: Bypass Using an Alternate Path or Channel vulnerability in PayU India PayU India
Authentication Bypass Using an Alternate Path or Channel vulnerability in PayU India PayU India payu-india allows Authentication Abuse.This issue affects PayU India: from n/a through < 3.8.8. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-31019 — Authentication: Bypass Using an Alternate Path or Channel vulnerability in miniOrange Password Policy Manager
Authentication Bypass Using an Alternate Path or Channel vulnerability in miniOrange Password Policy Manager password-policy-manager allows Authentication Abuse.This issue affects Password Policy Manager: from n/a through <= 2.0.4. CVSSv3.1 8.8 (HIGH)
CVE-2025-28992 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme SNS Anton snsanton allows PHP Local File Inclusion.This issue affects SNS Anton: from n/a through <= 4.1. CVSSv3.1 8.1 (HIGH)
CVE-2025-28945 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Valen - Sport, Fashion WooCommerce WordPress Theme valen allows PHP Local File Inclusion.This issue affects Valen - Sport, Fashion WooCommerce WordPress Theme: from n/a through <= 2.4. CVSSv3.1 8.1 (HIGH)
CVE-2025-28944 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Avaz snsavaz allows PHP Local File Inclusion.This issue affects Avaz: from n/a through <= 2.8. CVSSv3.1 8.1 (HIGH)
CVE-2025-28888 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme GiftXtore bw-giftxtore allows PHP Local File Inclusion.This issue affects GiftXtore: from n/a through < 1.7.7. CVSSv3.1 8.1 (HIGH)
CVE-2025-27362 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Petito bw-petito allows PHP Local File Inclusion.This issue affects Petito: from n/a through < 1.6.6. CVSSv3.1 8.1 (HIGH)
CVE-2025-26592 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Lab lab allows PHP Local File Inclusion.This issue affects Lab: from n/a through <= 1.0.0. CVSSv3.1 8.1 (HIGH)
CVE-2025-24770 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme CraftXtore bw-craftxtore allows PHP Local File Inclusion.This issue affects CraftXtore: from n/a through <= 1.7. CVSSv3.1 8.1 (HIGH)
CVE-2025-24768 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Nitan snsnitan allows PHP Local File Inclusion.This issue affects Nitan: from n/a through <= 2.9. CVSSv3.1 8.1 (HIGH)
CVE-2025-24767 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in facturaone TicketBAI Facturas para WooCommerce wp-ticketbai allows Blind SQL Injection.This issue affects TicketBAI Facturas para WooCommerce: from n/a through <= 3.19. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-23974 — Incorrect: Privilege Assignment vulnerability in ifkooo One-Login one-login allows Privilege Escalation.This issue affects One-Login
Incorrect Privilege Assignment vulnerability in ifkooo One-Login one-login allows Privilege Escalation.This issue affects One-Login: from n/a through <= 1.4. CVSSv3.1 8.1 (HIGH)
CVE-2023-26005 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Fitrush bw-fitrush allows PHP Local File Inclusion.This issue affects Fitrush: from n/a through <= 1.3.4. CVSSv3.1 8.1 (HIGH)
CVE-2023-25999 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme BodyCenter - Gym, Fitness WooCommerce WordPress Theme bodycenter allows PHP Local File Inclusion.This issue affects BodyCenter - Gym, Fitness WooCommerce WordPress Theme: from n/a through <= 2.4. CVSSv3.1 8.1 (HIGH)
k8s-container-escape-lkm
RBT Security released a proof-of-concept Kubernetes container escape leveraging a custom Linux Kernel Module (LKM) to achieve host-level code execution from a privileged container. The exploit chains initial code execution (e.g., via SSTI) with kernel module loading to spawn a reverse shell with full host privileges, demonstrating the critical risk of running containers with CAP_SYS_MODULE capability.
CVE-2025-47601 — Authorization: Missing Authorization vulnerability in Christiaan Pieterse MaxiBlocks maxi-blocks allows Privilege Escalation.This issue affects MaxiBlocks
Missing Authorization vulnerability in Christiaan Pieterse MaxiBlocks maxi-blocks allows Privilege Escalation.This issue affects MaxiBlocks: from n/a through <= 2.1.0. CVSSv3.1 8.8 (HIGH)
CVE-2025-49323 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themefic Hydra Booking hydra-booking allows SQL Injection.This issue affects Hydra Booking: from n/a through <= 1.1.10. CVSSv3.1 8.5 (HIGH)
CVE-2025-49288 — Authorization: Missing Authorization vulnerability in Rustaurius Ultimate WP Mail ultimate-wp-mail allows Authentication Bypass.This issue affects
Missing Authorization vulnerability in Rustaurius Ultimate WP Mail ultimate-wp-mail allows Authentication Bypass.This issue affects Ultimate WP Mail: from n/a through <= 1.3.5. CVSSv3.1 8.8 (HIGH)