Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-47512 — Limitation: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in tainacan
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in tainacan Tainacan tainacan allows Path Traversal.This issue affects Tainacan: from n/a through <= 0.21.14. CVSSv3.1 8.6 (HIGH)
CVE-2025-47492 — Limitation: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in add-ons.org
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms drag-and-drop-file-upload-for-elementor-forms allows Path Traversal.This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through <= 1.4.3. CVSSv3.1 8.6 (HIGH)
CVE-2025-47478 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows SQL Injection.This issue affects ProfileGrid : from n/a through <= 5.9.5.0. CVSSv3.1 8.5 (HIGH)
CVE-2025-47461 — Authentication: Bypass Using an Alternate Path or Channel vulnerability in mediaticus Subaccounts for WooCommerce
Authentication Bypass Using an Alternate Path or Channel vulnerability in mediaticus Subaccounts for WooCommerce subaccounts-for-woocommerce allows Authentication Abuse.This issue affects Subaccounts for WooCommerce: from n/a through <= 1.6.6. CVSSv3.1 8.8 (HIGH)
CVE-2025-47453 — Xylusthemes Wp_smart_import: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Xylus Themes WP Smart Import wp-smart-import allows PHP Local File Inclusion.This issue affects WP Smart Import: from n/a through <= 1.1.3. CVSSv3.1 8.1 (HIGH)
CVE-2025-47438 — Wpjobportal Wp_job_portal: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpjobportal WP Job Portal wp-job-portal allows PHP Local File Inclusion.This issue affects WP Job Portal: from n/a through <= 2.3.1. CVSSv3.1 8.1 (HIGH) · EPSS 73th percentile
CVE-2025-46539 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFable Fable Extra fable-extra allows Blind SQL Injection.This issue affects Fable Extra: from n/a through <= 1.0.6. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-46490 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in wordwebsoftware Crossword Compiler Puzzles crossword-compiler-puzzles
Unrestricted Upload of File with Dangerous Type vulnerability in wordwebsoftware Crossword Compiler Puzzles crossword-compiler-puzzles allows Upload a Web Shell to a Web Server.This issue affects Crossword Compiler Puzzles: from n/a through <= 5.2. CVSSv3.1 9.9 (CRITICAL)
CVE-2025-46474 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SEUR OFICIAL SEUR Oficial seur allows PHP Local File Inclusion.This issue affects SEUR Oficial: from n/a through <= 2.2.23. CVSSv3.1 8.1 (HIGH)
CVE-2025-46468 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WPFable Fable Extra fable-extra allows PHP Local File Inclusion.This issue affects Fable Extra: from n/a through <= 1.0.6. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-46463 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yamna Khawaja Mailing Group Listserv wp-mailing-group allows SQL Injection.This issue affects Mailing Group Listserv: from n/a through <= 3.0.4. CVSSv3.1 8.5 (HIGH)
CVE-2025-46460 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Detheme Easy Guide wp-easy-guide allows SQL Injection.This issue affects Easy Guide: from n/a through <= 1.0.0. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-46458 — Site: Cross-Site Request Forgery (CSRF) vulnerability in x000x occupancyplan occupancyplan allows SQL Injection.This issue affects
Cross-Site Request Forgery (CSRF) vulnerability in x000x occupancyplan occupancyplan allows SQL Injection.This issue affects occupancyplan: from n/a through <= 1.0.3.0. CVSSv3.1 8.2 (HIGH)
CVE-2025-46455 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in IndigoThemes WP HRM LITE wp-hrm-lite-human-resource-management-system allows SQL Injection.This issue affects WP HRM LITE: from n/a through <= 1.1. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-46444 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in scripteo Ads Pro ap-plugin-scripteo allows PHP Local File Inclusion.This issue affects Ads Pro: from n/a through <= 4.89. CVSSv3.1 8.1 (HIGH)
CVE-2025-39536 — Authorization: Missing Authorization vulnerability in Chimpstudio JobHunt Job Alerts jobhunt-notifications allows Exploiting Incorrectly Configured Access
Missing Authorization vulnerability in Chimpstudio JobHunt Job Alerts jobhunt-notifications allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JobHunt Job Alerts: from n/a through <= 3.6. CVSSv3.1 8.2 (HIGH)
CVE-2025-39506 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NasaTheme Nasa Core nasa-core allows PHP Local File Inclusion.This issue affects Nasa Core: from n/a through <= 6.3.2. CVSSv3.1 8.1 (HIGH)
CVE-2025-39504 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in GoodLayers Goodlayers Hotel gdlr-hotel allows Blind SQL Injection.This issue affects Goodlayers Hotel: from n/a through <= 3.1.4. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-39503 — Deserialization: of Untrusted Data vulnerability in GoodLayers Goodlayers Hotel gdlr-hotel allows Object Injection.This issue
Deserialization of Untrusted Data vulnerability in GoodLayers Goodlayers Hotel gdlr-hotel allows Object Injection.This issue affects Goodlayers Hotel: from n/a through <= 3.1.4. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-39501 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in GoodLayers Goodlayers Hostel gdlr-hostel allows Blind SQL Injection.This issue affects Goodlayers Hostel: from n/a through <= 3.1.4. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-39500 — Deserialization: of Untrusted Data vulnerability in GoodLayers Goodlayers Hostel gdlr-hostel allows Object Injection.This issue
Deserialization of Untrusted Data vulnerability in GoodLayers Goodlayers Hostel gdlr-hostel allows Object Injection.This issue affects Goodlayers Hostel: from n/a through <= 3.1.2. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-39499 — Deserialization: of Untrusted Data vulnerability in BoldThemes Medicare medicare allows Object Injection.This issue affects
Deserialization of Untrusted Data vulnerability in BoldThemes Medicare medicare allows Object Injection.This issue affects Medicare: from n/a through <= 2.1.0. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-39495 — Deserialization: of Untrusted Data vulnerability in BoldThemes Avantage avantage allows Object Injection.This issue affects
Deserialization of Untrusted Data vulnerability in BoldThemes Avantage avantage allows Object Injection.This issue affects Avantage: from n/a through <= 2.4.9. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-39494 — Qodeinteractive Wilmer: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wilmër wilmer allows PHP Local File Inclusion.This issue affects Wilmër: from n/a through < 3.4.2. CVSSv3.1 8.1 (HIGH)
CVE-2025-39490 — Qodeinteractive Backpack_traveler: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Backpack Traveler backpacktraveler allows PHP Local File Inclusion.This issue affects Backpack Traveler: from n/a through <= 2.10.2. CVSSv3.1 8.1 (HIGH)