Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-3455 — Click: The 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin
The 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'start_restore' function in all versions up to, and including, 2.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. CVSSv3.1 8.8 (HIGH)
CVE-2025-47657 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Productive Minds Productive Commerce productive-commerce allows SQL Injection.This issue affects Productive Commerce: from n/a through <= 1.1.42. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-47649 — Path: Traversal: '.../...//' vulnerability in StackWC Open Close WooCommerce Store woc-open-close allows PHP Local
Path Traversal: '.../...//' vulnerability in StackWC Open Close WooCommerce Store woc-open-close allows PHP Local File Inclusion.This issue affects Open Close WooCommerce Store: from n/a through <= 5.0.0. CVSSv3.1 8.8 (HIGH)
CVE-2025-47549 — Themefic Ultimate_before_after_image_slider_\&_gallery: Unrestricted Upload of File with Dangerous Type vulnerability in Themefic BEAF beaf-before-and-after-gallery allows Upload
Unrestricted Upload of File with Dangerous Type vulnerability in Themefic BEAF beaf-before-and-after-gallery allows Upload a Web Shell to a Web Server.This issue affects BEAF: from n/a through <= 4.6.10. CVSSv3.1 9.1 (CRITICAL)
CVE-2025-47533 — Site: Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design Graphina graphina-elementor-charts-and-graphs allows PHP Local File
Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design Graphina graphina-elementor-charts-and-graphs allows PHP Local File Inclusion.This issue affects Graphina: from n/a through <= 3.0.4. CVSSv3.1 8.1 (HIGH)
CVE-2025-47490 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rustaurius Ultimate WP Mail ultimate-wp-mail allows SQL Injection.This issue affects Ultimate WP Mail: from n/a through <= 1.3.4. CVSSv3.1 8.5 (HIGH)
CVE-2025-47462 — Site: Cross-Site Request Forgery (CSRF) vulnerability in WebAppick Challan webappick-pdf-invoice-for-woocommerce allows Privilege Escalation.This issue affects
Cross-Site Request Forgery (CSRF) vulnerability in WebAppick Challan webappick-pdf-invoice-for-woocommerce allows Privilege Escalation.This issue affects Challan: from n/a through <= 3.7.58. CVSSv3.1 8.8 (HIGH)
v1.4.0
NetExec v1.4.0 release introduces significant enhancements across SMB, LDAP, MSSQL, RDP, SSH, and NFS protocols with 40+ merged PRs. Notable additions include certificate-based authentication (PFX/PEM), regsecretsdump for stealthier credential extraction, NFS root filesystem escape, Shadow RDP detection, Timeroast module for unauthenticated computer password retrieval, and multiple new post-exploitation modules (Backup Operators automation, DPAPI hash dumping, WAM token extraction).
CVE-2025-0984 — Upload: Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Input During Web Page
Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Netoloji Software E-Flow allows Accessing Functionality Not Properly Constrained by ACLs, Stored XSS, File Content Injection. This issue affects E-Flow: before 3.23.00. CVSSv3.1 8.2 (HIGH) · EPSS 34th percentile
CVE-2025-2421 — Felisify Sambabox: Improper Control of Generation of Code ('Code Injection') vulnerability in Profelis Informatics SambaBox allows
Improper Control of Generation of Code ('Code Injection') vulnerability in Profelis Informatics SambaBox allows Code Injection. This issue affects SambaBox: before 5.1. CVSSv3.1 9.8 (CRITICAL) · EPSS 60th percentile
CVE-2025-2812 — Mydata Ticket_sales_automation: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mydata Informatics Ticket Sales Automation allows Blind SQL Injection. This issue affects Ticket Sales Automation: before 03.04.2025 (DD.MM.YYYY). CVSSv3.1 9.8 (CRITICAL) · EPSS 48th percentile
CVE-2024-11142 — Proticaret Proticaret: Cross-Site Request Forgery (CSRF) vulnerability in Gosoft Software Proticaret E-Commerce allows Cross Site Request
Cross-Site Request Forgery (CSRF) vulnerability in Gosoft Software Proticaret E-Commerce allows Cross Site Request Forgery. This issue affects Proticaret E-Commerce: before v6.0 NOTE: According to the vendor, fixing process is still ongoing for v4.05. CVSSv3.1 8.8 (HIGH) · EPSS 26th percentile
CVE-2025-27007 — Incorrect: Privilege Assignment vulnerability in Brainstorm Force OttoKit suretriggers allows Privilege Escalation.This issue affects
Incorrect Privilege Assignment vulnerability in Brainstorm Force OttoKit suretriggers allows Privilege Escalation.This issue affects OttoKit: from n/a through <= 1.0.82. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-4093 — Mozilla Firefox: This bug showed evidence of memory corruption and we presume that with enough effort
Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox ESR 128.10 and Thunderbird 128.10. CVSSv3.1 8.1 (HIGH)
CVE-2025-4091 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with
Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 138, Firefox ESR 128.10, Thunderbird 138, and Thunderbird 128.10. CVSSv3.1 8.1 (HIGH)
CVE-2025-4083 — Mozilla Firefox: A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which
A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape. This vulnerability was fixed in Firefox 138, Firefox ESR 128.10, Firefox ESR 115.23, Thunderbird 138, and Thunderbird 128.10. CVSSv3.1 9.1 (CRITICAL)
CVE-2025-2817 — Mozilla Firefox: By injecting code into the user-privileged process, an attacker could bypass intended access controls
Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation. This vulnerability was fixed in Firefox 138, Firefox ESR 128.10, Firefox ESR 115.23, Thunderbird 138, CVSSv3.1 8.8 (HIGH)
CVE-2025-45953 — Phpgurukul Hostel_management_system: Improper handling of session data allows a Session Hijacking attack, exploitable remotely
A vulnerability was found in PHPGurukul Hostel Management System 2.1 in the /hostel/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable remotely CVSSv3.1 9.1 (CRITICAL) · EPSS 30th percentile
CVE-2025-45949 — Phpgurukul User_registration_\&_login_and_user_management_system: Improper handling of session data allows a Session Hijacking attack, exploitable remotely and leading
A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /loginsystem/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable remotely and leading to account takeover. CVSSv3.1 9.8 (CRITICAL) · EPSS 36th percentile
CVE-2025-45947 — Phpgurukul Online_banquet_booking_system: An issue in phpgurukul Online Banquet Booking System V1.2 allows an attacker to execute
An issue in phpgurukul Online Banquet Booking System V1.2 allows an attacker to execute arbitrary code via the /obbs/change-password.php file of the My Account - Change Password component CVSSv3.1 9.8 (CRITICAL) · EPSS 47th percentile
CVE-2025-46264 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in blubrry PowerPress Podcasting powerpress allows
Unrestricted Upload of File with Dangerous Type vulnerability in blubrry PowerPress Podcasting powerpress allows Upload a Web Shell to a Web Server.This issue affects PowerPress Podcasting: from n/a through <= 11.12.5. CVSSv3.1 9.9 (CRITICAL)
CVE-2025-46248 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in M A Vinoth Kumar Frontend Dashboard frontend-dashboard allows SQL Injection.This issue affects Frontend Dashboard: from n/a through <= 2.2.5. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-39377 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs Appsero Helper appsero-helper allows SQL Injection.This issue affects Appsero Helper: from n/a through <= 1.3.4. CVSSv3.1 8.5 (HIGH)
SonicWall Sonicos Versions 7.1.x and 8.0.x
Bishop Fox disclosed CVE-2025-32818, a remote unauthenticated denial-of-service vulnerability in SonicWall SonicOS 7.1.x and 8.0.x affecting the SSL VPN interface. A null pointer dereference in the SSL VPN web server can be triggered via crafted HTTP POST requests to specific endpoints, causing a segmentation fault and forcing the appliance to reboot. SonicWall released patches (versions 7.2.0 and 8.0.1) on April 23, 2025.
CVE-2025-3607 — Frontend: The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation
The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.8. This is due to the plugin not properly validating a user's identity prior to updating a password. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. CVSSv3.1 8.8 (HIGH)