2025-05-09
2025-05-09 07:16Z
HIGH

CVE-2025-3455 — Click: The 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-3455

The 1 Click WordPress Migration Plugin – 100% FREE for a limited time plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'start_restore' function in all versions up to, and including, 2.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. CVSSv3.1 8.8 (HIGH)

CWECWE 434VNDClickTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-05-07
2025-05-07 15:16Z
CRIT

CVE-2025-47657 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-47657

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Productive Minds Productive Commerce productive-commerce allows SQL Injection.This issue affects Productive Commerce: from n/a through <= 1.1.42. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-05-07
2025-05-07 15:16Z
HIGH

CVE-2025-47649 — Path: Traversal: '.../...//' vulnerability in StackWC Open Close WooCommerce Store woc-open-close allows PHP Local

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-47649

Path Traversal: '.../...//' vulnerability in StackWC Open Close WooCommerce Store woc-open-close allows PHP Local File Inclusion.This issue affects Open Close WooCommerce Store: from n/a through <= 5.0.0. CVSSv3.1 8.8 (HIGH)

CWECWE 35TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-05-07
2025-05-07 15:16Z
CRIT

CVE-2025-47549 — Themefic Ultimate_before_after_image_slider_\&_gallery: Unrestricted Upload of File with Dangerous Type vulnerability in Themefic BEAF beaf-before-and-after-gallery allows Upload

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-47549

Unrestricted Upload of File with Dangerous Type vulnerability in Themefic BEAF beaf-before-and-after-gallery allows Upload a Web Shell to a Web Server.This issue affects BEAF: from n/a through <= 4.6.10. CVSSv3.1 9.1 (CRITICAL)

CWECWE 434VNDThemeficTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-05-07
2025-05-07 15:16Z
HIGH

CVE-2025-47533 — Site: Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design Graphina graphina-elementor-charts-and-graphs allows PHP Local File

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-47533

Cross-Site Request Forgery (CSRF) vulnerability in Iqonic Design Graphina graphina-elementor-charts-and-graphs allows PHP Local File Inclusion.This issue affects Graphina: from n/a through <= 3.0.4. CVSSv3.1 8.1 (HIGH)

CWECWE 352TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-05-07
2025-05-07 15:16Z
HIGH

CVE-2025-47490 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-47490

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rustaurius Ultimate WP Mail ultimate-wp-mail allows SQL Injection.This issue affects Ultimate WP Mail: from n/a through <= 1.3.4. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-05-07
2025-05-07 15:16Z
HIGH

CVE-2025-47462 — Site: Cross-Site Request Forgery (CSRF) vulnerability in WebAppick Challan webappick-pdf-invoice-for-woocommerce allows Privilege Escalation.This issue affects

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-47462

Cross-Site Request Forgery (CSRF) vulnerability in WebAppick Challan webappick-pdf-invoice-for-woocommerce allows Privilege Escalation.This issue affects Challan: from n/a through <= 3.7.58. CVSSv3.1 8.8 (HIGH)

CWECWE 352TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
728 × 90 / responsive · programmatic ad slot
2025-05-06
2025-05-06 19:39Z
HIGH

v1.4.0

NetExec releases·github.com

NetExec v1.4.0 release introduces significant enhancements across SMB, LDAP, MSSQL, RDP, SSH, and NFS protocols with 40+ merged PRs. Notable additions include certificate-based authentication (PFX/PEM), regsecretsdump for stealthier credential extraction, NFS root filesystem escape, Shadow RDP detection, Timeroast module for unauthenticated computer password retrieval, and multiple new post-exploitation modules (Backup Operators automation, DPAPI hash dumping, WAM token extraction).

SRFOsSRFNetworkTACTA0006TACTA0007TACTA0008VNDNetexecTYPToolSTGDiscovery
78
Edit Score
2025-05-06
2025-05-06 12:15Z
HIGH

CVE-2025-0984 — Upload: Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Input During Web Page

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-0984

Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Netoloji Software E-Flow allows Accessing Functionality Not Properly Constrained by ACLs, Stored XSS, File Content Injection. This issue affects E-Flow: before 3.23.00. CVSSv3.1 8.2 (HIGH) · EPSS 34th percentile

CWECWE 434CWECWE 79TYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2025-05-02
2025-05-02 12:15Z
CRIT

CVE-2025-2421 — Felisify Sambabox: Improper Control of Generation of Code ('Code Injection') vulnerability in Profelis Informatics SambaBox allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-2421

Improper Control of Generation of Code ('Code Injection') vulnerability in Profelis Informatics SambaBox allows Code Injection. This issue affects SambaBox: before 5.1. CVSSv3.1 9.8 (CRITICAL) · EPSS 60th percentile

CWECWE 94VNDFelisifyTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-05-02
2025-05-02 09:15Z
CRIT

CVE-2025-2812 — Mydata Ticket_sales_automation: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-2812

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mydata Informatics Ticket Sales Automation allows Blind SQL Injection. This issue affects Ticket Sales Automation: before 03.04.2025 (DD.MM.YYYY). CVSSv3.1 9.8 (CRITICAL) · EPSS 48th percentile

CWECWE 89VNDMydataTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-05-02
2025-05-02 08:15Z
HIGH

CVE-2024-11142 — Proticaret Proticaret: Cross-Site Request Forgery (CSRF) vulnerability in Gosoft Software Proticaret E-Commerce allows Cross Site Request

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-11142

Cross-Site Request Forgery (CSRF) vulnerability in Gosoft Software Proticaret E-Commerce allows Cross Site Request Forgery. This issue affects Proticaret E-Commerce: before v6.0 NOTE: According to the vendor, fixing process is still ongoing for v4.05. CVSSv3.1 8.8 (HIGH) · EPSS 26th percentile

CWECWE 352VNDProticaretTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-05-01
2025-05-01 11:15Z
CRIT

CVE-2025-27007 — Incorrect: Privilege Assignment vulnerability in Brainstorm Force OttoKit suretriggers allows Privilege Escalation.This issue affects

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-27007

Incorrect Privilege Assignment vulnerability in Brainstorm Force OttoKit suretriggers allows Privilege Escalation.This issue affects OttoKit: from n/a through <= 1.0.82. CVSSv3.1 9.8 (CRITICAL)

CWECWE 266TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-04-29
2025-04-29 14:15Z
HIGH

CVE-2025-4093 — Mozilla Firefox: This bug showed evidence of memory corruption and we presume that with enough effort

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-4093

Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox ESR 128.10 and Thunderbird 128.10. CVSSv3.1 8.1 (HIGH)

CWECWE 119VNDMozillaTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-04-29
2025-04-29 14:15Z
HIGH

CVE-2025-4091 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-4091

Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 138, Firefox ESR 128.10, Thunderbird 138, and Thunderbird 128.10. CVSSv3.1 8.1 (HIGH)

CWECWE 119VNDMozillaTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-04-29
2025-04-29 14:15Z
CRIT

CVE-2025-4083 — Mozilla Firefox: A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-4083

A process isolation vulnerability in Thunderbird stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended frame, potentially enabling a sandbox escape. This vulnerability was fixed in Firefox 138, Firefox ESR 128.10, Firefox ESR 115.23, Thunderbird 138, and Thunderbird 128.10. CVSSv3.1 9.1 (CRITICAL)

CWECWE 653VNDMozillaVNDThunderbirdTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-04-29
2025-04-29 14:15Z
HIGH

CVE-2025-2817 — Mozilla Firefox: By injecting code into the user-privileged process, an attacker could bypass intended access controls

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-2817

Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation. This vulnerability was fixed in Firefox 138, Firefox ESR 128.10, Firefox ESR 115.23, Thunderbird 138, CVSSv3.1 8.8 (HIGH)

CWECWE 22VNDMozillaTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-04-28
2025-04-28 20:15Z
CRIT

CVE-2025-45953 — Phpgurukul Hostel_management_system: Improper handling of session data allows a Session Hijacking attack, exploitable remotely

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-45953

A vulnerability was found in PHPGurukul Hostel Management System 2.1 in the /hostel/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable remotely CVSSv3.1 9.1 (CRITICAL) · EPSS 30th percentile

CWECWE 384VNDPhpgurukulTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-04-28
2025-04-28 20:15Z
CRIT

CVE-2025-45949 — Phpgurukul User_registration_\&_login_and_user_management_system: Improper handling of session data allows a Session Hijacking attack, exploitable remotely and leading

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-45949

A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /loginsystem/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable remotely and leading to account takeover. CVSSv3.1 9.8 (CRITICAL) · EPSS 36th percentile

CWECWE 384VNDPhpgurukulTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-04-28
2025-04-28 20:15Z
CRIT

CVE-2025-45947 — Phpgurukul Online_banquet_booking_system: An issue in phpgurukul Online Banquet Booking System V1.2 allows an attacker to execute

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-45947

An issue in phpgurukul Online Banquet Booking System V1.2 allows an attacker to execute arbitrary code via the /obbs/change-password.php file of the My Account - Change Password component CVSSv3.1 9.8 (CRITICAL) · EPSS 47th percentile

CWECWE 94VNDPhpgurukulVNDOnlineTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-04-24
2025-04-24 16:15Z
CRIT

CVE-2025-46264 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in blubrry PowerPress Podcasting powerpress allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-46264

Unrestricted Upload of File with Dangerous Type vulnerability in blubrry PowerPress Podcasting powerpress allows Upload a Web Shell to a Web Server.This issue affects PowerPress Podcasting: from n/a through <= 11.12.5. CVSSv3.1 9.9 (CRITICAL)

CWECWE 434TYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2025-04-24
2025-04-24 16:15Z
CRIT

CVE-2025-46248 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-46248

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in M A Vinoth Kumar Frontend Dashboard frontend-dashboard allows SQL Injection.This issue affects Frontend Dashboard: from n/a through <= 2.2.5. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-04-24
2025-04-24 16:15Z
HIGH

CVE-2025-39377 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-39377

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs Appsero Helper appsero-helper allows SQL Injection.This issue affects Appsero Helper: from n/a through <= 1.3.4. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-04-24
2025-04-24 13:00Z
HIGH

SonicWall Sonicos Versions 7.1.x and 8.0.x

Bishop Fox Labs·bishopfox.comCVE-2025-32818

Bishop Fox disclosed CVE-2025-32818, a remote unauthenticated denial-of-service vulnerability in SonicWall SonicOS 7.1.x and 8.0.x affecting the SSL VPN interface. A null pointer dereference in the SSL VPN web server can be triggered via crafted HTTP POST requests to specific endpoints, causing a segmentation fault and forcing the appliance to reboot. SonicWall released patches (versions 7.2.0 and 8.0.1) on April 23, 2025.

SRFNetwork ApplianceTACTA0040VNDSonicwallTYPVulnerabilityTYPAdvisorySTGInitial AccessSTGImpactTECT1499
72
Edit Score
2025-04-24
2025-04-24 09:15Z
HIGH

CVE-2025-3607 — Frontend: The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-3607

The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.8. This is due to the plugin not properly validating a user's identity prior to updating a password. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. CVSSv3.1 8.8 (HIGH)

CWECWE 620VNDFrontendTYPVulnerability
8.8
CVSS v3.1
94
Edit Score