Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-32665 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WebbyTemplate Office Locator office-locator allows SQL Injection.This issue affects Office Locator: from n/a through <= 1.3.0. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-32662 — Deserialization: of Untrusted Data vulnerability in Stylemix uListing ulisting allows Object Injection.This issue affects
Deserialization of Untrusted Data vulnerability in Stylemix uListing ulisting allows Object Injection.This issue affects uListing: from n/a through <= 2.2.0. CVSSv3.1 8.8 (HIGH)
CVE-2025-32660 — Joomsky Js_job_manager: Unrestricted Upload of File with Dangerous Type vulnerability in JoomSky JS Job Manager js-jobs
Unrestricted Upload of File with Dangerous Type vulnerability in JoomSky JS Job Manager js-jobs allows Upload a Web Shell to a Web Server.This issue affects JS Job Manager: from n/a through <= 2.0.2. CVSSv3.1 10.0 (CRITICAL)
CVE-2025-32658 — Deserialization: of Untrusted Data vulnerability in wpWax HelpGent helpgent allows Object Injection.This issue affects
Deserialization of Untrusted Data vulnerability in wpWax HelpGent helpgent allows Object Injection.This issue affects HelpGent: from n/a through <= 2.2.5. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-32652 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in solacewp Solace Extra solace-extra allows
Unrestricted Upload of File with Dangerous Type vulnerability in solacewp Solace Extra solace-extra allows Using Malicious Files.This issue affects Solace Extra: from n/a through <= 1.3.1. CVSSv3.1 9.9 (CRITICAL)
CVE-2025-32648 — Incorrect: Privilege Assignment vulnerability in Projectopia Projectopia projectopia-core allows Privilege Escalation.This issue affects Projectopia
Incorrect Privilege Assignment vulnerability in Projectopia Projectopia projectopia-core allows Privilege Escalation.This issue affects Projectopia: from n/a through <= 5.1.24. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-32647 — Deserialization: of Untrusted Data vulnerability in PickPlugins Question Answer question-answer allows Object Injection.This issue
Deserialization of Untrusted Data vulnerability in PickPlugins Question Answer question-answer allows Object Injection.This issue affects Question Answer: from n/a through <= 1.2.73. CVSSv3.1 8.8 (HIGH)
CVE-2025-32636 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in matthewrubin Local Magic local-magic allows SQL Injection.This issue affects Local Magic: from n/a through <= 2.9.0. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-32626 — Joomsky Js_job_manager: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Job Manager js-jobs allows SQL Injection.This issue affects JS Job Manager: from n/a through <= 2.0.2. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-32593 — Authorization: Missing Authorization vulnerability in Bytes Technolab Add Product Frontend for WooCommerce add-product-frontend-for-woocommerce allows Exploiting
Missing Authorization vulnerability in Bytes Technolab Add Product Frontend for WooCommerce add-product-frontend-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Add Product Frontend for WooCommerce: from n/a through <= 1.0.8. CVSSv3.1 8.2 (HIGH)
CVE-2025-32583 — Control: Improper Control of Generation of Code ('Code Injection') vulnerability in termel PDF 2 Post
Improper Control of Generation of Code ('Code Injection') vulnerability in termel PDF 2 Post pdf2post allows Remote Code Inclusion.This issue affects PDF 2 Post: from n/a through <= 2.4.0. CVSSv3.1 9.9 (CRITICAL)
CVE-2025-32573 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kiotviet KiotViet Sync kiotvietsync allows SQL Injection.This issue affects KiotViet Sync: from n/a through <= 1.8.4. CVSSv3.1 8.5 (HIGH)
CVE-2025-32572 — Deserialization: of Untrusted Data vulnerability in Climax Themes Kata Plus kata-plus allows Object Injection.This
Deserialization of Untrusted Data vulnerability in Climax Themes Kata Plus kata-plus allows Object Injection.This issue affects Kata Plus: from n/a through <= 1.5.3. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-32571 — Deserialization: of Untrusted Data vulnerability in TuriTop TuriTop Booking System turitop-booking-system allows Object Injection.This
Deserialization of Untrusted Data vulnerability in TuriTop TuriTop Booking System turitop-booking-system allows Object Injection.This issue affects TuriTop Booking System: from n/a through <= 1.0.10. CVSSv3.1 8.8 (HIGH)
CVE-2025-31380 — Weak: Password Recovery Mechanism for Forgotten Password vulnerability in videowhisper Paid Videochat Turnkey Site
Weak Password Recovery Mechanism for Forgotten Password vulnerability in videowhisper Paid Videochat Turnkey Site ppv-live-webcams allows Password Recovery Exploitation.This issue affects Paid Videochat Turnkey Site: from n/a through <= 7.3.11. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-27302 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Claudio Adrian Marrero CHATLIVE chatlive allows SQL Injection.This issue affects CHATLIVE: from n/a through <= 2.0.1. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-27287 — Deserialization: of Untrusted Data vulnerability in ssvadim SS Quiz ssquiz allows Object Injection.This issue
Deserialization of Untrusted Data vulnerability in ssvadim SS Quiz ssquiz allows Object Injection.This issue affects SS Quiz: from n/a through <= 2.0.5. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-27286 — Deserialization: of Untrusted Data vulnerability in saoshyant1994 Saoshyant Slider saoshyant-slider allows Object Injection.This issue
Deserialization of Untrusted Data vulnerability in saoshyant1994 Saoshyant Slider saoshyant-slider allows Object Injection.This issue affects Saoshyant Slider: from n/a through <= 3.0. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-27282 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in rockgod100 Theme File Duplicator theme-file-duplicator
Unrestricted Upload of File with Dangerous Type vulnerability in rockgod100 Theme File Duplicator theme-file-duplicator allows Using Malicious Files.This issue affects Theme File Duplicator: from n/a through <= 1.3. CVSSv3.1 9.9 (CRITICAL)
CVE-2025-22655 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Caio Web Dev CWD – Stealth Links cwd-stealth-links allows SQL Injection.This issue affects CWD – Stealth Links: from n/a through <= 1.3. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-22636 — Neutralization: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vicente Ruiz
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vicente Ruiz Gálvez VR-Frases vr-frases allows Reflected XSS.This issue affects VR-Frases: from n/a through <= 4.0.1. CVSSv3.1 8.2 (HIGH)
CVE-2025-22040 — Linux Linux_kernel: In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix session use-after-free
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix session use-after-free in multichannel connection There is a race condition between session setup and ksmbd_sessions_deregister. The session can be freed before the connection is added to channel list of session. This patch check reference count of session before freeing it. CVSSv3.1 8.8 (HIGH)
CVE-2025-39601 — Site: Cross-Site Request Forgery (CSRF) vulnerability in WPFactory Custom CSS, JS & PHP custom-css allows
Cross-Site Request Forgery (CSRF) vulnerability in WPFactory Custom CSS, JS & PHP custom-css allows Remote Code Inclusion.This issue affects Custom CSS, JS & PHP: from n/a through <= 2.4.1. CVSSv3.1 9.6 (CRITICAL)
CVE-2025-39570 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Lomu WPCOM Member wpcom-member allows PHP Local File Inclusion.This issue affects WPCOM Member: from n/a through <= 1.7.7. CVSSv3.1 8.8 (HIGH)
CVE-2025-39557 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in StellarWP Kadence WooCommerce Email Designer
Unrestricted Upload of File with Dangerous Type vulnerability in StellarWP Kadence WooCommerce Email Designer kadence-woocommerce-email-designer allows Upload a Web Shell to a Web Server.This issue affects Kadence WooCommerce Email Designer: from n/a through <= 1.5.14. CVSSv3.1 9.1 (CRITICAL)