2025-04-04
2025-04-04 16:15Z
CRIT

CVE-2025-32118 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in NiteoThemes CMP – Coming Soon

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-32118

Unrestricted Upload of File with Dangerous Type vulnerability in NiteoThemes CMP – Coming Soon & Maintenance cmp-coming-soon-maintenance allows Using Malicious Files.This issue affects CMP – Coming Soon & Maintenance: from n/a through <= 4.1.14. CVSSv3.1 9.1 (CRITICAL)

CWECWE 434TYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-04-04
2025-04-04 14:15Z
CRIT

CVE-2025-31403 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31403

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shiptrack Booking Calendar and Notification booking-calendar-and-notification allows Blind SQL Injection.This issue affects Booking Calendar and Notification: from n/a through <= 4.0.3. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-04-04
2025-04-04 14:15Z
CRIT

CVE-2024-51800 — Incorrect: Privilege Assignment vulnerability in Favethemes Homey homey allows Privilege Escalation.This issue affects Homey

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-51800

Incorrect Privilege Assignment vulnerability in Favethemes Homey homey allows Privilege Escalation.This issue affects Homey: from n/a through <= 2.4.1. CVSSv3.1 9.8 (CRITICAL)

CWECWE 266TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-04-04
2025-04-04 05:15Z
HIGH

CVE-2025-3192 — Versions of the package spatie/browsershot from 0.0.0 are vulnerable to Server-side Request Forgery (SSRF)

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-3192

Versions of the package spatie/browsershot from 0.0.0 are vulnerable to Server-side Request Forgery (SSRF) in the setUrl() function due to a missing restriction on user input, enabling attackers to access localhost and list all of its directories. CVSSv3.1 8.2 (HIGH) · EPSS 53th percentile

CWECWE 918TYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2025-04-03
2025-04-03 14:15Z
HIGH

CVE-2025-3155 — Gnome Yelp: The Gnome user help application allows the help document to execute arbitrary scripts.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-3155

A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment. CVSSv3.1 7.4 (HIGH) · EPSS 95th percentile

CWECWE 601VNDGnomeVNDYelpTYPVulnerability
7.4
CVSS v3.1
90
Edit Score
2025-04-03
2025-04-03 14:15Z
CRIT

CVE-2025-31911 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31911

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in reputeinfosystems Social Share And Social Locker social-share-and-social-locker-arsocial allows Blind SQL Injection.This issue affects Social Share And Social Locker: from n/a through <= 1.4.2. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-04-03
2025-04-03 14:15Z
HIGH

CVE-2025-30889 — Deserialization: of Untrusted Data vulnerability in PickPlugins Testimonial Slider testimonial allows Object Injection.This issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30889

Deserialization of Untrusted Data vulnerability in PickPlugins Testimonial Slider testimonial allows Object Injection.This issue affects Testimonial Slider: from n/a through <= 2.0.13. CVSSv3.1 8.8 (HIGH)

CWECWE 502TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
728 × 90 / responsive · programmatic ad slot
2025-04-02
2025-04-02 10:15Z
CRIT

CVE-2025-2005 — Etoilewebdesign Front_end_users: The Front End Users plugin for WordPress is vulnerable to arbitrary file uploads due

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-2005

The Front End Users plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploads field of the registration form in all versions up to, and including, 3.2.32. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. CVSSv3.1 9.8 (CRITICAL)

CWECWE 434VNDEtoilewebdesignVNDFrontTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-04-01
2025-04-01 21:15Z
HIGH

CVE-2025-31619 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31619

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in marcoingraiti Actionwear products sync actionwear-products-sync allows SQL Injection.This issue affects Actionwear products sync: from n/a through <= 2.3.3. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-04-01
2025-04-01 21:15Z
CRIT

CVE-2025-31612 — Deserialization: of Untrusted Data vulnerability in Sabuj Kundu CBX Poll cbxpoll allows Object Injection.This

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31612

Deserialization of Untrusted Data vulnerability in Sabuj Kundu CBX Poll cbxpoll allows Object Injection.This issue affects CBX Poll: from n/a through <= 2.0.4. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-04-01
2025-04-01 21:15Z
CRIT

CVE-2025-31579 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31579

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in EXEIdeas International WP AutoKeyword wp-autokeyword allows SQL Injection.This issue affects WP AutoKeyword: from n/a through <= 1.0. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-04-01
2025-04-01 21:15Z
HIGH

CVE-2025-31564 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31564

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in aitool Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One ai-auto-tool allows Blind SQL Injection.This issue affects Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One: from n/a through <= 2.2.6. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-04-01
2025-04-01 21:15Z
HIGH

CVE-2025-31561 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31561

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CodeSolz Ultimate Push Notifications ultimate-push-notifications allows SQL Injection.This issue affects Ultimate Push Notifications: from n/a through <= 1.2.0. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-04-01
2025-04-01 21:15Z
CRIT

CVE-2025-31553 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31553

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows SQL Injection.This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through <= 4.1.1. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-04-01
2025-04-01 21:15Z
CRIT

CVE-2025-31552 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31552

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in davidfcarr RSVPMarker rsvpmaker allows SQL Injection.This issue affects RSVPMarker : from n/a through <= 11.6.7. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-04-01
2025-04-01 21:15Z
CRIT

CVE-2025-31551 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31551

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Salesmate.io Salesmate Add-On for Gravity Forms gf-salesmate-add-on allows SQL Injection.This issue affects Salesmate Add-On for Gravity Forms: from n/a through <= 2.0.3. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-04-01
2025-04-01 21:15Z
CRIT

CVE-2025-31534 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31534

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shopperdotcom Shopper shopper allows SQL Injection.This issue affects Shopper: from n/a through <= 3.2.5. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-04-01
2025-04-01 21:15Z
CRIT

CVE-2025-31531 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31531

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in click5 History Log by click5 history-log-by-click5 allows SQL Injection.This issue affects History Log by click5: from n/a through <= 1.0.13. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-04-01
2025-04-01 21:15Z
HIGH

CVE-2025-31097 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31097

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Hossein Material Dashboard material-dashboard allows PHP Local File Inclusion.This issue affects Material Dashboard: from n/a through <= 1.4.5. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-04-01
2025-04-01 21:15Z
HIGH

CVE-2025-31089 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31089

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Fahad Mahmood Order Splitter for WooCommerce woo-order-splitter allows SQL Injection.This issue affects Order Splitter for WooCommerce: from n/a through <= 5.3.0. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-04-01
2025-04-01 21:15Z
HIGH

CVE-2025-31082 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31082

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in InfornWeb News & Blog Designer Pack blog-designer-pack allows PHP Local File Inclusion.This issue affects News & Blog Designer Pack: from n/a through <= 4.0. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-04-01
2025-04-01 21:15Z
HIGH

CVE-2025-30892 — Deserialization: of Untrusted Data vulnerability in magepeopleteam WpTravelly tour-booking-manager allows Object Injection.This issue affects

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30892

Deserialization of Untrusted Data vulnerability in magepeopleteam WpTravelly tour-booking-manager allows Object Injection.This issue affects WpTravelly: from n/a through <= 1.8.7. CVSSv3.1 8.8 (HIGH)

CWECWE 502TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-04-01
2025-04-01 21:15Z
CRIT

CVE-2025-30841 — Limitation: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in adamskaat

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30841

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in adamskaat Countdown & Clock countdown-builder allows Remote Code Inclusion.This issue affects Countdown & Clock: from n/a through <= 2.8.8. CVSSv3.1 9.9 (CRITICAL) · EPSS 48th percentile

CWECWE 22TYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2025-04-01
2025-04-01 21:15Z
HIGH

CVE-2025-30825 — Authorization: Missing Authorization vulnerability in WPClever WPC Smart Linked Products - Upsells & Cross-sells for

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30825

Missing Authorization vulnerability in WPClever WPC Smart Linked Products - Upsells & Cross-sells for WooCommerce wpc-smart-linked-products allows Privilege Escalation.This issue affects WPC Smart Linked Products - Upsells & Cross-sells for WooCommerce: from n/a through <= 1.3.5. CVSSv3.1 8.8 (HIGH)

CWECWE 862TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-04-01
2025-04-01 21:15Z
CRIT

CVE-2025-30807 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30807

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Martin Nguyen Next-Cart Store to WooCommerce Migration nextcart-woocommerce-migration allows SQL Injection.This issue affects Next-Cart Store to WooCommerce Migration: from n/a through <= 3.9.4. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score