2025-04-01
2025-04-01 21:15Z
CRIT

CVE-2025-30580 — Control: Improper Control of Generation of Code ('Code Injection') vulnerability in kellydiek DigiWidgets Image Editor

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30580

Improper Control of Generation of Code ('Code Injection') vulnerability in kellydiek DigiWidgets Image Editor digiwidgets-image-editor allows Remote Code Inclusion.This issue affects DigiWidgets Image Editor: from n/a through <= 1.10. CVSSv3.1 10.0 (CRITICAL)

CWECWE 94TYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2025-04-01
2025-04-01 13:15Z
HIGH

CVE-2025-3034 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-3034

Memory safety bugs present in Firefox 136 and Thunderbird 136. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 137 and Thunderbird 137. CVSSv3.1 8.1 (HIGH)

CWECWE 787VNDMozillaTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-04-01
2025-04-01 13:15Z
HIGH

CVE-2025-3030 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-3030

Memory safety bugs present in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 137, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9. CVSSv3.1 8.1 (HIGH)

CWECWE 416VNDMozillaTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-04-01
2025-04-01 12:15Z
CRIT

CVE-2025-2237 — RealEstate: The WP RealEstate plugin for WordPress, used by the Homeo theme, is vulnerable to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-2237

The WP RealEstate plugin for WordPress, used by the Homeo theme, is vulnerable to privilege escalation in all versions up to, and including, 1.6.26. This is due to insufficient role restrictions in the 'process_register' function. This makes it possible for unauthenticated attackers to register an account with the Administrator role. CVSSv3.1 9.8 (CRITICAL)

CWECWE 269VNDRealestateTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-04-01
2025-04-01 12:00Z
HIGH

GoResolver: Using Control-flow Graph Similarity to Deobfuscate Golang Binaries, Automatically

Volexity·volexity.com

Volexity released GoResolver, an open-source tool that deobfuscates Golang binaries obfuscated with Garble by combining control-flow graph similarity analysis with existing symbol extraction techniques. The tool fingerprints Golang runtime versions and matches CFG patterns against clean reference templates to recover original function and package names, significantly reducing reverse-engineering effort on malware samples.

SRFApplicationTACTA0007VNDVolexityTYPResearchTYPToolTYPWriteupSTGDiscoveryTECT1027
78
Edit Score
2025-04-01
2025-04-01 06:15Z
CRIT

CVE-2025-31095 — Authentication: Bypass Using an Alternate Path or Channel vulnerability in Hossein Material Dashboard material-dashboard

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31095

Authentication Bypass Using an Alternate Path or Channel vulnerability in Hossein Material Dashboard material-dashboard allows Authentication Bypass.This issue affects Material Dashboard: from n/a through <= 1.4.5. CVSSv3.1 9.8 (CRITICAL)

CWECWE 288TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-04-01
2025-04-01 06:15Z
CRIT

CVE-2025-31087 — Deserialization: of Untrusted Data vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31087

Deserialization of Untrusted Data vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce different-shipping-and-billing-address-for-woocommerce allows Object Injection.This issue affects Multiple Shipping And Billing Address For Woocommerce: from n/a through <= 1.5. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
728 × 90 / responsive · programmatic ad slot
2025-04-01
2025-04-01 06:15Z
CRIT

CVE-2025-31084 — Sunshinephotocart Sunshine_photo_cart: Deserialization of Untrusted Data vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Object Injection.This

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31084

Deserialization of Untrusted Data vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Object Injection.This issue affects Sunshine Photo Cart: from n/a through <= 3.4.10. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502VNDSunshinephotocartTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-04-01
2025-04-01 06:15Z
HIGH

CVE-2025-31074 — Deserialization: of Untrusted Data vulnerability in MDJM Mobile DJ Manager mobile-dj-manager allows Object Injection.This

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31074

Deserialization of Untrusted Data vulnerability in MDJM Mobile DJ Manager mobile-dj-manager allows Object Injection.This issue affects Mobile DJ Manager: from n/a through <= 1.7.5.2. CVSSv3.1 8.8 (HIGH)

CWECWE 502TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-04-01
2025-04-01 06:15Z
HIGH

CVE-2025-31024 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-31024

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in randyjensen RJ Quickcharts rj-quickcharts allows SQL Injection.This issue affects RJ Quickcharts: from n/a through <= 0.6.1. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-04-01
2025-04-01 06:15Z
CRIT

CVE-2025-30971 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30971

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Xavi Ivars XV Random Quotes xv-random-quotes allows SQL Injection.This issue affects XV Random Quotes: from n/a through <= 2.0.0. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-04-01
2025-04-01 06:15Z
CRIT

CVE-2025-30911 — Control: Improper Control of Generation of Code ('Code Injection') vulnerability in Rometheme RTMKit rometheme-for-elementor allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30911

Improper Control of Generation of Code ('Code Injection') vulnerability in Rometheme RTMKit rometheme-for-elementor allows Command Injection.This issue affects RTMKit: from n/a through <= 1.5.4. CVSSv3.1 9.9 (CRITICAL)

CWECWE 94TYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2025-04-01
2025-04-01 06:15Z
HIGH

CVE-2025-30910 — Limitation: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CreativeMindsSolutions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30910

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CreativeMindsSolutions CM Download Manager cm-download-manager allows Path Traversal.This issue affects CM Download Manager: from n/a through <= 2.9.6. CVSSv3.1 8.6 (HIGH)

CWECWE 22TYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2025-04-01
2025-04-01 06:15Z
HIGH

CVE-2025-30901 — Joomsky Js_help_desk: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30901

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JoomSky JS Help Desk js-support-ticket allows PHP Local File Inclusion.This issue affects JS Help Desk: from n/a through <= 2.9.2. CVSSv3.1 8.1 (HIGH)

CWECWE 98VNDJoomskyTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-04-01
2025-04-01 06:15Z
CRIT

CVE-2025-30886 — Joomsky Js_help_desk: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30886

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Help Desk js-support-ticket allows SQL Injection.This issue affects JS Help Desk: from n/a through <= 2.9.2. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89VNDJoomskyTYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-04-01
2025-04-01 06:15Z
HIGH

CVE-2025-30878 — Joomsky Js_help_desk: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in JoomSky

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30878

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in JoomSky JS Help Desk js-support-ticket allows Path Traversal.This issue affects JS Help Desk: from n/a through <= 2.9.2. CVSSv3.1 8.6 (HIGH)

CWECWE 22VNDJoomskyTYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2025-04-01
2025-04-01 06:15Z
CRIT

CVE-2025-30876 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30876

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded allows SQL Injection.This issue affects Ads by WPQuads: from n/a through <= 2.0.87.1. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-04-01
2025-04-01 06:15Z
HIGH

CVE-2025-30870 — Wptravelengine Wp_travel_engine: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30870

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine wp-travel-engine allows PHP Local File Inclusion.This issue affects WP Travel Engine: from n/a through <= 6.3.5. CVSSv3.1 8.1 (HIGH)

CWECWE 98CWECWE 706VNDWptravelengineTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-04-01
2025-04-01 06:15Z
HIGH

CVE-2025-30849 — G5plus Essential_real_estate: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30849

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Essential Real Estate essential-real-estate allows PHP Local File Inclusion.This issue affects Essential Real Estate: from n/a through <= 5.2.0. CVSSv3.1 8.1 (HIGH)

CWECWE 98CWECWE 706VNDG5plusTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-04-01
2025-04-01 06:15Z
HIGH

CVE-2025-30774 — Ays-pro Quiz_maker: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30774

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ays Pro Quiz Maker quiz-maker allows SQL Injection.This issue affects Quiz Maker: from n/a through <= 6.6.8.7. CVSSv3.1 8.2 (HIGH)

CWECWE 89VNDAys ProTYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2025-04-01
2025-04-01 06:15Z
CRIT

CVE-2025-30622 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30622

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in torsteino PostMash postmash-custom allows SQL Injection.This issue affects PostMash: from n/a through <= 1.0.3. CVSSv3.1 9.3 (CRITICAL) · EPSS 28th percentile

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-04-01
2025-04-01 06:15Z
HIGH

CVE-2025-30589 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-30589

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Dourou Flickr set slideshows flickr-set-slideshows allows SQL Injection.This issue affects Flickr set slideshows: from n/a through <= 0.9. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-04-01
2025-04-01 06:15Z
HIGH

CVE-2025-22277 — Authentication: Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos vitepos-lite allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-22277

Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos vitepos-lite allows Authentication Abuse.This issue affects Vitepos: from n/a through <= 3.1.4. CVSSv3.1 8.8 (HIGH)

CWECWE 288TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-04-01
2025-04-01 05:15Z
HIGH

CVE-2025-2008 — Import: The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-2008

The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note this vulnerability was reintroduced in CVSSv3.1 8.8 (HIGH)

CWECWE 434VNDImportTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-04-01
2025-04-01 05:15Z
HIGH

CVE-2025-2007 — Import: The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-2007

The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteImage() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Please note this v CVSSv3.1 8.1 (HIGH)

CWECWE 23VNDImportTYPVulnerability
8.1
CVSS v3.1
91
Edit Score