Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-30580 — Control: Improper Control of Generation of Code ('Code Injection') vulnerability in kellydiek DigiWidgets Image Editor
Improper Control of Generation of Code ('Code Injection') vulnerability in kellydiek DigiWidgets Image Editor digiwidgets-image-editor allows Remote Code Inclusion.This issue affects DigiWidgets Image Editor: from n/a through <= 1.10. CVSSv3.1 10.0 (CRITICAL)
CVE-2025-3034 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with
Memory safety bugs present in Firefox 136 and Thunderbird 136. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 137 and Thunderbird 137. CVSSv3.1 8.1 (HIGH)
CVE-2025-3030 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with
Memory safety bugs present in Firefox 136, Thunderbird 136, Firefox ESR 128.8, and Thunderbird 128.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 137, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9. CVSSv3.1 8.1 (HIGH)
CVE-2025-2237 — RealEstate: The WP RealEstate plugin for WordPress, used by the Homeo theme, is vulnerable to
The WP RealEstate plugin for WordPress, used by the Homeo theme, is vulnerable to privilege escalation in all versions up to, and including, 1.6.26. This is due to insufficient role restrictions in the 'process_register' function. This makes it possible for unauthenticated attackers to register an account with the Administrator role. CVSSv3.1 9.8 (CRITICAL)
GoResolver: Using Control-flow Graph Similarity to Deobfuscate Golang Binaries, Automatically
Volexity released GoResolver, an open-source tool that deobfuscates Golang binaries obfuscated with Garble by combining control-flow graph similarity analysis with existing symbol extraction techniques. The tool fingerprints Golang runtime versions and matches CFG patterns against clean reference templates to recover original function and package names, significantly reducing reverse-engineering effort on malware samples.
CVE-2025-31095 — Authentication: Bypass Using an Alternate Path or Channel vulnerability in Hossein Material Dashboard material-dashboard
Authentication Bypass Using an Alternate Path or Channel vulnerability in Hossein Material Dashboard material-dashboard allows Authentication Bypass.This issue affects Material Dashboard: from n/a through <= 1.4.5. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-31087 — Deserialization: of Untrusted Data vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce
Deserialization of Untrusted Data vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce different-shipping-and-billing-address-for-woocommerce allows Object Injection.This issue affects Multiple Shipping And Billing Address For Woocommerce: from n/a through <= 1.5. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-31084 — Sunshinephotocart Sunshine_photo_cart: Deserialization of Untrusted Data vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Object Injection.This
Deserialization of Untrusted Data vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Object Injection.This issue affects Sunshine Photo Cart: from n/a through <= 3.4.10. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-31074 — Deserialization: of Untrusted Data vulnerability in MDJM Mobile DJ Manager mobile-dj-manager allows Object Injection.This
Deserialization of Untrusted Data vulnerability in MDJM Mobile DJ Manager mobile-dj-manager allows Object Injection.This issue affects Mobile DJ Manager: from n/a through <= 1.7.5.2. CVSSv3.1 8.8 (HIGH)
CVE-2025-31024 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in randyjensen RJ Quickcharts rj-quickcharts allows SQL Injection.This issue affects RJ Quickcharts: from n/a through <= 0.6.1. CVSSv3.1 8.5 (HIGH)
CVE-2025-30971 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Xavi Ivars XV Random Quotes xv-random-quotes allows SQL Injection.This issue affects XV Random Quotes: from n/a through <= 2.0.0. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-30911 — Control: Improper Control of Generation of Code ('Code Injection') vulnerability in Rometheme RTMKit rometheme-for-elementor allows
Improper Control of Generation of Code ('Code Injection') vulnerability in Rometheme RTMKit rometheme-for-elementor allows Command Injection.This issue affects RTMKit: from n/a through <= 1.5.4. CVSSv3.1 9.9 (CRITICAL)
CVE-2025-30910 — Limitation: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CreativeMindsSolutions
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CreativeMindsSolutions CM Download Manager cm-download-manager allows Path Traversal.This issue affects CM Download Manager: from n/a through <= 2.9.6. CVSSv3.1 8.6 (HIGH)
CVE-2025-30901 — Joomsky Js_help_desk: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in JoomSky JS Help Desk js-support-ticket allows PHP Local File Inclusion.This issue affects JS Help Desk: from n/a through <= 2.9.2. CVSSv3.1 8.1 (HIGH)
CVE-2025-30886 — Joomsky Js_help_desk: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Help Desk js-support-ticket allows SQL Injection.This issue affects JS Help Desk: from n/a through <= 2.9.2. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-30878 — Joomsky Js_help_desk: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in JoomSky
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in JoomSky JS Help Desk js-support-ticket allows Path Traversal.This issue affects JS Help Desk: from n/a through <= 2.9.2. CVSSv3.1 8.6 (HIGH)
CVE-2025-30876 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded allows SQL Injection.This issue affects Ads by WPQuads: from n/a through <= 2.0.87.1. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-30870 — Wptravelengine Wp_travel_engine: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel Engine WP Travel Engine wp-travel-engine allows PHP Local File Inclusion.This issue affects WP Travel Engine: from n/a through <= 6.3.5. CVSSv3.1 8.1 (HIGH)
CVE-2025-30849 — G5plus Essential_real_estate: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Essential Real Estate essential-real-estate allows PHP Local File Inclusion.This issue affects Essential Real Estate: from n/a through <= 5.2.0. CVSSv3.1 8.1 (HIGH)
CVE-2025-30774 — Ays-pro Quiz_maker: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ays Pro Quiz Maker quiz-maker allows SQL Injection.This issue affects Quiz Maker: from n/a through <= 6.6.8.7. CVSSv3.1 8.2 (HIGH)
CVE-2025-30622 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in torsteino PostMash postmash-custom allows SQL Injection.This issue affects PostMash: from n/a through <= 1.0.3. CVSSv3.1 9.3 (CRITICAL) · EPSS 28th percentile
CVE-2025-30589 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Dourou Flickr set slideshows flickr-set-slideshows allows SQL Injection.This issue affects Flickr set slideshows: from n/a through <= 0.9. CVSSv3.1 8.5 (HIGH)
CVE-2025-22277 — Authentication: Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos vitepos-lite allows
Authentication Bypass Using an Alternate Path or Channel vulnerability in appsbd Vitepos vitepos-lite allows Authentication Abuse.This issue affects Vitepos: from n/a through <= 3.1.4. CVSSv3.1 8.8 (HIGH)
CVE-2025-2008 — Import: The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable
The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note this vulnerability was reintroduced in CVSSv3.1 8.8 (HIGH)
CVE-2025-2007 — Import: The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable
The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteImage() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Please note this v CVSSv3.1 8.1 (HIGH)