2025-02-22
2025-02-22 16:15Z
HIGH

CVE-2025-27012 — Site: Cross-Site Request Forgery (CSRF) vulnerability in a1post A1POST.BG Shipping for Woo a1post-bg-shipping-for-woocommerce allows Privilege

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-27012

Cross-Site Request Forgery (CSRF) vulnerability in a1post A1POST.BG Shipping for Woo a1post-bg-shipping-for-woocommerce allows Privilege Escalation.This issue affects A1POST.BG Shipping for Woo: from n/a through <= 1.5. CVSSv3.1 8.8 (HIGH)

CWECWE 352TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-02-22
2025-02-22 16:15Z
CRIT

CVE-2025-26776 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in NotFound Chaty Pro chaty-pro allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-26776

Unrestricted Upload of File with Dangerous Type vulnerability in NotFound Chaty Pro chaty-pro allows Upload a Web Shell to a Web Server.This issue affects Chaty Pro: from n/a through <= 3.3.3. CVSSv3.1 10.0 (CRITICAL)

CWECWE 434TYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2025-02-22
2025-02-22 16:15Z
CRIT

CVE-2025-26763 — Deserialization: of Untrusted Data vulnerability in MetaSlider Responsive Slider by MetaSlider ml-slider allows Object

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-26763

Deserialization of Untrusted Data vulnerability in MetaSlider Responsive Slider by MetaSlider ml-slider allows Object Injection.This issue affects Responsive Slider by MetaSlider: from n/a through <= 3.94.0. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-02-20
2025-02-20 10:15Z
CRIT

CVE-2024-13789 — Matiskiba Ravpage: The ravpage plugin for WordPress is vulnerable to PHP Object Injection in all versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-13789

The ravpage plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.31 via deserialization of untrusted input from the 'paramsv2' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an add CVSSv3.1 9.8 (CRITICAL)

CWECWE 502VNDWordpressVNDMatiskibaTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-02-20
2025-02-20 10:15Z
HIGH

CVE-2024-13753 — Webcodingplace Ultimate_classified_listings: The Ultimate Classified Listings plugin for WordPress is vulnerable to Cross-Site Request Forgery in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-13753

The Ultimate Classified Listings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the update_profile function. This makes it possible for unauthenticated attackers to modify victim's email via a forged request, which might lead to account takeover, granted they can trick a user into performing an action such as clicking on a link. CVSSv3.1 8.1 (HIGH)

CWECWE 352VNDWebcodingplaceVNDUltimateTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-02-19
2025-02-19 19:15Z
CRIT

CVE-2020-35546 — Lexmark: MX6500 LW75.JD.P296 and previous devices have Incorrect Access Control via the access control

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-35546

Lexmark MX6500 LW75.JD.P296 and previous devices have Incorrect Access Control via the access control settings. CVSSv3.1 9.1 (CRITICAL) · EPSS 25th percentile

CWECWE 284VNDLexmarkTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-02-18
2025-02-18 20:15Z
HIGH

CVE-2025-22663 — Limitation: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in videowhisper

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-22663

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in videowhisper Paid Videochat Turnkey Site ppv-live-webcams allows Path Traversal.This issue affects Paid Videochat Turnkey Site: from n/a through <= 7.2.12. CVSSv3.1 8.6 (HIGH)

CWECWE 22TYPVulnerability
8.6
CVSS v3.1
93
Edit Score
728 × 90 / responsive · programmatic ad slot
2025-02-18
2025-02-18 20:15Z
HIGH

CVE-2025-22656 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-22656

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Oscar Alvarez Cookie Monster cookie-monster allows PHP Local File Inclusion.This issue affects Cookie Monster: from n/a through <= 1.2.2. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-02-18
2025-02-18 20:15Z
CRIT

CVE-2025-22654 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in kodeshpa Simplified simplified allows Using

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-22654

Unrestricted Upload of File with Dangerous Type vulnerability in kodeshpa Simplified simplified allows Using Malicious Files.This issue affects Simplified: from n/a through <= 1.0.6. CVSSv3.1 10.0 (CRITICAL)

CWECWE 434TYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2025-02-18
2025-02-18 20:15Z
HIGH

CVE-2025-22639 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-22639

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Techspawn Distance Rate Shipping for WooCommerce distance-rate-shipping-for-woocommerce-pro allows Blind SQL Injection.This issue affects Distance Rate Shipping for WooCommerce: from n/a through <= 1.3.4. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-02-18
2025-02-18 20:15Z
CRIT

CVE-2024-56000 — Incorrect: Privilege Assignment vulnerability in SeventhQueen K Elements k-elements allows Privilege Escalation.This issue affects

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-56000

Incorrect Privilege Assignment vulnerability in SeventhQueen K Elements k-elements allows Privilege Escalation.This issue affects K Elements: from n/a through < 5.4.0. CVSSv3.1 9.8 (CRITICAL) · EPSS 27th percentile

CWECWE 266TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-02-18
2025-02-18 19:15Z
MED

CVE-2025-26465 — Openbsd Openssh: A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-26465

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high. CVSSv3.1 6.8 (MEDIUM) · EPSS 99th percentile

CWECWE 390VNDOpensshTYPVulnerability
6.8
CVSS v3.1
100
Edit Score
2025-02-18
2025-02-18 12:15Z
MED

CVE-2025-1035 — Limitation: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Komtera

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-1035

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Komtera Technolgies KLog Server allows Manipulating Web Input to File System Calls. This issue affects KLog Server: before 3.1.1. CVSSv3.1 5.7 (MEDIUM) · EPSS 99th percentile

CWECWE 22TYPVulnerability
5.7
CVSS v3.1
99
Edit Score
2025-02-18
2025-02-18 05:15Z
CRIT

CVE-2024-13725 — Keap Keap_official_opt_in_forms: The Keap Official Opt-in Forms plugin for WordPress is vulnerable to Local File Inclusion

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-13725

The Keap Official Opt-in Forms plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.1 via the service parameter. This makes it possible for unauthenticated attackers to include PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included. If register_argc_argv is en CVSSv3.1 9.8 (CRITICAL)

CWECWE 22VNDKeapTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-02-18
2025-02-18 05:15Z
HIGH

CVE-2024-13684 — Smartzminds Reset: The Reset plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-13684

The Reset plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6. This is due to missing or incorrect nonce validation on the reset_db_page() function. This makes it possible for unauthenticated attackers to reset several tables in the database like comments, themes, plugins, and more via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.1 (HIGH)

CWECWE 352VNDSmartzmindsVNDResetTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-02-16
2025-02-16 23:15Z
CRIT

CVE-2025-22290 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-22290

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology LTL Freight Quotes – FreightQuote Edition ltl-freight-quotes-freightquote-edition allows SQL Injection.This issue affects LTL Freight Quotes – FreightQuote Edition: from n/a through <= 2.3.11. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-02-14
2025-02-14 14:15Z
HIGH

CVE-2024-12651 — Exposed: HGS Mobile App allows Manipulating User-Controlled Variables.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-12651

Exposed Dangerous Method or Function vulnerability in PTT Inc. HGS Mobile App allows Manipulating User-Controlled Variables. This issue affects HGS Mobile App: before 6.5.0. CVSSv3.1 8.5 (HIGH) · EPSS 27th percentile

CWECWE 749VNDExposedTYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-02-14
2025-02-14 13:15Z
CRIT

CVE-2024-13152 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-13152

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BSS Software Mobuy Online Machinery Monitoring Panel allows SQL Injection. This issue affects Mobuy Online Machinery Monitoring Panel: before 2.0. CVSSv3.1 10.0 (CRITICAL) · EPSS 27th percentile

CWECWE 89TYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2025-02-14
2025-02-14 07:15Z
CRIT

CVE-2025-22630 — Neutralization: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Marketing

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-22630

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Marketing Fire Widget Options widget-options allows OS Command Injection.This issue affects Widget Options: from n/a through <= 4.1.0. CVSSv3.1 9.9 (CRITICAL)

CWECWE 77TYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2025-02-13
2025-02-13 12:00Z
HIGH

Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication

Volexity·volexity.comin the wild

Volexity disclosed coordinated campaigns by Russian threat actors (CozyLarch/APT29, UTA0304, UTA0307) exploiting Microsoft Device Code Authentication flow via spear-phishing and social engineering since mid-January 2025. Attackers impersonated US State Department, Ukrainian Ministry of Defence, and EU Parliament officials to trick targets into entering device codes, granting long-term account access to M365 tenants. The technique bypasses MFA by leveraging the legitimate 15-minute device code window and real-time communication coordination to ensure victim compliance.

TACTA0001TACTA0006SRFIdentitySRFCloudVNDMicrosoftTYPResearchTYPThreat IntelSTGInitial Access
82
Edit Score
2025-02-12
2025-02-12 15:15Z
HIGH

CVE-2025-1244 — A command injection flaw was found in the text editor Emacs.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-1244

A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect. CVSSv3.1 8.8 (HIGH) · EPSS 84th percentile

CWECWE 78TYPVulnerability
8.8
CVSS v3.1
95
Edit Score
2025-02-12
2025-02-12 10:15Z
HIGH

CVE-2024-12296 — Apusthemes Superio: The Apus Framework plugin for WordPress is vulnerable to unauthorized modification of data that

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-12296

The Apus Framework plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'import_page_options' function in all versions up to, and including, 2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable CVSSv3.1 8.8 (HIGH)

CWECWE 862VNDApusthemesVNDApusTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-02-12
2025-02-12 10:15Z
CRIT

CVE-2024-12213 — Apusthemes Superio: The WP Job Board Pro plugin for WordPress is vulnerable to privilege escalation in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-12213

The WP Job Board Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to 2.3.16. This is due to the plugin allowing a user to supply the 'role' field when registering. This makes it possible for unauthenticated attackers to register as an administrator on vulnerable sites. Please note that this may have been patched sooner, however, the oldest available version for us to confirm this is patched in was 1.2.85. CVSSv3.1 9.8 (CRITICAL)

CWECWE 266VNDApusthemesVNDJobTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-02-12
2025-02-12 05:15Z
HIGH

CVE-2024-13653 — Mvpthemes Zoxpress: The ZoxPress - The All-In-One WordPress News Theme theme for WordPress is vulnerable to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-13653

The ZoxPress - The All-In-One WordPress News Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'backup_options' and 'restore_options' functions in all versions up to, and including, 2.12.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the defau CVSSv3.1 8.8 (HIGH)

CWECWE 862VNDMvpthemesVNDZoxpressTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-02-12
2025-02-12 04:51Z
HIGH

oidc-code-to-cloud — Tool for mapping attack paths between Entra ID and GitHub

GitHub · Azure / Entra tools·github.comGITHUB POC

O3 Cyber released oidc-code-to-cloud, a Python tool that maps attack paths between Entra ID and GitHub by fetching tenant data via Graph and ARM APIs and visualizing relationships in Neo4j. The tool demonstrates how OIDC federation and service principal configurations can create lateral movement and privilege escalation vectors across cloud identity and CI/CD infrastructure.

TACTA0007SRFIdentitySRFCloudTACTA0043VNDMicrosoftVNDGithubTYPResearchTYPTool
76
Edit Score