Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2024-13742 — Icontrolwp Icontrolwp: The iControlWP – Multiple WordPress Site Manager plugin for WordPress is vulnerable to PHP
The iControlWP – Multiple WordPress Site Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.5 via deserialization of untrusted input from the reqpars parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. I CVSSv3.1 9.8 (CRITICAL)
CVE-2024-10591 — Makewebbetter Hubspot_for_woocommerce: The MWB HubSpot for WooCommerce – CRM, Abandoned Cart, Email Marketing, Marketing Automation &
The MWB HubSpot for WooCommerce – CRM, Abandoned Cart, Email Marketing, Marketing Automation & Analytics plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hubwoo_save_updates() function in all versions up to, and including, 1.5.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to update arbitrary options on the WordPress site. This CVSSv3.1 8.8 (HIGH)
CVE-2024-46506: Unauthenticated RCE in NetAlertx
Rhino Security Labs disclosed CVE-2024-46506, an unauthenticated command injection in NetAlertX (a popular open-source LAN intrusion detector with 1.4M Docker pulls) affecting versions v23.01.14–v24.9.12. The vulnerability stems from missing authentication checks in util.php's saveSettings() function, allowing attackers to inject arbitrary commands into plugin configurations that execute on server initialization. A secondary CVE-2024-48766 arbitrary file read via path traversal was also identified; both were patched in v24.10.12, though two authentication bypass techniques were discovered and remediated post-patch.
CVE-2024-46507: Yeti Platform Server-Side Template Injection (SSTI)
Rhino Security Labs disclosed two chained vulnerabilities in Yeti (a DFIR threat intelligence platform): CVE-2024-46507 is a server-side template injection (SSTI) in custom report templates allowing authenticated RCE, and CVE-2024-46508 is a hardcoded JWT secret ('SECRET') in the default docker-compose deployment. Combined, these enable unauthenticated remote code execution on default installations. Patches were released in version 2.1.12.
CVE-2024-13484 — A flaw was found in openshift-gitops-operator-container.
A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied. CVSSv3.1 8.2 (HIGH) · EPSS 10th percentile
CVE-2024-48420 — Edimax Br-6476ac_firmware: AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 is vulnerable to Buffer Overflow via
Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 is vulnerable to Buffer Overflow via /goform/getWifiBasic. CVSSv3.1 8.8 (HIGH) · EPSS 37th percentile
CVE-2024-48419 — Edimax Br-6476ac_firmware: AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 suffers from Command Injection issues in
Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 suffers from Command Injection issues in /bin/goahead. Specifically, these issues can be triggered through /goform/tracerouteDiagnosis, /goform/pingDiagnosis, and /goform/fromSysToolPingCmd Each of these issues allows an attacker with access to the web interface to inject and execute arbitrary shell commands, with "root" privileges. CVSSv3.1 8.8 (HIGH) · EPSS 79th percentile
CVE-2024-48418 — Edimax Br-6476ac_firmware: In Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06, the request /goform/fromSetDDNS does not
In Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06, the request /goform/fromSetDDNS does not properly handle special characters in any of user provided parameters, allowing an attacker with access to the web interface to inject and execute arbitrary shell commands. CVSSv3.1 8.8 (HIGH) · EPSS 24th percentile
CVE-2024-48416 — Edimax Br-6476ac_firmware: AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 is vulnerable to Buffer Overflow via
Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 is vulnerable to Buffer Overflow via /goform/fromSetLanDhcpsClientbinding. CVSSv3.1 8.8 (HIGH) · EPSS 36th percentile
CVE-2025-24734 — Authorization: Missing Authorization vulnerability in CodeSolz Better Find and Replace real-time-auto-find-and-replace allows Privilege Escalation.This issue
Missing Authorization vulnerability in CodeSolz Better Find and Replace real-time-auto-find-and-replace allows Privilege Escalation.This issue affects Better Find and Replace: from n/a through <= 1.6.7. CVSSv3.1 8.8 (HIGH)
CVE-2025-24671 — Deserialization: of Untrusted Data vulnerability in Pdfcrowd Dev Team Save as PDF save-as-pdf-by-pdfcrowd allows
Deserialization of Untrusted Data vulnerability in Pdfcrowd Dev Team Save as PDF save-as-pdf-by-pdfcrowd allows Object Injection.This issue affects Save as PDF: from n/a through <= 4.4.0. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-24667 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology Small Package Quotes – Worldwide Express Edition small-package-quotes-wwe-edition allows SQL Injection.This issue affects Small Package Quotes – Worldwide Express Edition: from n/a through <= 5.2.17. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-24665 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology Small Package Quotes – Unishippers Edition small-package-quotes-unishippers-edition allows SQL Injection.This issue affects Small Package Quotes – Unishippers Edition: from n/a through <= 2.4.8. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-24685 — Path: Traversal: '.../...//' vulnerability in Ihor Kit Morkva UA Shipping morkva-ua-shipping allows PHP Local
Path Traversal: '.../...//' vulnerability in Ihor Kit Morkva UA Shipping morkva-ua-shipping allows PHP Local File Inclusion.This issue affects Morkva UA Shipping: from n/a through <= 1.0.18. CVSSv3.1 8.1 (HIGH)
CVE-2025-24664 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology LTL Freight Quotes – Worldwide Express Edition ltl-freight-quotes-worldwide-express-edition allows SQL Injection.This issue affects LTL Freight Quotes – Worldwide Express Edition: from n/a through <= 5.0.20. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-24612 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ihor Kit Shipping for Nova Poshta nova-poshta-ttn allows SQL Injection.This issue affects Shipping for Nova Poshta: from n/a through <= 1.19.6. CVSSv3.1 9.3 (CRITICAL)
CVE-2025-24601 — Deserialization: of Untrusted Data vulnerability in ThimPress FundPress fundpress allows Object Injection.This issue affects
Deserialization of Untrusted Data vulnerability in ThimPress FundPress fundpress allows Object Injection.This issue affects FundPress: from n/a through <= 2.0.6. CVSSv3.1 9.8 (CRITICAL)
CVE-2024-57041 — Nodebb Nodebb: A persistent cross-site scripting (XSS) vulnerability in NodeBB v3.11.0 allows remote attackers to store
A persistent cross-site scripting (XSS) vulnerability in NodeBB v3.11.0 allows remote attackers to store arbitrary code in the 'about me' section of their profile. CVSSv3.1 4.6 (MEDIUM) · EPSS 98th percentile
CVE-2025-24728 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yannick Lefebvre Bug Library bug-library allows Blind SQL Injection.This issue affects Bug Library: from n/a through <= 2.1.4. CVSSv3.1 8.5 (HIGH)
CVE-2025-24672 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in codepeople Form Builder CP cp-easy-form-builder allows SQL Injection.This issue affects Form Builder CP: from n/a through <= 1.2.41. CVSSv3.1 8.5 (HIGH)
CVE-2025-24669 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in serpednet SERPed.net serped-net allows SQL Injection.This issue affects SERPed.net: from n/a through <= 4.4. CVSSv3.1 8.5 (HIGH)
CVE-2025-24650 — Themefic Tourfic: Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Tourfic tourfic allows Upload
Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Tourfic tourfic allows Upload a Web Shell to a Web Server.This issue affects Tourfic: from n/a through <= 2.15.3. CVSSv3.1 9.1 (CRITICAL)
CVE-2025-23914 — Deserialization: of Untrusted Data vulnerability in muzaara Muzaara Google Ads Report muzaara-adwords-optimize-dashboard allows Object
Deserialization of Untrusted Data vulnerability in muzaara Muzaara Google Ads Report muzaara-adwords-optimize-dashboard allows Object Injection.This issue affects Muzaara Google Ads Report: from n/a through <= 3.1. CVSSv3.1 9.8 (CRITICAL)
CVE-2025-23953 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Scriptonite user files user-files allows
Unrestricted Upload of File with Dangerous Type vulnerability in Scriptonite user files user-files allows Upload a Web Shell to a Web Server.This issue affects user files: from n/a through <= 2.4.2. CVSSv3.1 10.0 (CRITICAL)
CVE-2025-23949 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dzeriho Improved Sale Badges – Free Version improved-sale-badges-free-version allows PHP Local File Inclusion.This issue affects Improved Sale Badges – Free Version: from n/a through <= 1.0.1. CVSSv3.1 8.1 (HIGH)