2025-01-30
2025-01-30 14:15Z
CRIT

CVE-2024-13742 — Icontrolwp Icontrolwp: The iControlWP – Multiple WordPress Site Manager plugin for WordPress is vulnerable to PHP

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-13742

The iControlWP – Multiple WordPress Site Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.5 via deserialization of untrusted input from the reqpars parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. I CVSSv3.1 9.8 (CRITICAL)

CWECWE 502VNDWordpressVNDIcontrolwpTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-01-30
2025-01-30 14:15Z
HIGH

CVE-2024-10591 — Makewebbetter Hubspot_for_woocommerce: The MWB HubSpot for WooCommerce – CRM, Abandoned Cart, Email Marketing, Marketing Automation &

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-10591

The MWB HubSpot for WooCommerce – CRM, Abandoned Cart, Email Marketing, Marketing Automation & Analytics plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hubwoo_save_updates() function in all versions up to, and including, 1.5.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to update arbitrary options on the WordPress site. This CVSSv3.1 8.8 (HIGH)

CWECWE 862VNDMakewebbetterVNDMwbTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-01-30
2025-01-30 13:00Z
CRIT

CVE-2024-46506: Unauthenticated RCE in NetAlertx

Rhino Security Labs·rhinosecuritylabs.comCVE-2024-46506CVE-2024-48766

Rhino Security Labs disclosed CVE-2024-46506, an unauthenticated command injection in NetAlertX (a popular open-source LAN intrusion detector with 1.4M Docker pulls) affecting versions v23.01.14–v24.9.12. The vulnerability stems from missing authentication checks in util.php's saveSettings() function, allowing attackers to inject arbitrary commands into plugin configurations that execute on server initialization. A secondary CVE-2024-48766 arbitrary file read via path traversal was also identified; both were patched in v24.10.12, though two authentication bypass techniques were discovered and remediated post-patch.

SRFApplicationTACTA0001TACTA0002SRFWebVNDNetalertxTYPWriteupTYPVulnerabilitySTGExecution
82
Edit Score
2025-01-29
2025-01-29 13:01Z
CRIT

CVE-2024-46507: Yeti Platform Server-Side Template Injection (SSTI)

Rhino Security Labs·rhinosecuritylabs.comCVE-2024-46507CVE-2024-46508

Rhino Security Labs disclosed two chained vulnerabilities in Yeti (a DFIR threat intelligence platform): CVE-2024-46507 is a server-side template injection (SSTI) in custom report templates allowing authenticated RCE, and CVE-2024-46508 is a hardcoded JWT secret ('SECRET') in the default docker-compose deployment. Combined, these enable unauthenticated remote code execution on default installations. Patches were released in version 2.1.12.

SRFApplicationTACTA0001TACTA0002VNDYetiTYPWriteupTYPVulnerabilitySTGExecutionSTGInitial Access
78
Edit Score
2025-01-28
2025-01-28 18:15Z
HIGH

CVE-2024-13484 — A flaw was found in openshift-gitops-operator-container.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-13484

A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied. CVSSv3.1 8.2 (HIGH) · EPSS 10th percentile

CWECWE 668TYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2025-01-27
2025-01-27 17:15Z
HIGH

CVE-2024-48420 — Edimax Br-6476ac_firmware: AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 is vulnerable to Buffer Overflow via

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-48420

Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 is vulnerable to Buffer Overflow via /goform/getWifiBasic. CVSSv3.1 8.8 (HIGH) · EPSS 37th percentile

CWECWE 120VNDEdimaxTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-01-27
2025-01-27 17:15Z
HIGH

CVE-2024-48419 — Edimax Br-6476ac_firmware: AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 suffers from Command Injection issues in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-48419

Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 suffers from Command Injection issues in /bin/goahead. Specifically, these issues can be triggered through /goform/tracerouteDiagnosis, /goform/pingDiagnosis, and /goform/fromSysToolPingCmd Each of these issues allows an attacker with access to the web interface to inject and execute arbitrary shell commands, with "root" privileges. CVSSv3.1 8.8 (HIGH) · EPSS 79th percentile

CWECWE 77VNDEdimaxTYPVulnerability
8.8
CVSS v3.1
95
Edit Score
728 × 90 / responsive · programmatic ad slot
2025-01-27
2025-01-27 17:15Z
HIGH

CVE-2024-48418 — Edimax Br-6476ac_firmware: In Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06, the request /goform/fromSetDDNS does not

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-48418

In Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06, the request /goform/fromSetDDNS does not properly handle special characters in any of user provided parameters, allowing an attacker with access to the web interface to inject and execute arbitrary shell commands. CVSSv3.1 8.8 (HIGH) · EPSS 24th percentile

CWECWE 352VNDEdimaxTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-01-27
2025-01-27 17:15Z
HIGH

CVE-2024-48416 — Edimax Br-6476ac_firmware: AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 is vulnerable to Buffer Overflow via

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-48416

Edimax AC1200 Wi-Fi 5 Dual-Band Router BR-6476AC 1.06 is vulnerable to Buffer Overflow via /goform/fromSetLanDhcpsClientbinding. CVSSv3.1 8.8 (HIGH) · EPSS 36th percentile

CWECWE 120VNDEdimaxTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-01-27
2025-01-27 15:15Z
HIGH

CVE-2025-24734 — Authorization: Missing Authorization vulnerability in CodeSolz Better Find and Replace real-time-auto-find-and-replace allows Privilege Escalation.This issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-24734

Missing Authorization vulnerability in CodeSolz Better Find and Replace real-time-auto-find-and-replace allows Privilege Escalation.This issue affects Better Find and Replace: from n/a through <= 1.6.7. CVSSv3.1 8.8 (HIGH)

CWECWE 862TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2025-01-27
2025-01-27 15:15Z
CRIT

CVE-2025-24671 — Deserialization: of Untrusted Data vulnerability in Pdfcrowd Dev Team Save as PDF save-as-pdf-by-pdfcrowd allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-24671

Deserialization of Untrusted Data vulnerability in Pdfcrowd Dev Team Save as PDF save-as-pdf-by-pdfcrowd allows Object Injection.This issue affects Save as PDF: from n/a through <= 4.4.0. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-01-27
2025-01-27 15:15Z
CRIT

CVE-2025-24667 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-24667

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology Small Package Quotes – Worldwide Express Edition small-package-quotes-wwe-edition allows SQL Injection.This issue affects Small Package Quotes – Worldwide Express Edition: from n/a through <= 5.2.17. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-01-27
2025-01-27 15:15Z
CRIT

CVE-2025-24665 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-24665

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology Small Package Quotes – Unishippers Edition small-package-quotes-unishippers-edition allows SQL Injection.This issue affects Small Package Quotes – Unishippers Edition: from n/a through <= 2.4.8. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-01-27
2025-01-27 14:15Z
HIGH

CVE-2025-24685 — Path: Traversal: '.../...//' vulnerability in Ihor Kit Morkva UA Shipping morkva-ua-shipping allows PHP Local

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-24685

Path Traversal: '.../...//' vulnerability in Ihor Kit Morkva UA Shipping morkva-ua-shipping allows PHP Local File Inclusion.This issue affects Morkva UA Shipping: from n/a through <= 1.0.18. CVSSv3.1 8.1 (HIGH)

CWECWE 35TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2025-01-27
2025-01-27 14:15Z
CRIT

CVE-2025-24664 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-24664

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology LTL Freight Quotes – Worldwide Express Edition ltl-freight-quotes-worldwide-express-edition allows SQL Injection.This issue affects LTL Freight Quotes – Worldwide Express Edition: from n/a through <= 5.0.20. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-01-27
2025-01-27 14:15Z
CRIT

CVE-2025-24612 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-24612

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ihor Kit Shipping for Nova Poshta nova-poshta-ttn allows SQL Injection.This issue affects Shipping for Nova Poshta: from n/a through <= 1.19.6. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2025-01-27
2025-01-27 14:15Z
CRIT

CVE-2025-24601 — Deserialization: of Untrusted Data vulnerability in ThimPress FundPress fundpress allows Object Injection.This issue affects

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-24601

Deserialization of Untrusted Data vulnerability in ThimPress FundPress fundpress allows Object Injection.This issue affects FundPress: from n/a through <= 2.0.6. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-01-24
2025-01-24 20:15Z
MED

CVE-2024-57041 — Nodebb Nodebb: A persistent cross-site scripting (XSS) vulnerability in NodeBB v3.11.0 allows remote attackers to store

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-57041

A persistent cross-site scripting (XSS) vulnerability in NodeBB v3.11.0 allows remote attackers to store arbitrary code in the 'about me' section of their profile. CVSSv3.1 4.6 (MEDIUM) · EPSS 98th percentile

CWECWE 79VNDXssVNDNodebbTYPVulnerability
4.6
CVSS v3.1
81
Edit Score
2025-01-24
2025-01-24 18:15Z
HIGH

CVE-2025-24728 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-24728

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yannick Lefebvre Bug Library bug-library allows Blind SQL Injection.This issue affects Bug Library: from n/a through <= 2.1.4. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-01-24
2025-01-24 18:15Z
HIGH

CVE-2025-24672 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-24672

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in codepeople Form Builder CP cp-easy-form-builder allows SQL Injection.This issue affects Form Builder CP: from n/a through <= 1.2.41. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-01-24
2025-01-24 18:15Z
HIGH

CVE-2025-24669 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-24669

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in serpednet SERPed.net serped-net allows SQL Injection.This issue affects SERPed.net: from n/a through <= 4.4. CVSSv3.1 8.5 (HIGH)

CWECWE 89TYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2025-01-24
2025-01-24 18:15Z
CRIT

CVE-2025-24650 — Themefic Tourfic: Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Tourfic tourfic allows Upload

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-24650

Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Tourfic tourfic allows Upload a Web Shell to a Web Server.This issue affects Tourfic: from n/a through <= 2.15.3. CVSSv3.1 9.1 (CRITICAL)

CWECWE 434VNDThemeficTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2025-01-22
2025-01-22 16:15Z
CRIT

CVE-2025-23914 — Deserialization: of Untrusted Data vulnerability in muzaara Muzaara Google Ads Report muzaara-adwords-optimize-dashboard allows Object

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-23914

Deserialization of Untrusted Data vulnerability in muzaara Muzaara Google Ads Report muzaara-adwords-optimize-dashboard allows Object Injection.This issue affects Muzaara Google Ads Report: from n/a through <= 3.1. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2025-01-22
2025-01-22 15:15Z
CRIT

CVE-2025-23953 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Scriptonite user files user-files allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-23953

Unrestricted Upload of File with Dangerous Type vulnerability in Scriptonite user files user-files allows Upload a Web Shell to a Web Server.This issue affects user files: from n/a through <= 2.4.2. CVSSv3.1 10.0 (CRITICAL)

CWECWE 434TYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2025-01-22
2025-01-22 15:15Z
HIGH

CVE-2025-23949 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-23949

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dzeriho Improved Sale Badges – Free Version improved-sale-badges-free-version allows PHP Local File Inclusion.This issue affects Improved Sale Badges – Free Version: from n/a through <= 1.0.1. CVSSv3.1 8.1 (HIGH)

CWECWE 98TYPVulnerability
8.1
CVSS v3.1
91
Edit Score