Vulnerabilities > Critical

DATE CVE VULNERABILITY TITLE RISK
2025-03-19 CVE-2024-13442 The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.0.
network
low complexity
CWE-288
critical
 9.8
9.8
2025-03-19 CVE-2025-2512 The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1.
network
low complexity
CWE-434
critical
 9.8
9.8
2025-03-19 CVE-2024-13790 The MinimogWP – The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.7.0 via the 'template' parameter.
network
low complexity
CWE-98
critical
 9.8
9.8
2025-03-19 CVE-2024-13410 The CozyStay and TinySalt plugins for WordPress are vulnerable to PHP Object Injection in all versions up to, and including, 1.7.0, and in all versions up to, and including 3.9.0, respectively, via deserialization of untrusted input in the 'ajax_handler' function.
network
low complexity
CWE-502
critical
 9.8
9.8
2025-03-19 CVE-2024-12922 The Altair theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check within functions.php in all versions up to, and including, 5.2.4.
network
low complexity
CWE-862
critical
 9.8
9.8
2025-03-18 CVE-2024-56346 IBM AIX 7.2 and 7.3 nimesis NIM master service could allow a remote attacker to execute arbitrary commands due to improper process controls.
network
low complexity
CWE-114
critical
 10.0
10
2025-03-18 CVE-2024-56347 IBM AIX 7.2 and 7.3 nimsh service SSL/TLS protection mechanisms could allow a remote attacker to execute arbitrary commands due to improper process controls.
network
low complexity
CWE-114
critical
 9.6
9.6
2025-03-18 CVE-2024-8997 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Vestel EVC04 Configuration Interface allows SQL Injection.This issue affects EVC04 Configuration Interface: through 18.03.2025.
network
low complexity
CWE-89
critical
 9.8
9.8
2025-03-18 CVE-2024-23943 An unauthenticated remote attacker can gain access to the cloud API due to a lack of authentication for a critical function in the affected devices.
network
low complexity
CWE-306
critical
 9.1
9.1
2025-03-17 CVE-2025-2395 The U-Office Force from e-Excellence has an Improper Authentication vulnerability, allowing unauthenticated remote attackers to use a particular API and alter cookies to log in as an administrator.
network
low complexity
CWE-565
critical
 9.8
9.8