Vulnerabilities > Critical

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | ATTACK VECTOR | COMPLEXITY | VENDOR | CWE | RISK | SCORE |
|---|---|---|---|---|---|---|---|---|---|
| 2025-03-15 | CVE-2025-1771 | PHP Remote File Inclusion vulnerability in Shinecommerce Traveler | The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_load_more_post' function 'style' parameter. | network | low complexity | shinecommerce | CWE-98 | critical | 9.8 |
| 2025-03-14 | CVE-2025-29384 | Out-of-bounds Write vulnerability in Tenda AC9 Firmware 15.03.05.14 | In Tenda AC9 v1.0 V15.03.05.14_multi, the wanMTU parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability, which can lead to remote arbitrary code execution. | network | low complexity | tenda | CWE-787 | critical | 9.8 |
| 2025-03-14 | CVE-2025-29385 | Out-of-bounds Write vulnerability in Tenda AC9 Firmware 15.03.05.14 | In Tenda AC9 v1.0 V15.03.05.14_multi, the cloneType parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability, which can lead to remote arbitrary code execution. | network | low complexity | tenda | CWE-787 | critical | 9.8 |
| 2025-03-14 | CVE-2025-29386 | Out-of-bounds Write vulnerability in Tenda AC9 Firmware 15.03.05.14 | In Tenda AC9 v1.0 V15.03.05.14_multi, the mac parameter of /goform/AdvSetMacMtuWan has a stack overflow vulnerability, which can lead to remote arbitrary code execution. | network | low complexity | tenda | CWE-787 | critical | 9.8 |
| 2025-03-14 | CVE-2025-29029 | Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.16 | Tenda AC6 v15.03.05.16 was discovered to contain a buffer overflow via the formSetSpeedWan function. | network | low complexity | tenda | CWE-787 | critical | 9.8 |
| 2025-03-14 | CVE-2025-29030 | Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.16 | Tenda AC6 v15.03.05.16 was discovered to contain a buffer overflow via the formWifiWpsOOB function. | network | low complexity | tenda | CWE-787 | critical | 9.8 |
| 2025-03-14 | CVE-2025-29031 | Out-of-bounds Write vulnerability in Tenda AC6 Firmware 15.03.05.16 | Tenda AC6 v15.03.05.16 was discovered to contain a buffer overflow via the fromAddressNat function. | network | low complexity | tenda | CWE-787 | critical | 9.8 |
| 2025-03-14 | CVE-2025-2000 | | A maliciously crafted QPY file can potentially execute arbitrary code embedded in the payload without privilege escalation when deserialising QPY formats < 13. | network | low complexity | | CWE-502 | critical | 9.8 |
| 2025-03-14 | CVE-2025-2232 | Improper Privilege Management vulnerability in Purethemes Realteo 1.2.4 | The Realteo - Real Estate Plugin by Purethemes plugin for WordPress, used by the Findeo Theme, is vulnerable to authentication bypass in all versions up to, and including, 1.2.8. | network | low complexity | purethemes | CWE-269 | critical | 9.8 |
| 2025-03-14 | CVE-2024-13321 | SQL Injection vulnerability in Analyticswp | The AnalyticsWP plugin for WordPress is vulnerable to SQL Injection via the 'custom_sql' parameter in all versions up to, and including, 2.0.0 due to insufficient authorization checks on the handle_get_stats() function. | network | low complexity | analyticswp | CWE-89 | critical | 9.8 |