Vulnerabilities > High

DATE CVE VULNERABILITY TITLE RISK
2025-03-26 CVE-2025-20229 In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8, and Splunk Cloud Platform versions below 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, and 9.1.2312.208, a low-privileged user that does not hold the "admin" or "power" Splunk roles could perform a Remote Code Execution (RCE) through a file upload to the "$SPLUNK_HOME/var/run/splunk/apptemp" directory due to missing authorization checks.
network
low complexity
CWE-284
8.0
8.0
2025-03-26 CVE-2025-20231 In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the “admin“ or “power“ Splunk roles could run a search using the permissions of a higher-privileged user that could lead to disclosure of sensitive information.<br><br>The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser.
network
high complexity
CWE-532
7.1
7.1
2025-03-26 CVE-2024-13889 The WordPress Importer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.8.3 via deserialization of untrusted input in the 'maybe_unserialize' function.
network
low complexity
CWE-502
7.2
7.2
2025-03-26 CVE-2025-1912 The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the validate_file() Function.
network
low complexity
CWE-918
7.6
7.6
2025-03-26 CVE-2025-1913 The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.5.0 via deserialization of untrusted input from the 'form_data' parameter This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object.
network
low complexity
CWE-502
7.2
7.2
2025-03-26 CVE-2025-2110 The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on its on its AJAX functions in all versions up to, and including, 6.30.15.
network
low complexity
CWE-862
8.8
8.8
2025-03-26 CVE-2024-13801 The BWL Advanced FAQ Manager plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'baf_set_notice_status' AJAX action in all versions up to, and including, 2.1.4.
network
low complexity
CWE-862
8.1
8.1
2025-03-26 CVE-2025-1514 The Active Products Tables for WooCommerce.
network
low complexity
CWE-20
7.3
7.3
2025-03-26 CVE-2025-2009 The Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the logging functionality in all versions up to, and including, 4.9.9.7 due to insufficient input sanitization and output escaping.
network
low complexity
CWE-79
7.2
7.2
2025-03-26 CVE-2025-2257 The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.16.10 via the compression_level setting.
network
low complexity
CWE-78
7.2
7.2