Vulnerabilities > Medium

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2025-04-06 | CVE-2025-32369 | Cross-site Scripting vulnerability in Kentico Xperience. Kentico Xperience before 13.0.181 allows authenticated users to distribute malicious content (for stored XSS) via certain interactions with the media library file upload feature. (network; low complexity; kentico; CWE-79) | 5.4 |
| 2025-04-06 | CVE-2025-1264 | The Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to SQL Injection via the 'orderBy' parameter in all versions up to, and including, 1.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. (network; low complexity; CWE-89) | 6.5 |
| 2025-04-05 | CVE-2025-3304 | A vulnerability, which was classified as critical, was found in code-projects Patient Record Management System 1.0. (network; low complexity; CWE-74) | 6.3 |
| 2025-04-05 | CVE-2025-32357 | Missing Authentication for Critical Function vulnerability in Zammad 6.4.0/6.4.1. In Zammad 6.4.x before 6.4.2, an authenticated agent with knowledge base permissions was able to use the Zammad API to fetch knowledge base content that they have no permission for. (network; low complexity; zammad; CWE-306) | 4.3 |
| 2025-04-05 | CVE-2025-32358 | Server-Side Request Forgery (SSRF) vulnerability in Zammad 6.4.0/6.4.1. In Zammad 6.4.x before 6.4.2, SSRF can occur. (network; low complexity; zammad; CWE-918) | 4.1 |
| 2025-04-05 | CVE-2025-0839 | The ZoomSounds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 6.91 due to insufficient input sanitization and output escaping on user supplied attributes. (network; low complexity; CWE-79) | 6.4 |
| 2025-04-05 | CVE-2025-1233 | The Lafka Plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'lafka_options_upload' AJAX function in all versions up to, and including, 7.1.0. (network; low complexity; CWE-862) | 4.3 |
| 2025-04-05 | CVE-2025-2789 | The MultiVendorX – Empower Your WooCommerce Store with a Dynamic Multivendor Marketplace – Build the Next Amazon, eBay, Etsy plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the delete_table_rate_shipping_row function in all versions up to, and including, 4.2.19. (network; low complexity; CWE-862) | 5.3 |
| 2025-04-05 | CVE-2025-2544 | The AI Content Pipelines plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. (network; low complexity; CWE-79) | 6.4 |
| 2025-04-05 | CVE-2025-1500 | IBM Maximo Application Suite 9.0 could allow an authenticated user to upload a file with dangerous types that could be executed by another user if opened. (network; low complexity; CWE-434) | 5.5 |