Weekly Vulnerabilities Report: December 30, 2024 to January 5, 2025

Overview

96 new vulnerabilities were reported during this period, including 21 critical vulnerabilities and 33 high severity vulnerabilities. This weekly summary reports vulnerabilities in 34 products from 23 vendors, including Phpgurukul, Code Projects, Ashlar, Campcodes, and Wangl1989. The vulnerabilities are notably categorized as "Cross-site Scripting", "SQL Injection", "Out-of-bounds Write", "Cross-Site Request Forgery (CSRF)", and "Server-Side Request Forgery (SSRF)".

  • 82 reported vulnerabilities are remotely exploitable.
  • 56 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 49 reported vulnerabilities are exploitable by an anonymous user.
  • Phpgurukul has the most reported vulnerabilities, with 11 reported vulnerabilities.
  • Code Projects has the most reported critical vulnerabilities, with 6 reported vulnerabilities.


Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:

21 Critical Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2025-01-04 | CVE-2024-12583 | - | The Dynamics 365 Integration plugin for WordPress is vulnerable to Remote Code Execution and Arbitrary File Read in all versions up to, and including, 1.3.23 via Twig Server-Side Template Injection. | 9.9

2025-01-05 | CVE-2025-0233 | Codezips | SQL Injection vulnerability in Codezips Project Management System 1.0 | 9.8
    A vulnerability was found in Codezips Project Management System 1.0.

2025-01-05 | CVE-2025-0230 | Fabianros | SQL Injection vulnerability in Fabianros Responsive Hotel Site 1.0 | 9.8
    A vulnerability, which was classified as critical, was found in code-projects Responsive Hotel Site 1.0.

2025-01-05 | CVE-2025-0229 | Fabianros | SQL Injection vulnerability in Fabianros Travel Management System 1.0 | 9.8
    A vulnerability, which was classified as critical, has been found in code-projects Travel Management System 1.0.

2025-01-05 | CVE-2024-13136 | Wangl1989 | Deserialization of Untrusted Data vulnerability in Wangl1989 Mysiteforme 1.0 | 9.8
    A vulnerability was found in wangl1989 mysiteforme 1.0 and classified as critical.

2025-01-04 | CVE-2025-0213 | Campcodes | Unrestricted Upload of File with Dangerous Type vulnerability in Campcodes Project Management System 1.0 | 9.8
    A vulnerability was found in Campcodes Project Management System 1.0.

2025-01-04 | CVE-2025-0212 | Campcodes | SQL Injection vulnerability in Campcodes Student Grading System 1.0 | 9.8
    A vulnerability was found in Campcodes Student Grading System 1.0.

2025-01-04 | CVE-2025-0211 | Campcodes | Unspecified vulnerability in Campcodes School Faculty Scheduling System 1.0 | 9.8
    A vulnerability was found in Campcodes School Faculty Scheduling System 1.0 and classified as critical.

2025-01-04 | CVE-2025-0210 | Campcodes | SQL Injection vulnerability in Campcodes School Faculty Scheduling System 1.0 | 9.8
    A vulnerability has been found in Campcodes School Faculty Scheduling System 1.0 and classified as critical.

2025-01-04 | CVE-2025-0207 | Code Projects | SQL Injection vulnerability in Code-Projects Online Shoe Store 1.0 | 9.8
    A vulnerability, which was classified as critical, has been found in code-projects Online Shoe Store 1.0.

2025-01-04 | CVE-2025-0208 | Code Projects | SQL Injection vulnerability in Code-Projects Online Shoe Store 1.0 | 9.8
    A vulnerability, which was classified as critical, was found in code-projects Online Shoe Store 1.0.

2025-01-04 | CVE-2025-0205 | Code Projects | SQL Injection vulnerability in Code-Projects Online Shoe Store 1.0 | 9.8
    A vulnerability classified as critical has been found in code-projects Online Shoe Store 1.0.

2025-01-04 | CVE-2025-0204 | Code Projects | SQL Injection vulnerability in Code-Projects Online Shoe Store 1.0 | 9.8
    A vulnerability was found in code-projects Online Shoe Store 1.0.

2025-01-04 | CVE-2025-0203 | Code Projects | SQL Injection vulnerability in Code-Projects Student Management System 1.0 | 9.8
    A vulnerability was found in code-projects Student Management System 1.0.

2024-12-31 | CVE-2024-13085 | Phpgurukul | SQL Injection vulnerability in PHPgurukul Land Record System 1.0 | 9.8
    A vulnerability, which was classified as critical, has been found in PHPGurukul Land Record System 1.0.

2024-12-31 | CVE-2024-13084 | Phpgurukul | SQL Injection vulnerability in PHPgurukul Land Record System 1.0 | 9.8
    A vulnerability classified as critical was found in PHPGurukul Land Record System 1.0.

2024-12-31 | CVE-2024-13072 | 1000Projects | SQL Injection vulnerability in 1000Projects Beauty Parlour Management System 1.0 | 9.8
    A vulnerability was found in 1000 Projects Beauty Parlour Management System 1.0.

2024-12-30 | CVE-2024-13037 | 1000Projects | SQL Injection vulnerability in 1000Projects Attendance Tracking Management System 1.0 | 9.8
    A vulnerability was found in 1000 Projects Attendance Tracking Management System 1.0.

2024-12-30 | CVE-2024-13035 | Code Projects | SQL Injection vulnerability in Code-Projects Chat System 1.0 | 9.8
    A vulnerability has been found in code-projects Chat System 1.0 and classified as critical.

2024-12-31 | CVE-2024-12108 | Progress | Authentication Bypass by Spoofing vulnerability in Progress Whatsup Gold | 9.6
    In WhatsUp Gold versions released before 2024.0.2, an attacker can gain access to the WhatsUp Gold server via the public API.

2024-12-30 | CVE-2024-22063 | ZTE | Improper Neutralization of Formula Elements in a CSV File vulnerability in ZTE Zenic ONE R58 | 9.0
    The ZENIC ONE R58 products by ZTE Corporation have a command injection vulnerability.

33 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2025-01-05 | CVE-2025-0231 | Codezips | SQL Injection vulnerability in Codezips GYM Management System 1.0 | 8.8
    A vulnerability has been found in Codezips Gym Management System 1.0 and classified as critical.

2025-01-05 | CVE-2025-0232 | Codezips | SQL Injection vulnerability in Codezips Blood Bank Management System 1.0 | 8.8
    A vulnerability was found in Codezips Blood Bank Management System 1.0 and classified as critical.

2025-01-05 | CVE-2024-13138 | Wangl1989 | Unrestricted Upload of File with Dangerous Type vulnerability in Wangl1989 Mysiteforme 1.0 | 8.8
    A vulnerability was found in wangl1989 mysiteforme 1.0.

2025-01-05 | CVE-2024-13139 | Wangl1989 | Server-Side Request Forgery (SSRF) vulnerability in Wangl1989 Mysiteforme 1.0 | 8.8
    A vulnerability was found in wangl1989 mysiteforme 1.0.

2025-01-04 | CVE-2025-0206 | Code Projects | Unspecified vulnerability in Code-Projects Online Shoe Store 1.0 | 8.8
    A vulnerability classified as critical was found in code-projects Online Shoe Store 1.0.

2025-01-04 | CVE-2024-10932 | - | The Backup Migration plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.6 via deserialization of untrusted input in the 'recursive_unserialize_replace' function. | 8.8

2025-01-02 | CVE-2024-37093 | Stylemixthemes | Cross-Site Request Forgery (CSRF) vulnerability in Stylemixthemes Masterstudy LMS | 8.8
    Cross-Site Request Forgery (CSRF) vulnerability in StylemixThemes MasterStudy LMS allows Cross Site Request Forgery. This issue affects MasterStudy LMS: from n/a through 3.2.1.

2025-01-02 | CVE-2024-37469 | Creativethemes | Cross-Site Request Forgery (CSRF) vulnerability in Creativethemes Blocksy | 8.8
    Cross-Site Request Forgery (CSRF) vulnerability in CreativeThemes Blocksy allows Cross Site Request Forgery. This issue affects Blocksy: from n/a through 2.0.22.

2025-01-02 | CVE-2024-56266 | Sonaar | Missing Authorization vulnerability in Sonaar MP3 Audio Player for Music, Radio & Podcast | 8.8
    Missing Authorization vulnerability in Sonaar Music MP3 Audio Player for Music, Radio & Podcast by Sonaar allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through 5.8.

2024-12-31 | CVE-2024-13079 | Phpgurukul | SQL Injection vulnerability in PHPgurukul Land Record System 1.0 | 8.8
    A vulnerability was found in PHPGurukul Land Record System 1.0 and classified as critical.

2024-12-31 | CVE-2024-13078 | Phpgurukul | SQL Injection vulnerability in PHPgurukul Land Record System 1.0 | 8.8
    A vulnerability has been found in PHPGurukul Land Record System 1.0 and classified as critical.

2024-12-31 | CVE-2024-25133 | - | A flaw was found in the Hive ClusterDeployments resource in OpenShift Dedicated. | 8.8

2024-12-31 | CVE-2024-12838 | - | The passwordless login mechanism in CGFIDO from Changing Information Technology has an Authentication Bypass vulnerability, allowing remote attackers with regular privileges to send a crafted request to switch to the identity of any user, including administrators. | 8.8

2024-12-31 | CVE-2024-12839 | - | The login mechanism via device authentication of CGFIDO from Changing Information Technology has an Authentication Bypass vulnerability. | 8.8

2024-12-31 | CVE-2024-13040 | - | The QOCA aim from Quanta Computer has an Authorization Bypass Through User-Controlled Key vulnerability. | 8.8

2024-12-30 | CVE-2024-13043 | Watchguard | Link Following vulnerability in Watchguard Panda Dome 22.02.01 | 7.8
    Panda Security Dome Link Following Local Privilege Escalation Vulnerability.

2024-12-30 | CVE-2024-13044 | Ashlar | Out-of-bounds Write vulnerability in Ashlar Cobalt 1204.90 | 7.8
    Ashlar-Vellum Cobalt AR File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability.

2024-12-30 | CVE-2024-13045 | Ashlar | Out-of-bounds Write vulnerability in Ashlar Cobalt 1204.90 | 7.8
    Ashlar-Vellum Cobalt AR File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability.

2024-12-30 | CVE-2024-13046 | Ashlar | Out-of-bounds Write vulnerability in Ashlar Cobalt 1204.90 | 7.8
    Ashlar-Vellum Cobalt CO File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability.

2024-12-30 | CVE-2024-13047 | Ashlar | Type Confusion vulnerability in Ashlar Cobalt 1204.90 | 7.8
    Ashlar-Vellum Cobalt CO File Parsing Type Confusion Remote Code Execution Vulnerability.

2024-12-30 | CVE-2024-13048 | Ashlar | Out-of-bounds Write vulnerability in Ashlar Cobalt 1204.90 | 7.8
    Ashlar-Vellum Cobalt XE File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability.

2024-12-30 | CVE-2024-13049 | Ashlar | Type Confusion vulnerability in Ashlar Cobalt 1204.90 | 7.8
    Ashlar-Vellum Cobalt XE File Parsing Type Confusion Remote Code Execution Vulnerability.

2024-12-30 | CVE-2024-13050 | Ashlar | Out-of-bounds Write vulnerability in Ashlar Graphite 13.0.48 | 7.8
    Ashlar-Vellum Graphite VC6 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability.

2024-12-30 | CVE-2024-13051 | Ashlar | Out-of-bounds Write vulnerability in Ashlar Graphite 13.0.48 | 7.8
    Ashlar-Vellum Graphite VC6 File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability.

2024-12-31 | CVE-2024-45497 | - | A flaw was found in the OpenShift build process, where the docker-build container is configured with a hostPath volume mount that maps the node's /var/lib/kubelet/config.json file into the build pod. | 7.6

2024-12-30 | CVE-2024-13034 | Code Projects | Cross-site Scripting vulnerability in Code-Projects Chat System 1.0 | 7.6
    A vulnerability, which was classified as problematic, was found in code-projects Chat System 1.0.

2025-01-04 | CVE-2024-41766 | - | IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 could allow a remote attacker to cause a denial of service using a complex regular expression. | 7.5

2024-12-31 | CVE-2023-6603 | - | A flaw was found in FFmpeg's HLS playlist parsing. | 7.5

2024-12-31 | CVE-2024-12106 | Progress | Missing Authentication for Critical Function vulnerability in Progress Whatsup Gold | 7.5
    In WhatsUp Gold versions released before 2024.0.2, an unauthenticated attacker can configure LDAP settings.

2024-12-30 | CVE-2024-13036 | Fabianros | SQL Injection vulnerability in Fabianros Chat System 1.0 | 7.5
    A vulnerability was found in code-projects Chat System 1.0 and classified as critical.

2025-01-04 | CVE-2024-41767 | - | IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 is vulnerable to SQL injection. | 7.3

2025-01-03 | CVE-2024-11733 | - | The WordPress Popular Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.1.0. | 7.3

2024-12-30 | CVE-2024-54181 | - | IBM WebSphere Automation 1.7.5 could allow a remote privileged user, who has authorized access to the swagger UI, to execute arbitrary code. | 7.2

42 Medium Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2025-01-04 | CVE-2024-41765 | - | IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 could allow a remote attacker to traverse directories on the system. | 6.5

2025-01-04 | CVE-2024-41768 | - | IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 could allow a remote attacker to cause an unhandled SSL exception which could leave the connection in an unexpected or insecure state. | 6.5

2025-01-04 | CVE-2024-12195 | - | The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to SQL Injection via the 'project_id' parameter of the /wp-json/pm/v2/projects/2/task-lists REST API endpoint in all versions up to, and including, 2.6.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. | 6.5

2024-12-31 | CVE-2024-12105 | Progress | Path Traversal vulnerability in Progress Whatsup Gold | 6.5
    In WhatsUp Gold versions released before 2024.0.2, an authenticated user can use a specially crafted HTTP request that can lead to information disclosure.

2025-01-04 | CVE-2024-12475 | - | The WP Multi Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. | 6.4

2025-01-04 | CVE-2024-11930 | - | The Taskbuilder – WordPress Project & Task Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wppm_tasks shortcode in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. | 6.4

2025-01-04 | CVE-2024-12279 | - | The WP Social AutoConnect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.2. | 6.1

2025-01-04 | CVE-2024-12221 | - | The Turnkey bbPress by WeaverTheme plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the '_wpnonce' parameter in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. | 6.1

2025-01-04 | CVE-2024-11974 | - | The Media Library Assistant plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'smc_settings_tab', 'unattachfixit-action', and 'woofixit-action' parameters in all versions up to, and including, 3.23 due to insufficient input sanitization and output escaping. | 6.1

2025-01-04 | CVE-2024-12047 | - | The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'custom_server' parameter in all versions up to, and including, 6.30.03 due to insufficient input sanitization and output escaping. | 6.1

2025-01-04 | CVE-2024-12701 | - | The WP Smart Import : Import any XML File to WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. | 6.1

2024-12-31 | CVE-2024-13082 | Phpgurukul | Cross-site Scripting vulnerability in PHPgurukul Land Record System 1.0 | 6.1
    A vulnerability was found in PHPGurukul Land Record System 1.0.

2024-12-30 | CVE-2024-13033 | Code Projects | Cross-site Scripting vulnerability in Code-Projects Chat System 1.0 | 6.1
    A vulnerability, which was classified as problematic, has been found in code-projects Chat System 1.0.

2025-01-04 | CVE-2024-41763 | - | IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 5.9

2025-01-05 | CVE-2025-0222 | IObit | NULL Pointer Dereference vulnerability in IObit Protected Folder | 5.5
    A vulnerability was found in IObit Protected Folder up to 13.6.0.5 and classified as problematic.

2025-01-05 | CVE-2025-0223 | IObit | NULL Pointer Dereference vulnerability in IObit Protected Folder | 5.5
    A vulnerability was found in IObit Protected Folder up to 13.6.0.5.

2025-01-05 | CVE-2025-0221 | IObit | NULL Pointer Dereference vulnerability in IObit Protected Folder | 5.5
    A vulnerability has been found in IObit Protected Folder up to 1.3.0 and classified as problematic.

2025-01-02 | CVE-2022-49035 | Linux | Allocation of Resources Without Limits or Throttling vulnerability in Linux Kernel | 5.5
    In the Linux kernel, the following vulnerability has been resolved: media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE. I expect that the hardware will have limited this to 16, but just in case it hasn't, check for this corner case.

2025-01-05 | CVE-2024-13141 | Osuuu | Cross-site Scripting vulnerability in Osuuu Lightpicture 1.2.0/1.2.1/1.2.2 | 5.4
    A vulnerability classified as problematic was found in osuuu LightPicture up to 1.2.2.

2025-01-05 | CVE-2024-13140 | Emlog | Cross-site Scripting vulnerability in Emlog | 5.4
    A vulnerability classified as problematic has been found in Emlog Pro up to 2.4.3.

2025-01-05 | CVE-2024-13137 | Wangl1989 | Cross-site Scripting vulnerability in Wangl1989 Mysiteforme 1.0 | 5.4
    A vulnerability was found in wangl1989 mysiteforme 1.0.

2025-01-04 | CVE-2024-12545 | - | The Scratch & Win – Giveaways and Contests. | 5.4

2025-01-03 | CVE-2024-55896 | - | IBM PowerHA SystemMirror for i 7.4 and 7.5 contains improper restrictions when rendering content via iFrames. | 5.4

2025-01-02 | CVE-2024-56252 | Themelooks | Cross-site Scripting vulnerability in Themelooks Enter Addons | 5.4
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeLooks Enter Addons allows Stored XSS. This issue affects Enter Addons: from n/a through 2.1.9.

2025-01-02 | CVE-2024-56254 | Moveaddons | Cross-site Scripting vulnerability in Moveaddons Move Addons for Elementor | 5.4
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in moveaddons Move Addons for Elementor allows Stored XSS. This issue affects Move Addons for Elementor: from n/a through 1.3.6.

2024-12-31 | CVE-2024-13083 | Phpgurukul | Cross-site Scripting vulnerability in PHPgurukul Land Record System 1.0 | 5.4
    A vulnerability classified as problematic has been found in PHPGurukul Land Record System 1.0.

2024-12-31 | CVE-2024-13081 | Phpgurukul | Cross-site Scripting vulnerability in PHPgurukul Land Record System 1.0 | 5.4
    A vulnerability was found in PHPGurukul Land Record System 1.0.

2024-12-31 | CVE-2024-13080 | Phpgurukul | Cross-site Scripting vulnerability in PHPgurukul Land Record System 1.0 | 5.4
    A vulnerability was found in PHPGurukul Land Record System 1.0.

2024-12-31 | CVE-2024-13077 | Phpgurukul | Cross-site Scripting vulnerability in PHPgurukul Land Record System 1.0 | 5.4
    A vulnerability, which was classified as problematic, was found in PHPGurukul Land Record System 1.0.

2024-12-31 | CVE-2024-13075 | Phpgurukul | Cross-site Scripting vulnerability in PHPgurukul Land Record System 1.0 | 5.4
    A vulnerability classified as problematic was found in PHPGurukul Land Record System 1.0.

2024-12-31 | CVE-2024-13076 | Phpgurukul | Cross-site Scripting vulnerability in PHPgurukul Land Record System 1.0 | 5.4
    A vulnerability, which was classified as problematic, has been found in PHPGurukul Land Record System 1.0.

2024-12-31 | CVE-2023-6602 | - | A flaw was found in FFmpeg's TTY Demuxer. | 5.3

2024-12-30 | CVE-2024-13032 | Antabot | Server-Side Request Forgery (SSRF) vulnerability in Antabot White-Jotter | 4.9
    A vulnerability classified as problematic was found in Antabot White-Jotter up to 0.2.2.

2025-01-05 | CVE-2024-13142 | Zerowdd | Cross-site Scripting vulnerability in Zerowdd Studentmanager 1.0 | 4.8
    A vulnerability was found in ZeroWdd studentmanager 1.0.

2025-01-05 | CVE-2025-0228 | Code Projects | Cross-site Scripting vulnerability in Code-Projects Local Storage Todo APP 1.0 | 4.8
    A vulnerability has been found in code-projects Local Storage Todo App 1.0 and classified as problematic.

2024-12-30 | CVE-2024-13031 | Antabot | Cross-site Scripting vulnerability in Antabot White-Jotter | 4.8
    A vulnerability classified as problematic has been found in Antabot White-Jotter up to 0.2.2.

2025-01-03 | CVE-2024-12237 | - | The Photo Gallery Slideshow & Masonry Tiled Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.15 via the rjg_get_youtube_info_justified_gallery_callback function. | 4.3

2025-01-03 | CVE-2024-55897 | - | IBM PowerHA SystemMirror for i 7.4 and 7.5 does not set the secure attribute on authorization tokens or session cookies. | 4.3

2025-01-03 | CVE-2024-5591 | - | IBM Jazz Foundation 7.0.2, 7.0.3, and 7.1.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. | 4.3

2025-01-03 | CVE-2024-12132 | - | The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.4 due to missing validation on a user controlled key. | 4.3

2025-01-02 | CVE-2023-45765 | Wedevs | Missing Authorization vulnerability in Wedevs WP ERP | 4.3
    Missing Authorization vulnerability in weDevs WP ERP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP ERP: from n/a through 1.12.6.

2025-01-03 | CVE-2024-41780 | - | IBM Jazz Foundation 7.0.2, 7.0.3, and 7.1.0 could allow a physical user to obtain sensitive information due to not masking passwords during entry. | 4.2

0 Low Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS