Weekly Vulnerabilities Reports > March 24 to 30, 2025

Overview

161 new vulnerabilities were reported during this period, including 18 critical and 34 high severity vulnerabilities. This weekly summary reports vulnerabilities in 8 products from 7 vendors, including Phpgurukul, Anujkumar, Yiiframework, Squirrly, and Dante Editor. The vulnerabilities are notably categorized as "Cross-site Scripting", "Injection", "Heap-based Buffer Overflow", "Path Traversal", and "Deserialization of Untrusted Data".

  • 126 reported vulnerabilities are remotely exploitable.
  • 55 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 76 reported vulnerabilities are exploitable by an anonymous user.
  • Phpgurukul has the most reported vulnerabilities, with 6 reported vulnerabilities.
  • Phpgurukul has the most reported critical vulnerabilities, with 6 reported vulnerabilities.


Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report, grouped by severity. Each row gives the publication date, the CVE identifier, the vulnerability summary as published, and the CVSS base score.

18 Critical Vulnerabilities

DATE | CVE | VULNERABILITY | CVSS
2025-03-29 | CVE-2025-2266 | The Checkout Mestres do WP for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the cwmpUpdateOptions() function in versions 8.6.5 to 8.7.5. | 9.8
2025-03-28 | CVE-2025-2294 | The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. | 9.8
2025-03-27 | CVE-2025-2332 | The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.13 via deserialization of untrusted input in the 'returnMetaValueAsCustomerInput' function. | 9.8
2025-03-26 | CVE-2024-47516 | A vulnerability was found in Pagure. | 9.8
2025-03-24 | CVE-2025-2690 | Yiiframework Deserialization of Untrusted Data vulnerability in Yiiframework YII. A vulnerability, which was classified as critical, was found in yiisoft Yii2 up to 2.0.39. | 9.8
2025-03-24 | CVE-2025-2689 | Yiiframework Deserialization of Untrusted Data vulnerability in Yiiframework YII. A vulnerability, which was classified as critical, has been found in yiisoft Yii2 up to 2.0.45. | 9.8
2025-03-24 | CVE-2025-2687 | Phpgurukul Unrestricted Upload of File with Dangerous Type vulnerability in PHPgurukul Elearning System 1.0. A vulnerability classified as critical has been found in PHPGurukul eLearning System 1.0. | 9.8
2025-03-24 | CVE-2025-2683 | Phpgurukul Injection vulnerability in PHPgurukul Bank Locker Management System 1.0. A vulnerability classified as critical was found in PHPGurukul Bank Locker Management System 1.0. | 9.8
2025-03-24 | CVE-2025-2684 | Phpgurukul Injection vulnerability in PHPgurukul Bank Locker Management System 1.0. A vulnerability, which was classified as critical, has been found in PHPGurukul Bank Locker Management System 1.0. | 9.8
2025-03-24 | CVE-2025-2681 | Phpgurukul Injection vulnerability in PHPgurukul Bank Locker Management System 1.0. A vulnerability was found in PHPGurukul Bank Locker Management System 1.0. | 9.8
2025-03-24 | CVE-2025-2682 | Phpgurukul Injection vulnerability in PHPgurukul Bank Locker Management System 1.0. A vulnerability classified as critical has been found in PHPGurukul Bank Locker Management System 1.0. | 9.8
2025-03-24 | CVE-2025-2678 | Anujkumar Injection vulnerability in Anujkumar Bank Locker Management System 1.0. A vulnerability was found in PHPGurukul Bank Locker Management System 1.0 and classified as critical. | 9.8
2025-03-24 | CVE-2025-2679 | Anujkumar Injection vulnerability in Anujkumar Bank Locker Management System 1.0. A vulnerability was found in PHPGurukul Bank Locker Management System 1.0. | 9.8
2025-03-24 | CVE-2025-2680 | Anujkumar Injection vulnerability in Anujkumar Bank Locker Management System 1.0. A vulnerability was found in PHPGurukul Bank Locker Management System 1.0. | 9.8
2025-03-24 | CVE-2025-2677 | Anujkumar Injection vulnerability in Anujkumar Bank Locker Management System 1.0. A vulnerability has been found in PHPGurukul Bank Locker Management System 1.0 and classified as critical. | 9.8
2025-03-24 | CVE-2025-2675 | Anujkumar Injection vulnerability in Anujkumar Bank Locker Management System 1.0. A vulnerability, which was classified as critical, has been found in PHPGurukul Bank Locker Management System 1.0. | 9.8
2025-03-24 | CVE-2025-2676 | Anujkumar Injection vulnerability in Anujkumar Bank Locker Management System 1.0. A vulnerability, which was classified as critical, was found in PHPGurukul Bank Locker Management System 1.0. | 9.8
2025-03-24 | CVE-2025-2674 | Phpgurukul Injection vulnerability in PHPgurukul Bank Locker Management System 1.0. A vulnerability classified as critical was found in PHPGurukul Bank Locker Management System 1.0. | 9.8
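The root cause named most often in this week's WordPress entries is a privileged handler that never asks whether the caller is allowed to run it: a "missing capability check" on an options-update or AJAX function (CVE-2025-2266 above, and CVE-2025-2815, CVE-2025-2110, CVE-2024-13801, CVE-2025-2276 and CVE-2025-2224 further down), with the Cross-Site Request Forgery entries being the same class of omission for the nonce. The PHP below is an added example written for this page, not code from any of the plugins listed; the `demo_` function names, the AJAX action names, the nonce action `demo_save_options_nonce` and the option keys are hypothetical, while the WordPress API calls are real.

```php
<?php
// Added example (not code from any plugin in this report). Illustrates the
// "missing capability check on an AJAX function" bug class and its fix.
// All demo_* names, the nonce action and the option keys are hypothetical.

// VULNERABLE: the wp_ajax_* hook fires for every logged-in user, subscribers
// included. Nothing here checks who is calling or whether the request was
// intended, so a subscriber can write arbitrary site options. Setting
// 'default_role' to 'administrator' (and 'users_can_register' to 1) and then
// registering a new account is the classic privilege-escalation path.
function demo_update_options_vulnerable() {
    $options = isset( $_POST['options'] ) ? (array) $_POST['options'] : array();
    foreach ( $options as $name => $value ) {
        update_option( sanitize_key( $name ), $value );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_update_options_vulnerable', 'demo_update_options_vulnerable' );

// HARDENED: the same endpoint with the three checks a privileged handler needs.
function demo_update_options_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this specific action.
    //    On failure check_ajax_referer() terminates the request.
    check_ajax_referer( 'demo_save_options_nonce', 'nonce' );

    // 2. Authorization: the current user must hold a capability that matches
    //    what the action does. 'manage_options' is the capability for site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Least privilege on the data: accept only an allow-list of the plugin's
    //    own keys, never arbitrary core options such as 'default_role'.
    $allowed = array( 'demo_opts_enabled', 'demo_opts_label' );
    $options = isset( $_POST['options'] ) ? (array) wp_unslash( $_POST['options'] ) : array();
    foreach ( $options as $name => $value ) {
        if ( in_array( $name, $allowed, true ) ) {
            update_option( $name, sanitize_text_field( $value ) );
        }
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_update_options_hardened', 'demo_update_options_hardened' );

// The nonce the hardened handler expects is issued to the admin page's script,
// so only a page the user actually loaded can make a valid request:
//
//   wp_localize_script( 'demo-admin', 'demoAjax', array(
//       'nonce' => wp_create_nonce( 'demo_save_options_nonce' ),
//   ) );
```

The capability check and the nonce check are independent defences: a nonce alone does not stop a subscriber who loads the page and submits the form themselves, and a capability check alone does not stop an administrator being tricked into submitting it (the CSRF entries in this report). Handlers registered on `wp_ajax_nopriv_*` are reachable without any login and need the same treatment.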

34 High Vulnerabilities

DATE | CVE | VULNERABILITY | CVSS
2025-03-29 | CVE-2025-2249 | The SoJ SoundSlides plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the soj_soundslides_options_subpanel() function in all versions up to, and including, 1.2.2. | 8.8
2025-03-28 | CVE-2025-2815 | The Administrator Z plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the adminz_import_backup() function in all versions up to, and including, 2025.03.24. | 8.8
2025-03-28 | CVE-2025-2328 | The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'dnd_remove_uploaded_files' function in all versions up to, and including, 1.3.8.7. | 8.8
2025-03-27 | CVE-2025-22783 | Squirrly SQL Injection vulnerability in Squirrly SEO Plugin BY Squirrly SEO. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SEO Squirrly SEO Plugin by Squirrly SEO allows SQL Injection. This issue affects SEO Plugin by Squirrly SEO: from n/a through 12.4.03. | 8.8
2025-03-26 | CVE-2025-2110 | The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on its AJAX functions in all versions up to, and including, 6.30.15. | 8.8
2025-03-25 | CVE-2025-2319 | The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.11.13 to 5.25.08. | 8.8
2025-03-26 | CVE-2024-13801 | The BWL Advanced FAQ Manager plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'baf_set_notice_status' AJAX action in all versions up to, and including, 2.1.4. | 8.1
2025-03-26 | CVE-2025-20229 | In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8, and Splunk Cloud Platform versions below 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, and 9.1.2312.208, a low-privileged user that does not hold the "admin" or "power" Splunk roles could perform a Remote Code Execution (RCE) through a file upload to the "$SPLUNK_HOME/var/run/splunk/apptemp" directory due to missing authorization checks. | 8.0
2025-03-25 | CVE-2025-2731 | A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. | 8.0
2025-03-25 | CVE-2025-2732 | A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. | 8.0
2025-03-25 | CVE-2025-2725 | A vulnerability classified as critical was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. | 8.0
2025-03-25 | CVE-2025-2726 | A vulnerability, which was classified as critical, has been found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. | 8.0
2025-03-25 | CVE-2025-2727 | A vulnerability, which was classified as critical, was found in H3C Magic NX30 Pro up to V100R007. | 8.0
2025-03-25 | CVE-2025-2728 | A vulnerability has been found in H3C Magic NX30 Pro and Magic NX400 up to V100R014 and classified as critical. | 8.0
2025-03-25 | CVE-2025-2729 | A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014 and classified as critical. | 8.0
2025-03-25 | CVE-2025-2730 | A vulnerability was found in H3C Magic NX15, Magic NX30 Pro, Magic NX400, Magic R3010 and Magic BE18000 up to V100R014. | 8.0
2025-03-26 | CVE-2025-1912 | The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the validate_file() Function. | 7.6
2025-03-28 | CVE-2025-2485 | The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8.7 via deserialization of untrusted input from the 'dnd_upload_cf7_upload' function. | 7.5
2025-03-29 | CVE-2025-2803 | The So-Called Air Quotes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.1. | 7.3
2025-03-27 | CVE-2025-2846 | A vulnerability classified as critical was found in SourceCodester Online Eyewear Shop 1.0. | 7.3
2025-03-26 | CVE-2025-1514 | The Active Products Tables for WooCommerce. | 7.3
2025-03-25 | CVE-2025-2737 | A vulnerability was found in PHPGurukul Old Age Home Management System 1.0. | 7.3
2025-03-25 | CVE-2025-2738 | A vulnerability was found in PHPGurukul Old Age Home Management System 1.0. | 7.3
2025-03-25 | CVE-2025-2739 | A vulnerability was found in PHPGurukul Old Age Home Management System 1.0. | 7.3
2025-03-25 | CVE-2025-2734 | A vulnerability, which was classified as critical, was found in PHPGurukul Old Age Home Management System 1.0. | 7.3
2025-03-25 | CVE-2025-2735 | A vulnerability has been found in PHPGurukul Old Age Home Management System 1.0 and classified as critical. | 7.3
2025-03-25 | CVE-2025-2736 | A vulnerability was found in PHPGurukul Old Age Home Management System 1.0 and classified as critical. | 7.3
2025-03-24 | CVE-2025-2705 | A vulnerability classified as critical has been found in Digiwin ERP 5.1. | 7.3
2025-03-26 | CVE-2024-13889 | The WordPress Importer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.8.3 via deserialization of untrusted input in the 'maybe_unserialize' function. | 7.2
2025-03-26 | CVE-2025-1913 | The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.5.0 via deserialization of untrusted input from the 'form_data' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. | 7.2
2025-03-26 | CVE-2025-2009 | The Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the logging functionality in all versions up to, and including, 4.9.9.7 due to insufficient input sanitization and output escaping. | 7.2
2025-03-26 | CVE-2025-2257 | The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.16.10 via the compression_level setting. | 7.2
2025-03-25 | CVE-2024-13690 | The WP Church Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several donation form submission parameters in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. | 7.2
2025-03-26 | CVE-2025-20231 | In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles could run a search using the permissions of a higher-privileged user that could lead to disclosure of sensitive information. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. | 7.1
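Four entries in this report (CVE-2025-2332, CVE-2025-2485, CVE-2024-13889 and CVE-2025-1913) are "PHP Object Injection via deserialization of untrusted input". The score gap between them (9.8 down to 7.2) is about who can reach the `unserialize()` call, not about the mechanism, which is the same in each case: PHP instantiates whatever class the payload names and runs its magic methods, so any loaded class with a useful `__destruct` or `__wakeup` becomes a gadget. The PHP below is an added example written for this page, not code from any of the plugins listed; the gadget class `Demo_Temp_File`, the `demo_` functions and the serialized payload are all constructed here for illustration.

```php
<?php
// Added example (not code from any plugin in this report). Shows why
// unserialize() on request data is an object-injection sink and two fixes.
// Demo_Temp_File, the demo_* functions and the payload are hypothetical.

// A class that happens to be loaded on the site (any plugin or theme will do).
// Its destructor acts on the filesystem based on a property. The attacker never
// calls this code; they only make PHP build an instance with a chosen property.
class Demo_Temp_File {
    public $path;
    public function __destruct() {
        if ( $this->path && file_exists( $this->path ) ) {
            unlink( $this->path ); // gadget: deserialization becomes file deletion
        }
    }
}

// VULNERABLE: unserialize() on attacker-controlled bytes. Checking the result
// type afterwards does not help: the object was already created, and its
// destructor runs when it goes out of scope. The constructed payload below
// would delete wp-config.php if fed to this function on a real site.
function demo_restore_settings_vulnerable( $serialized ) {
    $settings = unserialize( $serialized );
    return is_array( $settings ) ? $settings : array();
}
$payload = 'O:14:"Demo_Temp_File":1:{s:4:"path";s:22:"/var/www/wp-config.php";}';
// demo_restore_settings_vulnerable( $payload );  // illustration only, do not run

// HARDENED (a): keep the serialized format but forbid object creation (PHP 7+).
// Any object in the payload becomes __PHP_Incomplete_Class, which has no
// magic-method behaviour, so the gadget never exists.
function demo_restore_settings_hardened_a( $serialized ) {
    $settings = unserialize( $serialized, array( 'allowed_classes' => false ) );
    return is_array( $settings ) ? $settings : array();
}

// HARDENED (b): preferred when you control the producer. JSON has no
// object-instantiation semantics at all; decode to arrays and validate shape.
function demo_restore_settings_hardened_b( $json ) {
    $settings = json_decode( $json, true );
    if ( ! is_array( $settings ) ) {
        return array();
    }
    return array(
        'enabled' => ! empty( $settings['enabled'] ),
        'label'   => isset( $settings['label'] )
            ? sanitize_text_field( (string) $settings['label'] )
            : '',
    );
}
```

In WordPress code, `maybe_unserialize()` deserves the same suspicion as a bare `unserialize()`: it calls `unserialize()` on any string that looks serialized, which is exactly the path named in CVE-2024-13889. Treat every meta value, option, cookie, transient and form field that reaches it as untrusted unless the site itself wrote it and nothing else can.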

95 Medium Vulnerabilities

DATE | CVE | VULNERABILITY | CVSS
2025-03-28 | CVE-2025-2919 | A vulnerability was found in Netis WF-2404 1.1.124EN. | 6.8
2025-03-30 | CVE-2025-2958 | A vulnerability was found in TRENDnet TEW-818DRU 1.0.14.6. | 6.5
2025-03-30 | CVE-2025-2957 | A vulnerability was found in TRENDnet TEW-411BRP+ 2.07. | 6.5
2025-03-30 | CVE-2025-2956 | A vulnerability was found in TRENDnet TI-G102i 1.0.7.S0_ /1.0.8.S0_ and classified as problematic. | 6.5
2025-03-29 | CVE-2024-13557 | The Shortcodes by United Themes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.1.6. | 6.5
2025-03-28 | CVE-2024-6875 | A vulnerability was found in the Infinispan component in Red Hat Data Grid. | 6.5
2025-03-27 | CVE-2023-37405 | IBM Cloud Pak System 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.36 iFix1, 2.3.3.6 iFix2, 2.3.3.7, 2.3.3.7 iFix1, 2.3.4.0, and 2.3.4.1 stores sensitive data in memory, that could be obtained by an unauthorized user. | 6.5
2025-03-26 | CVE-2025-20228 | In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.2.2403.108, and 9.1.2312.204, a low-privileged user that does not hold the "admin" or "power" Splunk roles could change the maintenance mode state of App Key Value Store (KVStore) through a Cross-Site Request Forgery (CSRF). | 6.5
2025-03-26 | CVE-2025-1310 | The Jobs for WordPress plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.7.11 via the 'job_postings_get_file' parameter. | 6.5
2025-03-24 | CVE-2025-2686 | A vulnerability has been found in mingyuefusu tushuguanlixitong up to d4836f6b49cd0ac79a4021b15ce99ff7229d4694 and classified as critical. | 6.5
2025-03-29 | CVE-2024-11180 | The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown Timer Widget ekit_countdown_timer_title parameter in all versions up to, and including, 3.4.7 due to insufficient input sanitization and output escaping. | 6.4
2025-03-27 | CVE-2025-2685 | The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'table-name' parameter in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. | 6.4
2025-03-26 | CVE-2024-13411 | The Zapier for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.5.1 via the updated_user() function. | 6.4
2025-03-26 | CVE-2025-1312 | The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttonTextColor' parameter in all versions up to, and including, 3.2.7 due to insufficient input sanitization and output escaping. | 6.4
2025-03-26 | CVE-2025-1437 | The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2024.5 due to insufficient input sanitization and output escaping on user supplied attributes. | 6.4
2025-03-26 | CVE-2025-1439 | The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2024.5 due to insufficient input sanitization and output escaping on user supplied attributes through the 'src' attribute when the src supplied returns a header with an injected value. | 6.4
2025-03-26 | CVE-2025-1703 | The Ultimate Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'content' parameter in all versions up to, and including, 3.2.7 due to insufficient input sanitization and output escaping. | 6.4
2025-03-26 | CVE-2024-13702 | The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'vCitaMeetingScheduler' and 'vCitaSchedulingCalendar' shortcodes in all versions up to, and including, 2.7.4 due to insufficient input sanitization and output escaping on user supplied attributes. | 6.4
2025-03-26 | CVE-2025-1784 | The Spectra – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the uagb block in all versions up to, and including, 2.19.0 due to insufficient input sanitization and output escaping. | 6.4
2025-03-26 | CVE-2025-2573 | The Amazing service box Addons For WPBakery Page Builder (formerly Visual Composer) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. | 6.4
2025-03-26 | CVE-2025-2576 | The Ayyash Studio — The kick-start kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. | 6.4
2025-03-26 | CVE-2025-2302 | The Advanced Woo Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aws_search_terms shortcode in all versions up to, and including, 3.28 due to insufficient input sanitization and output escaping on user supplied attributes. | 6.4
2025-03-25 | CVE-2025-2542 | The Your Simple SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. | 6.4
2025-03-25 | CVE-2024-13731 | The Alert Box Block – Display notice/alerts in the front end. | 6.4
2025-03-25 | CVE-2024-12623 | The DICOM Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dcm' shortcode in all versions up to, and including, 0.10.6 due to insufficient input sanitization and output escaping on user supplied attributes. | 6.4
2025-03-25 | CVE-2025-0845 | The DesignThemes Core Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 4.8 due to insufficient input sanitization and output escaping on user supplied attributes. | 6.4
2025-03-28 | CVE-2025-2916 | A vulnerability, which was classified as critical, has been found in Aishida Call Center System up to 20250314. | 6.3
2025-03-27 | CVE-2024-56469 | IBM UrbanCode Deploy (UCD) 7.1 through 7.1.2.22, 7.2 through 7.2.3.15, and 7.3 through 7.3.2.10 / IBM DevOps Deploy 8.0 through 8.0.1.5 and 8.1 through 8.1.0.1 could allow unauthorized access to other services or potential exposure of sensitive data due to missing authentication in its Agent Relay service. | 6.3
2025-03-27 | CVE-2025-2847 | A vulnerability, which was classified as critical, has been found in Codezips Gym Management System 1.0. | 6.3
2025-03-25 | CVE-2025-2756 | A vulnerability classified as critical has been found in Open Asset Import Library Assimp 5.4.3. | 6.3
2025-03-25 | CVE-2025-2757 | A vulnerability classified as critical was found in Open Asset Import Library Assimp 5.4.3. | 6.3
2025-03-25 | CVE-2025-2753 | A vulnerability was found in Open Asset Import Library Assimp 5.4.3. | 6.3
2025-03-25 | CVE-2025-2754 | A vulnerability was found in Open Asset Import Library Assimp 5.4.3. | 6.3
2025-03-25 | CVE-2025-2755 | A vulnerability was found in Open Asset Import Library Assimp 5.4.3. | 6.3
2025-03-25 | CVE-2025-2750 | A vulnerability, which was classified as critical, was found in Open Asset Import Library Assimp 5.4.3. | 6.3
2025-03-25 | CVE-2025-2733 | A vulnerability classified as critical has been found in mannaandpoem OpenManus up to 2025.3.13. | 6.3
2025-03-24 | CVE-2025-2706 | A vulnerability classified as critical was found in Digiwin ERP 5.0.1. | 6.3
2025-03-24 | CVE-2025-2702 | A vulnerability, which was classified as critical, has been found in Softwin WMX3 3.1. | 6.3
2025-03-24 | CVE-2025-2701 | A vulnerability classified as critical was found in AMTT Hotel Broadband Operation System 1.0. | 6.3
2025-03-27 | CVE-2025-31176 | A flaw was found in gnuplot. | 6.2
2025-03-27 | CVE-2025-31178 | A flaw was found in gnuplot. | 6.2
2025-03-27 | CVE-2025-31179 | A flaw was found in gnuplot. | 6.2
2025-03-27 | CVE-2025-31180 | A flaw was found in gnuplot. | 6.2
2025-03-27 | CVE-2025-31181 | A flaw was found in gnuplot. | 6.2
2025-03-28 | CVE-2025-1705 | The tagDiv Composer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.3. | 6.1
2025-03-28 | CVE-2025-2804 | The tagDiv Composer plugin for WordPress, used by the Newspaper theme, is vulnerable to Reflected Cross-Site Scripting via the 'account_id' and 'account_username' parameters in all versions up to, and including, 5.3 due to insufficient input sanitization and output escaping. | 6.1
2025-03-27 | CVE-2025-2481 | The MediaView plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. | 6.1
2025-03-26 | CVE-2025-1490 | The Smart Maintenance Mode plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'setstatus' parameter in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. | 6.1
2025-03-26 | CVE-2025-2165 | The SH Email Alert plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'mid' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. | 6.1
2025-03-25 | CVE-2025-2635 | The Digital License Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg() function without appropriate escaping on the URL in all versions up to, and including, 1.7.3. | 6.1
2025-03-27 | CVE-2023-38272 | IBM Cloud Pak System 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.36 iFix1, 2.3.3.6 iFix2, 2.3.3.7, 2.3.3.7 iFix1, 2.3.4.0, and 2.3.4.1 could allow a user with access to the network to obtain sensitive information from CLI arguments. | 5.9
2025-03-25 | CVE-2024-31896 | IBM SPSS Statistics 26.0, 27.0.1, 28.0.1, and 29.0.2 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 5.9
2025-03-25 | CVE-2025-2109 | The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.30.15 via the init() function. | 5.8
2025-03-26 | CVE-2025-20226 | In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.3.2408.107, 9.2.2406.111, and 9.1.2308.214, a low-privileged user that does not hold the "admin" or "power" Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands on the "/services/streams/search" endpoint through its "q" parameter. | 5.7
2025-03-26 | CVE-2025-20232 | In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.3.2408.103, 9.2.2406.108, 9.2.2403.113, 9.1.2312.208 and 9.1.2308.212, a low-privileged user that does not hold the "admin" or "power" Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands on the "/app/search/search" endpoint through its "s" parameter. | 5.7
2025-03-26 | CVE-2025-2228 | The Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.8 via the 'register_user' function. | 5.7
2025-03-27 | CVE-2025-1998 | IBM UrbanCode Deploy (UCD) through 7.1.2.21, 7.2 through 7.2.3.14, and 7.3 through 7.3.2.0 / IBM DevOps Deploy 8.0 through 8.0.1.4 and 8.1 through 8.1 stores potentially sensitive authentication token information in log files that could be read by a local user. | 5.5
2025-03-25 | CVE-2025-2510 | The Frndzk Expandable Bottom Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'text' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. | 5.5
2025-03-27 | CVE-2025-1997 | IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.25, 7.1 through 7.1.2.21, 7.2 through 7.2.3.14, and 7.3 through 7.3.2.0 / IBM DevOps Deploy 8.0 through 8.0.1.4 and 8.1 through 8.1 could allow unauthorized access to other services or potential exposure of sensitive data due to missing authentication in its Agent Relay service. | 5.4
2025-03-26 | CVE-2025-2167 | The Event post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'events_list' shortcodes in all versions up to, and including, 5.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. | 5.4
2025-03-25 | CVE-2025-2744 | A vulnerability, which was classified as critical, was found in zhijiantianya ruoyi-vue-pro 2.4.1. | 5.4
2025-03-24 | CVE-2025-2708 | A vulnerability, which was classified as critical, was found in zhijiantianya ruoyi-vue-pro 2.4.1. | 5.4
2025-03-24 | CVE-2025-2707 | A vulnerability, which was classified as critical, has been found in zhijiantianya ruoyi-vue-pro 2.4.1. | 5.4
2025-03-24 | CVE-2025-2700 | Dante Editor Code Injection vulnerability in Dante-Editor Dante3. A vulnerability classified as problematic has been found in michelson Dante Editor up to 0.4.4. | 5.4
2025-03-24 | CVE-2025-2699 | Getcontenttools Code Injection vulnerability in Getcontenttools Contenttools. A vulnerability was found in GetmeUK ContentTools up to 1.6.16. | 5.4
2025-03-24 | CVE-2025-2673 | Fabianros Code Injection vulnerability in Fabianros Employees Payroll Management System 1.0. A vulnerability classified as problematic has been found in code-projects Payroll Management System 1.0. | 5.4
2025-03-30 | CVE-2025-2955 | A vulnerability has been found in TOTOLINK A3000RU up to 5.9c.5185 and classified as problematic. | 5.3
2025-03-29 | CVE-2025-2840 | The DAP to Autoresponders Email Syncing plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0 through the publicly accessible phpinfo.php script. | 5.3
2025-03-29 | CVE-2024-43186 | IBM InfoSphere Information Server 11.7 could allow an authenticated user to obtain sensitive information that is stored locally under certain conditions. | 5.3
2025-03-28 | CVE-2025-2074 | The Advanced Google reCAPTCHA plugin for WordPress is vulnerable to generic SQL Injection via the 'sSearch' parameter in all versions up to, and including, 1.29 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. | 5.3
2025-03-28 | CVE-2025-2578 | The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.2.19 via the 'wpAmeliaApiCall' function. | 5.3
2025-03-26 | CVE-2025-1440 | The Advanced iFrame plugin for WordPress is vulnerable to unauthorized excessive creation of options on the aip_map_url_callback() function in all versions up to, and including, 2024.5 due to insufficient restrictions. | 5.3
2025-03-25 | CVE-2025-2252 | The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.6.1 via the edd_ajax_get_download_title() function. | 5.3
2025-03-25 | CVE-2025-2224 | The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'parse_query' function in all versions up to, and including, 8.2. | 5.3
2025-03-25 | CVE-2025-2722 | A vulnerability was found in GNOME libgsf up to 1.14.53. | 5.3
2025-03-25 | CVE-2025-2723 | A vulnerability was found in GNOME libgsf up to 1.14.53. | 5.3
2025-03-25 | CVE-2025-2721 | A vulnerability was found in GNOME libgsf up to 1.14.53. | 5.3
2025-03-26 | CVE-2025-1769 | The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.5.0 via the download_file() function. | 4.9
2025-03-25 | CVE-2025-2559 | A flaw was found in Keycloak. | 4.9
2025-03-27 | CVE-2025-2855 | A vulnerability, which was classified as problematic, has been found in elunez eladmin up to 2.7. | 4.7
2025-03-26 | CVE-2022-39163 | IBM Cognos Controller 11.0.0 through 11.1.0 is vulnerable to a Client-Side Desync (CSD) attack where an attacker could exploit a desynchronized browser connection that could lead to further cross-site scripting (XSS) attacks. | 4.7
2025-03-28 | CVE-2025-2901 | A flaw was found in the JBoss EAP Management Console, where a stored Cross-site scripting vulnerability occurs when an application improperly sanitizes user input before storing it in a data store. | 4.6
2025-03-28 | CVE-2025-0986 | IBM PowerVM Hypervisor FW1050.00 through FW1050.30 and FW1060.00 through FW1060.20 could allow a local user, under certain Linux processor compatibility mode configurations, to cause undetected data loss or errors when performing gzip compression using HW acceleration. | 4.5
2025-03-29 | CVE-2024-7577 | IBM InfoSphere Information Server 11.7 could disclose sensitive user credentials from log files during new installation of the product. | 4.4
2025-03-30 | CVE-2025-2961 | A vulnerability classified as problematic was found in opensolon up to 3.1.0. | 4.3
2025-03-29 | CVE-2024-51477 | IBM InfoSphere Information Server 11.7 could allow an authenticated user to obtain sensitive username information due to an observable response discrepancy. | 4.3
2025-03-28 | CVE-2025-2917 | A vulnerability, which was classified as problematic, was found in ChestnutCMS up to 1.5.3. | 4.3
2025-03-26 | CVE-2025-20230 | In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles could edit and delete other user data in App Key Value Store (KVStore) collections that the Splunk Secure Gateway app created. | 4.3
2025-03-26 | CVE-2025-20227 | In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and Splunk Cloud Platform versions below 9.3.2408.107, 9.2.2406.112, 9.2.2403.115, 9.1.2312.208 and 9.1.2308.214, a low-privileged user that does not hold the "admin" or "power" Splunk roles could bypass the external content warning modal dialog box in Dashboard Studio dashboards which could lead to an information disclosure. | 4.3
2025-03-26 | CVE-2025-2276 | The Ultimate Dashboard – Custom WordPress Dashboard plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_module_actions function in all versions up to, and including, 3.8.7. | 4.3
2025-03-25 | CVE-2024-13710 | The Estatebud – Properties & Listings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.5.0. | 4.3
2025-03-25 | CVE-2025-2751 | A vulnerability has been found in Open Asset Import Library Assimp 5.4.3 and classified as problematic. | 4.3
2025-03-25 | CVE-2025-2752 | A vulnerability was found in Open Asset Import Library Assimp 5.4.3 and classified as problematic. | 4.3
2025-03-25 | CVE-2025-1320 | The teachPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.0.9. | 4.3
2025-03-24 | CVE-2025-2688 | A vulnerability classified as problematic was found in TOTOLINK A3000RU up to 5.9c.5185. | 4.3
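The largest single group in the medium table is "Stored Cross-Site Scripting via the plugin's ... shortcode ... due to insufficient input sanitization and output escaping on user supplied attributes" (CVE-2025-1437, CVE-2024-13702, CVE-2025-2302, CVE-2024-12623, CVE-2025-0845, CVE-2025-2167). The reason these are stored rather than reflected, and the reason they score 6.4 with only Contributor-level access required, is that shortcode attributes are post content: anyone allowed to write a post can save one, and it executes for every reader, including the administrator who reviews the draft. The PHP below is an added example written for this page, not code from any of the plugins listed; the shortcode name `demo_box` and its attributes are hypothetical, while `shortcode_atts`, `esc_attr`, `esc_url` and `esc_html` are the real WordPress functions.

```php
<?php
// Added example (not code from any plugin in this report). Shows the shortcode
// attribute stored-XSS pattern and per-context output escaping that fixes it.
// The demo_box shortcode and its attributes are hypothetical.

// VULNERABLE: attributes are interpolated into markup verbatim. A contributor
// saves, for example (constructed input):
//   [demo_box_vulnerable title='x" onmouseover="alert(1)' url="javascript:alert(1)"]
// and the handler fires for every editor or admin who views the post.
function demo_box_shortcode_vulnerable( $atts ) {
    $a = shortcode_atts( array( 'title' => '', 'url' => '', 'class' => '' ), $atts );
    return '<div class="' . $a['class'] . '">'
         . '<a href="' . $a['url'] . '" title="' . $a['title'] . '">' . $a['title'] . '</a>'
         . '</div>';
}
add_shortcode( 'demo_box_vulnerable', 'demo_box_shortcode_vulnerable' );

// HARDENED: one escaping function per output context, chosen by where the
// value lands, not by what it is "supposed" to contain:
//   esc_attr()  attribute values   (cannot close the quote and add a handler)
//   esc_url()   href / src         (drops javascript: and other bad schemes)
//   esc_html()  text between tags  (cannot open a new element)
// Values used as code-like tokens (a class name) are checked against an
// allow-list instead, because escaping does not make an arbitrary class safe.
function demo_box_shortcode_hardened( $atts ) {
    $a = shortcode_atts( array( 'title' => '', 'url' => '', 'class' => 'default' ), $atts );
    $allowed_classes = array( 'default', 'info', 'warning' );
    $class = in_array( $a['class'], $allowed_classes, true ) ? $a['class'] : 'default';
    return '<div class="' . esc_attr( $class ) . '">'
         . '<a href="' . esc_url( $a['url'] ) . '" title="' . esc_attr( $a['title'] ) . '">'
         . esc_html( $a['title'] )
         . '</a></div>';
}
add_shortcode( 'demo_box_hardened', 'demo_box_shortcode_hardened' );

// What the hardened version emits for the constructed attack attributes above:
//   title = x" onmouseover="alert(1)
//     esc_attr() -> x&quot; onmouseover=&quot;alert(1)   (stays inside the quotes)
//   url   = javascript:alert(1)
//     esc_url()  -> (empty string)                        (disallowed scheme rejected)
```

Escaping on output is the fix because the same attribute may legitimately be stored with quotes or angle brackets; sanitizing on save (for example with `wp_kses_post()`) is a useful second layer but does not know which HTML context the value will later be printed into. The SVG upload entries in the same table (CVE-2025-2573, CVE-2025-2576, CVE-2025-2542) are a different sink, script inside an uploaded file served as an image, and need an SVG sanitizer or a block on the upload, not output escaping.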

14 Low Vulnerabilities

DATE | CVE | VULNERABILITY | CVSS
2025-03-28 | CVE-2025-2924 | A vulnerability, which was classified as problematic, was found in HDF5 up to 1.14.6. | 3.3
2025-03-28 | CVE-2025-2923 | A vulnerability, which was classified as problematic, has been found in HDF5 up to 1.14.6. | 3.3
2025-03-28 | CVE-2025-2913 | A vulnerability was found in HDF5 up to 1.14.6. | 3.3
2025-03-28 | CVE-2025-2914 | A vulnerability classified as problematic has been found in HDF5 up to 1.14.6. | 3.3
2025-03-28 | CVE-2025-2912 | A vulnerability was found in HDF5 up to 1.14.6. | 3.3
2025-03-27 | CVE-2025-2849 | A vulnerability, which was classified as problematic, was found in UPX up to 5.0.0. | 3.3
2025-03-25 | CVE-2025-2724 | A vulnerability classified as problematic has been found in GNOME libgsf up to 1.14.53. | 3.3
2025-03-25 | CVE-2025-2720 | A vulnerability was found in GNOME libgsf up to 1.14.53 and classified as problematic. | 3.3
2025-03-29 | CVE-2024-55895 | IBM InfoSphere Information Server 11.7 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. | 2.7
2025-03-26 | CVE-2025-1911 | The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.5.0. | 2.7
2025-03-26 | CVE-2025-20233 | In the Splunk App for Lookup File Editing versions below 4.0.5, a script in the app used the `chmod` and `makedirs` Python functions in a way that resulted in overly broad read and execute permissions. | 2.5
2025-03-27 | CVE-2025-2878 | A vulnerability was found in Kentico CMS up to 13.0.178. | 2.4
2025-03-28 | CVE-2025-2922 | A vulnerability classified as problematic was found in Netis WF-2404 1.1.124EN. | 2.0
2025-03-28 | CVE-2025-2920 | A vulnerability was found in Netis WF-2404 1.1.124EN. | 2.0
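"Insufficient file path validation" appears at every severity level in this report: arbitrary file deletion at 8.8 (CVE-2025-2328) and at 2.7 (CVE-2025-1911), and Directory Traversal at 6.5 (CVE-2025-1310) and 4.9 (CVE-2025-1769). What varies is who can reach the function and whether it reads or deletes; the underlying defect is the same, a file name from the request joined onto a base directory with no check that the result still lies inside it. The PHP below is an added example written for this page, not code from any of the plugins listed; the `demo_` functions and the `demo-plugin` subdirectory are hypothetical, and the base directory is taken from the real `wp_upload_dir()`.

```php
<?php
// Added example (not code from any plugin in this report). Shows a traversable
// file-deletion endpoint and a canonical-path containment check that fixes it.
// The demo_* functions and the demo-plugin directory are hypothetical.

// VULNERABLE: "../" walks out of the intended directory. With
// file=../../wp-config.php the endpoint deletes the site configuration, which
// takes the site offline and exposes the installer on the next request.
function demo_delete_upload_vulnerable( $file ) {
    $dir = wp_upload_dir()['basedir'] . '/demo-plugin/';
    return unlink( $dir . $file );
}

// HARDENED: canonicalise both the base and the candidate with realpath() and
// require the candidate to be a regular file whose canonical path begins with
// the canonical base. This catches "..", "./", double slashes and symlinks
// pointing outside the directory, none of which a substring test for ".."
// reliably does. basename() alone is not enough where subdirectories are legitimate.
function demo_safe_path_in_dir( $base_dir, $untrusted_name ) {
    $base = realpath( $base_dir );
    if ( false === $base ) {
        return false;
    }
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;

    // An embedded NUL would make realpath() throw on PHP 8 and truncate the
    // path on older C-level APIs; reject it before touching the filesystem.
    if ( '' === $untrusted_name || false !== strpos( $untrusted_name, "\0" ) ) {
        return false;
    }

    $candidate = realpath( $base . $untrusted_name );
    if ( false === $candidate || ! is_file( $candidate ) ) {
        return false;
    }
    // The canonical target must be strictly inside the canonical base.
    if ( 0 !== strncmp( $candidate, $base, strlen( $base ) ) ) {
        return false;
    }
    return $candidate;
}

function demo_delete_upload_hardened( $file ) {
    // Authorization first, then path safety: both were missing in the
    // vulnerable version, and each is needed on its own.
    if ( ! current_user_can( 'upload_files' ) ) {
        return false;
    }
    $target = demo_safe_path_in_dir( wp_upload_dir()['basedir'] . '/demo-plugin', $file );
    return $target ? unlink( $target ) : false;
}

// Behaviour on constructed inputs, with the base resolving to
// /var/www/html/wp-content/uploads/demo-plugin:
//   'report.csv'              -> .../uploads/demo-plugin/report.csv  (inside base)
//   '../../../wp-config.php'  -> false   (canonical path is outside the base)
//   'sub/../../secret.txt'    -> false   (normalises to uploads/secret.txt, outside)
//   'link-to-etc-passwd'      -> false   (symlink resolves outside the base)
//   'missing.csv'             -> false   (realpath() returns false for nonexistent files)
```

The same containment helper serves a download endpoint such as the one named in CVE-2025-1769: resolve, check containment, then `readfile()` the returned canonical path and never the raw request value. Note that `realpath()` requires the file to exist, so for a "create" or "write" operation the check must be applied to the parent directory and the final name segment validated separately.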