Weekly Vulnerabilities Reports > April 21 to 27, 2025

Overview

178 new vulnerabilities were reported during this period, including 28 critical vulnerabilities and 61 high severity vulnerabilities. This weekly summary reports vulnerabilities in 59 products from 54 vendors including ZTE, Phpgurukul, Withstars, Totolink, and Osrg. Vulnerabilities are notably categorized as "Cross-site Scripting", "Missing Authorization", "Injection", "SQL Injection", and "Cross-Site Request Forgery (CSRF)".

  • 162 reported vulnerabilities are remotely exploitable.
  • 70 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 92 reported vulnerabilities are exploitable by an anonymous user.
  • ZTE has the most reported vulnerabilities, with 7 reported vulnerabilities.
  • Phpgurukul has the most reported critical vulnerabilities, with 5 reported vulnerabilities.


Vulnerability Details

The following table lists reported vulnerabilities for the period covered by this report:

28 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2025-04-25 CVE-2025-32432 Craftcms Unspecified vulnerability in Craftcms Craft CMS

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond.

10.0
2025-04-22 CVE-2025-34028 Commvault Missing Authentication for Critical Function vulnerability in Commvault

The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages that, when expanded by the target server, are vulnerable to path traversal vulnerability that can result in Remote Code Execution via malicious JSP. This issue affects Command Center Innovation Release: 11.38.

10.0
2025-04-27 CVE-2025-2866 Libreoffice Improper Verification of Cryptographic Signature vulnerability in Libreoffice

Improper Verification of Cryptographic Signature vulnerability in LibreOffice allows PDF Signature Spoofing by Improper Validation. In the affected versions of LibreOffice a flaw in the verification code for adbe.pkcs7.sha1 signatures could cause invalid signatures to be accepted as valid. This issue affects LibreOffice: from 24.8 before < 24.8.6, from 25.2 before < 25.2.2.

9.8
2025-04-27 CVE-2025-3976 Phpgurukul Injection vulnerability in PHPgurukul Covid19 Testing Management System 1.0

A vulnerability was found in PHPGurukul COVID19 Testing Management System 1.0.

9.8
2025-04-27 CVE-2025-3973 Phpgurukul Injection vulnerability in PHPgurukul Covid19 Testing Management System 1.0

A vulnerability, which was classified as critical, was found in PHPGurukul COVID19 Testing Management System 1.0.

9.8
2025-04-27 CVE-2025-3974 Phpgurukul Injection vulnerability in PHPgurukul Covid19 Testing Management System 1.0

A vulnerability has been found in PHPGurukul COVID19 Testing Management System 1.0 and classified as critical.

9.8
2025-04-27 CVE-2025-3971 Phpgurukul Injection vulnerability in PHPgurukul Covid19 Testing Management System 1.0

A vulnerability classified as critical was found in PHPGurukul COVID19 Testing Management System 1.0.

9.8
2025-04-27 CVE-2025-3972 Phpgurukul Injection vulnerability in PHPgurukul Covid19 Testing Management System 1.0

A vulnerability, which was classified as critical, has been found in PHPGurukul COVID19 Testing Management System 1.0.

9.8
2025-04-27 CVE-2025-3969 Code Projects Unrestricted Upload of File with Dangerous Type vulnerability in Code-Projects News Publishing Site Dashboard 1.0

A vulnerability was found in codeprojects News Publishing Site Dashboard 1.0.

9.8
2025-04-27 CVE-2025-3963 Withstars Missing Authorization vulnerability in Withstars Books-Management-System 1.0

A vulnerability, which was classified as critical, has been found in withstars Books-Management-System 1.0.

9.8
2025-04-27 CVE-2025-3960 Withstars Missing Authorization vulnerability in Withstars Books-Management-System 1.0

A vulnerability was found in withstars Books-Management-System 1.0.

9.8
2025-04-27 CVE-2025-3956 Xxyopen Injection vulnerability in Xxyopen Novel-Cloud 1.4.0

A vulnerability has been found in 201206030 novel-cloud 1.4.0 and classified as critical.

9.8
2025-04-27 CVE-2025-3957 Opplus SQL Injection vulnerability in Opplus Springboot-Admin 1.0

A vulnerability was found in opplus springboot-admin 1.0 and classified as critical.

9.8
2025-04-25 CVE-2025-2470 The Service Finder Bookings plugin for WordPress, used by the Service Finder - Directory and Job Board WordPress Theme, is vulnerable to privilege escalation in all versions up to, and including, 5.1.
9.8
2025-04-24 CVE-2025-31324 SAP Unspecified vulnerability in SAP Netweaver 7.50

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system.

9.8
2025-04-24 CVE-2025-3603 The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0.
9.8
2025-04-24 CVE-2025-3604 The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0.
9.8
2025-04-23 CVE-2025-32969 Xwiki SQL Injection vulnerability in Xwiki

XWiki is a generic wiki platform.

9.8
2025-04-22 CVE-2025-3472 Oceanwp Code Injection vulnerability in Oceanwp Ocean Extra

The Ocean Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.4.6.

9.8
2025-04-22 CVE-2025-46244 Multidots Missing Authorization vulnerability in Multidots Advanced Linked Variations for Woocommerce

Missing Authorization vulnerability in Dotstore Advanced Linked Variations for Woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.

9.8
2025-04-22 CVE-2025-46247 Codepeople Missing Authorization vulnerability in Codepeople Appointment Booking Calendar

Missing Authorization vulnerability in codepeople Appointment Booking Calendar allows Accessing Functionality Not Properly Constrained by ACLs.

9.8
2025-04-21 CVE-2025-43973 Osrg Off-by-one Error vulnerability in Osrg Gobgp

An issue was discovered in GoBGP before 3.35.0.

9.8
2025-04-21 CVE-2025-43964 Libraw Improper Validation of Specified Quantity in Input vulnerability in Libraw

In LibRaw before 0.21.4, tag 0x412 processing in phase_one_correct in decoders/load_mfbacks.cpp does not enforce minimum w0 and w1 values.

9.8
2025-04-22 CVE-2025-1950 IBM Hardware Management Console - Power Systems V10.2.1030.0 and V10.3.1050.0 could allow a local user to execute commands locally due to improper validation of libraries of an untrusted source.
9.3
2025-04-24 CVE-2025-3065 The Database Toolset plugin is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 1.8.4.
9.1
2025-04-21 CVE-2025-43961 Libraw Out-of-bounds Read vulnerability in Libraw

In LibRaw before 0.21.4, metadata/tiff.cpp has an out-of-bounds read in the Fujifilm 0xf00c tag parser.

9.1
2025-04-21 CVE-2025-43962 Libraw Out-of-bounds Read vulnerability in Libraw

In LibRaw before 0.21.4, phase_one_correct in decoders/load_mfbacks.cpp has out-of-bounds reads for tag 0x412 processing, related to large w0 or w1 values or the frac and mult calculations.

9.1
2025-04-21 CVE-2025-43963 Libraw Out-of-bounds Read vulnerability in Libraw

In LibRaw before 0.21.4, phase_one_correct in decoders/load_mfbacks.cpp allows out-of-buffer access because split_col and split_row values are not checked in 0x041f tag processing.

9.1

61 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2025-04-27 CVE-2025-3989 Totolink Classic Buffer Overflow vulnerability in Totolink N150Rt Firmware 3.4.0B20190525

A vulnerability classified as critical was found in TOTOLINK N150RT 3.4.0-B20190525.

8.8
2025-04-27 CVE-2025-3990 Totolink Classic Buffer Overflow vulnerability in Totolink N150Rt Firmware 3.4.0B20190525

A vulnerability, which was classified as critical, has been found in TOTOLINK N150RT 3.4.0-B20190525.

8.8
2025-04-27 CVE-2025-3987 Totolink Injection vulnerability in Totolink N150Rt Firmware 3.4.0B20190525

A vulnerability was found in TOTOLINK N150RT 3.4.0-B20190525.

8.8
2025-04-27 CVE-2025-3988 Totolink Classic Buffer Overflow vulnerability in Totolink N150Rt Firmware 3.4.0B20190525

A vulnerability classified as critical has been found in TOTOLINK N150RT 3.4.0-B20190525.

8.8
2025-04-27 CVE-2025-46690 Ververica Forced Browsing vulnerability in Ververica Platform 2.14.0

Ververica Platform 2.14.0 allows low-privileged users to access SQL connectors via a direct namespaces/default/formats request.

8.8
2025-04-27 CVE-2025-3982 Nortikin Unspecified vulnerability in Nortikin Sverchok 1.3.0

A vulnerability, which was classified as problematic, was found in nortikin Sverchok 1.3.0.

8.8
2025-04-27 CVE-2025-3968 Code Projects SQL Injection vulnerability in Code-Projects News Publishing Site Dashboard 1.0

A vulnerability was found in codeprojects News Publishing Site Dashboard 1.0.

8.8
2025-04-26 CVE-2025-3906 The Integração entre Eduzz e Woocommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wep_opcoes' function in all versions up to, and including, 1.7.5.
8.8
2025-04-26 CVE-2025-3914 Aeropage Unrestricted Upload of File with Dangerous Type vulnerability in Aeropage Sync for Airtable

The Aeropage Sync for Airtable plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aeropage_media_downloader' function in all versions up to, and including, 3.2.0.

8.8
2025-04-26 CVE-2024-13808 Wpxpro Code Injection vulnerability in Wpxpro Xpro Addons for Elementor

The Xpro Elementor Addons - Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.4.9 via the custom PHP widget.

8.8
2025-04-25 CVE-2025-3928 Commvault Unspecified vulnerability in Commvault

Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker.

8.8
2025-04-25 CVE-2025-1279 The BM Content Builder plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ux_cb_tools_import_item_ajax AJAX action in all versions up to, and including, 3.16.2.1.
8.8
2025-04-25 CVE-2025-2238 The Vikinger theme for WordPress is vulnerable to privilege in all versions up to, and including, 1.9.30.
8.8
2025-04-24 CVE-2025-3058 The Xelion Webchat plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the xwc_save_settings() function in all versions up to, and including, 9.1.0.
8.8
2025-04-24 CVE-2025-3101 The Configurator Theme Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.4.7.
8.8
2025-04-24 CVE-2025-3607 The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.7.
8.8
2025-04-24 CVE-2025-3761 The My Tickets – Accessible Event Ticketing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.0.16.
8.8
2025-04-23 CVE-2025-32968 Xwiki SQL Injection vulnerability in Xwiki

XWiki is a generic wiki platform.

8.8
2025-04-22 CVE-2025-46231 Servit Cross-Site Request Forgery (CSRF) vulnerability in Servit Affiliate-Toolkit

Cross-Site Request Forgery (CSRF) vulnerability in SERVIT Software Solutions affiliate-toolkit allows Cross Site Request Forgery.

8.8
2025-04-22 CVE-2025-46232 Alttext Missing Authorization vulnerability in Alttext ALT Text AI

Missing Authorization vulnerability in alttextai Download Alt Text AI allows Exploiting Incorrectly Configured Access Control Security Levels.

8.8
2025-04-22 CVE-2025-46241 Codepeople Cross-Site Request Forgery (CSRF) vulnerability in Codepeople Appointment Booking Calendar

Cross-Site Request Forgery (CSRF) vulnerability in codepeople Appointment Booking Calendar allows SQL Injection.

8.8
2025-04-22 CVE-2025-46243 Sktthemes Cross-Site Request Forgery (CSRF) vulnerability in Sktthemes Recover Abandoned Cart for Woocommerce

Cross-Site Request Forgery (CSRF) vulnerability in sonalsinha21 Recover abandoned cart for WooCommerce allows Cross Site Request Forgery.

8.8
2025-04-22 CVE-2025-46245 Cminds Cross-Site Request Forgery (CSRF) vulnerability in Cminds CM AD Changer

Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM Ad Changer allows Cross Site Request Forgery.

8.8
2025-04-22 CVE-2025-46246 Cminds Cross-Site Request Forgery (CSRF) vulnerability in Cminds CM Answers

Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM Answers allows Cross Site Request Forgery.

8.8
2025-04-22 CVE-2025-46249 Migaweb Cross-Site Request Forgery (CSRF) vulnerability in Migaweb Simple Calendar for Elementor

Cross-Site Request Forgery (CSRF) vulnerability in Michael Simple calendar for Elementor allows Cross Site Request Forgery.

8.8
2025-04-22 CVE-2025-46251 E4Jconnect Cross-Site Request Forgery (CSRF) vulnerability in E4Jconnect Vikrestaurants Table Reservations and Take-Away

Cross-Site Request Forgery (CSRF) vulnerability in e4jvikwp VikRestaurants Table Reservations and Take-Away allows Cross Site Request Forgery.

8.8
2025-04-22 CVE-2025-3616 The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the gspb_make_proxy_api_request() function in versions 11.4 to 11.4.5.
8.8
2025-04-22 CVE-2025-1951 IBM Hardware Management Console - Power Systems V10.2.1030.0 and V10.3.1050.0 could allow a local user to execute commands as a privileged user due to execution of commands with unnecessary privileges.
8.4
2025-04-24 CVE-2025-3776 The Verification SMS with TargetSMS plugin for WordPress is vulnerable to limited Remote Code Execution in all versions up to, and including, 1.5 via the 'targetvr_ajax_handler' function.
8.3
2025-04-23 CVE-2025-3529 The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.1.2 via the 'file_url' parameter.
8.2
2025-04-27 CVE-2025-3886 Catonetworks Race Condition vulnerability in Catonetworks Cato Client 5.4.0

An issue in CatoNetworks CatoClient before v.5.8.0 allows attackers to escalate privileges and achieve a race condition (TOCTOU) via the PrivilegedHelperTool component.

8.1
2025-04-26 CVE-2025-2101 The Edumall theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.2.4 via the 'template' parameter of the 'edumall_lazy_load_template' AJAX action.
8.1
2025-04-26 CVE-2025-2105 Artbees Deserialization of Untrusted Data vulnerability in Artbees Jupiter X Core

The Jupiter X Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.8.11 via deserialization of untrusted input from the 'file' parameter of the 'raven_download_file' function.

8.1
2025-04-25 CVE-2024-11917 The JobSearch WP Job Board plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.8.8.
8.1
2025-04-24 CVE-2021-47663 Due to improper JSON Web Tokens implementation an unauthenticated remote attacker can guess a valid session ID and therefore impersonate a user to gain full access.
8.1
2025-04-26 CVE-2025-2851 A vulnerability classified as critical has been found in GL.iNet GL-A1300 Slate Plus, GL-AR300M16 Shadow, GL-AR300M Shadow, GL-AR750 Creta, GL-AR750S-EXT Slate, GL-AX1800 Flint, GL-AXT1800 Slate AX, GL-B1300 Convexa-B, GL-B3000 Marble, GL-BE3600 Slate 7, GL-E750, GL-E750V2 Mudi, GL-MT300N-V2 Mango, GL-MT1300 Beryl, GL-MT2500 Brume 2, GL-MT3000 Beryl AX, GL-MT6000 Flint 2, GL-SFT1200 Opal, GL-X300B Collie, GL-X750 Spitz, GL-X3000 Spitz AX, GL-XE300 Puli and GL-XE3000 Puli AX 4.x.
8.0
2025-04-22 CVE-2025-3854 A vulnerability, which was classified as critical, was found in H3C GR-3000AX up to V100R006.
8.0
2025-04-27 CVE-2025-46579 ZTE Code Injection vulnerability in ZTE Zxcloud Goldendb 7.2.01.01

There is a DDE injection vulnerability in the GoldenDB database product.

7.8
2025-04-27 CVE-2025-3978 Lecms Unspecified vulnerability in Lecms 3.0.3

A vulnerability was found in dazhouda lecms 3.0.3.

7.5
2025-04-27 CVE-2025-46580 ZTE Unspecified vulnerability in ZTE Zxcloud Goldendb

There is a code-related vulnerability in the GoldenDB database product.

7.5
2025-04-27 CVE-2025-46575 ZTE Information Exposure Through an Error Message vulnerability in ZTE Zxcloud Goldendb 6.1.03.09/6.1.03.10/7.2.01.01

There is an information disclosure vulnerability in the GoldenDB database product.

7.5
2025-04-27 CVE-2025-46577 ZTE SQL Injection vulnerability in ZTE Zxcloud Goldendb 7.2.01.01

There is a SQL injection vulnerability in the GoldenDB database product.

7.5
2025-04-27 CVE-2025-46578 ZTE SQL Injection vulnerability in ZTE Zxcloud Goldendb 7.2.01.01

There are SQL injection vulnerabilities in multiple interfaces of the GoldenDB database product.

7.5
2025-04-27 CVE-2025-3955 Code Projects SQL Injection vulnerability in Code-Projects Patient Record Management System 1.0

A vulnerability, which was classified as critical, was found in codeprojects Patient Record Management System 1.0.

7.5
2025-04-25 CVE-2025-1565 The Mayosis Core plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.4.1 via the library/wave-audio/peaks/remote_dl.php file.
7.5
2025-04-24 CVE-2021-47662 Due to missing authorization an unauthenticated remote attacker can cause a DoS attack by connecting via HTTPS and triggering the shutdown button.
7.5
2025-04-23 CVE-2025-3530 The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to product price manipulation in all versions up to, and including, 5.1.2.
7.5
2025-04-22 CVE-2024-11299 Caseproof Information Exposure vulnerability in Caseproof Memberpress

The Memberpress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.11.37 via the WordPress core search feature.

7.5
2025-04-21 CVE-2025-43971 Osrg Off-by-one Error vulnerability in Osrg Gobgp

An issue was discovered in GoBGP before 3.35.0.

7.5
2025-04-21 CVE-2025-43972 Osrg Improper Validation of Specified Quantity in Input vulnerability in Osrg Gobgp

An issue was discovered in GoBGP before 3.35.0.

7.5
2025-04-21 CVE-2025-43966 Struktur NULL Pointer Dereference vulnerability in Struktur Libheif

libheif before 1.19.6 has a NULL pointer dereference in ImageItem_iden in image-items/iden.cc.

7.5
2025-04-21 CVE-2025-43967 Struktur NULL Pointer Dereference vulnerability in Struktur Libheif

libheif before 1.19.6 has a NULL pointer dereference in ImageItem_Grid::get_decoder in image-items/grid.cc because a grid image can reference a nonexistent image item.

7.5
2025-04-26 CVE-2025-2801 The The Create custom forms for WordPress with a smart form plugin for smart businesses plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.4.
7.3
2025-04-21 CVE-2025-3846 A vulnerability was found in markparticle WebServer up to 1.0.
7.3
2025-04-21 CVE-2025-3847 A vulnerability classified as critical has been found in markparticle WebServer up to 1.0.
7.3
2025-04-21 CVE-2025-3845 A vulnerability was found in markparticle WebServer up to 1.0.
7.3
2025-04-27 CVE-2025-3983 Amttgroup Injection vulnerability in Amttgroup Hotel Broadband Operating System 1.0

A vulnerability has been found in AMTT Hotel Broadband Operation System 1.0 and classified as critical.

7.2
2025-04-26 CVE-2025-3491 The Add custom page template plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'acpt_validate_setting' function.
7.2
2025-04-24 CVE-2025-1294 The eForm - WordPress Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.18.0 due to insufficient input sanitization and output escaping.
7.2
2025-04-24 CVE-2025-3300 The WPMasterToolKit (WPMTK) – All in one plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.5.2.
7.2
2025-04-22 CVE-2025-46252 Kofimokome SQL Injection vulnerability in Kofimokome Message Filter for Contact Form 7

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kofimokome Message Filter for Contact Form 7 allows SQL Injection.

7.2

83 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2025-04-24 CVE-2025-1976 Broadcom OS Command Injection vulnerability in Broadcom Fabric Operating System

Brocade Fabric OS versions starting with 9.1.0 have root access removed, however, a local user with admin privilege can potentially execute arbitrary code with full root privileges on Fabric OS versions 9.1.0 through 9.1.1d6.

6.7
2025-04-22 CVE-2025-1732 An improper privilege management vulnerability in the recovery function of the USG FLEX H series uOS firmware version V1.31 and earlier could allow an authenticated local attacker with administrator privileges to upload a crafted configuration file and escalate privileges on a vulnerable device.
6.7
2025-04-27 CVE-2025-3979 Lecms Cross-Site Request Forgery (CSRF) vulnerability in Lecms 3.0.3

A vulnerability classified as problematic has been found in dazhouda lecms 3.0.3.

6.5
2025-04-27 CVE-2025-46576 ZTE Unspecified vulnerability in ZTE Zxcloud Goldendb 6.1.03.09/6.1.03.10/7.2.01.01

There is a Permission Management and Access Control vulnerability in the GoldenDB database product.

6.5
2025-04-26 CVE-2024-13812 The The Anps Theme plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.1.1.
6.5
2025-04-25 CVE-2025-3775 The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.2 via the woolentor_template_proxy function.
6.5
2025-04-24 CVE-2025-3280 The ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes plugin for WordPress is vulnerable to SQL Injection via the 'attribute_value_filter' parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.
6.5
2025-04-25 CVE-2025-3752 The Able Player, accessible HTML5 media player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘preload’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping.
6.4
2025-04-24 CVE-2025-3749 The Breeze Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘cal_size’ parameter in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping.
6.4
2025-04-24 CVE-2025-2543 The Advanced Accordion Gutenberg Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping.
6.4
2025-04-24 CVE-2025-2579 The Lottie Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping.
6.4
2025-04-24 CVE-2025-3832 The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘successredirect’ parameter in all versions up to, and including, 6.7 due to insufficient input sanitization and output escaping.
6.4
2025-04-23 CVE-2025-1054 The UiCore Elements – Free Elementor widgets and templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the UI Counter, UI Icon Box, UI Testimonial Slider, UI Testimonial Grid, and UI Testimonial Carousel widgets in all versions up to, and including, 1.0.16 due to insufficient input sanitization and output escaping.
6.4
2025-04-22 CVE-2025-2839 The WP Import Export Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpiePreviewData’ function in all versions up to, and including, 3.9.27 due to insufficient input sanitization and output escaping.
6.4
2025-04-22 CVE-2025-3814 The Tax Switch for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class-name’ parameter in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping.
6.4
2025-04-23 CVE-2024-22351 IBM InfoSphere Information 11.7 Server does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.
6.3
2025-04-22 CVE-2025-3856 A vulnerability was found in xxyopen Novel-Plus 5.1.0.
6.3
2025-04-21 CVE-2025-3842 A vulnerability was found in panhainan DS-Java 1.0 and classified as critical.
6.3
2025-04-27 CVE-2025-46689 Ververica Cross-site Scripting vulnerability in Ververica Platform 2.14.0

Ververica Platform 2.14.0 contains a Reflected XSS vulnerability via a namespaces/default/formats URI.

6.1
2025-04-27 CVE-2025-46657 Karaz Cross-site Scripting vulnerability in Karaz Karazal

Karaz Karazal through 2025-04-14 allows reflected XSS via the lang parameter to the default URI.

6.1
2025-04-25 CVE-2025-3870 The 1 Decembrie 1918 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.dec.2012.
6.1
2025-04-25 CVE-2025-3866 The Add Google +1 (Plus one) social share Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0.
6.1
2025-04-25 CVE-2025-3867 The Ajax Comment Form CST plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.
6.1
2025-04-25 CVE-2025-3868 The Custom Admin-Bar Favorites plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'menuObject' parameter in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping.
6.1
2025-04-25 CVE-2025-2986 IBM Maximo Asset Management 7.6.1.3 is vulnerable to stored cross-site scripting.
5.5
2025-04-27 CVE-2025-3970 Jsite Cross-site Scripting vulnerability in Jsite

A vulnerability classified as problematic has been found in baseweb JSite up to 1.0.

5.4
2025-04-27 CVE-2025-3965 Itwanger Cross-site Scripting vulnerability in Itwanger Paicoding 1.0.3

A vulnerability has been found in itwanger paicoding 1.0.3 and classified as problematic.

5.4
2025-04-26 CVE-2025-1458 Bdthemes Cross-site Scripting vulnerability in Bdthemes Element Pack

The Element Pack Addons for Elementor – Free Templates and Widgets for Your WordPress Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets like Dual Button, Creative Button, Image Stack and more in all versions up to, and including, 5.10.29 due to insufficient input sanitization and output escaping.

5.4
2025-04-25 CVE-2025-3861 The Prevent Direct Access – Protect WordPress Files plugin for WordPress is vulnerable to unauthorized access and modification of data due to a misconfigured capability check on the 'pda_lite_custom_permission_check' function in versions 2.8.6 to 2.8.8.2.
5.4
2025-04-22 CVE-2025-3457 Oceanwp Cross-site Scripting vulnerability in Oceanwp Ocean Extra

The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'oceanwp_icon' shortcode in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2025-04-22 CVE-2025-3458 Oceanwp Cross-site Scripting vulnerability in Oceanwp Ocean Extra

The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ocean_gallery_id' parameter in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping.

5.4
2025-04-22 CVE-2025-46225 Migaweb Cross-site Scripting vulnerability in Migaweb Post in Page for Elementor

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Post in page for Elementor allows DOM-Based XSS.

5.4
2025-04-22 CVE-2025-46226 MPL Publisher Cross-site Scripting vulnerability in Mpl-Publisher

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ferranfg MPL-Publisher allows Stored XSS.

5.4
2025-04-22 CVE-2025-46227 Brechtvds Cross-site Scripting vulnerability in Brechtvds Custom Related Posts

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brecht Custom Related Posts allows Stored XSS.

5.4
2025-04-22 CVE-2025-46228 Avecnous Cross-site Scripting vulnerability in Avecnous Event Post

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bastien Ho Event post allows DOM-Based XSS.

5.4
2025-04-22 CVE-2025-46233 Sirv Cross-site Scripting vulnerability in Sirv

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sirv CDN and Image Hosting Sirv allows Stored XSS.

5.4
2025-04-22 CVE-2025-46235 Sktthemes Cross-site Scripting vulnerability in Sktthemes SKT Blocks

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks – Gutenberg based Page Builder allows Stored XSS.

5.4
2025-04-22 CVE-2025-46236 Ibericode Cross-site Scripting vulnerability in Ibericode Html Forms

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Link Software LLC HTML Forms allows Stored XSS.

5.4
2025-04-22 CVE-2025-46237 Ylefebvre Cross-site Scripting vulnerability in Ylefebvre Link Library

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yannick Lefebvre Link Library allows Stored XSS.

5.4
2025-04-22 CVE-2025-46238 Rolandbaer Cross-site Scripting vulnerability in Rolandbaer List Last Changes

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rbaer List Last Changes allows Stored XSS.

5.4
2025-04-22 CVE-2025-46239 Plugin Planet Cross-site Scripting vulnerability in Plugin-Planet Theme Switcha

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr Theme Switcha allows Stored XSS.

5.4
2025-04-22 CVE-2025-46240 Plugin Planet Cross-site Scripting vulnerability in Plugin-Planet Simple Download Counter

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jeff Starr Simple Download Counter allows Stored XSS.

5.4
2025-04-22 CVE-2025-46253 Wpmet Cross-site Scripting vulnerability in Wpmet Gutenkit

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ataur R GutenKit allows Stored XSS.

5.4
2025-04-22 CVE-2025-46254 Visualcomposer Cross-site Scripting vulnerability in Visualcomposer Visual Composer Website Builder

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Visual Composer Visual Composer Website Builder allows Stored XSS.

5.4
2025-04-27 CVE-2025-3981 Wowjoy Missing Authorization vulnerability in Wowjoy Internet Doctor Workstation System 1.0

A vulnerability, which was classified as problematic, has been found in wowjoy Internet Doctor Workstation System 1.0.

5.3
2025-04-27 CVE-2025-3980 Wowjoy Missing Authorization vulnerability in Wowjoy Internet Doctor Workstation System 1.0

A vulnerability classified as problematic was found in wowjoy Internet Doctor Workstation System 1.0.

5.3
2025-04-27 CVE-2025-3966 Itwanger Unspecified vulnerability in Itwanger Paicoding 1.0.3

A vulnerability was found in itwanger paicoding 1.0.3 and classified as problematic.

5.3
2025-04-27 CVE-2025-46574 ZTE Unspecified vulnerability in ZTE Zxcloud Goldendb 7.2.01.01

There is an information disclosure vulnerability in the GoldenDB database product.

5.3
2025-04-25 CVE-2025-3912 The WS Form LITE – Drag & Drop Contact Form Builder for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_config' function in all versions up to, and including, 1.10.35.
5.3
2025-04-25 CVE-2025-3743 The Upsell Funnel Builder for WooCommerce plugin for WordPress is vulnerable to order manipulation in all versions up to, and including, 3.0.0.
5.3
2025-04-25 CVE-2025-3923 The Prevent Direct Access – Protect WordPress Files plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.8 via the 'generate_unique_string' due to insufficient randomness of the generated file name.
5.3
2025-04-24 CVE-2021-47664 Due to improper authentication mechanism an unauthenticated remote attacker can enumerate valid usernames.
5.3
2025-04-24 CVE-2024-13307 The Reales WP - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'reales_delete_file', 'reales_delete_file_plans', 'reales_add_to_favourites', and 'reales_remove_from_favourites' functions in all versions up to, and including, 2.1.2.
5.3
2025-04-23 CVE-2025-2595 An unauthenticated remote attacker can bypass the user management in CODESYS Visualization and read visualization template files or static elements by means of forced browsing.
5.3
2025-04-21 CVE-2025-43970 Osrg Improper Validation of Specified Quantity in Input vulnerability in Osrg Gobgp

An issue was discovered in GoBGP before 3.35.0.

5.3
2025-04-27 CVE-2025-3984 A vulnerability was found in Apereo CAS 5.2.6 and classified as critical.
5.0
2025-04-25 CVE-2025-2068 An open redirect vulnerability was reported in the FileZ client that could allow information disclosure if a crafted url is visited by a local user.
5.0
2025-04-25 CVE-2025-2069 A cross-site scripting vulnerability was reported in the FileZ client that could allow execution of code if a crafted url is visited by a local user.
5.0
2025-04-25 CVE-2025-2070 An improper XML parsing vulnerability was reported in the FileZ client that could allow arbitrary file reads on the system if a crafted url is visited by a local user.
5.0
2025-04-25 CVE-2025-2580 The Contact Form by Bit Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.18.3 due to insufficient input sanitization and output escaping.
4.9
2025-04-22 CVE-2025-46242 Kibokolabs SQL Injection vulnerability in Kibokolabs Watu Quiz

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bob Watu Quiz allows SQL Injection.

4.9
2025-04-22 CVE-2025-46229 Textmetrics Cross-site Scripting vulnerability in Textmetrics

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Israpil Textmetrics allows Stored XSS.

4.8
2025-04-22 CVE-2025-46250 Vikasratudi Cross-site Scripting vulnerability in Vikasratudi Lifetime Free Drag & Drop Contact Form Builder

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikas Ratudi VForm allows Stored XSS.

4.8
2025-04-23 CVE-2025-46397 In xfig diagramming tool, a stack-overflow while running fig2dev allows memory corruption via local input manipulation at the bezier_spline function.
4.7
2025-04-23 CVE-2025-46398 In xfig diagramming tool, a stack-overflow while running fig2dev allows memory corruption via local input manipulation via read_objects function.
4.7
2025-04-23 CVE-2025-46399 In xfig diagramming tool, a segmentation fault in fig2dev allows memory corruption via local input manipulation at genge_itp_spline function.
4.7
2025-04-23 CVE-2025-46400 In xfig diagramming tool, a segmentation fault while running fig2dev allows an attacker to impact availability via local input manipulation via the read_arcobject function.
4.7
2025-04-22 CVE-2025-31328 SAP Learning Solution is vulnerable to Cross-Site Request Forgery (CSRF), allowing an attacker to trick an authenticated user into sending unintended requests to the server.
4.6
2025-04-24 CVE-2025-3435 The Mang Board WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the board_header and board_footer parameters in all versions up to, and including, 1.8.6 due to insufficient input sanitization and output escaping.
4.4
2025-04-27 CVE-2025-3986 A vulnerability was found in Apereo CAS 5.2.6.
4.3
2025-04-26 CVE-2025-3915 Aeropage Missing Authorization vulnerability in Aeropage Sync for Airtable

The Aeropage Sync for Airtable plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'aeropageDeletePost' function in all versions up to, and including, 3.2.0.

4.3
2025-04-24 CVE-2025-1284 The Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1 via the xc_woo_printer_preview AJAX action due to missing validation on a user controlled key.
4.3
2025-04-23 CVE-2025-25045 IBM InfoSphere Information Server 11.7 could allow an authenticated user to obtain sensitive information when a detailed technical error message is returned in a request.
4.3
2025-04-22 CVE-2025-31327 SAP Field Logistics Manage Logistics application OData meta-data property is vulnerable to data tampering, due to which certain fields could be externally modified by an attacker causing low impact on integrity of the application.
4.3
2025-04-22 CVE-2025-3855 A vulnerability was found in CodeCanyon RISE Ultimate Project Manager 3.8.2 and classified as problematic.
4.3
2025-04-22 CVE-2025-3849 A vulnerability classified as problematic was found in YXJ2018 SpringBoot-Vue-OnlineExam 1.0.
4.3
2025-04-21 CVE-2025-3843 A vulnerability was found in panhainan DS-Java 1.0.
4.3
2025-04-27 CVE-2025-46675 Nasa Improper Control of Dynamically-Managed Code Resources vulnerability in Nasa Cryptolib

In NASA CryptoLib before 1.3.2, the key state is not checked before use, potentially leading to spacecraft hijacking.

4.2
2025-04-24 CVE-2025-3793 The Buddypress Force Password Change plugin for WordPress is vulnerable to authenticated account takeover due to the plugin not properly validating a user's identity prior to updating their password through the 'bp_force_password_ajax' function in all versions up to, and including, 0.1.
4.2
2025-04-27 CVE-2025-3961 Withstars Cross-site Scripting vulnerability in Withstars Books-Management-System 1.0

A vulnerability classified as problematic has been found in withstars Books-Management-System 1.0.

4.1
2025-04-27 CVE-2025-3962 Withstars Cross-site Scripting vulnerability in Withstars Books-Management-System 1.0

A vulnerability classified as problematic was found in withstars Books-Management-System 1.0.

4.1
2025-04-27 CVE-2025-3958 Withstars Cross-site Scripting vulnerability in Withstars Books-Management-System 1.0

A vulnerability was found in withstars Books-Management-System 1.0.

4.1
2025-04-22 CVE-2025-27907 IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to server-side request forgery (SSRF).
4.1

6 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2025-04-22 CVE-2025-2987 IBM Maximo Asset Management 7.6.1.3 is vulnerable to server-side request forgery (SSRF).
3.8
2025-04-23 CVE-2025-25046 IBM InfoSphere Information Server 11.7 DataStage Flow Designer transmits sensitive information via URL or query parameters that could be exposed to an unauthorized actor using man-in-the-middle techniques.
3.7
2025-04-22 CVE-2025-3850 A vulnerability, which was classified as problematic, has been found in YXJ2018 SpringBoot-Vue-OnlineExam 1.0.
3.7
2025-04-26 CVE-2025-2850 A vulnerability was found in GL.iNet GL-A1300 Slate Plus, GL-AR300M16 Shadow, GL-AR300M Shadow, GL-AR750 Creta, GL-AR750S-EXT Slate, GL-AX1800 Flint, GL-AXT1800 Slate AX, GL-B1300 Convexa-B, GL-B3000 Marble, GL-BE3600 Slate 7, GL-E750, GL-E750V2 Mudi, GL-MT300N-V2 Mango, GL-MT1300 Beryl, GL-MT2500 Brume 2, GL-MT3000 Beryl AX, GL-MT6000 Flint 2, GL-SFT1200 Opal, GL-X300B Collie, GL-X750 Spitz, GL-X3000 Spitz AX, GL-XE300 Puli and GL-XE3000 Puli AX 4.x.
3.5
2025-04-21 CVE-2025-3841 A vulnerability, which was classified as problematic, was found in wix-incubator jam up to e87a6fd85cf8fb5ff37b62b2d68f917219d07ae9.
3.3
2025-04-27 CVE-2025-3985 A vulnerability was found in Apereo CAS 5.2.6.
2.7