{
"Source": "CVE FEED",
"Title": "CVE-2025-64496 - Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events",
"Content": "CVE ID : CVE-2025-64496
Published : Nov. 8, 2025, 2:15 a.m. | 1 hour, 15 minutes ago
Description : Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) execute events. This leads to authentication token theft, complete account takeover, and when chained with the Functions API, enables remote code execution on the backend server. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker's malicious model URL, achievable through social engineering of the admin and subsequent users. This issue is fixed in version 0.6.35.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-64496 - Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events",
"Content": "CVE ID : CVE-2025-64496
Published : Nov. 8, 2025, 2:15 a.m. | 1 hour, 15 minutes ago
Description : Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Versions 0.6.224 and prior contain a code injection vulnerability in the Direct Connections feature that allows malicious external model servers to execute arbitrary JavaScript in victim browsers via Server-Sent Event (SSE) execute events. This leads to authentication token theft, complete account takeover, and when chained with the Functions API, enables remote code execution on the backend server. The attack requires the victim to enable Direct Connections (disabled by default) and add the attacker's malicious model URL, achievable through social engineering of the admin and subsequent users. This issue is fixed in version 0.6.35.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-64492 - SuiteCRM is Vulnerable to Authenticated Time Based Blind SQL Injection",
"Content": "CVE ID : CVE-2025-64492
Published : Nov. 8, 2025, 2:15 a.m. | 1 hour, 15 minutes ago
Description : SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 8.9.0 and below contain a time-based blind SQL Injection vulnerability. This vulnerability allows an authenticated attacker to infer data from the database by measuring response times, potentially leading to the extraction of sensitive information. It is possible for an attacker to enumerate database, table, and column names, extract sensitive data, or escalate privileges. This is fixed in version 8.9.1.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-64492 - SuiteCRM is Vulnerable to Authenticated Time Based Blind SQL Injection",
"Content": "CVE ID : CVE-2025-64492
Published : Nov. 8, 2025, 2:15 a.m. | 1 hour, 15 minutes ago
Description : SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 8.9.0 and below contain a time-based blind SQL Injection vulnerability. This vulnerability allows an authenticated attacker to infer data from the database by measuring response times, potentially leading to the extraction of sensitive information. It is possible for an attacker to enumerate database, table, and column names, extract sensitive data, or escalate privileges. This is fixed in version 8.9.1.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-64493 - SuiteCRM is Vulnerable to Authenticated Blind SQL Injection via GraphQL",
"Content": "CVE ID : CVE-2025-64493
Published : Nov. 8, 2025, 2:15 a.m. | 1 hour, 15 minutes ago
Description : SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 8.6.0 through 8.9.0, there is an authenticated, blind (time-based) SQL-injection inside the appMetadata-operation of the GraphQL-API. This allows extraction of arbitrary data from the database, and does not require administrative access. This issue is fixed in version 8.9.1.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-64493 - SuiteCRM is Vulnerable to Authenticated Blind SQL Injection via GraphQL",
"Content": "CVE ID : CVE-2025-64493
Published : Nov. 8, 2025, 2:15 a.m. | 1 hour, 15 minutes ago
Description : SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 8.6.0 through 8.9.0, there is an authenticated, blind (time-based) SQL-injection inside the appMetadata-operation of the GraphQL-API. This allows extraction of arbitrary data from the database, and does not require administrative access. This issue is fixed in version 8.9.1.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-12177 - Download Manager <= 3.3.30 - unauthenticated cron trigger due to hardcoded cron key",
"Content": "CVE ID : CVE-2025-12177
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired() and clearTempDataCPCron() functions in all versions up to, and including, 3.3.30. This makes it possible for unauthenticated attackers to trigger these cron jobs leading to deletion of expired posts and clearing cache.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-12177 - Download Manager <= 3.3.30 - unauthenticated cron trigger due to hardcoded cron key",
"Content": "CVE ID : CVE-2025-12177
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The Download Manager plugin for WordPress is vulnerable to unauthorized access due to a hardcoded Cron key used in the deleteExpired() and clearTempDataCPCron() functions in all versions up to, and including, 3.3.30. This makes it possible for unauthenticated attackers to trigger these cron jobs leading to deletion of expired posts and clearing cache.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-12193 - Mang Board WP <= 2.3.1 - reflected cross-site scripting",
"Content": "CVE ID : CVE-2025-12193
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The Mang Board WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'mp' parameter in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-12193 - Mang Board WP <= 2.3.1 - reflected cross-site scripting",
"Content": "CVE ID : CVE-2025-12193
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The Mang Board WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'mp' parameter in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-12353 - WPFunnels <= 3.6.2 - unauthorized user registration",
"Content": "CVE ID : CVE-2025-12353
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The WPFunnels – The Easiest Funnel Builder For WordPress And WooCommerce To Collect Leads And Increase Sales plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 3.6.2. This is due to the plugin relying on a user controlled value 'optin_allow_registration' to determine if user registration is allowed, instead of the site-specific setting. This makes it possible for unauthenticated attackers to register new user accounts, even when user registration is disabled.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-12353 - WPFunnels <= 3.6.2 - unauthorized user registration",
"Content": "CVE ID : CVE-2025-12353
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The WPFunnels – The Easiest Funnel Builder For WordPress And WooCommerce To Collect Leads And Increase Sales plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 3.6.2. This is due to the plugin relying on a user controlled value 'optin_allow_registration' to determine if user registration is allowed, instead of the site-specific setting. This makes it possible for unauthenticated attackers to register new user accounts, even when user registration is disabled.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-7663 - Ovatheme Events Manager <= 1.8.6 - missing authorization",
"Content": "CVE ID : CVE-2025-7663
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The Ovatheme Events Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the /class-ovaem-ajax.php file in all versions up to, and including, 1.8.6. This makes it possible for unauthenticated attackers to delete ticket files, download tickets, and more.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-7663 - Ovatheme Events Manager <= 1.8.6 - missing authorization",
"Content": "CVE ID : CVE-2025-7663
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The Ovatheme Events Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the /class-ovaem-ajax.php file in all versions up to, and including, 1.8.6. This makes it possible for unauthenticated attackers to delete ticket files, download tickets, and more.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-12064 - WP2Social Auto Publish <= 2.4.7 - reflected cross-site scripting via postmessage",
"Content": "CVE ID : CVE-2025-12064
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The WP2Social Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 2.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-12064 - WP2Social Auto Publish <= 2.4.7 - reflected cross-site scripting via postmessage",
"Content": "CVE ID : CVE-2025-12064
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The WP2Social Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 2.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-12112 - Insert Headers and Footers Code – HT Script <= 1.1.6 - authenticated (author+) stored cross-site scripting",
"Content": "CVE ID : CVE-2025-12112
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The Insert Headers and Footers Code – HT Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via adding scripts in all versions up to, and including, 1.1.6 due to insufficient capability checks. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-12112 - Insert Headers and Footers Code – HT Script <= 1.1.6 - authenticated (author+) stored cross-site scripting",
"Content": "CVE ID : CVE-2025-12112
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The Insert Headers and Footers Code – HT Script plugin for WordPress is vulnerable to Stored Cross-Site Scripting via adding scripts in all versions up to, and including, 1.1.6 due to insufficient capability checks. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-12125 - HTML Forms <= 1.5.5 - authenticated (admin+) stored cross-site scripting",
"Content": "CVE ID : CVE-2025-12125
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The HTML Forms – Simple WordPress Forms Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity: 4.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-12125 - HTML Forms <= 1.5.5 - authenticated (admin+) stored cross-site scripting",
"Content": "CVE ID : CVE-2025-12125
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The HTML Forms – Simple WordPress Forms Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity: 4.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-12161 - Smart Auto Upload Images <= 1.2.0 - authenticated (contributor+) arbitrary file upload",
"Content": "CVE ID : CVE-2025-12161
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The Smart Auto Upload Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the auto-image creation functionality in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-12161 - Smart Auto Upload Images <= 1.2.0 - authenticated (contributor+) arbitrary file upload",
"Content": "CVE ID : CVE-2025-12161
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The Smart Auto Upload Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the auto-image creation functionality in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-12167 - Contact Form 7 AWeber Extension <= 0.1.42 - missing authorization to authenticated (subscriber+) log reset",
"Content": "CVE ID : CVE-2025-12167
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The Contact Form 7 AWeber Extension plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_aweber_logreset' AJAX endpoint in all versions up to, and including, 0.1.42. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the AWeber logs.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-12167 - Contact Form 7 AWeber Extension <= 0.1.42 - missing authorization to authenticated (subscriber+) log reset",
"Content": "CVE ID : CVE-2025-12167
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The Contact Form 7 AWeber Extension plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_aweber_logreset' AJAX endpoint in all versions up to, and including, 0.1.42. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the AWeber logs.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-11972 - Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.0 - authenticated (editor+) sql injection",
"Content": "CVE ID : CVE-2025-11972
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to SQL Injection via the 'post_types' parameter in all versions up to, and including, 3.40.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-11972 - Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.0 - authenticated (editor+) sql injection",
"Content": "CVE ID : CVE-2025-11972
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to SQL Injection via the 'post_types' parameter in all versions up to, and including, 3.40.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-12000 - WPFunnels <= 3.6.2 - authenticated (administrator+) arbitrary file deletion via path traversal",
"Content": "CVE ID : CVE-2025-12000
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The WPFunnels plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpfnl_delete_log() function in all versions up to, and including, 3.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-12000 - WPFunnels <= 3.6.2 - authenticated (administrator+) arbitrary file deletion via path traversal",
"Content": "CVE ID : CVE-2025-12000
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The WPFunnels plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wpfnl_delete_log() function in all versions up to, and including, 3.6.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-12042 - Course Booking System <= 6.1.5 - missing authorization to unauthenticated booking data export",
"Content": "CVE ID : CVE-2025-12042
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The Course Booking System plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in the csv-export.php file in all versions up to, and including, 6.1.5. This makes it possible for unauthenticated attackers to directly access the file and obtain an export of all booking data.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-12042 - Course Booking System <= 6.1.5 - missing authorization to unauthenticated booking data export",
"Content": "CVE ID : CVE-2025-12042
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The Course Booking System plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check in the csv-export.php file in all versions up to, and including, 6.1.5. This makes it possible for unauthenticated attackers to directly access the file and obtain an export of all booking data.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-11748 - Groups <= 6.7.0 - authenticated (subscriber+) insecure direct object reference to arbitrary group join",
"Content": "CVE ID : CVE-2025-11748
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.0 via the 'group_id' parameter of the group_join function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to register for groups other than ones set in the shortcode.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-11748 - Groups <= 6.7.0 - authenticated (subscriber+) insecure direct object reference to arbitrary group join",
"Content": "CVE ID : CVE-2025-11748
Published : Nov. 8, 2025, 4:15 a.m. | 1 hour, 16 minutes ago
Description : The Groups plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.0 via the 'group_id' parameter of the group_join function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to register for groups other than ones set in the shortcode.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-12621 - Flexible Refund and Return Order for WooCommerce <= 1.0.42 - incorrect authorization to authenticated (contributor+) refund status update",
"Content": "CVE ID : CVE-2025-12621
Published : Nov. 8, 2025, 7:26 a.m. | 15 minutes ago
Description : The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'create_refund' function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, with Contributor-level access and above, to update the status of refund requests, including approving and refusing refunds.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-12621 - Flexible Refund and Return Order for WooCommerce <= 1.0.42 - incorrect authorization to authenticated (contributor+) refund status update",
"Content": "CVE ID : CVE-2025-12621
Published : Nov. 8, 2025, 7:26 a.m. | 15 minutes ago
Description : The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'create_refund' function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, with Contributor-level access and above, to update the status of refund requests, including approving and refusing refunds.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-12498 - EventPrime – Events Calendar, Bookings and Tickets <= 4.2.0.0 - missing authorization to authenticated (subscriber+) booking note creation",
"Content": "CVE ID : CVE-2025-12498
Published : Nov. 8, 2025, 7:15 a.m. | 26 minutes ago
Description : The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized booking note creation due to a missing capability check on the 'booking_add_notes' function in all versions up to, and including, 4.2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add a note to the backend view of any booking.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-12498 - EventPrime – Events Calendar, Bookings and Tickets <= 4.2.0.0 - missing authorization to authenticated (subscriber+) booking note creation",
"Content": "CVE ID : CVE-2025-12498
Published : Nov. 8, 2025, 7:15 a.m. | 26 minutes ago
Description : The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized booking note creation due to a missing capability check on the 'booking_add_notes' function in all versions up to, and including, 4.2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add a note to the backend view of any booking.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-9334 - Better Find and Replace <= 1.7.7 - authenticated (subscriber+) limited code injection",
"Content": "CVE ID : CVE-2025-9334
Published : Nov. 8, 2025, 6:15 a.m. | 1 hour, 25 minutes ago
Description : The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Limited Code Injection in all versions up to, and including, 1.7.7. This is due to insufficient input validation and restriction on the 'rtafar_ajax' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to call arbitrary plugin functions and execute code within those functions.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-9334 - Better Find and Replace <= 1.7.7 - authenticated (subscriber+) limited code injection",
"Content": "CVE ID : CVE-2025-9334
Published : Nov. 8, 2025, 6:15 a.m. | 1 hour, 25 minutes ago
Description : The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to Limited Code Injection in all versions up to, and including, 1.7.7. This is due to insufficient input validation and restriction on the 'rtafar_ajax' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to call arbitrary plugin functions and execute code within those functions.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-11448 - Gallery Plugin for WordPress – Envira Photo Gallery <= 1.11.0 - missing authorization to authenticated (contributor+) gallery conversion",
"Content": "CVE ID : CVE-2025-11448
Published : Nov. 8, 2025, 9:28 a.m. | 14 minutes ago
Description : The Gallery Plugin for WordPress – Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/envira-convert/v1/bulk-convert' REST API endpoint in all versions up to, and including, 1.11.0. This makes it possible for authenticated attackers, with contributor-level access and above, to convert galleries to Envira galleries.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-11448 - Gallery Plugin for WordPress – Envira Photo Gallery <= 1.11.0 - missing authorization to authenticated (contributor+) gallery conversion",
"Content": "CVE ID : CVE-2025-11448
Published : Nov. 8, 2025, 9:28 a.m. | 14 minutes ago
Description : The Gallery Plugin for WordPress – Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/envira-convert/v1/bulk-convert' REST API endpoint in all versions up to, and including, 1.11.0. This makes it possible for authenticated attackers, with contributor-level access and above, to convert galleries to Envira galleries.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-11967 - Mail Mint <= 1.18.10 - authenticated (admin+) arbitrary file upload",
"Content": "CVE ID : CVE-2025-11967
Published : Nov. 8, 2025, 9:28 a.m. | 14 minutes ago
Description : The Mail Mint plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the process_contact_attribute_import function in all versions up to, and including, 1.18.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-11967 - Mail Mint <= 1.18.10 - authenticated (admin+) arbitrary file upload",
"Content": "CVE ID : CVE-2025-11967
Published : Nov. 8, 2025, 9:28 a.m. | 14 minutes ago
Description : The Mail Mint plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the process_contact_attribute_import function in all versions up to, and including, 1.18.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "08 Nov 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹