{
"Source": "CVE FEED",
"Title": "CVE-2025-34504 - KodExplorer 4.52 Open Redirect Vulnerability via User Login Endpoint",
"Content": "CVE ID : CVE-2025-34504
Published : Dec. 11, 2025, 10:15 p.m. | 1 hour, 25 minutes ago
Description : KodExplorer 4.52 contains an open redirect vulnerability in the user login page that allows attackers to manipulate the 'link' parameter. Attackers can craft malicious URLs in the link parameter to redirect users to arbitrary external websites after authentication.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-34504 - KodExplorer 4.52 Open Redirect Vulnerability via User Login Endpoint",
"Content": "CVE ID : CVE-2025-34504
Published : Dec. 11, 2025, 10:15 p.m. | 1 hour, 25 minutes ago
Description : KodExplorer 4.52 contains an open redirect vulnerability in the user login page that allows attackers to manipulate the 'link' parameter. Attackers can craft malicious URLs in the link parameter to redirect users to arbitrary external websites after authentication.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2024-58307 - CSZCMS 1.3.0 Authenticated SQL Injection via Members View Endpoint",
"Content": "CVE ID : CVE-2024-58307
Published : Dec. 11, 2025, 10:15 p.m. | 1 hour, 25 minutes ago
Description : CSZCMS 1.3.0 contains an authenticated SQL injection vulnerability in the members view functionality that allows authenticated attackers to manipulate database queries. Attackers can inject malicious SQL code through the view parameter to potentially execute time-based blind SQL injection attacks and extract database information.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2024-58307 - CSZCMS 1.3.0 Authenticated SQL Injection via Members View Endpoint",
"Content": "CVE ID : CVE-2024-58307
Published : Dec. 11, 2025, 10:15 p.m. | 1 hour, 25 minutes ago
Description : CSZCMS 1.3.0 contains an authenticated SQL injection vulnerability in the members view functionality that allows authenticated attackers to manipulate database queries. Attackers can inject malicious SQL code through the view parameter to potentially execute time-based blind SQL injection attacks and extract database information.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2024-58308 - Quick.CMS 6.7 SQL Injection Authentication Bypass via Admin Login",
"Content": "CVE ID : CVE-2024-58308
Published : Dec. 11, 2025, 10:15 p.m. | 1 hour, 25 minutes ago
Description : Quick.CMS 6.7 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating the login form. Attackers can inject specific SQL payloads like ' or '1'='1 to gain unauthorized administrative access to the system.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2024-58308 - Quick.CMS 6.7 SQL Injection Authentication Bypass via Admin Login",
"Content": "CVE ID : CVE-2024-58308
Published : Dec. 11, 2025, 10:15 p.m. | 1 hour, 25 minutes ago
Description : Quick.CMS 6.7 contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating the login form. Attackers can inject specific SQL payloads like ' or '1'='1 to gain unauthorized administrative access to the system.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2024-58309 - xbtitFM 4.1.18 Unauthenticated SQL Injection in shoutedit.php",
"Content": "CVE ID : CVE-2024-58309
Published : Dec. 11, 2025, 10:15 p.m. | 1 hour, 25 minutes ago
Description : xbtitFM 4.1.18 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries by injecting malicious SQL code through the msgid parameter. Attackers can send crafted requests to /shoutedit.php with EXTRACTVALUE functions to extract database names, user credentials, and password hashes from the underlying database.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2024-58309 - xbtitFM 4.1.18 Unauthenticated SQL Injection in shoutedit.php",
"Content": "CVE ID : CVE-2024-58309
Published : Dec. 11, 2025, 10:15 p.m. | 1 hour, 25 minutes ago
Description : xbtitFM 4.1.18 contains an unauthenticated SQL injection vulnerability that allows remote attackers to manipulate database queries by injecting malicious SQL code through the msgid parameter. Attackers can send crafted requests to /shoutedit.php with EXTRACTVALUE functions to extract database names, user credentials, and password hashes from the underlying database.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2024-58310 - APC Network Management Card 4 Path Traversal via Directory Traversal",
"Content": "CVE ID : CVE-2024-58310
Published : Dec. 11, 2025, 10:15 p.m. | 1 hour, 25 minutes ago
Description : APC Network Management Card 4 contains a path traversal vulnerability that allows unauthenticated attackers to access sensitive system files by manipulating URL parameters. Attackers can exploit directory traversal techniques to read critical system files like /etc/passwd by using encoded path traversal characters in HTTP requests.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2024-58310 - APC Network Management Card 4 Path Traversal via Directory Traversal",
"Content": "CVE ID : CVE-2024-58310
Published : Dec. 11, 2025, 10:15 p.m. | 1 hour, 25 minutes ago
Description : APC Network Management Card 4 contains a path traversal vulnerability that allows unauthenticated attackers to access sensitive system files by manipulating URL parameters. Attackers can exploit directory traversal techniques to read critical system files like /etc/passwd by using encoded path traversal characters in HTTP requests.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2024-58306 - minaliC 2.0.0 Denial of Service Vulnerability via Large GET Request",
"Content": "CVE ID : CVE-2024-58306
Published : Dec. 11, 2025, 10:15 p.m. | 1 hour, 25 minutes ago
Description : minaliC 2.0.0 contains a denial of service vulnerability that allows remote attackers to crash the web server by sending oversized GET requests. Attackers can send crafted HTTP requests with excessive data to overwhelm the server and cause service interruption.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2024-58306 - minaliC 2.0.0 Denial of Service Vulnerability via Large GET Request",
"Content": "CVE ID : CVE-2024-58306
Published : Dec. 11, 2025, 10:15 p.m. | 1 hour, 25 minutes ago
Description : minaliC 2.0.0 contains a denial of service vulnerability that allows remote attackers to crash the web server by sending oversized GET requests. Attackers can send crafted HTTP requests with excessive data to overwhelm the server and cause service interruption.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2024-58313 - xbtitFM 4.1.18 Insecure File Upload in file_hosting Feature",
"Content": "CVE ID : CVE-2024-58313
Published : Dec. 11, 2025, 10:15 p.m. | 1 hour, 25 minutes ago
Description : xbtitFM 4.1.18 contains an insecure file upload vulnerability that allows authenticated attackers with administrative privileges to upload and execute arbitrary PHP code through the file_hosting feature. Attackers can bypass file type restrictions by modifying the Content-Type header to image/gif, adding GIF89a magic bytes, and using alternate PHP tags to upload web shells that execute system commands.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2024-58313 - xbtitFM 4.1.18 Insecure File Upload in file_hosting Feature",
"Content": "CVE ID : CVE-2024-58313
Published : Dec. 11, 2025, 10:15 p.m. | 1 hour, 25 minutes ago
Description : xbtitFM 4.1.18 contains an insecure file upload vulnerability that allows authenticated attackers with administrative privileges to upload and execute arbitrary PHP code through the file_hosting feature. Attackers can bypass file type restrictions by modifying the Content-Type header to image/gif, adding GIF89a magic bytes, and using alternate PHP tags to upload web shells that execute system commands.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2024-58312 - xbtitFM 4.1.18 Unauthenticated Path Traversal in nfogen.php",
"Content": "CVE ID : CVE-2024-58312
Published : Dec. 11, 2025, 10:15 p.m. | 1 hour, 25 minutes ago
Description : xbtitFM 4.1.18 contains a path traversal vulnerability that allows unauthenticated attackers to access sensitive system files by manipulating URL parameters. Attackers can exploit directory traversal techniques to read critical system files like using encoded path traversal characters in HTTP requests.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2024-58312 - xbtitFM 4.1.18 Unauthenticated Path Traversal in nfogen.php",
"Content": "CVE ID : CVE-2024-58312
Published : Dec. 11, 2025, 10:15 p.m. | 1 hour, 25 minutes ago
Description : xbtitFM 4.1.18 contains a path traversal vulnerability that allows unauthenticated attackers to access sensitive system files by manipulating URL parameters. Attackers can exploit directory traversal techniques to read critical system files like using encoded path traversal characters in HTTP requests.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2024-58298 - Compuware iStrobe Web 20.13 Pre-Auth Remote Code Execution via File Upload",
"Content": "CVE ID : CVE-2024-58298
Published : Dec. 11, 2025, 10:15 p.m. | 1 hour, 25 minutes ago
Description : Compuware iStrobe Web 20.13 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to upload malicious JSP files through a path traversal in the file upload form. Attackers can exploit the 'fileName' parameter to upload a web shell and execute arbitrary commands by sending POST requests to the uploaded JSP endpoint.
Severity: 9.2 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2024-58298 - Compuware iStrobe Web 20.13 Pre-Auth Remote Code Execution via File Upload",
"Content": "CVE ID : CVE-2024-58298
Published : Dec. 11, 2025, 10:15 p.m. | 1 hour, 25 minutes ago
Description : Compuware iStrobe Web 20.13 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to upload malicious JSP files through a path traversal in the file upload form. Attackers can exploit the 'fileName' parameter to upload a web shell and execute arbitrary commands by sending POST requests to the uploaded JSP endpoint.
Severity: 9.2 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2024-58300 - Siklu MultiHaul TG Series < 2.0.0 Unauthenticated Credential Disclosure Vulnerability",
"Content": "CVE ID : CVE-2024-58300
Published : Dec. 11, 2025, 10:15 p.m. | 1 hour, 25 minutes ago
Description : Siklu MultiHaul TG series devices before version 2.0.0 contain an unauthenticated vulnerability that allows remote attackers to retrieve randomly generated credentials via a network request. Attackers can send a specific hex-encoded command to port 12777 to obtain username and password, enabling direct SSH access to the device.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2024-58300 - Siklu MultiHaul TG Series < 2.0.0 Unauthenticated Credential Disclosure Vulnerability",
"Content": "CVE ID : CVE-2024-58300
Published : Dec. 11, 2025, 10:15 p.m. | 1 hour, 25 minutes ago
Description : Siklu MultiHaul TG series devices before version 2.0.0 contain an unauthenticated vulnerability that allows remote attackers to retrieve randomly generated credentials via a network request. Attackers can send a specific hex-encoded command to port 12777 to obtain username and password, enabling direct SSH access to the device.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2024-58301 - Purei CMS 1.0 SQL Injection via Multiple Vulnerable Endpoints",
"Content": "CVE ID : CVE-2024-58301
Published : Dec. 11, 2025, 10:15 p.m. | 1 hour, 25 minutes ago
Description : Purei CMS 1.0 contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through unfiltered user input parameters. Attackers can exploit vulnerable endpoints like getAllParks.php and events-ajax.php by injecting crafted SQL payloads to potentially extract or modify database information.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2024-58301 - Purei CMS 1.0 SQL Injection via Multiple Vulnerable Endpoints",
"Content": "CVE ID : CVE-2024-58301
Published : Dec. 11, 2025, 10:15 p.m. | 1 hour, 25 minutes ago
Description : Purei CMS 1.0 contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through unfiltered user input parameters. Attackers can exploit vulnerable endpoints like getAllParks.php and events-ajax.php by injecting crafted SQL payloads to potentially extract or modify database information.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-10451 - H19Int15CallbackSmm: SMM memory corruption vulnerability in combined DXE/SMM (SMRAM write)",
"Content": "CVE ID : CVE-2025-10451
Published : Dec. 12, 2025, 1:15 a.m. | 25 minutes ago
Description : Unchecked output buffer may allowed arbitrary code execution in SMM and potentially result in SMM memory corruption.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-10451 - H19Int15CallbackSmm: SMM memory corruption vulnerability in combined DXE/SMM (SMRAM write)",
"Content": "CVE ID : CVE-2025-10451
Published : Dec. 12, 2025, 1:15 a.m. | 25 minutes ago
Description : Unchecked output buffer may allowed arbitrary code execution in SMM and potentially result in SMM memory corruption.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-67779 - "React Server Components Denial of Service Vulnerability"",
"Content": "CVE ID : CVE-2025-67779
Published : Dec. 12, 2025, 12:15 a.m. | 1 hour, 25 minutes ago
Description : It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-67779 - "React Server Components Denial of Service Vulnerability"",
"Content": "CVE ID : CVE-2025-67779
Published : Dec. 12, 2025, 12:15 a.m. | 1 hour, 25 minutes ago
Description : It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-12650 - Simple post listing <= 0.2 - authenticated (contributor+) stored cross-site scripting via shortcode",
"Content": "CVE ID : CVE-2025-12650
Published : 12 Dec 2025, 3:20 a.m. | 24 minutes ago
Description : The Simple post listing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_name' parameter in the postlist shortcode in all versions up to, and including, 0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via mouse interaction.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-12650 - Simple post listing <= 0.2 - authenticated (contributor+) stored cross-site scripting via shortcode",
"Content": "CVE ID : CVE-2025-12650
Published : 12 Dec 2025, 3:20 a.m. | 24 minutes ago
Description : The Simple post listing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_name' parameter in the postlist shortcode in all versions up to, and including, 0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via mouse interaction.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-12834 - Accept Stripe Payments Using Contact Form 7 <= 3.1 - reflected cross-site scripting via failure_message",
"Content": "CVE ID : CVE-2025-12834
Published : 12 Dec 2025, 3:20 a.m. | 24 minutes ago
Description : The Accept Stripe Payments Using Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'failure_message' parameter in versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-12834 - Accept Stripe Payments Using Contact Form 7 <= 3.1 - reflected cross-site scripting via failure_message",
"Content": "CVE ID : CVE-2025-12834
Published : 12 Dec 2025, 3:20 a.m. | 24 minutes ago
Description : The Accept Stripe Payments Using Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'failure_message' parameter in versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-12830 - Better Elementor Addons <= 1.5.4 - authenticated (contributor+) stored cross-site scripting via slider widget",
"Content": "CVE ID : CVE-2025-12830
Published : 12 Dec 2025, 3:20 a.m. | 24 minutes ago
Description : The Better Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Slider widget in all versions up to, and including, 1.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-12830 - Better Elementor Addons <= 1.5.4 - authenticated (contributor+) stored cross-site scripting via slider widget",
"Content": "CVE ID : CVE-2025-12830
Published : 12 Dec 2025, 3:20 a.m. | 24 minutes ago
Description : The Better Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Slider widget in all versions up to, and including, 1.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-13314 - Product Filtering by Categories, Tags, Price Range for WooCommerce <= 1.1.5 - missing authorization to unauthenticated plugin settings modification",
"Content": "CVE ID : CVE-2025-13314
Published : 12 Dec 2025, 3:20 a.m. | 24 minutes ago
Description : The Product Filtering by Categories, Tags, Price Range for WooCommerce – Filter Plus plugin for WordPress is vulnerable to unauthorized modification of data in all versions up to, and including, 1.1.5 due to a missing capability check on the 'filter_save_settings' and 'add_filter_options' AJAX actions. This makes it possible for unauthenticated attackers to modify the plugin's settings and create arbitrary filter options.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-13314 - Product Filtering by Categories, Tags, Price Range for WooCommerce <= 1.1.5 - missing authorization to unauthenticated plugin settings modification",
"Content": "CVE ID : CVE-2025-13314
Published : 12 Dec 2025, 3:20 a.m. | 24 minutes ago
Description : The Product Filtering by Categories, Tags, Price Range for WooCommerce – Filter Plus plugin for WordPress is vulnerable to unauthorized modification of data in all versions up to, and including, 1.1.5 due to a missing capability check on the 'filter_save_settings' and 'add_filter_options' AJAX actions. This makes it possible for unauthenticated attackers to modify the plugin's settings and create arbitrary filter options.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-12963 - LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart <= 1.2.29 - missing authorization to uanuthenticated privilege escalation",
"Content": "CVE ID : CVE-2025-12963
Published : 12 Dec 2025, 3:20 a.m. | 24 minutes ago
Description : The LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.29. This is due to the plugin not properly validating a user's identity via the 'wp-json/lazytasks/api/v1/user/role/edit/' REST API endpoint prior to updating their details like email address. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. It is also possible for attackers to abuse this endpoint to grant users with access to additional roles within the plugin
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-12963 - LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart <= 1.2.29 - missing authorization to uanuthenticated privilege escalation",
"Content": "CVE ID : CVE-2025-12963
Published : 12 Dec 2025, 3:20 a.m. | 24 minutes ago
Description : The LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.29. This is due to the plugin not properly validating a user's identity via the 'wp-json/lazytasks/api/v1/user/role/edit/' REST API endpoint prior to updating their details like email address. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. It is also possible for attackers to abuse this endpoint to grant users with access to additional roles within the plugin
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-13320 - WP User Manager <= 2.9.12 - authenticated (subscriber+) arbitrary file deletion via 'current_user_avatar' parameter",
"Content": "CVE ID : CVE-2025-13320
Published : 12 Dec 2025, 3:20 a.m. | 24 minutes ago
Description : The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP's filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the 'current_user_avatar' parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting enabled.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-13320 - WP User Manager <= 2.9.12 - authenticated (subscriber+) arbitrary file deletion via 'current_user_avatar' parameter",
"Content": "CVE ID : CVE-2025-13320
Published : 12 Dec 2025, 3:20 a.m. | 24 minutes ago
Description : The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP's filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the 'current_user_avatar' parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting enabled.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-12783 - Premmerce Brands for WooCommerce <= 1.2.13 - missing authorization to authenticated (subscriber+) brand permalink settings update",
"Content": "CVE ID : CVE-2025-12783
Published : 12 Dec 2025, 3:20 a.m. | 24 minutes ago
Description : The Premmerce Brands for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveBrandsSettings function in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify brand permalink settings.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-12783 - Premmerce Brands for WooCommerce <= 1.2.13 - missing authorization to authenticated (subscriber+) brand permalink settings update",
"Content": "CVE ID : CVE-2025-12783
Published : 12 Dec 2025, 3:20 a.m. | 24 minutes ago
Description : The Premmerce Brands for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveBrandsSettings function in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify brand permalink settings.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-12824 - Player Leaderboard 1.0.0 - 1.0.2 - Authenticated (Contributor+) Local File Inclusion",
"Content": "CVE ID : CVE-2025-12824
Published : 12 Dec 2025, 3:20 a.m. | 24 minutes ago
Description : The Player Leaderboard plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.2 via the 'player_leaderboard' shortcode. This is due to the plugin using an unsanitized user-supplied value from the shortcode's 'mode' attribute in a call to include() without proper path validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve full remote code execution if combined with file upload capabilities.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-12824 - Player Leaderboard 1.0.0 - 1.0.2 - Authenticated (Contributor+) Local File Inclusion",
"Content": "CVE ID : CVE-2025-12824
Published : 12 Dec 2025, 3:20 a.m. | 24 minutes ago
Description : The Player Leaderboard plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.2 via the 'player_leaderboard' shortcode. This is due to the plugin using an unsanitized user-supplied value from the shortcode's 'mode' attribute in a call to include() without proper path validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve full remote code execution if combined with file upload capabilities.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹