{
"Source": "CVE FEED",
"Title": "CVE-2025-61987 - GroupSession WebSocket Origin Validation Bypass",
"Content": "CVE ID : CVE-2025-61987
Published : Dec. 12, 2025, 5:16 a.m. | 29 minutes ago
Description : GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. do not validate origins in WebSockets. If a user accesses a crafted page, Chat information sent to the user may be exposed.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-61987 - GroupSession WebSocket Origin Validation Bypass",
"Content": "CVE ID : CVE-2025-61987
Published : Dec. 12, 2025, 5:16 a.m. | 29 minutes ago
Description : GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. do not validate origins in WebSockets. If a user accesses a crafted page, Chat information sent to the user may be exposed.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-53523 - GroupSession Stored Cross-Site Scripting Vulnerability",
"Content": "CVE ID : CVE-2025-53523
Published : Dec. 12, 2025, 5:16 a.m. | 30 minutes ago
Description : Stored cross-site scripting vulnerabilities exist in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. A logged-in user can prepare a malicious page or URL, and an arbitrary script may be executed on the web browser when another user accesses it.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-53523 - GroupSession Stored Cross-Site Scripting Vulnerability",
"Content": "CVE ID : CVE-2025-53523
Published : Dec. 12, 2025, 5:16 a.m. | 30 minutes ago
Description : Stored cross-site scripting vulnerabilities exist in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. A logged-in user can prepare a malicious page or URL, and an arbitrary script may be executed on the web browser when another user accesses it.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-14392 - Simple Theme Changer <= 1.0. - missing authorization to plugin settings update via ajax actions",
"Content": "CVE ID : CVE-2025-14392
Published : Dec. 12, 2025, 4:15 a.m. | 1 hour, 30 minutes ago
Description : The Simple Theme Changer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the user_theme_admin, display_method_admin, and set_change_theme_button_name actions actions in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin's settings.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-14392 - Simple Theme Changer <= 1.0. - missing authorization to plugin settings update via ajax actions",
"Content": "CVE ID : CVE-2025-14392
Published : Dec. 12, 2025, 4:15 a.m. | 1 hour, 30 minutes ago
Description : The Simple Theme Changer plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the user_theme_admin, display_method_admin, and set_change_theme_button_name actions actions in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin's settings.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-14393 - Wpik WordPress Basic Ajax Form <= 1.0 - authenticated (contributor+) stored cross-site scripting",
"Content": "CVE ID : CVE-2025-14393
Published : Dec. 12, 2025, 4:15 a.m. | 1 hour, 30 minutes ago
Description : The Wpik WordPress Basic Ajax Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'dname' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-14393 - Wpik WordPress Basic Ajax Form <= 1.0 - authenticated (contributor+) stored cross-site scripting",
"Content": "CVE ID : CVE-2025-14393
Published : Dec. 12, 2025, 4:15 a.m. | 1 hour, 30 minutes ago
Description : The Wpik WordPress Basic Ajax Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'dname' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-14467 - WP Job Portal <= 2.3.9 - authenticated (editor+) stored cross-site scripting via job description field",
"Content": "CVE ID : CVE-2025-14467
Published : Dec. 12, 2025, 4:15 a.m. | 1 hour, 30 minutes ago
Description : The WP Job Portal plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.3.9. This is due to the plugin explicitly whitelisting the `",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-14467 - WP Job Portal <= 2.3.9 - authenticated (editor+) stored cross-site scripting via job description field",
"Content": "CVE ID : CVE-2025-14467
Published : Dec. 12, 2025, 4:15 a.m. | 1 hour, 30 minutes ago
Description : The WP Job Portal plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.3.9. This is due to the plugin explicitly whitelisting the `",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-14165 - Kirim.Email WooCommerce Integration <= 1.2.9 - cross-site request forgery to settings update",
"Content": "CVE ID : CVE-2025-14165
Published : Dec. 12, 2025, 4:15 a.m. | 1 hour, 30 minutes ago
Description : The Kirim.Email WooCommerce Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9. This is due to missing nonce validation on the plugin's settings page. This makes it possible for unauthenticated attackers to modify the plugin's API credentials and integration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-14165 - Kirim.Email WooCommerce Integration <= 1.2.9 - cross-site request forgery to settings update",
"Content": "CVE ID : CVE-2025-14165
Published : Dec. 12, 2025, 4:15 a.m. | 1 hour, 30 minutes ago
Description : The Kirim.Email WooCommerce Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9. This is due to missing nonce validation on the plugin's settings page. This makes it possible for unauthenticated attackers to modify the plugin's API credentials and integration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-14166 - WPMasterToolKit (WPMTK) <= 2.13.0 - authenticated (contributor+) code injection",
"Content": "CVE ID : CVE-2025-14166
Published : Dec. 12, 2025, 4:15 a.m. | 1 hour, 30 minutes ago
Description : The WPMasterToolKit plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.13.0. This is due to the plugin allowing Author-level users to create and execute arbitrary PHP code through the Code Snippets feature without proper capability checks. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server, leading to remote code execution, privilege escalation, and complete site compromise.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-14166 - WPMasterToolKit (WPMTK) <= 2.13.0 - authenticated (contributor+) code injection",
"Content": "CVE ID : CVE-2025-14166
Published : Dec. 12, 2025, 4:15 a.m. | 1 hour, 30 minutes ago
Description : The WPMasterToolKit plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.13.0. This is due to the plugin allowing Author-level users to create and execute arbitrary PHP code through the Code Snippets feature without proper capability checks. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server, leading to remote code execution, privilege escalation, and complete site compromise.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-14170 - Vimeo SimpleGallery <= 0.2 - missing authorization to authenticated (subscriber+) arbitrary plugin settings modification",
"Content": "CVE ID : CVE-2025-14170
Published : Dec. 12, 2025, 4:15 a.m. | 1 hour, 30 minutes ago
Description : The Vimeo SimpleGallery plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 0.2. This is due to missing authorization checks on the `vimeogallery_admin` function hooked to `admin_menu`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary plugin settings via the `action` parameter.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-14170 - Vimeo SimpleGallery <= 0.2 - missing authorization to authenticated (subscriber+) arbitrary plugin settings modification",
"Content": "CVE ID : CVE-2025-14170
Published : Dec. 12, 2025, 4:15 a.m. | 1 hour, 30 minutes ago
Description : The Vimeo SimpleGallery plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 0.2. This is due to missing authorization checks on the `vimeogallery_admin` function hooked to `admin_menu`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary plugin settings via the `action` parameter.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-14344 - Multi Uploader for Gravity Forms <= 1.1.7 - unauthenticated arbitrary file deletion",
"Content": "CVE ID : CVE-2025-14344
Published : Dec. 12, 2025, 4:15 a.m. | 1 hour, 30 minutes ago
Description : The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'plupload_ajax_delete_file' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-14344 - Multi Uploader for Gravity Forms <= 1.1.7 - unauthenticated arbitrary file deletion",
"Content": "CVE ID : CVE-2025-14344
Published : Dec. 12, 2025, 4:15 a.m. | 1 hour, 30 minutes ago
Description : The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'plupload_ajax_delete_file' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-67730 - Frappe authenticated users can execute XSS through form description fields",
"Content": "CVE ID : CVE-2025-67730
Published : Dec. 12, 2025, 7:23 a.m. | 24 minutes ago
Description : Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in version 2.42.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-67730 - Frappe authenticated users can execute XSS through form description fields",
"Content": "CVE ID : CVE-2025-67730
Published : Dec. 12, 2025, 7:23 a.m. | 24 minutes ago
Description : Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in version 2.42.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-14169 - FunnelKit – Funnel Builder for WooCommerce Checkout <= 3.13.1.5 - unauthenticated sql injection",
"Content": "CVE ID : CVE-2025-14169
Published : Dec. 12, 2025, 7:20 a.m. | 28 minutes ago
Description : The FunnelKit - Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'opid' parameter in all versions up to, and including, 3.13.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-14169 - FunnelKit – Funnel Builder for WooCommerce Checkout <= 3.13.1.5 - unauthenticated sql injection",
"Content": "CVE ID : CVE-2025-14169
Published : Dec. 12, 2025, 7:20 a.m. | 28 minutes ago
Description : The FunnelKit - Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'opid' parameter in all versions up to, and including, 3.13.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-13891 - Image Gallery – Photo Grid & Video Gallery (Modula) <= 2.13.3 - missing authorization to arbitrary directory listing",
"Content": "CVE ID : CVE-2025-13891
Published : Dec. 12, 2025, 7:20 a.m. | 28 minutes ago
Description : The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.13.3. This is due to the modula_list_folders AJAX endpoint that lacks proper path validation and base directory restrictions. While the endpoint verifies user capabilities (Author+ with upload_files and edit_posts permissions), it fails to validate that user-supplied directory paths reside within safe directories. This makes it possible for authenticated attackers, with Author-level access and above, to enumerate arbitrary directories on the server via the modula_list_folders endpoint.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-13891 - Image Gallery – Photo Grid & Video Gallery (Modula) <= 2.13.3 - missing authorization to arbitrary directory listing",
"Content": "CVE ID : CVE-2025-13891
Published : Dec. 12, 2025, 7:20 a.m. | 28 minutes ago
Description : The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.13.3. This is due to the modula_list_folders AJAX endpoint that lacks proper path validation and base directory restrictions. While the endpoint verifies user capabilities (Author+ with upload_files and edit_posts permissions), it fails to validate that user-supplied directory paths reside within safe directories. This makes it possible for authenticated attackers, with Author-level access and above, to enumerate arbitrary directories on the server via the modula_list_folders endpoint.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-10583 - WP Fastest Cache Premium <= 1.7.4 - missing authorization to authenticated (subscriber+) blind server-side request forgery",
"Content": "CVE ID : CVE-2025-10583
Published : Dec. 12, 2025, 7:20 a.m. | 28 minutes ago
Description : The WP Fastest Cache plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.7.4 via the 'get_server_time_ajax_request' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-10583 - WP Fastest Cache Premium <= 1.7.4 - missing authorization to authenticated (subscriber+) blind server-side request forgery",
"Content": "CVE ID : CVE-2025-10583
Published : Dec. 12, 2025, 7:20 a.m. | 28 minutes ago
Description : The WP Fastest Cache plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.7.4 via the 'get_server_time_ajax_request' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-4970 - BSK PDF Manager <= 3.7.1 - authenticated (administrator+) stored cross-site scripting via svg file upload",
"Content": "CVE ID : CVE-2025-4970
Published : Dec. 12, 2025, 7:20 a.m. | 28 minutes ago
Description : The BSK PDF Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-4970 - BSK PDF Manager <= 3.7.1 - authenticated (administrator+) stored cross-site scripting via svg file upload",
"Content": "CVE ID : CVE-2025-4970
Published : Dec. 12, 2025, 7:20 a.m. | 28 minutes ago
Description : The BSK PDF Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-14049 - VikRentItems Flexible Rental Management System <= 1.2.0 - reflected cross-site scripting via 'delto' parameter",
"Content": "CVE ID : CVE-2025-14049
Published : Dec. 12, 2025, 7:20 a.m. | 28 minutes ago
Description : The VikRentItems Flexible Rental Management System plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'delto' parameter in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-14049 - VikRentItems Flexible Rental Management System <= 1.2.0 - reflected cross-site scripting via 'delto' parameter",
"Content": "CVE ID : CVE-2025-14049
Published : Dec. 12, 2025, 7:20 a.m. | 28 minutes ago
Description : The VikRentItems Flexible Rental Management System plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'delto' parameter in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-11876 - Mailgun Subscriptions <= 1.3.1 - authenticated (contributor+) stored cross-site scripting",
"Content": "CVE ID : CVE-2025-11876
Published : Dec. 12, 2025, 7:20 a.m. | 28 minutes ago
Description : The Mailgun Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mailgun_subscription_form' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-11876 - Mailgun Subscriptions <= 1.3.1 - authenticated (contributor+) stored cross-site scripting",
"Content": "CVE ID : CVE-2025-11876
Published : Dec. 12, 2025, 7:20 a.m. | 28 minutes ago
Description : The Mailgun Subscriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mailgun_subscription_form' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-67727 - Parse Server GitHub CI workflow vulnerable to RCE through Improper Privilege Management",
"Content": "CVE ID : CVE-2025-67727
Published : Dec. 12, 2025, 7:15 a.m. | 32 minutes ago
Description : Parse Server is an open source backend that can be deployed to any infrastructure that runs Node.js. In versions prior to 8.6.0-alpha.2, a GitHub CI workflow is triggered in a way that grants the GitHub Actions workflow elevated permissions, giving it access to GitHub secrets and write permissions which are defined in the workflow. Code from a fork or lifecycle scripts is potentially included. Only the repository's CI/CD infrastructure is affected, including any public GitHub forks with GitHub Actions enabled. This issue is fixed version 8.6.0-alpha.2 and commits 6b9f896 and e3d27fe.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-67727 - Parse Server GitHub CI workflow vulnerable to RCE through Improper Privilege Management",
"Content": "CVE ID : CVE-2025-67727
Published : Dec. 12, 2025, 7:15 a.m. | 32 minutes ago
Description : Parse Server is an open source backend that can be deployed to any infrastructure that runs Node.js. In versions prior to 8.6.0-alpha.2, a GitHub CI workflow is triggered in a way that grants the GitHub Actions workflow elevated permissions, giving it access to GitHub secrets and write permissions which are defined in the workflow. Code from a fork or lifecycle scripts is potentially included. Only the repository's CI/CD infrastructure is affected, including any public GitHub forks with GitHub Actions enabled. This issue is fixed version 8.6.0-alpha.2 and commits 6b9f896 and e3d27fe.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-67728 - Fireshare Public Uploads feature is vulnerable to OS Command Injection (RCE)",
"Content": "CVE ID : CVE-2025-67728
Published : Dec. 12, 2025, 7:15 a.m. | 32 minutes ago
Description : Fireshare facilitates self-hosted media and link sharing. Versions 1.2.30 and below allow an authenticated user, or unauthenticated user if the Public Uploads setting is enabled, to craft a malicious filename when uploading a video file. The malicious filename is then concatenated directly into a shell command, which can be used for uploading files to arbitrary directories via path traversal, or executing system commands for Remote Code Execution (RCE). This issue is fixed in version 1.3.0.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-67728 - Fireshare Public Uploads feature is vulnerable to OS Command Injection (RCE)",
"Content": "CVE ID : CVE-2025-67728
Published : Dec. 12, 2025, 7:15 a.m. | 32 minutes ago
Description : Fireshare facilitates self-hosted media and link sharing. Versions 1.2.30 and below allow an authenticated user, or unauthenticated user if the Public Uploads setting is enabled, to craft a malicious filename when uploading a video file. The malicious filename is then concatenated directly into a shell command, which can be used for uploading files to arbitrary directories via path traversal, or executing system commands for Remote Code Execution (RCE). This issue is fixed in version 1.3.0.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-67737 - AzuraCast Vulnerable to Pre-Auth File Deletion & Admin RCE",
"Content": "CVE ID : CVE-2025-67737
Published : Dec. 12, 2025, 7:15 a.m. | 32 minutes ago
Description : AzuraCast is a self-hosted, all-in-one web radio management suite. Versions 0.23.1 mistakenly include an API endpoint that is intended for internal use by the SFTP software sftpgo, exposing it to the public-facing HTTP API for AzuraCast installations. A user with specific internal knowledge of a station's operations can craft a custom HTTP request that would affect the contents of a station's database, without revealing any internal information about the station. In order to carry out an attack, a malicious user would need to know a valid SFTP station username and the coordinating internal filesystem structure. This issue is fixed in version 0.23.2.
Severity: 3.1 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-67737 - AzuraCast Vulnerable to Pre-Auth File Deletion & Admin RCE",
"Content": "CVE ID : CVE-2025-67737
Published : Dec. 12, 2025, 7:15 a.m. | 32 minutes ago
Description : AzuraCast is a self-hosted, all-in-one web radio management suite. Versions 0.23.1 mistakenly include an API endpoint that is intended for internal use by the SFTP software sftpgo, exposing it to the public-facing HTTP API for AzuraCast installations. A user with specific internal knowledge of a station's operations can craft a custom HTTP request that would affect the contents of a station's database, without revealing any internal information about the station. In order to carry out an attack, a malicious user would need to know a valid SFTP station username and the coordinating internal filesystem structure. This issue is fixed in version 0.23.2.
Severity: 3.1 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-13660 - Guest Support <= 1.2.3 - unauthenticated user email disclosure in guest_support_handler ajax endpoint",
"Content": "CVE ID : CVE-2025-13660
Published : Dec. 12, 2025, 7:15 a.m. | 32 minutes ago
Description : The Guest Support plugin for WordPress is vulnerable to User Email Disclosure in versions up to, and including, 1.2.3. This is due to the plugin exposing a public AJAX endpoint that allows anyone to search for and retrieve user email addresses without any authentication or capability checks. This makes it possible for unauthenticated attackers to enumerate user accounts and extract email addresses via the guest_support_handler=ajax endpoint with the request=get_users parameter.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-13660 - Guest Support <= 1.2.3 - unauthenticated user email disclosure in guest_support_handler ajax endpoint",
"Content": "CVE ID : CVE-2025-13660
Published : Dec. 12, 2025, 7:15 a.m. | 32 minutes ago
Description : The Guest Support plugin for WordPress is vulnerable to User Email Disclosure in versions up to, and including, 1.2.3. This is due to the plugin exposing a public AJAX endpoint that allows anyone to search for and retrieve user email addresses without any authentication or capability checks. This makes it possible for unauthenticated attackers to enumerate user accounts and extract email addresses via the guest_support_handler=ajax endpoint with the request=get_users parameter.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-14356 - Ultra Addons for Contact Form 7 <= 3.5.33 - missing authorization to authenticated (subscriber+) to generate form submission pdf",
"Content": "CVE ID : CVE-2025-14356
Published : Dec. 12, 2025, 7:15 a.m. | 32 minutes ago
Description : The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'uacf7_get_generated_pdf' function in all versions up to, and including, 3.5.33. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate and get form submission PDF, when the "PDF Generator" and the "Database" addons are enabled (disabled by default).
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-14356 - Ultra Addons for Contact Form 7 <= 3.5.33 - missing authorization to authenticated (subscriber+) to generate form submission pdf",
"Content": "CVE ID : CVE-2025-14356
Published : Dec. 12, 2025, 7:15 a.m. | 32 minutes ago
Description : The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'uacf7_get_generated_pdf' function in all versions up to, and including, 3.5.33. This makes it possible for authenticated attackers, with Subscriber-level access and above, to generate and get form submission PDF, when the "PDF Generator" and the "Database" addons are enabled (disabled by default).
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "12 Dec 2025",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
❤1