{
"Source": "CVE FEED",
"Title": "CVE-2025-7441 - StoryChief WordPress Arbitrary File Upload Vulnerability",
"Content": "CVE ID : CVE-2025-7441
Published : Aug. 16, 2025, 4:16 a.m. | 37 minutes ago
Description : The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0.42. This vulnerability occurs through the /wp-json/storychief/webhook REST-API endpoint that does not have sufficient filetype validation. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-7441 - StoryChief WordPress Arbitrary File Upload Vulnerability",
"Content": "CVE ID : CVE-2025-7441
Published : Aug. 16, 2025, 4:16 a.m. | 37 minutes ago
Description : The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0.42. This vulnerability occurs through the /wp-json/storychief/webhook REST-API endpoint that does not have sufficient filetype validation. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-7440 - Anber Elementor Addon for WordPress Stored Cross-Site Scripting Vulnerability",
"Content": "CVE ID : CVE-2025-7440
Published : Aug. 16, 2025, 4:16 a.m. | 37 minutes ago
Description : The Anber Elementor Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the $item['button_link']['url'] parameter in all versions up to, and including, 1.0.1 to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-7440 - Anber Elementor Addon for WordPress Stored Cross-Site Scripting Vulnerability",
"Content": "CVE ID : CVE-2025-7440
Published : Aug. 16, 2025, 4:16 a.m. | 37 minutes ago
Description : The Anber Elementor Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the $item['button_link']['url'] parameter in all versions up to, and including, 1.0.1 to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-7439 - Anber Elementor Addon WordPress Stored Cross-Site Scripting",
"Content": "CVE ID : CVE-2025-7439
Published : Aug. 16, 2025, 4:16 a.m. | 37 minutes ago
Description : Anber Elementor Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the $anber_item['button_link']['url']โ parameter in all versions up to, and including, 1.0.1 to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-7439 - Anber Elementor Addon WordPress Stored Cross-Site Scripting",
"Content": "CVE ID : CVE-2025-7439
Published : Aug. 16, 2025, 4:16 a.m. | 37 minutes ago
Description : Anber Elementor Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the $anber_item['button_link']['url']โ parameter in all versions up to, and including, 1.0.1 to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-6221 - Bokun Embed WordPress Stored Cross-Site Scripting Vulnerability",
"Content": "CVE ID : CVE-2025-6221
Published : Aug. 16, 2025, 4:16 a.m. | 37 minutes ago
Description : The Embed Bokun plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the โalignโ parameter in all versions up to, and including, 0.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-6221 - Bokun Embed WordPress Stored Cross-Site Scripting Vulnerability",
"Content": "CVE ID : CVE-2025-6221
Published : Aug. 16, 2025, 4:16 a.m. | 37 minutes ago
Description : The Embed Bokun plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the โalignโ parameter in all versions up to, and including, 0.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-6079 - "WordPress School Management System File Upload Vulnerability"",
"Content": "CVE ID : CVE-2025-6079
Published : Aug. 16, 2025, 4:15 a.m. | 38 minutes ago
Description : The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the homework.php file in all versions up to, and including, 93.2.0. This makes it possible for authenticated attackers, with Student-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-6079 - "WordPress School Management System File Upload Vulnerability"",
"Content": "CVE ID : CVE-2025-6079
Published : Aug. 16, 2025, 4:15 a.m. | 38 minutes ago
Description : The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the homework.php file in all versions up to, and including, 93.2.0. This makes it possible for authenticated attackers, with Student-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-6080 - "Wordpress Gym Management System Unauthenticated Admin Account Creation Vulnerability"",
"Content": "CVE ID : CVE-2025-6080
Published : Aug. 16, 2025, 4:15 a.m. | 38 minutes ago
Description : The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to unauthorized admin account creation in all versions up to, and including, 67.7.0. This is due to the plugin not properly validating a user's capabilities prior to adding users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new users, including admins.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-6080 - "Wordpress Gym Management System Unauthenticated Admin Account Creation Vulnerability"",
"Content": "CVE ID : CVE-2025-6080
Published : Aug. 16, 2025, 4:15 a.m. | 38 minutes ago
Description : The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to unauthorized admin account creation in all versions up to, and including, 67.7.0. This is due to the plugin not properly validating a user's capabilities prior to adding users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new users, including admins.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-3671 - "Wordpress Gym Management System - Local File Inclusion Vulnerability"",
"Content": "CVE ID : CVE-2025-3671
Published : Aug. 16, 2025, 4:15 a.m. | 38 minutes ago
Description : The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 67.7.0 via the 'page' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other โsafeโ file types can be uploaded and included. The Local File Inclusion exploit can be chained to include various dashboard view files in the plugin. One in particular reported by the researcher can be leveraged to update the password of Super Administrator accounts in Multisite environments making privilege escalation possible.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-3671 - "Wordpress Gym Management System - Local File Inclusion Vulnerability"",
"Content": "CVE ID : CVE-2025-3671
Published : Aug. 16, 2025, 4:15 a.m. | 38 minutes ago
Description : The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 67.7.0 via the 'page' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other โsafeโ file types can be uploaded and included. The Local File Inclusion exploit can be chained to include various dashboard view files in the plugin. One in particular reported by the researcher can be leveraged to update the password of Super Administrator accounts in Multisite environments making privilege escalation possible.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2024-8393 - Woolook Woocommerce Blocks WordPress Local File Inclusion Vulnerability",
"Content": "CVE ID : CVE-2024-8393
Published : Aug. 16, 2025, 4:15 a.m. | 38 minutes ago
Description : The Woocommerce Blocks โ Woolook plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.7.0 via the via the 'tab' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other โsafeโ file types can be uploaded and included. Please note that this can also be exploited via CSRF techniques.
Severity: 6.6 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2024-8393 - Woolook Woocommerce Blocks WordPress Local File Inclusion Vulnerability",
"Content": "CVE ID : CVE-2024-8393
Published : Aug. 16, 2025, 4:15 a.m. | 38 minutes ago
Description : The Woocommerce Blocks โ Woolook plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.7.0 via the via the 'tab' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other โsafeโ file types can be uploaded and included. Please note that this can also be exploited via CSRF techniques.
Severity: 6.6 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2024-12612 - "Wordpress School Management System SQL Injection"",
"Content": "CVE ID : CVE-2024-12612
Published : Aug. 16, 2025, 4:15 a.m. | 38 minutes ago
Description : The School Management System for Wordpress plugin for WordPress is vulnerable to SQL Injection via several parameters across multiple AJAX action in all versions up to, and including, 93.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2024-12612 - "Wordpress School Management System SQL Injection"",
"Content": "CVE ID : CVE-2024-12612
Published : Aug. 16, 2025, 4:15 a.m. | 38 minutes ago
Description : The School Management System for Wordpress plugin for WordPress is vulnerable to SQL Injection via several parameters across multiple AJAX action in all versions up to, and including, 93.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2024-12575 - WordPress Poll Maker Basic Information Exposure",
"Content": "CVE ID : CVE-2024-12575
Published : Aug. 16, 2025, 3:15 a.m. | 1 hour, 38 minutes ago
Description : The Poll Maker โ Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Basic Information Exposure in all versions up to, and including, 5.8.9 via the 'ays_finish_poll' AJAX action. This makes it possible for unauthenticated attackers to retrieve admin email information which is exposed in the poll response.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2024-12575 - WordPress Poll Maker Basic Information Exposure",
"Content": "CVE ID : CVE-2024-12575
Published : Aug. 16, 2025, 3:15 a.m. | 1 hour, 38 minutes ago
Description : The Poll Maker โ Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Basic Information Exposure in all versions up to, and including, 5.8.9 via the 'ays_finish_poll' AJAX action. This makes it possible for unauthenticated attackers to retrieve admin email information which is exposed in the poll response.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-49895 - PluginBuddy.Com ServerBuddy CSRF Object Injection Vulnerability",
"Content": "CVE ID : CVE-2025-49895
Published : Aug. 16, 2025, 3:15 a.m. | 1 hour, 38 minutes ago
Description : Cross-Site Request Forgery (CSRF) vulnerability in iThemes ServerBuddy by PluginBuddy.Com allows Object Injection.This issue affects ServerBuddy by PluginBuddy.Com: from n/a through 1.0.5.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-49895 - PluginBuddy.Com ServerBuddy CSRF Object Injection Vulnerability",
"Content": "CVE ID : CVE-2025-49895
Published : Aug. 16, 2025, 3:15 a.m. | 1 hour, 38 minutes ago
Description : Cross-Site Request Forgery (CSRF) vulnerability in iThemes ServerBuddy by PluginBuddy.Com allows Object Injection.This issue affects ServerBuddy by PluginBuddy.Com: from n/a through 1.0.5.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-8113 - Ebook Store WordPress Cross-Site Scripting (XSS)",
"Content": "CVE ID : CVE-2025-8113
Published : Aug. 16, 2025, 6:15 a.m. | 40 minutes ago
Description : The Ebook Store WordPress plugin before 5.8015 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-8113 - Ebook Store WordPress Cross-Site Scripting (XSS)",
"Content": "CVE ID : CVE-2025-8113
Published : Aug. 16, 2025, 6:15 a.m. | 40 minutes ago
Description : The Ebook Store WordPress plugin before 5.8015 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-38501 - KSMBD Connection Flood Denial of Service Vulnerability",
"Content": "CVE ID : CVE-2025-38501
Published : Aug. 16, 2025, 6:15 a.m. | 40 minutes ago
Description : In the Linux kernel, the following vulnerability has been resolved:
ksmbd: limit repeated connections from clients with the same IP
Repeated connections from clients with the same IP address may exhaust
the max connections and prevent other normal client connections.
This patch limit repeated connections from clients with the same IP.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-38501 - KSMBD Connection Flood Denial of Service Vulnerability",
"Content": "CVE ID : CVE-2025-38501
Published : Aug. 16, 2025, 6:15 a.m. | 40 minutes ago
Description : In the Linux kernel, the following vulnerability has been resolved:
ksmbd: limit repeated connections from clients with the same IP
Repeated connections from clients with the same IP address may exhaust
the max connections and prevent other normal client connections.
This patch limit repeated connections from clients with the same IP.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-8464 - WordPress Contact Form 7 Drag and Drop Multiple File Upload Directory Traversal Vulnerability",
"Content": "CVE ID : CVE-2025-8464
Published : Aug. 16, 2025, 8:15 a.m. | 42 minutes ago
Description : The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.3.9.0 via the wpcf7_guest_user_id cookie. This makes it possible for unauthenticated attackers to upload and delete files outside of the originally intended directory. The impact of this vulnerability is limited, as file types are validated and only safe ones can be uploaded, while deletion is limited to the plugin's uploads folder.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-8464 - WordPress Contact Form 7 Drag and Drop Multiple File Upload Directory Traversal Vulnerability",
"Content": "CVE ID : CVE-2025-8464
Published : Aug. 16, 2025, 8:15 a.m. | 42 minutes ago
Description : The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.3.9.0 via the wpcf7_guest_user_id cookie. This makes it possible for unauthenticated attackers to upload and delete files outside of the originally intended directory. The impact of this vulnerability is limited, as file types are validated and only safe ones can be uploaded, while deletion is limited to the plugin's uploads folder.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-7499 - BetterDocs โ Unauthorized Data Access Vulnerability",
"Content": "CVE ID : CVE-2025-7499
Published : Aug. 16, 2025, 8:15 a.m. | 42 minutes ago
Description : The BetterDocs โ Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_response function in all versions up to and including 4.1.1. This makes it possible for unauthenticated attackers to retrieve passwords for password-protected documents as well as the metadata of private and draft documents.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-7499 - BetterDocs โ Unauthorized Data Access Vulnerability",
"Content": "CVE ID : CVE-2025-7499
Published : Aug. 16, 2025, 8:15 a.m. | 42 minutes ago
Description : The BetterDocs โ Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_response function in all versions up to and including 4.1.1. This makes it possible for unauthenticated attackers to retrieve passwords for password-protected documents as well as the metadata of private and draft documents.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-8898 - WordPress E-cab Plugin Privilege Escalation Vulnerability",
"Content": "CVE ID : CVE-2025-8898
Published : Aug. 16, 2025, 7:15 a.m. | 1 hour, 42 minutes ago
Description : The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.0. This is due to the plugin not properly validating a user's capabilities prior to updating a plugin setting or their identity prior to updating their details like email address. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-8898 - WordPress E-cab Plugin Privilege Escalation Vulnerability",
"Content": "CVE ID : CVE-2025-8898
Published : Aug. 16, 2025, 7:15 a.m. | 1 hour, 42 minutes ago
Description : The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.0. This is due to the plugin not properly validating a user's capabilities prior to updating a plugin setting or their identity prior to updating their details like email address. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-8089 - WordPress Advanced iFrame Stored Cross-Site Scripting Vulnerability",
"Content": "CVE ID : CVE-2025-8089
Published : Aug. 16, 2025, 7:15 a.m. | 1 hour, 42 minutes ago
Description : The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'additional' parameter in version less than, or equal to, 2025.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-8089 - WordPress Advanced iFrame Stored Cross-Site Scripting Vulnerability",
"Content": "CVE ID : CVE-2025-8089
Published : Aug. 16, 2025, 7:15 a.m. | 1 hour, 42 minutes ago
Description : The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'additional' parameter in version less than, or equal to, 2025.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-8896 - WordPress User Profile Builder Stored Cross-Site Scripting Vulnerability",
"Content": "CVE ID : CVE-2025-8896
Published : Aug. 16, 2025, 7:15 a.m. | 1 hour, 42 minutes ago
Description : The User Profile Builder โ Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gdpr_communication_preferences[]' parameter in all versions up to, and including, 3.14.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when the GDPR Communication Preferences module is enabled and at least one GDPR Communication Preferences field has been added to the edit profile form.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-8896 - WordPress User Profile Builder Stored Cross-Site Scripting Vulnerability",
"Content": "CVE ID : CVE-2025-8896
Published : Aug. 16, 2025, 7:15 a.m. | 1 hour, 42 minutes ago
Description : The User Profile Builder โ Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gdpr_communication_preferences[]' parameter in all versions up to, and including, 3.14.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when the GDPR Communication Preferences module is enabled and at least one GDPR Communication Preferences field has been added to the edit profile form.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-38502 - Linux Kernel BPF Cgroup Local Storage Out-of-Bounds Access",
"Content": "CVE ID : CVE-2025-38502
Published : Aug. 16, 2025, 10:15 a.m. | 46 minutes ago
Description : In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix oob access in cgroup local storage
Lonial reported that an out-of-bounds access in cgroup local storage
can be crafted via tail calls. Given two programs each utilizing a
cgroup local storage with a different value size, and one program
doing a tail call into the other. The verifier will validate each of
the indivial programs just fine. However, in the runtime context
the bpf_cg_run_ctx holds an bpf_prog_array_item which contains the
BPF program as well as any cgroup local storage flavor the program
uses. Helpers such as bpf_get_local_storage() pick this up from the
runtime context:
ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);
storage = ctx->prog_item->cgroup_storage[stype];
if (stype == BPF_CGROUP_STORAGE_SHARED)
ptr = &READ_ONCE(storage->buf)->data[0];
else
ptr = this_cpu_ptr(storage->percpu_buf);
For the second program which was called from the originally attached
one, this means bpf_get_local_storage() will pick up the former
program's map, not its own. With mismatching sizes, this can result
in an unintended out-of-bounds access.
To fix this issue, we need to extend bpf_map_owner with an array of
storage_cookie[] to match on i) the exact maps from the original
program if the second program was using bpf_get_local_storage(), or
ii) allow the tail call combination if the second program was not
using any of the cgroup local storage maps.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-38502 - Linux Kernel BPF Cgroup Local Storage Out-of-Bounds Access",
"Content": "CVE ID : CVE-2025-38502
Published : Aug. 16, 2025, 10:15 a.m. | 46 minutes ago
Description : In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix oob access in cgroup local storage
Lonial reported that an out-of-bounds access in cgroup local storage
can be crafted via tail calls. Given two programs each utilizing a
cgroup local storage with a different value size, and one program
doing a tail call into the other. The verifier will validate each of
the indivial programs just fine. However, in the runtime context
the bpf_cg_run_ctx holds an bpf_prog_array_item which contains the
BPF program as well as any cgroup local storage flavor the program
uses. Helpers such as bpf_get_local_storage() pick this up from the
runtime context:
ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx);
storage = ctx->prog_item->cgroup_storage[stype];
if (stype == BPF_CGROUP_STORAGE_SHARED)
ptr = &READ_ONCE(storage->buf)->data[0];
else
ptr = this_cpu_ptr(storage->percpu_buf);
For the second program which was called from the originally attached
one, this means bpf_get_local_storage() will pick up the former
program's map, not its own. With mismatching sizes, this can result
in an unintended out-of-bounds access.
To fix this issue, we need to extend bpf_map_owner with an array of
storage_cookie[] to match on i) the exact maps from the original
program if the second program was using bpf_get_local_storage(), or
ii) allow the tail call combination if the second program was not
using any of the cgroup local storage maps.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-8719 - WordPress gTranslate Stored Cross-Site Scripting Vulnerability",
"Content": "CVE ID : CVE-2025-8719
Published : Aug. 16, 2025, 9:15 a.m. | 1 hour, 46 minutes ago
Description : The Translate This gTranslate Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the โbase_langโ parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-8719 - WordPress gTranslate Stored Cross-Site Scripting Vulnerability",
"Content": "CVE ID : CVE-2025-8719
Published : Aug. 16, 2025, 9:15 a.m. | 1 hour, 46 minutes ago
Description : The Translate This gTranslate Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the โbase_langโ parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
{
"Source": "CVE FEED",
"Title": "CVE-2025-8878 - ProfilePress WordPress Arbitrary Shortcode Execution Vulnerability",
"Content": "CVE ID : CVE-2025-8878
Published : Aug. 16, 2025, 12:15 p.m. | 46 minutes ago
Description : The The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content โ ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น
"Source": "CVE FEED",
"Title": "CVE-2025-8878 - ProfilePress WordPress Arbitrary Shortcode Execution Vulnerability",
"Content": "CVE ID : CVE-2025-8878
Published : Aug. 16, 2025, 12:15 p.m. | 46 minutes ago
Description : The The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content โ ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "16 Aug 2025",
"Type": "Vulnerability"
}
๐น t.me/cvedetector ๐น