CVE-2025-2230 - Windows AuthContext Token Replay Attack and Authentication Bypass Vulnerability
CVE ID : CVE-2025-2230
Published : March 13, 2025, 7:15 p.m. | 3 hours, 36 minutes ago
Description : A flaw exists in the Windows login flow where an AuthContext token can be exploited for replay attacks and authentication bypass.
Severity: 7.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-2230
Published : March 13, 2025, 7:15 p.m. | 3 hours, 36 minutes ago
Description : A flaw exists in the Windows login flow where an AuthContext token can be exploited for replay attacks and authentication bypass.
Severity: 7.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-55060 - Rafed CMS XSS
CVE ID : CVE-2024-55060
Published : March 13, 2025, 9:15 p.m. | 1 hour, 36 minutes ago
Description : A cross-site scripting (XSS) vulnerability in the component index.php of Rafed CMS Website v1.44 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-55060
Published : March 13, 2025, 9:15 p.m. | 1 hour, 36 minutes ago
Description : A cross-site scripting (XSS) vulnerability in the component index.php of Rafed CMS Website v1.44 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-1266 - CVE-2022-29420: Apache Struts Remote Code Execution Vulnerability
CVE ID : CVE-2025-1266
Published : March 13, 2025, 10:15 p.m. | 36 minutes ago
Description : Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-1266
Published : March 13, 2025, 10:15 p.m. | 36 minutes ago
Description : Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-55549 - Libxslt XSLT Use-After-Free Vulnerability
CVE ID : CVE-2024-55549
Published : March 14, 2025, 2:15 a.m. | 36 minutes ago
Description : xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-55549
Published : March 14, 2025, 2:15 a.m. | 36 minutes ago
Description : xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-24855 - XSLT/Use-After-Free
CVE ID : CVE-2025-24855
Published : March 14, 2025, 2:15 a.m. | 36 minutes ago
Description : numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-24855
Published : March 14, 2025, 2:15 a.m. | 36 minutes ago
Description : numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-26163 - CM Soluces Informatica Ltda Auto Atendimento SQL Injection Vulnerability
CVE ID : CVE-2025-26163
Published : March 14, 2025, 3:15 a.m. | 3 hours, 36 minutes ago
Description : CM Soluces Informatica Ltda Auto Atendimento 1.x.x was discovered to contain a SQL injection via the CPF parameter.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-26163
Published : March 14, 2025, 3:15 a.m. | 3 hours, 36 minutes ago
Description : CM Soluces Informatica Ltda Auto Atendimento 1.x.x was discovered to contain a SQL injection via the CPF parameter.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-30022 - CM Soluces Informatica Ltda Auto Atendimento SQL Injection Vulnerability
CVE ID : CVE-2025-30022
Published : March 14, 2025, 3:15 a.m. | 3 hours, 36 minutes ago
Description : CM Soluces Informatica Ltda Auto Atendimento 1.x.x was discovered to contain a SQL injection via the DATANASC parameter.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-30022
Published : March 14, 2025, 3:15 a.m. | 3 hours, 36 minutes ago
Description : CM Soluces Informatica Ltda Auto Atendimento 1.x.x was discovered to contain a SQL injection via the DATANASC parameter.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-11283 - WordPress JobHunt Plugin Authentication Bypass Vulnerability
CVE ID : CVE-2024-11283
Published : March 14, 2025, 5:15 a.m. | 1 hour, 36 minutes ago
Description : The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to wp_ajax_google_api_login_callback function not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to access arbitrary candidate accounts.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-11283
Published : March 14, 2025, 5:15 a.m. | 1 hour, 36 minutes ago
Description : The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to wp_ajax_google_api_login_callback function not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to access arbitrary candidate accounts.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-11284 - WordPress JobHunt Privilege Escalation Vulnerability
CVE ID : CVE-2024-11284
Published : March 14, 2025, 5:15 a.m. | 1 hour, 36 minutes ago
Description : The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.9. This is due to the plugin not properly validating a user's identity prior to updating their password through the account_settings_save_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-11284
Published : March 14, 2025, 5:15 a.m. | 1 hour, 36 minutes ago
Description : The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.9. This is due to the plugin not properly validating a user's identity prior to updating their password through the account_settings_save_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-11285 - "WordPress JobHunt Plugin Privilege Escalation Vulnerability"
CVE ID : CVE-2024-11285
Published : March 14, 2025, 5:15 a.m. | 1 hour, 36 minutes ago
Description : The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 7.1. This is due to the plugin not properly validating a user's identity prior to updating their details like email via the account_settings_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-11285
Published : March 14, 2025, 5:15 a.m. | 1 hour, 36 minutes ago
Description : The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 7.1. This is due to the plugin not properly validating a user's identity prior to updating their details like email via the account_settings_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-11286 - WordPress JobHunt Plugin Authentication Bypass Vulnerability
CVE ID : CVE-2024-11286
Published : March 14, 2025, 5:15 a.m. | 1 hour, 36 minutes ago
Description : The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the cs_parse_request() function. This makes it possible for unauthenticated attackers to to log in to any user's account, including administrators.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-11286
Published : March 14, 2025, 5:15 a.m. | 1 hour, 36 minutes ago
Description : The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the cs_parse_request() function. This makes it possible for unauthenticated attackers to to log in to any user's account, including administrators.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-0955 - WordPress VidoRev Extensions Unauthorized Video Import Vulnerability
CVE ID : CVE-2025-0955
Published : March 14, 2025, 5:15 a.m. | 1 hour, 36 minutes ago
Description : The VidoRev Extensions plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'vidorev_import_single_video' AJAX action in all versions up to, and including, 2.9.9.9.9.9.5. This makes it possible for unauthenticated attackers to import arbitrary youtube videos.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-0955
Published : March 14, 2025, 5:15 a.m. | 1 hour, 36 minutes ago
Description : The VidoRev Extensions plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'vidorev_import_single_video' AJAX action in all versions up to, and including, 2.9.9.9.9.9.5. This makes it possible for unauthenticated attackers to import arbitrary youtube videos.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-1285 - Resido - Real Estate WordPress Theme Unauthenticated API Key Manipulation
CVE ID : CVE-2025-1285
Published : March 14, 2025, 5:15 a.m. | 1 hour, 36 minutes ago
Description : The Resido - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_api_key and save_api_key AJAX actions in all versions up to, and including, 3.6. This makes it possible for unauthenticated attackers to issue requests to internal services and update API key details.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-1285
Published : March 14, 2025, 5:15 a.m. | 1 hour, 36 minutes ago
Description : The Resido - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_api_key and save_api_key AJAX actions in all versions up to, and including, 3.6. This makes it possible for unauthenticated attackers to issue requests to internal services and update API key details.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-1528 - WordPress Search & Filter Pro Unauthenticated Data Access Vulnerability
CVE ID : CVE-2025-1528
Published : March 14, 2025, 5:15 a.m. | 1 hour, 36 minutes ago
Description : The Search & Filter Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_meta_values' function in all versions up to, and including, 2.5.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the values of arbitrary post meta.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-1528
Published : March 14, 2025, 5:15 a.m. | 1 hour, 36 minutes ago
Description : The Search & Filter Pro plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_meta_values' function in all versions up to, and including, 2.5.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the values of arbitrary post meta.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-2056 - Hide My WP Ghost WordPress Path Traversal Vulnerability
CVE ID : CVE-2025-2056
Published : March 14, 2025, 5:15 a.m. | 1 hour, 36 minutes ago
Description : The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 5.4.01 via the showFile function. This makes it possible for unauthenticated attackers to read the contents of specific file types on the server, which can contain sensitive information.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-2056
Published : March 14, 2025, 5:15 a.m. | 1 hour, 36 minutes ago
Description : The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 5.4.01 via the showFile function. This makes it possible for unauthenticated attackers to read the contents of specific file types on the server, which can contain sensitive information.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-2166 - WordPress CM FAQ Plugin Reflected Cross-Site Scripting
CVE ID : CVE-2025-2166
Published : March 14, 2025, 5:15 a.m. | 1 hour, 36 minutes ago
Description : The CM FAQ – Simplify support with an intuitive FAQ management tool plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-2166
Published : March 14, 2025, 5:15 a.m. | 1 hour, 36 minutes ago
Description : The CM FAQ – Simplify support with an intuitive FAQ management tool plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-13376 - WordPress Industrial Theme Privilege Escalation Vulnerability
CVE ID : CVE-2024-13376
Published : March 14, 2025, 6:15 a.m. | 36 minutes ago
Description : The Industrial theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the _ajax_get_total_content_import_items() function in all versions up to, and including, 1.7.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-13376
Published : March 14, 2025, 6:15 a.m. | 36 minutes ago
Description : The Industrial theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the _ajax_get_total_content_import_items() function in all versions up to, and including, 1.7.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-13913 - InstaWP Connect Cross-Site Request Forgery (CSRF) Vulnerability
CVE ID : CVE-2024-13913
Published : March 14, 2025, 6:15 a.m. | 36 minutes ago
Description : The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.0.83. This is due to missing or incorrect nonce validation in the '/migrate/templates/main.php' file. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-13913
Published : March 14, 2025, 6:15 a.m. | 36 minutes ago
Description : The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.0.83. This is due to missing or incorrect nonce validation in the '/migrate/templates/main.php' file. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-0952 - Eco Nature - Environment & Ecology WordPress Theme Unauthenticated Denial of Service
CVE ID : CVE-2025-0952
Published : March 14, 2025, 6:15 a.m. | 36 minutes ago
Description : The Eco Nature - Environment & Ecology WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'cmsmasters_hide_admin_notice' AJAX action in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 'hide' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-0952
Published : March 14, 2025, 6:15 a.m. | 36 minutes ago
Description : The Eco Nature - Environment & Ecology WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'cmsmasters_hide_admin_notice' AJAX action in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 'hide' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-1764 - LoginPress | wp-login Custom Login Page Customizer CSRF
CVE ID : CVE-2025-1764
Published : March 14, 2025, 6:15 a.m. | 36 minutes ago
Description : The LoginPress | wp-login Custom Login Page Customizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.1. This is due to missing or incorrect nonce validation on the 'custom_plugin_set_option' function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. The 'WPBRIGADE_SDK__DEV_MODE' constant must be set to 'true' to exploit the vulnerability.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-1764
Published : March 14, 2025, 6:15 a.m. | 36 minutes ago
Description : The LoginPress | wp-login Custom Login Page Customizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.1. This is due to missing or incorrect nonce validation on the 'custom_plugin_set_option' function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. The 'WPBRIGADE_SDK__DEV_MODE' constant must be set to 'true' to exploit the vulnerability.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-2103 - WordPress SoundRise Music Plugin Privilege Escalation Vulnerability
CVE ID : CVE-2025-2103
Published : March 14, 2025, 6:15 a.m. | 36 minutes ago
Description : The SoundRise Music plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on theironMusic_ajax() function in all versions up to, and including, 1.6.11. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-2103
Published : March 14, 2025, 6:15 a.m. | 36 minutes ago
Description : The SoundRise Music plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on theironMusic_ajax() function in all versions up to, and including, 1.6.11. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...