CVE-2025-3257 - Xujiangfei Admintwo Cross-Site Request Forgery Vulnerability
CVE ID : CVE-2025-3257
Published : April 4, 2025, 5:15 p.m. | 3 hours, 47 minutes ago
Description : A vulnerability classified as problematic has been found in xujiangfei admintwo 1.0. This affects an unknown part of the file /user/updateSet. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3257
Published : April 4, 2025, 5:15 p.m. | 3 hours, 47 minutes ago
Description : A vulnerability classified as problematic has been found in xujiangfei admintwo 1.0. This affects an unknown part of the file /user/updateSet. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3258 - PHPGurukul Old Age Home Management System SQL Injection Vulnerability
CVE ID : CVE-2025-3258
Published : April 4, 2025, 5:15 p.m. | 3 hours, 47 minutes ago
Description : A vulnerability classified as critical was found in PHPGurukul Old Age Home Management System 1.0. This vulnerability affects unknown code of the file /search.php. The manipulation of the argument searchdata leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3258
Published : April 4, 2025, 5:15 p.m. | 3 hours, 47 minutes ago
Description : A vulnerability classified as critical was found in PHPGurukul Old Age Home Management System 1.0. This vulnerability affects unknown code of the file /search.php. The manipulation of the argument searchdata leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-11235 - Apache PHP Use-After-Free Remote Code Execution Vulnerability
CVE ID : CVE-2024-11235
Published : April 4, 2025, 6:15 p.m. | 2 hours, 47 minutes ago
Description : In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-11235
Published : April 4, 2025, 6:15 p.m. | 2 hours, 47 minutes ago
Description : In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. If the third party can control the memory layout leading to this, for example by supplying specially crafted inputs to the script, it could lead to remote code execution.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-29476 - OSS-Fuzz c-blosc2 Buffer Overflow
CVE ID : CVE-2025-29476
Published : April 4, 2025, 6:15 p.m. | 2 hours, 47 minutes ago
Description : Buffer Overflow vulnerability in compress_chunk_fuzzer with oss-fuzz on commit 16450518afddcb3139de627157208e49bfef6987 in c-blosc2 v.2.17.0 and before.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-29476
Published : April 4, 2025, 6:15 p.m. | 2 hours, 47 minutes ago
Description : Buffer Overflow vulnerability in compress_chunk_fuzzer with oss-fuzz on commit 16450518afddcb3139de627157208e49bfef6987 in c-blosc2 v.2.17.0 and before.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-29477 - Fluent-Bit Denial of Service Vulnerability
CVE ID : CVE-2025-29477
Published : April 4, 2025, 6:15 p.m. | 2 hours, 47 minutes ago
Description : An issue in fluent-bit v.3.7.2 allows a local attacker to cause a denial of service via the function consume_event.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-29477
Published : April 4, 2025, 6:15 p.m. | 2 hours, 47 minutes ago
Description : An issue in fluent-bit v.3.7.2 allows a local attacker to cause a denial of service via the function consume_event.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3259 - Tenda RX3 Stack-Based Buffer Overflow Vulnerability
CVE ID : CVE-2025-3259
Published : April 4, 2025, 6:15 p.m. | 2 hours, 47 minutes ago
Description : A vulnerability, which was classified as critical, has been found in Tenda RX3 16.03.13.11. This issue affects the function formSetDeviceName of the file /goform/SetOnlineDevName. The manipulation of the argument devName leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3259
Published : April 4, 2025, 6:15 p.m. | 2 hours, 47 minutes ago
Description : A vulnerability, which was classified as critical, has been found in Tenda RX3 16.03.13.11. This issue affects the function formSetDeviceName of the file /goform/SetOnlineDevName. The manipulation of the argument devName leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3265 - PHPGurukul e-Diary Management System SQL Injection
CVE ID : CVE-2025-3265
Published : April 4, 2025, 8:15 p.m. | 48 minutes ago
Description : A vulnerability classified as critical was found in PHPGurukul e-Diary Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /add-category.php. The manipulation of the argument Category leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3265
Published : April 4, 2025, 8:15 p.m. | 48 minutes ago
Description : A vulnerability classified as critical was found in PHPGurukul e-Diary Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /add-category.php. The manipulation of the argument Category leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3266 - Qinguoyi TinyWebServer Stack-Based Buffer Overflow
CVE ID : CVE-2025-3266
Published : April 4, 2025, 8:15 p.m. | 48 minutes ago
Description : A vulnerability, which was classified as critical, has been found in qinguoyi TinyWebServer up to 1.0. Affected by this issue is some unknown functionality of the file /http/http_conn.cpp. The manipulation of the argument name/password leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3266
Published : April 4, 2025, 8:15 p.m. | 48 minutes ago
Description : A vulnerability, which was classified as critical, has been found in qinguoyi TinyWebServer up to 1.0. Affected by this issue is some unknown functionality of the file /http/http_conn.cpp. The manipulation of the argument name/password leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Severity: 7.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3267 - TinyWebServer SQL Injection Vulnerability
CVE ID : CVE-2025-3267
Published : April 4, 2025, 8:15 p.m. | 48 minutes ago
Description : A vulnerability, which was classified as critical, was found in qinguoyi TinyWebServer up to 1.0. This affects an unknown part of the file /http/http_conn.cpp. The manipulation of the argument name/password leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3267
Published : April 4, 2025, 8:15 p.m. | 48 minutes ago
Description : A vulnerability, which was classified as critical, was found in qinguoyi TinyWebServer up to 1.0. This affects an unknown part of the file /http/http_conn.cpp. The manipulation of the argument name/password leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Severity: 6.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3268 - TinyWebServer qinguoyi Remote Authentication Bypass
CVE ID : CVE-2025-3268
Published : April 4, 2025, 9:15 p.m. | 3 hours, 47 minutes ago
Description : A vulnerability has been found in qinguoyi TinyWebServer up to 1.0 and classified as critical. This vulnerability affects unknown code of the file http/http_conn.cpp. The manipulation of the argument m_url_real leads to improper authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3268
Published : April 4, 2025, 9:15 p.m. | 3 hours, 47 minutes ago
Description : A vulnerability has been found in qinguoyi TinyWebServer up to 1.0 and classified as critical. This vulnerability affects unknown code of the file http/http_conn.cpp. The manipulation of the argument m_url_real leads to improper authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-2889 - WordPress Link Library Stored Cross-Site Scripting Vulnerability
CVE ID : CVE-2025-2889
Published : April 5, 2025, 12:15 a.m. | 48 minutes ago
Description : The Link Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Link Additional Parameters in all versions up to, and including, 7.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-2889
Published : April 5, 2025, 12:15 a.m. | 48 minutes ago
Description : The Link Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Link Additional Parameters in all versions up to, and including, 7.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-1500 - IBM Maximo Application Suite File Upload Privilege Escalation Vulnerability
CVE ID : CVE-2025-1500
Published : April 5, 2025, 1:15 a.m. | 3 hours, 47 minutes ago
Description : IBM Maximo Application Suite 9.0 could allow an authenticated user to upload a file with dangerous types that could be executed by another user if opened.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-1500
Published : April 5, 2025, 1:15 a.m. | 3 hours, 47 minutes ago
Description : IBM Maximo Application Suite 9.0 could allow an authenticated user to upload a file with dangerous types that could be executed by another user if opened.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-13604 - KB Support WordPress Sensitive Information Exposure Vulnerability
CVE ID : CVE-2024-13604
Published : April 5, 2025, 2:15 a.m. | 2 hours, 48 minutes ago
Description : The KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.4 via the 'kbs' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/kbs directory which can contain file attachments included in support tickets. The vulnerability was partially patched in version 1.7.3.2.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-13604
Published : April 5, 2025, 2:15 a.m. | 2 hours, 48 minutes ago
Description : The KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.4 via the 'kbs' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/kbs directory which can contain file attachments included in support tickets. The vulnerability was partially patched in version 1.7.3.2.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-0810 - WordPress Read More & Accordion CSRF
CVE ID : CVE-2025-0810
Published : April 5, 2025, 2:15 a.m. | 2 hours, 48 minutes ago
Description : The Read More & Accordion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.5. This is due to missing or incorrect nonce validation on the addNewButtons() function. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-0810
Published : April 5, 2025, 2:15 a.m. | 2 hours, 48 minutes ago
Description : The Read More & Accordion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.5. This is due to missing or incorrect nonce validation on the addNewButtons() function. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-2544 - WordPress AI Content Pipelines Stored Cross-Site Scripting
CVE ID : CVE-2025-2544
Published : April 5, 2025, 2:15 a.m. | 2 hours, 48 minutes ago
Description : The AI Content Pipelines plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-2544
Published : April 5, 2025, 2:15 a.m. | 2 hours, 48 minutes ago
Description : The AI Content Pipelines plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-2933 - "WordPress Email Notifications for Updates Unauthenticated Privilege Escalation"
CVE ID : CVE-2025-2933
Published : April 5, 2025, 2:15 a.m. | 2 hours, 48 minutes ago
Description : The Email Notifications for Updates plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the awun_import_settings() function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-2933
Published : April 5, 2025, 2:15 a.m. | 2 hours, 48 minutes ago
Description : The Email Notifications for Updates plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the awun_import_settings() function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2021-47667 - ZendTo OS Command Injection Vulnerability
CVE ID : CVE-2021-47667
Published : April 5, 2025, 5:15 a.m. | 3 hours, 48 minutes ago
Description : An OS command injection vulnerability in lib/NSSDropoff.php in ZendTo 5.24-3 through 6.x before 6.10-7 allows unauthenticated remote attackers to execute arbitrary commands via shell metacharacters in the tmp_name parameter when dropping off a file via a POST /dropoff request.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2021-47667
Published : April 5, 2025, 5:15 a.m. | 3 hours, 48 minutes ago
Description : An OS command injection vulnerability in lib/NSSDropoff.php in ZendTo 5.24-3 through 6.x before 6.10-7 allows unauthenticated remote attackers to execute arbitrary commands via shell metacharacters in the tmp_name parameter when dropping off a file via a POST /dropoff request.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-32352 - ZendTo PHP Authentication Type Confusion Vulnerability
CVE ID : CVE-2025-32352
Published : April 5, 2025, 5:15 a.m. | 3 hours, 48 minutes ago
Description : A type confusion vulnerability in lib/NSSAuthenticator.php in ZendTo before v5.04-7 allows remote attackers to bypass authentication for users with passwords stored as MD5 hashes that can be interpreted as numbers. A solution requires moving from MD5 to bcrypt.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-32352
Published : April 5, 2025, 5:15 a.m. | 3 hours, 48 minutes ago
Description : A type confusion vulnerability in lib/NSSAuthenticator.php in ZendTo before v5.04-7 allows remote attackers to bypass authentication for users with passwords stored as MD5 hashes that can be interpreted as numbers. A solution requires moving from MD5 to bcrypt.
Severity: 4.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-13776 - "ZoomSounds WordPress Wave Audio Player with Playlist Unauthorized Data Modification Vulnerability"
CVE ID : CVE-2024-13776
Published : April 5, 2025, 6:15 a.m. | 2 hours, 48 minutes ago
Description : The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'dzsap_delete_notice' AJAX action in all versions up to, and including, 6.91. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 'seen' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration. There are several other functions also vulnerable to missing authorization.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-13776
Published : April 5, 2025, 6:15 a.m. | 2 hours, 48 minutes ago
Description : The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'dzsap_delete_notice' AJAX action in all versions up to, and including, 6.91. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 'seen' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration. There are several other functions also vulnerable to missing authorization.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-0839 - ZoomSounds Stored Cross-Site Scripting Vulnerability
CVE ID : CVE-2025-0839
Published : April 5, 2025, 6:15 a.m. | 2 hours, 48 minutes ago
Description : The ZoomSounds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 6.91 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-0839
Published : April 5, 2025, 6:15 a.m. | 2 hours, 48 minutes ago
Description : The ZoomSounds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 6.91 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-1233 - Lafka Plugin for WordPress Unauthorized Theme Option Update Vulnerability
CVE ID : CVE-2025-1233
Published : April 5, 2025, 6:15 a.m. | 2 hours, 48 minutes ago
Description : The Lafka Plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'lafka_options_upload' AJAX function in all versions up to, and including, 7.1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the theme option that overrides the site.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-1233
Published : April 5, 2025, 6:15 a.m. | 2 hours, 48 minutes ago
Description : The Lafka Plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'lafka_options_upload' AJAX function in all versions up to, and including, 7.1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the theme option that overrides the site.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...