CVE-2025-68651 - Apache HTTP Server Cross-Site Request Forgery
CVE ID : CVE-2025-68651
Published : Dec. 23, 2025, 4:15 a.m. | 2 hours, 43 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68651
Published : Dec. 23, 2025, 4:15 a.m. | 2 hours, 43 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68652 - VMware SSH Command Injection
CVE ID : CVE-2025-68652
Published : Dec. 23, 2025, 4:15 a.m. | 2 hours, 43 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68652
Published : Dec. 23, 2025, 4:15 a.m. | 2 hours, 43 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68653 - Cisco Router Unvalidated User Input
CVE ID : CVE-2025-68653
Published : Dec. 23, 2025, 4:15 a.m. | 2 hours, 43 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68653
Published : Dec. 23, 2025, 4:15 a.m. | 2 hours, 43 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68654 - Apache HTTP Server Cross-Site Scripting
CVE ID : CVE-2025-68654
Published : Dec. 23, 2025, 4:15 a.m. | 2 hours, 43 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68654
Published : Dec. 23, 2025, 4:15 a.m. | 2 hours, 43 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68655 - Apache Apache Struts Remote Code Execution
CVE ID : CVE-2025-68655
Published : Dec. 23, 2025, 4:15 a.m. | 2 hours, 43 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68655
Published : Dec. 23, 2025, 4:15 a.m. | 2 hours, 43 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-12934 - Beaver Builder – WordPress Page Builder <= 2.9.4.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Update
CVE ID : CVE-2025-12934
Published : Dec. 23, 2025, 10:15 a.m. | 43 minutes ago
Description : The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'duplicate_wpml_layout' function in all versions up to, and including, 2.9.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary posts with the content of other existing posts, potentially exposing private and password-protected content and deleting any content that is not saved in revisions or backups. Posts must have been created with Beaver Builder to be copied or updated.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-12934
Published : Dec. 23, 2025, 10:15 a.m. | 43 minutes ago
Description : The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'duplicate_wpml_layout' function in all versions up to, and including, 2.9.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary posts with the content of other existing posts, potentially exposing private and password-protected content and deleting any content that is not saved in revisions or backups. Posts must have been created with Beaver Builder to be copied or updated.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-14155 - Premium Addons for Elementor <= 4.11.53 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'get_template_content'
CVE ID : CVE-2025-14155
Published : Dec. 23, 2025, 10:15 a.m. | 43 minutes ago
Description : The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_template_content' function in all versions up to, and including, 4.11.53. This makes it possible for unauthenticated attackers to view the content of private, draft, and pending templates.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14155
Published : Dec. 23, 2025, 10:15 a.m. | 43 minutes ago
Description : The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_template_content' function in all versions up to, and including, 4.11.53. This makes it possible for unauthenticated attackers to view the content of private, draft, and pending templates.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-14163 - Premium Addons for Elementor <= 4.11.53 - Cross-Site Request Forgery via 'insert_inner_template'
CVE ID : CVE-2025-14163
Published : Dec. 23, 2025, 10:15 a.m. | 43 minutes ago
Description : The Premium Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.11.53. This is due to missing nonce validation in the 'insert_inner_template' function. This makes it possible for unauthenticated attackers to create arbitrary Elementor templates via a forged request granted they can trick a site administrator or other user with the edit_posts capability into performing an action such as clicking on a link.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14163
Published : Dec. 23, 2025, 10:15 a.m. | 43 minutes ago
Description : The Premium Addons for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.11.53. This is due to missing nonce validation in the 'insert_inner_template' function. This makes it possible for unauthenticated attackers to create arbitrary Elementor templates via a forged request granted they can trick a site administrator or other user with the edit_posts capability into performing an action such as clicking on a link.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-14388 - PhastPress <= 3.7 - Unauthenticated Arbitrary File Read via Null Byte Injection
CVE ID : CVE-2025-14388
Published : Dec. 23, 2025, 10:15 a.m. | 43 minutes ago
Description : The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded paths, and `appendNormalized()` which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14388
Published : Dec. 23, 2025, 10:15 a.m. | 43 minutes ago
Description : The PhastPress plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read via null byte injection in all versions up to, and including, 3.7. This is due to a discrepancy between the extension validation in `getExtensionForURL()` which operates on URL-decoded paths, and `appendNormalized()` which strips everything after a null byte before constructing the filesystem path. This makes it possible for unauthenticated attackers to read arbitrary files from the webroot, including wp-config.php, by appending a double URL-encoded null byte (%2500) followed by an allowed extension (.txt) to the file path.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-14548 - Calendar <= 1.3.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'event_desc'
CVE ID : CVE-2025-14548
Published : Dec. 23, 2025, 10:15 a.m. | 43 minutes ago
Description : The Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'event_desc' parameter in all versions up to, and including, 1.3.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted they can convince an administrator to enable lower privilege users to manage calendar events via the plugin settings.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14548
Published : Dec. 23, 2025, 10:15 a.m. | 43 minutes ago
Description : The Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'event_desc' parameter in all versions up to, and including, 1.3.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted they can convince an administrator to enable lower privilege users to manage calendar events via the plugin settings.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-24844 - WordPress PowerPack Pro for Elementor plugin <= 2.10.6 - Unauthenticated Plugin Settings Reset vulnerability
CVE ID : CVE-2024-24844
Published : Dec. 23, 2025, 12:15 p.m. | 2 hours, 43 minutes ago
Description : Missing Authorization vulnerability in IdeaBox Creations PowerPack Pro for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PowerPack Pro for Elementor: from n/a through 2.10.6.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-24844
Published : Dec. 23, 2025, 12:15 p.m. | 2 hours, 43 minutes ago
Description : Missing Authorization vulnerability in IdeaBox Creations PowerPack Pro for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PowerPack Pro for Elementor: from n/a through 2.10.6.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-14000 - Membership Plugin – Restrict Content <= 3.2.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes
CVE ID : CVE-2025-14000
Published : Dec. 23, 2025, 12:15 p.m. | 2 hours, 43 minutes ago
Description : The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'register_form' and 'restrict' shortcodes in all versions up to, and including, 3.2.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14000
Published : Dec. 23, 2025, 12:15 p.m. | 2 hours, 43 minutes ago
Description : The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'register_form' and 'restrict' shortcodes in all versions up to, and including, 3.2.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-14635 - Happy Addons for Elementor <= 3.20.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS
CVE ID : CVE-2025-14635
Published : Dec. 23, 2025, 12:15 p.m. | 2 hours, 43 minutes ago
Description : The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ha_page_custom_js' parameter in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, despite the intended role restriction of Custom JS to Administrators.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14635
Published : Dec. 23, 2025, 12:15 p.m. | 2 hours, 43 minutes ago
Description : The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ha_page_custom_js' parameter in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, despite the intended role restriction of Custom JS to Administrators.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59886 - Eaton xComfort ECI Privilege Escalation Vulnerability
CVE ID : CVE-2025-59886
Published : Dec. 23, 2025, 12:15 p.m. | 2 hours, 43 minutes ago
Description : Improper input validation at one of the endpoints of Eaton xComfort ECI's web interface, could lead into an attacker with network access to the device executing privileged user commands. As cybersecurity standards continue to evolve and to meet our requirements today, Eaton has decided to discontinue the product. Upon retirement or end of support, there will be no new security updates, non-security updates, or paid assisted support options, or online technical content updates.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59886
Published : Dec. 23, 2025, 12:15 p.m. | 2 hours, 43 minutes ago
Description : Improper input validation at one of the endpoints of Eaton xComfort ECI's web interface, could lead into an attacker with network access to the device executing privileged user commands. As cybersecurity standards continue to evolve and to meet our requirements today, Eaton has decided to discontinue the product. Upon retirement or end of support, there will be no new security updates, non-security updates, or paid assisted support options, or online technical content updates.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68544 - WordPress Diza theme <= 1.3.15 - Local File Inclusion vulnerability
CVE ID : CVE-2025-68544
Published : Dec. 23, 2025, 12:15 p.m. | 2 hours, 43 minutes ago
Description : Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Thembay Diza allows PHP Local File Inclusion.This issue affects Diza: from n/a through 1.3.15.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68544
Published : Dec. 23, 2025, 12:15 p.m. | 2 hours, 43 minutes ago
Description : Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Thembay Diza allows PHP Local File Inclusion.This issue affects Diza: from n/a through 1.3.15.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68546 - WordPress Nika theme <= 1.2.14 - Local File Inclusion vulnerability
CVE ID : CVE-2025-68546
Published : Dec. 23, 2025, 12:15 p.m. | 2 hours, 43 minutes ago
Description : Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Thembay Nika allows PHP Local File Inclusion.This issue affects Nika: from n/a through 1.2.14.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68546
Published : Dec. 23, 2025, 12:15 p.m. | 2 hours, 43 minutes ago
Description : Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Thembay Nika allows PHP Local File Inclusion.This issue affects Nika: from n/a through 1.2.14.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68548 - WordPress Responsive Posts Carousel Pro plugin <= 15.2 - Cross Site Scripting (XSS) vulnerability
CVE ID : CVE-2025-68548
Published : Dec. 23, 2025, 12:15 p.m. | 2 hours, 43 minutes ago
Description : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebCodingPlace Responsive Posts Carousel Pro allows Stored XSS.This issue affects Responsive Posts Carousel Pro: from n/a through 15.2.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68548
Published : Dec. 23, 2025, 12:15 p.m. | 2 hours, 43 minutes ago
Description : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebCodingPlace Responsive Posts Carousel Pro allows Stored XSS.This issue affects Responsive Posts Carousel Pro: from n/a through 15.2.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68550 - WordPress WPBulky plugin <= 1.1.13 - SQL Injection vulnerability
CVE ID : CVE-2025-68550
Published : Dec. 23, 2025, 12:15 p.m. | 2 hours, 43 minutes ago
Description : Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VillaTheme WPBulky allows Blind SQL Injection.This issue affects WPBulky: from n/a through 1.1.13.
Severity: 7.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68550
Published : Dec. 23, 2025, 12:15 p.m. | 2 hours, 43 minutes ago
Description : Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VillaTheme WPBulky allows Blind SQL Injection.This issue affects WPBulky: from n/a through 1.1.13.
Severity: 7.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68551 - WordPress VPSUForm plugin <= 3.2.24 - Sensitive Data Exposure vulnerability
CVE ID : CVE-2025-68551
Published : Dec. 23, 2025, 12:15 p.m. | 2 hours, 43 minutes ago
Description : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Vikas Ratudi VPSUForm allows Retrieve Embedded Sensitive Data.This issue affects VPSUForm: from n/a through 3.2.24.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68551
Published : Dec. 23, 2025, 12:15 p.m. | 2 hours, 43 minutes ago
Description : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Vikas Ratudi VPSUForm allows Retrieve Embedded Sensitive Data.This issue affects VPSUForm: from n/a through 3.2.24.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68556 - WordPress HAPPY plugin <= 1.0.9 - Broken Access Control vulnerability
CVE ID : CVE-2025-68556
Published : Dec. 23, 2025, 12:15 p.m. | 2 hours, 43 minutes ago
Description : Missing Authorization vulnerability in VillaTheme HAPPY allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HAPPY: from n/a through 1.0.9.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68556
Published : Dec. 23, 2025, 12:15 p.m. | 2 hours, 43 minutes ago
Description : Missing Authorization vulnerability in VillaTheme HAPPY allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HAPPY: from n/a through 1.0.9.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68557 - WordPress Chakra test plugin <= 1.0.1 - Broken Access Control vulnerability
CVE ID : CVE-2025-68557
Published : Dec. 23, 2025, 12:15 p.m. | 2 hours, 43 minutes ago
Description : Missing Authorization vulnerability in Vikas Ratudi Chakra test allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Chakra test: from n/a through 1.0.1.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68557
Published : Dec. 23, 2025, 12:15 p.m. | 2 hours, 43 minutes ago
Description : Missing Authorization vulnerability in Vikas Ratudi Chakra test allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Chakra test: from n/a through 1.0.1.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...