CVE Feeds
CVE News Feed
Updates on the latest vulnerabilities detected.
-
CVE-2025-11086 - Academy LMS Pro ge Escalation via Social Login Addon
CVE ID :CVE-2025-11086
Published : Oct. 22, 2025, 11:25 a.m. | 44 minutes ago
Description :The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3.7. This is due to the plugin not properly validating a user's role prior to registering a user via the Social Login addon. This makes it possible for unauthenticated attackers to update their role to Administrator when registering on the site.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-6833 - All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier n/Out
CVE ID :CVE-2025-6833
Published : Oct. 22, 2025, 10:15 a.m. | 1 hour, 54 minutes ago
Description :The All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0 via the 'aio_time_clock_lite_js' AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber access and above, to clock other users in and out.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-11915 - HTTP Desynchronisation in Vertex AI for certain third-party models
CVE ID :CVE-2025-11915
Published : Oct. 22, 2025, 10:15 a.m. | 1 hour, 54 minutes ago
Description :Connection desynchronization between an HTTP proxy and the model backend. The fixes were rolled out for all proxies in front of impacted models by 2025-09-28. Users do not need to take any action.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-41110 - Improper Authentication vulnerability in Ghost Robotics' Vision 60
CVE ID :CVE-2025-41110
Published : Oct. 22, 2025, 9:15 a.m. | 2 hours, 54 minutes ago
Description :Encrypted WiFi and SSH credentials were found in the Ghost Robotics Vision 60 v0.27.2 APK. This vulnerability allows an attacker to connect to the robot's WiFi and view all its data, as it runs on ROS 2 without default authentication. In addition, the attacker can connect via SSH and gain full control of the robot, which could cause physical damage to the robot itself or its environment.
Severity: 7.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-41109 - Use of Hard-coded Credentials vulnerability in Ghost Robotics' Vision 60
CVE ID :CVE-2025-41109
Published : Oct. 22, 2025, 9:15 a.m. | 2 hours, 54 minutes ago
Description :Ghost Robotics Vision 60 v0.27.2 includes, among its physical interfaces, three RJ45 connectors and a USB Type-C port. The vulnerability is due to the lack of authentication mechanisms when establishing connections through these ports. Specifically, with regard to network connectivity, the robot's internal router automatically assigns IP addresses to any device physically connected to it. An attacker could connect a WiFi access point under their control to gain access to the robot's network without needing the credentials for the deployed network. Once inside, the attacker can monitor all its data, as the robot runs on ROS 2 without authentication by default.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-41108 - Improper Authentication vulnerability in Ghost Robotics' Vision 60
CVE ID :CVE-2025-41108
Published : Oct. 22, 2025, 9:15 a.m. | 2 hours, 54 minutes ago
Description :The communication protocol implemented in Ghost Robotics Vision 60 v0.27.2 could allow an attacker to send commands to the robot from an external attack station, impersonating the control station (tablet) and gaining unauthorised full control of the robot. The absence of encryption and authentication mechanisms in the communication protocol allows an attacker to capture legitimate traffic between the robot and the controller, replicate it, and send any valid command to the robot from any attacking computer or device. The communication protocol used in this interface is based on MAVLink, a widely documented protocol, which increases the likelihood of attack. There are two methods for connecting to the robot remotely: Wi-Fi and 4G/LTE.
Severity: 9.2 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-11952 - Stored Cross-Site Scripting (XSS) in Oct8ne Chatbot
CVE ID :CVE-2025-11952
Published : Oct. 22, 2025, 9:15 a.m. | 2 hours, 54 minutes ago
Description :Stored Cross-site Scripting (XSS) in Oct8ne Chatbot v2.3. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by injecting a malicious payload through the creation of a transcript that is sent by email. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user, through /Records/SendSummaryMail.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-11883 - Responsive Progress Bar ed Cross-Site Scripting
CVE ID :CVE-2025-11883
Published : Oct. 22, 2025, 9:15 a.m. | 2 hours, 54 minutes ago
Description :The Responsive Progress Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's rprogress shortcode in versions less than, or equal to, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-11880 - SM CountDown Widget Stored Cross-Site Scripting
CVE ID :CVE-2025-11880
Published : Oct. 22, 2025, 9:15 a.m. | 2 hours, 54 minutes ago
Description :The SM CountDown Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's smcountdown shortcode in versions less than, or equal to, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-11878 - ST Categories Widget Stored Cross-Site Scripting
CVE ID :CVE-2025-11878
Published : Oct. 22, 2025, 9:15 a.m. | 2 hours, 54 minutes ago
Description :The ST Categories Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's st-categories shortcode in versions less than, or equal to, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-11872 - Material Design Iconic Font Integration pting
CVE ID :CVE-2025-11872
Published : Oct. 22, 2025, 9:15 a.m. | 2 hours, 54 minutes ago
Description :The Material Design Iconic Font Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mdiconic' shortcode in all versions up to, and including, 2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-11870 - Simple Business Data Stored Cross-Site Scripting
CVE ID :CVE-2025-11870
Published : Oct. 22, 2025, 9:15 a.m. | 2 hours, 54 minutes ago
Description :The Simple Business Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'simple_business_data' shortcode attributes in all versions up to, and including, 1.0.1. This is due to the plugin not properly sanitizing user input or escaping output when embedding the `type` attribute into the `class` attribute in rendered HTML. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-11867 - Bg Book Publisher +) Stored Cross-Site Scripting
CVE ID :CVE-2025-11867
Published : Oct. 22, 2025, 9:15 a.m. | 2 hours, 54 minutes ago
Description :The Bg Book Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `book_author` post meta, rendered through the `[book_author]` shortcode, in all versions up to, and including, 1.25. This is due to the plugin not properly escaping the meta value before output. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-11866 - Photographers galleries ored Cross-Site Scripting
CVE ID :CVE-2025-11866
Published : Oct. 22, 2025, 9:15 a.m. | 2 hours, 54 minutes ago
Description :The Photographers galleries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcode attributes (`w`, `h`, `raw_css`, `look`, etc.) in all versions up to, and including, 1.1.8. This is due to the plugin not properly sanitizing user input or escaping output when inserting these values into HTML attributes and inline styles. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-11834 - WP AD Gallery tor+) Stored Cross-Site Scripting
CVE ID :CVE-2025-11834
Published : Oct. 22, 2025, 9:15 a.m. | 2 hours, 54 minutes ago
Description :The WP AD Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'startindex' parameter of the ad-gallery shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-11830 - WP Restaurant Listings tored Cross-Site Scripting
CVE ID :CVE-2025-11830
Published : Oct. 22, 2025, 9:15 a.m. | 2 hours, 54 minutes ago
Description :The WP Restaurant Listings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' parameter of the restaurant_summary shortcode in all versions up to, and including, 1.0.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-11827 - Oboxmedia Ads butor+) Stored Cross-Site Scripting
CVE ID :CVE-2025-11827
Published : Oct. 22, 2025, 9:15 a.m. | 2 hours, 54 minutes ago
Description :The Oboxmedia Ads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before_widget' and 'after_widget' parameters of the oboxads-ad-widget shortcode in all versions up to, and including, 1.9.8. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-11825 - Playerzbr ributor+) Stored Cross-Site Scripting via URL Meta Field
CVE ID :CVE-2025-11825
Published : Oct. 22, 2025, 9:15 a.m. | 2 hours, 54 minutes ago
Description :The Playerzbr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'urlmeta' post meta field in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-11824 - Cinza Grid tributor+) Stored Cross-Site Scripting via Skin Content Field
CVE ID :CVE-2025-11824
Published : Oct. 22, 2025, 9:15 a.m. | 2 hours, 54 minutes ago
Description :The Cinza Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cgrid_skin_content' post meta field in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-11819 - WP-Thumbnail utor+) Stored Cross-Site Scripting via Shortcode
CVE ID :CVE-2025-11819
Published : Oct. 22, 2025, 9:15 a.m. | 2 hours, 54 minutes ago
Description :The WP-Thumbnail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'roboshot' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Information
Vortech Consulting is a network security and design consulting firm originally founded in 1997. Over our nearly 30 year history we have provided security services and products for a wide variety of companies around the globe.
Company
Who's Online
We have 432 guests and no members online