CVE Feeds
CVE News Feed
Updates on the latest vulnerabilities detected.
CVE-2025-14637 - itsourcecode Online Pet Shop Management System addcnp.php sql injection
CVE ID :CVE-2025-14637
Published : Dec. 13, 2025, 7:32 p.m. | 36 minutes ago
Description :A weakness has been identified in itsourcecode Online Pet Shop Management System 1.0. This vulnerability affects unknown code of the file /pet1/addcnp.php. This manipulation of the argument cnpname causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-14636 - Tenda AX9 httpd image_check weak hash
CVE ID :CVE-2025-14636
Published : Dec. 13, 2025, 7:15 p.m. | 53 minutes ago
Description :A security flaw has been discovered in Tenda AX9 22.03.01.46. This affects the function image_check of the component httpd. The manipulation results in use of weak hash. It is possible to launch the attack remotely. A high complexity level is associated with this attack. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be exploited.
Severity: 6.3 | MEDIUM
CVE-2025-14623 - code-projects Student File Management System update_student.php sql injection
CVE ID :CVE-2025-14623
Published : Dec. 13, 2025, 6:15 p.m. | 1 hour, 53 minutes ago
Description :A weakness has been identified in code-projects Student File Management System 1.0. This issue affects some unknown processing of the file /admin/update_student.php. This manipulation of the argument stud_id causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited.
Severity: 7.5 | HIGH
CVE-2025-14622 - code-projects Student File Management System save_user.php sql injection
CVE ID :CVE-2025-14622
Published : Dec. 13, 2025, 6:15 p.m. | 1 hour, 53 minutes ago
Description :A security flaw has been discovered in code-projects Student File Management System 1.0. This vulnerability affects unknown code of the file /admin/save_user.php. The manipulation of the argument firstname results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited.
Severity: 7.5 | HIGH
CVE-2025-14621 - code-projects Student File Management System update_user.php sql injection
CVE ID :CVE-2025-14621
Published : Dec. 13, 2025, 5:15 p.m. | 2 hours, 53 minutes ago
Description :A vulnerability was identified in code-projects Student File Management System 1.0. This affects an unknown part of the file /admin/update_user.php. The manipulation of the argument user_id leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
Severity: 7.5 | HIGH
CVE-2025-9873 - a3 Lazy Load - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE ID :CVE-2025-9873
Published : Dec. 13, 2025, 4:16 p.m. | 3 hours, 52 minutes ago
Description :The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
CVE-2025-9856 - Popup Builder – Create highly converting, mobile friendly marketing popups.
CVE ID :CVE-2025-9856
Published : Dec. 13, 2025, 4:16 p.m. | 3 hours, 52 minutes ago
Description :The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sg_popup' shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
CVE-2025-9488 - Redux Framework - Authenticated (Contributor+) Stored Cross-Site Scripting via data Parameter
CVE ID :CVE-2025-9488
Published : Dec. 13, 2025, 4:16 p.m. | 3 hours, 52 minutes ago
Description :The Redux Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data’ parameter in all versions up to, and including, 4.5.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
CVE-2025-9218 - rtMedia for WordPress, BuddyPress and bbPress 4.7.0 - 4.7.3 - Missing Authorization to Unauthenticated Information Disclosure via handle_rest_pre_dispatch Function
CVE ID :CVE-2025-9218
Published : Dec. 13, 2025, 4:16 p.m. | 3 hours, 52 minutes ago
Description :The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to Information Disclosure due to missing authorization in the handle_rest_pre_dispatch() function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to retrieve media items associated with draft or private posts.
Severity: 3.7 | LOW
CVE-2025-9207 - TI WooCommerce Wishlist - HTML Injection
CVE ID :CVE-2025-9207
Published : Dec. 13, 2025, 4:16 p.m. | 3 hours, 52 minutes ago
Description :The TI WooCommerce Wishlist plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 2.10.0. This is due to the plugin accepting hidden fields and not limiting the values or data that can be input and is later output. This makes it possible for unauthenticated attackers to inject arbitrary HTML into wishlist items.
Severity: 5.3 | MEDIUM
CVE-2025-9116 - WPS Visitor Counter Plugin - Reflected Cross-Site Scripting via $_SERVER['REQUEST_URI']
CVE ID :CVE-2025-9116
Published : Dec. 13, 2025, 4:16 p.m. | 3 hours, 52 minutes ago
Description :The WPS Visitor Counter Plugin WordPress plugin through 1.4.8 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.
Severity: 0.0 | NA
CVE-2025-8780 - Livemesh SiteOrigin Widgets - Stored Cross-Site Scripting via Hero Header and Pricing Table Widgets
CVE ID :CVE-2025-8780
Published : Dec. 13, 2025, 4:16 p.m. | 3 hours, 52 minutes ago
Description :The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Hero Header and Pricing Table widgets in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
CVE-2025-8779 - All-in-One Addons for Elementor – WidgetKit - Stored Cross-Site Scripting via Team and Countdown Widgets
CVE ID :CVE-2025-8779
Published : Dec. 13, 2025, 4:16 p.m. | 3 hours, 52 minutes ago
Description :The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Team and Countdown widgets in all versions up to, and including, 2.5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
CVE-2025-8687 - Enter Addons - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown and Image Comparison Widgets
CVE ID :CVE-2025-8687
Published : Dec. 13, 2025, 4:16 p.m. | 3 hours, 52 minutes ago
Description :The Enter Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown and Image Comparison widgets in all versions up to, and including, 2.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
CVE-2025-8617 - YITH WooCommerce Quick View - Stored Cross-Site Scripting via yith_quick_view Shortcode
CVE ID :CVE-2025-8617
Published : Dec. 13, 2025, 4:16 p.m. | 3 hours, 52 minutes ago
Description :The YITH WooCommerce Quick View plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's yith_quick_view shortcode in all versions up to, and including, 2.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
CVE-2025-8199 - MarqueeAddons - Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonial Marquee Widget
CVE ID :CVE-2025-8199
Published : Dec. 13, 2025, 4:16 p.m. | 3 hours, 52 minutes ago
Description :The MarqueeAddons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Testimonial Marquee widget in all versions up to, and including, 2.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
CVE-2025-8195 - JetWidgets For Elementor - Stored Cross-Site Scripting via Image Comparison and Subscribe Widgets
CVE ID :CVE-2025-8195
Published : Dec. 13, 2025, 4:16 p.m. | 3 hours, 52 minutes ago
Description :The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Comparison and Subscribe widgets in all versions up to, and including, 1.0.20 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
CVE-2025-7960 - King Addons for Elementor - Stored Cross-Site Scripting via Multiple Widgets
CVE ID :CVE-2025-7960
Published : Dec. 13, 2025, 4:16 p.m. | 3 hours, 52 minutes ago
Description :The King Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Pricing Slider, Pricing Calculator, and Image Accordion widgets in all versions up to, and including, 51.1.39 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
CVE-2025-7058 - Kingcabs - Authenticated (Contributor+) Stored Cross-Site Scripting via progressbarLayout Parameter
CVE ID :CVE-2025-7058
Published : Dec. 13, 2025, 4:16 p.m. | 3 hours, 52 minutes ago
Description :The Kingcabs theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘progressbarLayout’ parameter in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
CVE-2025-67871 - Apache HTTP Server Directory Traversal
CVE ID :CVE-2025-67871
Published : Dec. 13, 2025, 4:16 p.m. | 3 hours, 52 minutes ago
Description :Rejected reason: Not used
Severity: 0.0 | NA
Information
Vortech Consulting is a network security and design consulting firm originally founded in 1997. Over our nearly 30 year history we have provided security services and products for a wide variety of companies around the globe.