CVE Feeds
CVE News Feed
Updates on the latest vulnerabilities detected.
-
CVE-2025-41737 - Improper access control via php endpoint
CVE ID :CVE-2025-41737
Published : Nov. 18, 2025, 11:15 a.m. | 25 minutes ago
Description :Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of php modules.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-41736 - Possible arbitrary code execution
CVE ID :CVE-2025-41736
Published : Nov. 18, 2025, 11:15 a.m. | 25 minutes ago
Description :A low privileged remote attacker can upload a new or overwrite an existing python script by using a path traversal of the target filename in php resulting in a remote code execution.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-41735 - Possible arbitrary file upload
CVE ID :CVE-2025-41735
Published : Nov. 18, 2025, 11:15 a.m. | 25 minutes ago
Description :A low privileged remote attacker can upload any file to an arbitrary location due to missing file check resulting in remote code execution.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-41734 - Unauthenticated Local File Inclusion in php module
CVE ID :CVE-2025-41734
Published : Nov. 18, 2025, 11:15 a.m. | 25 minutes ago
Description :An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-41733 - Possible malfunction credential injection
CVE ID :CVE-2025-41733
Published : Nov. 18, 2025, 11:15 a.m. | 25 minutes ago
Description :The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-41347 - Stored Cross-Site Scripting (XSS) in WinPlus by Informática del Este
CVE ID :CVE-2025-41347
Published : Nov. 18, 2025, 11:15 a.m. | 25 minutes ago
Description :Unlimited upload vulnerability for dangerous file types in WinPlus v24.11.27 from Informática del Este. This vulnerability allows an attacker to upload a 'webshell' by sending a POST request to '/WinplusPortal/ws/sWinplus.svc/json/uploadfile'.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-11427 - WP Migrate Lite erver-Side Request Forgery
CVE ID :CVE-2025-11427
Published : Nov. 18, 2025, 11:15 a.m. | 25 minutes ago
Description :The WP Migrate Lite – WordPress Migration Made Easy plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.7.6 via the wpmdb_flush AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to obtain information about internal services.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-4212 - Checkout Files Upload for WooCommerce
CVE ID :CVE-2025-4212
Published : Nov. 18, 2025, 10:15 a.m. | 1 hour, 25 minutes ago
Description :The Checkout Files Upload for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file uploads in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in image files that will execute whenever a user accesses the injected page.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-41346 - Stored Cross-Site Scripting (XSS) in WinPlus by Informática del Este
CVE ID :CVE-2025-41346
Published : Nov. 18, 2025, 10:15 a.m. | 1 hour, 25 minutes ago
Description :Faulty authorization control in software WinPlus v24.11.27 by Informática del Este that allows another user to be impersonated simply by knowing their 'numerical ID', meaning that an attacker could compromise another user's account, thereby affecting the confidentiality, integrity, and availability of the data stored in the application.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-13196 - Element Pack Addons for Elementor -Site Scripting via Open Street Map widget
CVE ID :CVE-2025-13196
Published : Nov. 18, 2025, 10:15 a.m. | 1 hour, 25 minutes ago
Description :The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Open Street Map widget's marker content parameter in all versions up to, and including, 8.3.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the render function. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-13133 - Simple User Import Export ion
CVE ID :CVE-2025-13133
Published : Nov. 18, 2025, 10:15 a.m. | 1 hour, 25 minutes ago
Description :The Simple User Import Export plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.1.7 via the 'Import/export users' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration
Severity: 6.6 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-13069 - Enable SVG, WebP, and ICO Upload pload via ICO Upload Bypass
CVE ID :CVE-2025-13069
Published : Nov. 18, 2025, 10:15 a.m. | 1 hour, 25 minutes ago
Description :The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.1.2. This is due to insufficient file type validation detecting ICO files, allowing double extension files with the appropriate magic bytes to bypass sanitization while being accepted as a valid ICO file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-12955 - Live sales notification for WooCommerce mer Data Exposure
CVE ID :CVE-2025-12955
Published : Nov. 18, 2025, 10:15 a.m. | 1 hour, 25 minutes ago
Description :The Live sales notification for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.39. This is due to the "getOrders" function lacking proper authorization and capability checks when the plugin is configured to display recent order information. This makes it possible for unauthenticated attackers to extract sensitive customer information including buyer first names, city, state, country, purchase time and date, and product details.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-12691 - Photonic Gallery & Lightbox for Flickr, SmugMug & Others ion Attribute
CVE ID :CVE-2025-12691
Published : Nov. 18, 2025, 10:15 a.m. | 1 hour, 25 minutes ago
Description :The Photonic Gallery & Lightbox for Flickr, SmugMug & Others plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's lightbox functionality in all versions up to, and including, 3.21 due to insufficient input sanitization and output escaping on user supplied caption attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-12639 - wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions | for WooCommerce
CVE ID :CVE-2025-12639
Published : Nov. 18, 2025, 10:15 a.m. | 1 hour, 25 minutes ago
Description :The wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.2.2. This is due to the plugin not properly verifying that a user is authorized to access sensitive information via the AJAX endpoint. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive information including user emails, usernames, roles, capabilities, and WooCommerce data such as products and payment methods.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-12481 - WP Duplicate Page thenticated (Contributor+) Sensitive Information Disclosure
CVE ID :CVE-2025-12481
Published : Nov. 18, 2025, 10:15 a.m. | 1 hour, 25 minutes ago
Description :The WP Duplicate Page plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'saveSettings' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to modify plugin settings that control role capabilities, and subsequently exploit the misconfigured capabilities to duplicate and view password-protected posts containing sensitive information.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-12457 - Enable SVG, WebP, and ICO Upload e Scripting via SVG File Uploads
CVE ID :CVE-2025-12457
Published : Nov. 18, 2025, 10:15 a.m. | 1 hour, 25 minutes ago
Description :The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-12392 - Cryptocurrency Payment Gateway for WooCommerce tus Update
CVE ID :CVE-2025-12392
Published : Nov. 18, 2025, 10:15 a.m. | 1 hour, 25 minutes ago
Description :The Cryptocurrency Payment Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_optin_optout' function in all versions up to, and including, 2.0.22. This makes it possible for unauthenticated attackers to opt in and out of tracking.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-12391 - Restrictions for BuddyPress cated Tracking Status Update
CVE ID :CVE-2025-12391
Published : Nov. 18, 2025, 10:15 a.m. | 1 hour, 25 minutes ago
Description :The Restrictions for BuddyPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_optin_optout() function in all versions up to, and including, 1.5.2. This makes it possible for unauthenticated attackers to opt in and out of tracking.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more... -
CVE-2025-12088 - Meta Display Block +) Stored Cross-Site Scripting
CVE ID :CVE-2025-12088
Published : Nov. 18, 2025, 10:15 a.m. | 1 hour, 25 minutes ago
Description :The Meta Display Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Meta Display Block in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Information
Vortech Consulting is a network security and design consulting firm originally founded in 1997. Over our nearly 30 year history we have provided security services and products for a wide variety of companies around the globe.
Company
Who's Online
We have 590 guests and no members online