CISA Warns of SonicWall SMA100 OS Command Injection Vulnerability Exploited in Wild

CISA has added the SonicWall SMA100 OS Command Injection Vulnerability, tracked as CVE-2023-44221, to its Known Exploited Vulnerabilities (KEV) catalog.
According to CISA’s May 1, 2025 advisory, this …

Published Date: May 02, 2025

Vulnerabilities mentioned in this article:

CVE-2024-38475

CVE-2023-44221

Redis Reintroduces Open-Source AGPL Alongside SSPL Licensing

In March 2024, the widely adopted database caching solution Redis announced its transition to the Server Side Public License (SSPL)—a license that, while offering source code access, is not recognized …

Published Date: May 02, 2025

Vulnerabilities mentioned in this article:

CVE-2024-31449

CVE-2023-41056

CVE-2022-35951

Apple Revises U.S. App Store Rules After Court Ruling in Epic Games Case

Following a court ruling that found Apple had willfully violated antitrust regulations—and the subsequent approval of Epic Games’ motion to enforce an injunction—Apple has now amended its App Store gu …

Published Date: May 02, 2025

Vulnerabilities mentioned in this article:

CVE-2024-54527

Microsoft Authenticator to Drop Password Manager Features by August 2025

In 2020, Microsoft updated its Authenticator app to introduce password-saving and autofill capabilities, effectively transforming Microsoft Authenticator into a password manager with support for autof …

Published Date: May 02, 2025

Vulnerabilities mentioned in this article:

CVE-2024-49112

CVE-2022-2385

CVE ID : CVE-2024-13858

Published : May 2, 2025, 7:15 a.m.

Description : The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘invitee_name’ parameter in all versions up to, and including, 2.8.50 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.41.

Severity: 6.4 | MEDIUM


CVE ID : CVE-2024-13860

Published : May 2, 2025, 7:15 a.m.

Description : The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘bbp_topic_title’ parameter in all versions up to, and including, 2.8.50 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.41.

Severity: 6.4 | MEDIUM


CVE ID : CVE-2024-13859

Published : May 2, 2025, 7:15 a.m.

Description : The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘bp_nouveau_ajax_media_save’ function in all versions up to, and including, 2.8.50 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.41.

Severity: 6.4 | MEDIUM


CVE ID : CVE-2024-11142

Published : May 2, 2025, 8:15 a.m.

Description : Cross-Site Request Forgery (CSRF) vulnerability in Gosoft Software Proticaret E-Commerce allows Cross Site Request Forgery. This issue affects Proticaret E-Commerce: before v6.0

NOTE: According to the vendor, the fixing process is still ongoing for v4.05.

Severity: 5.4 | MEDIUM


CVE ID : CVE-2025-2880

Published : May 2, 2025, 3:15 a.m.

Description : The Yame | Link In Bio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 0.9.0 through the publicly accessible phpinfo.php script. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed file.

Severity: 5.3 | MEDIUM


CVE ID : CVE-2025-3670

Published : May 2, 2025, 3:15 a.m.

Description : The KiwiChat NextClient plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM


CVE ID : CVE-2025-4177

Published : May 2, 2025, 3:15 a.m.

Description : The Flynax Bridge plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the deleteUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to delete arbitrary users.

Severity: 5.3 | MEDIUM


CVE ID : CVE-2025-4131

Published : May 2, 2025, 3:15 a.m.

Description : The GmapsMania plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s gmap shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM


CVE ID : CVE-2025-4179

Published : May 2, 2025, 3:15 a.m.

Description : The Flynax Bridge plugin for WordPress is vulnerable to limited Privilege Escalation due to a missing capability check on the registerUser() function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to register new user accounts as authors.

Severity: 7.3 | HIGH


CVE ID : CVE-2024-12023

Published : May 2, 2025, 4:15 a.m.

Description : The FULL – Cliente plugin for WordPress is vulnerable to SQL Injection via the ‘formId’ parameter in all versions 3.1.5 to 3.1.25 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable when the PRO version of the plugin is activated, along with Elementor Pro and Elementor CRM.

Severity: 6.5 | MEDIUM


CVE ID : CVE-2024-13322

Published : May 2, 2025, 4:15 a.m.

Description : The Ads Pro Plugin – Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to SQL Injection via the ‘a_id’ parameter in all versions up to, and including, 4.88 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Severity: 7.5 | HIGH


CVE ID : CVE-2024-13344

Published : May 2, 2025, 4:15 a.m.

Description : The Advance Seat Reservation Management for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the ‘profileId’ parameter in all versions up to, and including, 3.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Severity: 7.5 | HIGH


CVE ID : CVE-2024-13418

Published : May 2, 2025, 4:15 a.m.

Description : Multiple plugins and/or themes for WordPress are vulnerable to Arbitrary File Uploads due to a missing capability check on the ajaxUploadFonts() function in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files that can make remote code execution possible. This issue was escalated to Envato over two months from the date of this disclosure and the issue, while partially patched, is still vulnerable.

Severity: 8.8 | HIGH


CVE ID : CVE-2024-13419

Published : May 2, 2025, 4:15 a.m.

Description : Multiple plugins and/or themes for WordPress using Smart Framework are vulnerable to Stored Cross-Site Scripting due to a missing capability check on the saveOptions() and importThemeOptions() functions in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin’s settings which includes custom JavaScript that is enabled site-wide. This issue was escalated to Envato over two months from the date of this disclosure and the issue is still vulnerable.

Severity: 6.4 | MEDIUM


CVE ID : CVE-2025-1327

Published : May 2, 2025, 4:15 a.m.

Description : The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the ‘homey_delete_user_account’ action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other users’ accounts.

Severity: 4.3 | MEDIUM


CVE ID : CVE-2025-1326

Published : May 2, 2025, 4:15 a.m.

Description : The Homey theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the homey_reservation_del() function in all versions up to, and including, 2.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary reservations and posts.

Severity: 4.3 | MEDIUM
