CVE ID : CVE-2024-13420

Published : May 2, 2025, 4:15 a.m. | 3 hours, 5 minutes ago

Description : Multiple plugins and/or themes for WordPress are vulnerable to unauthorized access due to a missing capability check on several AJAX actions like ‘gsf_reset_section_options’, ‘gsf_reset_section_options’, ‘gsf_create_preset_options’ and more in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset and modify some of the plugin/theme settings. This issue was escalated to Envato over two months from the date of this disclosure and the issues, while partially patched, are still vulnerable.

Severity: 4.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-3510

Published : May 2, 2025, 4:15 a.m. | 3 hours, 5 minutes ago

Description : The tagDiv Composer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

CVE ID : CVE-2025-3709

Published : May 2, 2025, 4:15 a.m. | 4 hours, 59 minutes ago

Description : Agentflow from Flowring Technology has an Account Lockout Bypass vulnerability, allowing unauthenticated remote attackers to perform password brute-force attacks.

Severity: 9.8 | CRITICAL

CVE ID : CVE-2025-3708

Published : May 2, 2025, 4:15 a.m. | 4 hours, 59 minutes ago

Description : Le-show medical practice management system from Le-yan has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

Severity: 9.8 | CRITICAL

CVE ID : CVE-2025-3707

Published : May 2, 2025, 4:15 a.m. | 3 hours, 5 minutes ago

Description : The eHDR CTMS from Sunnet has a SQL Injection vulnerability, allowing remote attackers with regular privileges to inject arbitrary SQL commands to read database contents.

Severity: 6.5 | MEDIUM

CVE ID : CVE-2025-3748

Published : May 2, 2025, 4:15 a.m. | 3 hours, 5 minutes ago

Description : The Taxonomy Chain Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s pn_chain_menu shortcode in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

CVE ID : CVE-2025-3858

Published : May 2, 2025, 4:15 a.m. | 3 hours, 5 minutes ago

Description : The Formality plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ parameter in all versions up to, and including, 1.5.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

CVE ID : CVE-2025-3514

Published : May 2, 2025, 6:15 a.m. | 1 hour, 5 minutes ago

Description : The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Severity: 0.0 | NA

CVE ID : CVE-2025-3438

Published : May 2, 2025, 6:15 a.m. | 1 hour, 5 minutes ago

Description : The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 4.17.4. This is due to a lack of restriction of role when registering. This makes it possible for unauthenticated attackers to register with the ‘wcfm_vendor’ role, which is a Store Vendor role in the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress. The vulnerability can only be exploited if the WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin is installed and activated. The vulnerability was partially patched in version 4.17.3.

Severity: 6.5 | MEDIUM

CVE ID : CVE-2025-3488

Published : May 2, 2025, 6:15 a.m. | 1 hour, 5 minutes ago

Description : The WPML plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s wpml_language_switcher shortcode in versions 3.6.0 – 4.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

CVE ID : CVE-2025-3513

Published : May 2, 2025, 6:15 a.m. | 1 hour, 5 minutes ago

Description : The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Severity: 0.0 | NA

CVE ID : CVE-2025-47201

Published : May 2, 2025, 6:15 a.m. | 1 hour, 5 minutes ago

Description : In Intrexx Portal Server before 12.0.4, multiple Velocity-Scripts are susceptible to the execution of unrequested JavaScript code in HTML, aka XSS.

Severity: 4.4 | MEDIUM

NVIDIA Fixes High-Severity Vulnerability in TensorRT-LLM

NVIDIA has released a security update for its TensorRT-LLM Framework, addressing a high-severity vulnerability that could expose users to serious security risks, including remote code execution, data …

Published Date:
May 02, 2025 (4 hours, 43 minutes ago)

Vulnerabilities mentioned in this article:

CVE-2025-23245

SonicWall Issues Patch for SSRF Vulnerability in SMA1000 Appliances

SonicWall’s Product Security Incident Response Team (PSIRT) has issued an important update for its SMA1000 series appliances following the discovery of a Server-Side Request Forgery (SSRF) vulnerabili …

Published Date:
May 02, 2025 (4 hours, 22 minutes ago)

Vulnerabilities mentioned in this article:

CVE-2025-2170

CVE-2025-46619

CVE-2025-23006

CVE-2024-40766