CVE ID : CVE-2025-3870

Published : April 25, 2025, 9:15 a.m. | 2 hours, 32 minutes ago

Description : The 1 Decembrie 1918 plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.dec.2012. This is due to missing or incorrect nonce validation on the 1-decembrie-1918/1-decembrie-1918.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Severity: 6.1 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-1279

Published : April 25, 2025, 9:15 a.m. | 1 hour, 30 minutes ago

Description : The BM Content Builder plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ux_cb_tools_import_item_ajax AJAX action in all versions up to, and including, 3.16.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-1565

Published : April 25, 2025, 10:15 a.m. | 1 hour, 32 minutes ago

Description : The Mayosis Core plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.4.1 via the library/wave-audio/peaks/remote_dl.php file. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Severity: 7.5 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

The DistroWatch news feed is brought to you by TUXEDO COMPUTERS. Aditya Shakya has announced the release of Archcraft 2025.04.24, a lightweight, Arch-based Linux distribution with a choice of two window managers and a selection of lightweight applications. The available window managers are Openbox (a stacking window manager) and bspwm (a tiling window manager which supports tiling, stacking and….

A handpicked collection of standout motion design from around the web to keep you en pair with current trends. Source:…

Neptune is a Linux Distribution for desktops based fully upon Debian Stable. It ships with a modern KDE Plasma Desktop.…

Commodore OS Vision è una distribuzione GNU/Linux, sviluppata dalla comunità e ispirata ai leggendari computer Commodore. Nasce per offrire un’esperienza…

COSMIC, acronimo di “Computer Operating System Main Interface”, rappresenta una svolta rispetto agli ambienti desktop tradizionali come GNOME, KDE, Cinnamon…

DslogdRAT Malware Deployed in Ivanti Connect Secure Zero-Day Campaign

A new wave of attacks targeting Ivanti Connect Secure VPN devices has revealed a stealthy malware strain known as DslogdRAT, deployed alongside a simple but effective Perl web shell.
Security research …
Read more

Published Date:
Apr 24, 2025 (19 hours, 27 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-22457

CVE-2025-0282

Perplexity Eyes Chrome as DOJ Pressures Google Over Antitrust

In addition to OpenAI expressing interest in acquiring Google’s Chrome browser business, Perplexity.ai has also signaled its intent to pursue such a deal.
During testimony in the U.S. Department of Ju …
Read more

Published Date:
Apr 25, 2025 (6 hours, 11 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-3619

CVE-2024-10488

CVE-2024-10487

Microsoft’s Patch for Symlink Exploit Introduces New Windows Update DoS Flaw

Image: Kevin Beaumont
Previously, in an effort to patch security vulnerability (CVE-2025–21204) within the Windows operating system, Microsoft began creating an empty folder named inetpub in the syste …
Read more

Published Date:
Apr 25, 2025 (6 hours, 3 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-31324 (CVSS 10): Zero-Day in SAP NetWeaver Exploited in the Wild to Deploy Webshells and C2 Frameworks

A critical zero-day vulnerability affecting SAP NetWeaver Visual Composer MetadataUploader, now tracked as CVE-2025-31324, is being actively exploited in the wild to compromise enterprise and governme …
Read more

Published Date:
Apr 25, 2025 (5 hours, 44 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-31324

CVE-2025-0070

CVE-2025-0066

CVE-2024-47578

Lazarus APT Attacking Organizations by Exploiting One-Day vulnerabilities

Cybersecurity experts have identified a sophisticated campaign by the North Korean state-sponsored Lazarus APT group targeting critical infrastructure and financial organizations worldwide.
The threat …
Read more

Published Date:
Apr 25, 2025 (2 hours, 55 minutes ago)

Vulnerabilities has been mentioned in this article.

SAP NetWeaver 0-day Vulnerability Exploited in the Wild to Deploy Webshells

A wave of targeted cyberattacks has exposed a previously unknown vulnerability in SAP NetWeaver, allowing attackers to deploy malicious JSP webshells and gain unauthorized access to enterprise systems …
Read more

Published Date:
Apr 25, 2025 (1 hour, 59 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2017-9844

CVE ID : CVE-2025-3752

Published : April 25, 2025, 5:15 a.m. | 2 hours, 15 minutes ago

Description : The Able Player, accessible HTML5 media player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘preload’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-3775

Published : April 25, 2025, 5:15 a.m. | 2 hours, 15 minutes ago

Description : The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.2 via the woolentor_template_proxy function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application, and can be used to query and modify information from internal services.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-46599

Published : April 25, 2025, 5:15 a.m. | 2 hours, 15 minutes ago

Description : CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this port, exposing credentials.

Severity: 6.8 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-0671

Published : April 25, 2025, 6:15 a.m. | 1 hour, 15 minutes ago

Description : The Icegram Express WordPress plugin before 5.7.50 does not sanitise and escape some of its Template settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-3861

Published : April 25, 2025, 6:15 a.m. | 1 hour, 15 minutes ago

Description : The Prevent Direct Access – Protect WordPress Files plugin for WordPress is vulnerable to unauthorized access and modification of data| due to a misconfigured capability check on the ‘pda_lite_custom_permission_check’ function in versions 2.8.6 to 2.8.8.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to access and change the protection status of media.

Severity: 5.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-2580

Published : April 25, 2025, 6:15 a.m. | 1 hour, 15 minutes ago

Description : The Contact Form by Bit Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.18.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Severity: 4.9 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…