Development

CVE ID : CVE-2025-3107

Published : May 13, 2025, 7:15 a.m. | 1 hour, 23 minutes ago

Description : The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 4.9.9.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-4474

Published : May 13, 2025, 7:15 a.m. | 1 hour, 23 minutes ago

Description : The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the fed_admin_setting_form_function() function in versions 1.0 to 2.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the plugin’s ‘register’ role setting to make new user registrations default to the administrator role, leading to an elevation of privileges to that of an administrator.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-4473

Published : May 13, 2025, 7:15 a.m. | 1 hour, 23 minutes ago

Description : The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_request() function in versions 1.0 to 2.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to control where the plugin sends outgoing emails. By pointing SMTP to their own server, attackers could capture password reset emails intended for administrators, and elevate their privileges for full site takeover.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-4317

Published : May 13, 2025, 7:15 a.m. | 1 hour, 23 minutes ago

Description : The TheGem theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the thegem_get_logo_url() function in all versions up to, and including, 5.10.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-4339

Published : May 13, 2025, 7:15 a.m. | 1 hour, 23 minutes ago

Description : The TheGem theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxApi() function in all versions up to, and including, 5.10.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary theme options.

Severity: 4.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-26662

Published : May 13, 2025, 1:15 a.m. | 1 hour, 49 minutes ago

Description : The Data Services Management Console does not sufficiently encode user-controlled inputs, allowing an attacker to inject malicious script. When a targeted victim, who is already logged in, clicks on the compromised link, the injected script gets executed within the scope of victim�s browser. This potentially leads to an impact on confidentiality and integrity. Availability is not impacted.

Severity: 4.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-30009

Published : May 13, 2025, 1:15 a.m. | 1 hour, 49 minutes ago

Description : he Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to execute malicious script in the victim�s browser. This vulnerability has low impact on confidentiality and integrity within the scope of that victim�s browser, with no effect on availability of the application

Severity: 6.1 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-30010

Published : May 13, 2025, 1:15 a.m. | 1 hour, 49 minutes ago

Description : The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to craft a malicious link, which when clicked by a victim, redirects the browser to a malicious site. On successful exploitation, the attacker could cause low impact on confidentiality and integrity with no impact on the availability of the application.

Severity: 6.1 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-30011

Published : May 13, 2025, 1:15 a.m. | 1 hour, 49 minutes ago

Description : The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM packages which allows an unauthenticated attacker to send an malicious request to the application, which could disclose the internal version details of the affected system. This vulnerability has low impact on confidentiality, with no effect on integrity and availability of the application.

Severity: 5.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-30012

Published : May 13, 2025, 1:15 a.m. | 1 hour, 49 minutes ago

Description : The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) uses a deprecated java applet component within the affected SRM stack to accept binary Java objects in specific encoding format. On successful exploitation, an authenticated attacker with high privileges could send malicious payload request and receive an outbound DNS request, resulting in deserialization of data in the application. This vulnerability has low impact on confidentiality, integrity and availability of the application.

Severity: 3.9 | LOW

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-30018

Published : May 13, 2025, 1:15 a.m. | 2 hours, 19 minutes ago

Description : The Live Auction Cockpit in SAP Supplier Relationship Management (SRM) allows an unauthenticated attacker to submit an application servlet request with a crafted XML file which when parsed, enables the attacker to access sensitive files and data. This vulnerability has a high impact on the application’s confidentiality, with no effect on integrity and availability of the application.

Severity: 8.6 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-42997

Published : May 13, 2025, 1:15 a.m. | 1 hour, 49 minutes ago

Description : Under certain conditions, SAP Gateway Client allows a high-privileged user to access restricted information beyond the scope of the application. Due to the possibility of influencing application behavior or performance through misuse of the exposed data, this may potentially lead to low impact on confidentiality, integrity, and availability.

Severity: 6.6 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-42999

Published : May 13, 2025, 1:15 a.m. | 2 hours, 19 minutes ago

Description : SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

Severity: 9.1 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-43000

Published : May 13, 2025, 1:15 a.m. | 1 hour, 49 minutes ago

Description : Under certain conditions Promotion Management Wizard (PMW) allows an attacker to access information which would otherwise be restricted.This has High impact on Confidentiality with Low impact on Integrity and Availability of the application.

Severity: 7.9 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-43002

Published : May 13, 2025, 1:15 a.m. | 1 hour, 49 minutes ago

Description : SAP S4CORE OData meta-data property allows an authenticated attacker to access restricted information due to missing authorization check. This could cause a low impact on confidentiality but integrity and availability of the application are not impacted.

Severity: 4.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-43003

Published : May 13, 2025, 1:15 a.m. | 1 hour, 49 minutes ago

Description : SAP S/4 HANA allows an authenticated attacker with user privileges to configure a field not intended for their access and create a custom UI layout displaying this field. On performing this step the attacker could gain access to highly sensitive information. This could cause a high impact on confidentiality and minimal impact on integrity and availability of the application.

Severity: 6.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-31329

Published : May 13, 2025, 1:15 a.m. | 1 hour, 49 minutes ago

Description : SAP NetWeaver is vulnerable to an Information Disclosure vulnerability caused by the injection of malicious instructions into user configuration settings. An attacker with administrative privileges can craft these instructions so that when accessed by the victim, sensitive information such as user credentials is exposed. These credentials may then be used to gain unauthorized access to local or adjacent systems. This results in high impact to Confidentiality, with no significant effect on Integrity or Availability.

Severity: 6.2 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-43010

Published : May 13, 2025, 1:15 a.m. | 2 hours, 19 minutes ago

Description : SAP S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL)) allows an authenticated attacker with SAP standard authorization to execute a certain function module remotely and replace arbitrary ABAP programs, including SAP standard programs. This is due to lack of input validation and no authorization checks. This has low Confidentiality impact but high impact on integrity and availability to the application.

Severity: 8.3 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-43004

Published : May 13, 2025, 1:15 a.m. | 1 hour, 49 minutes ago

Description : Due to a security misconfiguration vulnerability, customers can develop Production Operator Dashboards (PODs) that enable outside users to access customer data when they access these dashboards. Since no mechanisms exist to enforce authentication, malicious unauthenticated users can view non-sensitive customer information. However, this does not affect data integrity or availability.

Severity: 5.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-43005

Published : May 13, 2025, 1:15 a.m. | 1 hour, 49 minutes ago

Description : SAP GUI for Windows allows an unauthenticated attacker to exploit insecure obfuscation algorithms used by the GuiXT application to store user credentials. While this issue does not impact the Integrity or Availability of the application, it may have a Low impact on the Confidentiality of data.

Severity: 4.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…