Security

CVE ID : CVE-2025-6040

Published : June 14, 2025, 9:15 a.m.

Description : The Easy Flashcards plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1. This is due to missing or incorrect nonce validation on the ‘ef_settings_submenu’ page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Severity: 6.1 | MEDIUM

CVE ID : CVE-2025-4216

Published : June 14, 2025, 9:15 a.m.

Description : The DIOT SCADA with MQTT plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘diot’ shortcode in all versions up to, and including, 1.0.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

CVE ID : CVE-2025-5336

Published : June 14, 2025, 9:15 a.m.

Description : The Click to Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-no_number’ parameter in all versions up to, and including, 4.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

CVE ID : CVE-2025-6061

Published : June 14, 2025, 9:15 a.m.

Description : The kk Youtube Video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘kkytv’ shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

CVE ID : CVE-2025-6055

Published : June 14, 2025, 9:15 a.m.

Description : The Zen Sticky Social plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3. This is due to missing or incorrect nonce validation on the ‘zen-social-sticky/zen-sticky-social.php’ page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Severity: 6.1 | MEDIUM

CVE ID : CVE-2025-6063

Published : June 14, 2025, 9:15 a.m.

Description : The XiSearch bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6. This is due to missing or incorrect nonce validation on the ‘xisearch-key-config’ page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Severity: 6.1 | MEDIUM

CVE ID : CVE-2025-6064

Published : June 14, 2025, 9:15 a.m.

Description : The WP URL Shortener plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the ‘url_shortener_settings’ page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Severity: 6.1 | MEDIUM

CVE ID : CVE-2025-6062

Published : June 14, 2025, 9:15 a.m.

Description : The Yougler Blogger Profile Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, v1.01. This is due to missing or incorrect nonce validation on the ‘yougler-plugin.php’ page. This makes it possible for unauthenticated attackers to update the plugin’s settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Severity: 4.3 | MEDIUM

CVE ID : CVE-2025-6070

Published : June 14, 2025, 9:15 a.m.

Description : The Restrict File Access plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.2 via the output() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Severity: 6.5 | MEDIUM

CVE ID : CVE-2025-4667

Published : June 14, 2025, 10:15 a.m.

Description : The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ssa_admin_upcoming_appointments, ssa_admin_upcoming_appointments, and ssa_past_appointments shortcodes in all versions up to, and including, 1.6.8.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

CVE ID : CVE-2025-5238

Published : June 14, 2025, 10:15 a.m.

Description : The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

CVE ID : CVE-2025-5337

Published : June 14, 2025, 10:15 a.m.

Description : The Slider, Gallery, and Carousel by MetaSlider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘aria-label’ parameter in all versions up to, and including, 3.98.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

3DMark Arrives Natively on macOS: Unleash & Benchmark Your Apple Silicon Performance

Previously available for iOS devices, the 3DMark performance benchmarking tool has now been officially released for the macOS platform, as announced by UL Solutions. This native macOS version addresse …

Published Date: Jun 14, 2025

Vulnerabilities mentioned in this article:

CVE-2025-4922

Siri 2.0 Delayed? Next-Gen AI Assistant Not Expected Until iOS 26.4 in Spring 2026

During WWDC 2025, Apple’s Senior Vice President of Software Engineering, Craig Federighi, confirmed that the company has abandoned its initial approach of “upgrading” the existing Siri framework. Inst …

Published Date: Jun 14, 2025

Vulnerabilities mentioned in this article:

CVE-2022-32898

macOS 26 Tahoe Unveils Apple Sparse Image Format (ASIF): Boosting VM Performance

In macOS 26 Tahoe, Apple has introduced a new disk image format known as the Apple Sparse Image Format (ASIF), designed to deliver read and write speeds that closely approximate those of native disks. …

Published Date: Jun 14, 2025

Vulnerabilities mentioned in this article:

CVE-2023-26489

Learning Cloud with HTB Business CTF 2025 — A Complete (cloud) Writeup: Part 2 (END)

In the cloud, misconfigurations rain breaches — but knowledge clears the skies. Welcome back to Part 2 of Learning Cloud with HTB Business CTF 2025! In Part 1, we explored the fundamentals, handled the …

Published Date: Jun 14, 2025

Vulnerabilities mentioned in this article:

(CVE-2025-33053) New 0-Day in WebDAV Exposes Servers to Remote Code Execution — Here’s What You…

What is CVE-2025-33053? CVE-2025-33053 is a zero-day remote code execution (RCE) vulnerability in Web Distributed Authoring and Versioning (WebDAV) within Windows. It stems from an external control of …

Published Date: Jun 14, 2025

Vulnerabilities mentioned in this article:

Reflective Kerberos Relay Attack (CVE-2025-33073): NT AUTHORITY\SYSTEM Privilege Escalation

What is the Reflective Kerberos Relay Attack? The Reflective Kerberos Relay Attack is a privilege escalation technique targeting Windows environments. Discovered in early 2025, this method bypasses Mic …

Published Date: Jun 14, 2025

Vulnerabilities mentioned in this article:

CVE ID : CVE-2025-4200

Published : June 14, 2025, 9:15 a.m.

Description : The Zagg – Electronics & Accessories WooCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.1 via the load_view() function that is called via at least three AJAX actions: ‘load_more_post’, ‘load_shop’, and ‘load_more_product’. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Severity: 8.1 | HIGH