Common Vulnerabilities and Exposures (CVEs)

CVE-2025-3458 – WordPress Ocean Extra Stored Cross-Site Scripting Vulnerability

CVE ID : CVE-2025-3458

Published : April 22, 2025, 12:15 p.m. | 2 hours, 22 minutes ago

Description : The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ocean_gallery_id’ parameter in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The Classic Editor plugin must be installed and activated to exploit the vulnerability.

Severity: 6.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-3472 – WooCommerce Ocean Extra Plugin Shortcode Injection Vulnerability

CVE ID : CVE-2025-3472

Published : April 22, 2025, 12:15 p.m. | 2 hours, 22 minutes ago

Description : The Ocean Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.4.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes when WooCommerce is also installed and activated.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2024-40445 – Forkosh Mime Tex Directory Traversal Arbitrary Code Execution

CVE ID : CVE-2024-40445

Published : April 22, 2025, 2:15 p.m. | 22 minutes ago

Description : Directory Traversal vulnerability in forkosh Mime Tex before v.1.77 allows an attacker to execute arbitrary code via a crafted file upload

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2024-40446 – Forkosh Mime Tex Script Injection Vulnerability

CVE ID : CVE-2024-40446

Published : April 22, 2025, 2:15 p.m. | 22 minutes ago

Description : An issue in forkosh Mime Tex before v.1.77 allows an attacker to execute arbitrary code via a crafted script

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2024-46546 – NEXTU FLETA AX1500 WIFI6 Router Stack Overflow Denial of Service

CVE ID : CVE-2024-46546

Published : April 22, 2025, 2:15 p.m. | 22 minutes ago

Description : NEXTU FLETA AX1500 WIFI6 Router v1.0.3 was discovered to contain a stack overflow via the url parameter at /boafrm/formFilter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-28032 – TOTOLINK Router Pre-Auth Buffer Overflow Vulnerability

CVE ID : CVE-2025-28032

Published : April 22, 2025, 2:15 p.m. | 22 minutes ago

Description : TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 contain a pre-auth buffer overflow vulnerability in the setNoticeCfg function through the IpForm parameter.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-28033 – Totolink Router Pre-Auth Buffer Overflow Vulnerability

CVE ID : CVE-2025-28033

Published : April 22, 2025, 2:15 p.m. | 22 minutes ago

Description : TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 were found to contain a pre-auth buffer overflow vulnerability in the setNoticeCfg function through the IpTo parameter.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-28034 – TOTOLINK Router Pre-Auth Remote Command Execution Vulnerability

CVE ID : CVE-2025-28034

Published : April 22, 2025, 2:15 p.m. | 22 minutes ago

Description : TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 were found to contain a pre-auth remote command execution vulnerability in the NTPSyncWithHost function through the hostTime parameter.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-39471 – Pantherius Modal Survey SQL Injection Vulnerability

CVE ID : CVE-2025-39471

Published : April 18, 2025, 5:15 a.m. | 4 days, 4 hours ago

Description : Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Pantherius Modal Survey.This issue affects Modal Survey: from n/a through 2.0.2.0.1.

Severity: 9.3 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-46227 – Brecht Custom Related Posts Cross-site Scripting (XSS)

CVE ID : CVE-2025-46227

Published : April 22, 2025, 10:15 a.m. | 58 minutes ago

Description : Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Brecht Custom Related Posts allows Stored XSS. This issue affects Custom Related Posts: from n/a through 1.7.4.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-46228 – Bastien Ho Eventpost DOM-Based Cross-Site Scripting Vulnerability

CVE ID : CVE-2025-46228

Published : April 22, 2025, 10:15 a.m. | 58 minutes ago

Description : Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Bastien Ho Event post allows DOM-Based XSS. This issue affects Event post: from n/a through 5.9.11.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-46229 – Israpil Textmetrics Cross-site Scripting Vulnerability

CVE ID : CVE-2025-46229

Published : April 22, 2025, 10:15 a.m. | 58 minutes ago

Description : Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Israpil Textmetrics allows Stored XSS. This issue affects Textmetrics: from n/a through 3.6.2.

Severity: 5.9 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-46231 – SERVIT Software Solutions Affiliate-Toolkit CSRF Vulnerability

CVE ID : CVE-2025-46231

Published : April 22, 2025, 10:15 a.m. | 58 minutes ago

Description : Cross-Site Request Forgery (CSRF) vulnerability in SERVIT Software Solutions affiliate-toolkit allows Cross Site Request Forgery. This issue affects affiliate-toolkit: from n/a through 3.7.3.

Severity: 5.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-46232 – Alt Text AI Missing Authorization

CVE ID : CVE-2025-46232

Published : April 22, 2025, 10:15 a.m. | 58 minutes ago

Description : Missing Authorization vulnerability in alttextai Download Alt Text AI allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download Alt Text AI: from n/a through 1.9.93.

Severity: 4.3 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-46233 – Sirv CDN and Image Hosting Stored Cross-Site Scripting Vulnerability

CVE ID : CVE-2025-46233

Published : April 22, 2025, 10:15 a.m. | 58 minutes ago

Description : Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Sirv CDN and Image Hosting Sirv allows Stored XSS. This issue affects Sirv: from n/a through 7.5.3.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-46235 – SKT Blocks – Gutenberg based Page Builder Cross-site Scripting

CVE ID : CVE-2025-46235

Published : April 22, 2025, 10:15 a.m. | 58 minutes ago

Description : Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in sonalsinha21 SKT Blocks – Gutenberg based Page Builder allows Stored XSS. This issue affects SKT Blocks – Gutenberg based Page Builder: from n/a through 2.0.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-46236 – Link Software LLC HTML Forms Stored Cross-site Scripting (XSS)

CVE ID : CVE-2025-46236

Published : April 22, 2025, 10:15 a.m. | 58 minutes ago

Description : Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Link Software LLC HTML Forms allows Stored XSS. This issue affects HTML Forms: from n/a through 1.5.2.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-46241 – Codepeople Appointment Booking Calendar CSRF-Enabled SQL Injection

CVE ID : CVE-2025-46241

Published : April 22, 2025, 10:15 a.m. | 58 minutes ago

Description : Cross-Site Request Forgery (CSRF) vulnerability in codepeople Appointment Booking Calendar allows SQL Injection. This issue affects Appointment Booking Calendar: from n/a through 1.3.92.

Severity: 8.2 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-46238 – Apache RBAER Cross-Site Scripting Vulnerability

CVE ID : CVE-2025-46238

Published : April 22, 2025, 10:15 a.m. | 58 minutes ago

Description : Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in rbaer List Last Changes allows Stored XSS. This issue affects List Last Changes: from n/a through 1.2.1.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…