Threat and Vulnerability Intelligence Database

CVE-2025-3114

Description: Code Execution via Malicious Files: Attackers can create specially crafted files with embedded code that may execute without adequate security validation, potentially leading to system compromise. Sandbox Bypass Vulnerability: A flaw in the TERR security mechanism allows attackers to bypass sandbox restrictions, enabling the execution of untrusted code without appropriate controls.

CVSS: CRITICAL (9.4)

EPSS Score: 0.14%

Source: CVE
April 9th, 2025 (10 days ago)

CVE-2025-32695

Description: Incorrect Privilege Assignment vulnerability in Mestres do WP Checkout Mestres WP allows Privilege Escalation. This issue affects Checkout Mestres WP: from n/a through 8.7.5.

CVSS: CRITICAL (9.8)

EPSS Score: 0.05%

Source: CVE
April 9th, 2025 (10 days ago)

CVE-2025-32642

Description: Cross-Site Request Forgery (CSRF) vulnerability in appsbd Vite Coupon allows Remote Code Inclusion. This issue affects Vite Coupon: from n/a through 1.0.7.

CVSS: CRITICAL (10.0)

EPSS Score: 0.03%

Source: CVE
April 9th, 2025 (10 days ago)

CVE-2025-32641

Description: Cross-Site Request Forgery (CSRF) vulnerability in anantaddons Anant Addons for Elementor allows Cross Site Request Forgery. This issue affects Anant Addons for Elementor: from n/a through 1.1.5.

CVSS: CRITICAL (9.6)

EPSS Score: 0.02%

Source: CVE
April 9th, 2025 (10 days ago)

CVE-2025-32576

Description: Cross-Site Request Forgery (CSRF) vulnerability in Agence web Eoxia - Montpellier WP shop allows Upload a Web Shell to a Web Server. This issue affects WP shop: from n/a through 2.6.0.

CVSS: CRITICAL (9.6)

EPSS Score: 0.02%

Source: CVE
April 9th, 2025 (10 days ago)

CVE-2025-32496

Description: Cross-Site Request Forgery (CSRF) vulnerability in Uncodethemes Ultra Demo Importer allows Upload a Web Shell to a Web Server. This issue affects Ultra Demo Importer: from n/a through 1.0.5.

CVSS: CRITICAL (9.6)

EPSS Score: 0.02%

Source: CVE
April 9th, 2025 (10 days ago)

CVE-2025-31033

Description: Cross-Site Request Forgery (CSRF) vulnerability in Adam Nowak Buddypress Humanity allows Cross Site Request Forgery. This issue affects Buddypress Humanity: from n/a through 1.2.

CVSS: CRITICAL (9.8)

EPSS Score: 0.03%

Source: CVE
April 9th, 2025 (10 days ago)

CVE-2025-31002

Description: Unrestricted Upload of File with Dangerous Type vulnerability in Bogdan Bendziukov Squeeze allows Using Malicious Files. This issue affects Squeeze: from n/a through 1.6.

CVSS: CRITICAL (9.1)

EPSS Score: 0.05%

Source: CVE
April 9th, 2025 (10 days ago)
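
The CSRF entries above (CVE-2025-32642 through CVE-2025-31033) and the Squeeze upload entry share one failure pattern: a state-changing handler that trusts the session cookie alone, with no per-action token, no capability check and no file-type validation, so a form post from an attacker's page carries a web shell onto the server through the victim's logged-in browser. The following is an added example, not code from any of these plugins or from this database: a minimal Python upload handler in that vulnerable shape beside a hardened version. The request and session dicts, the HMAC nonce scheme, the allowlist of image types and the names (make_nonce, verify_nonce, vulnerable_upload, hardened_upload) are assumptions of the example; they mirror what WordPress provides through wp_create_nonce, check_ajax_referer and current_user_can.

```python
"""Added example: CSRF-to-web-shell upload handler beside a hardened one.

Constructed for illustration; not code from the plugins listed above. The
request/session layout, nonce scheme and allowlist are assumptions.
"""
import hashlib
import hmac
import os
import secrets

SECRET_KEY = secrets.token_bytes(32)   # per-deployment secret (constructed)
UPLOADS = {}                           # stands in for the upload directory

# extension -> leading magic bytes; anything else is rejected by the hardened handler
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def make_nonce(session_id: str, action: str) -> str:
    """Action-scoped token bound to the session, in the spirit of wp_create_nonce()."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(nonce, session_id: str, action: str) -> bool:
    return hmac.compare_digest(nonce or "", make_nonce(session_id, action))


def vulnerable_upload(request: dict, session: dict):
    """Honours any POST that carries a logged-in session cookie: no nonce, no
    capability check, no file-type check. A cross-site form post made by the
    victim's browser therefore drops a web shell under the attacker's filename."""
    if not session.get("user"):
        return 403, "login required"
    name = request["file"]["name"]
    UPLOADS[name] = request["file"]["data"]
    return 200, name


def hardened_upload(request: dict, session: dict):
    if not session.get("user"):
        return 403, "login required"
    if not session.get("can_upload"):             # current_user_can() equivalent
        return 403, "insufficient capability"
    if not verify_nonce(request["form"].get("_nonce"), session["id"], "upload_file"):
        return 403, "bad or missing nonce"         # check_ajax_referer() failure
    name = os.path.basename(request["file"]["name"])
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    data = request["file"]["data"]
    # extension allowlist plus magic-byte check: a renamed .php still fails
    if ext not in ALLOWED_TYPES or not data.startswith(ALLOWED_TYPES[ext]):
        return 415, "file type not allowed"
    stored = f"{secrets.token_hex(8)}.{ext}"      # client does not choose the stored name
    UPLOADS[stored] = data
    return 200, stored


# constructed: the victim is logged in with upload rights
VICTIM_SESSION = {"id": "sess-1234", "user": "admin", "can_upload": True}

# constructed: what an attacker-controlled page submits via the victim's browser.
# The browser attaches the session cookie; the attacker cannot supply a nonce.
CSRF_REQUEST = {
    "form": {},
    "file": {"name": "shell.php", "data": b"<?php system($_GET['c']); ?>"},
}


def legit_request(session: dict) -> dict:
    """A same-site form that carries the nonce rendered into the page."""
    return {
        "form": {"_nonce": make_nonce(session["id"], "upload_file")},
        "file": {"name": "avatar.png", "data": ALLOWED_TYPES["png"] + b"\x00" * 16},
    }


if __name__ == "__main__":
    print(vulnerable_upload(CSRF_REQUEST, VICTIM_SESSION))   # (200, 'shell.php')
    print(hardened_upload(CSRF_REQUEST, VICTIM_SESSION))     # (403, 'bad or missing nonce')
    print(hardened_upload(legit_request(VICTIM_SESSION), VICTIM_SESSION)[0])  # 200
```

Run it directly to see the three outcomes. The magic-byte check is what stops a shell renamed to .png; a real deployment would also store uploads outside the web root under a name the client did not choose, which the randomised stored name stands in for here.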

CVE-2025-32375

Description: BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.8, BentoML's runner server performed insecure deserialization: by setting specific headers and parameters in a POST request, an attacker can execute arbitrary unauthorized code on the server, gaining initial access to it and disclosing information from it. This vulnerability is fixed in 1.4.8.

CVSS: CRITICAL (9.8)

EPSS Score: 0.05%

SSVC Exploitation: poc

Source: CVE
April 9th, 2025 (10 days ago)
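
The BentoML entry describes the generic pickle problem: a request body is handed to a deserializer that resolves and calls any global named in the stream, so a crafted body runs code before the application ever sees data. This added example (not BentoML's code, and not its actual fix) shows the payload an attacker serialises, the vulnerable pickle.loads path, and one hardening pattern, an Unpickler whose find_class enforces an allowlist. The Content-Type value "application/vnd.pickle", the handle_request layout and the allow_pickle switch are assumptions; the real runner-server headers and parameters are not on this page.

```python
"""Added example: insecure pickle deserialization of a request body beside a
hardened decoder. Constructed for illustration; not BentoML's code. The
content-type string and handler layout are assumptions.
"""
import io
import json
import pickle


class Exploit:
    """What an attacker serialises. On load, pickle calls the callable returned
    by __reduce__; eval("6 * 7") is a benign stand-in for os.system(...)."""

    def __reduce__(self):
        return (eval, ("6 * 7",))


def malicious_body() -> bytes:
    # the receiver never needs the Exploit class: only builtins.eval is referenced
    return pickle.dumps(Exploit())


def vulnerable_loads(body: bytes):
    """pickle.loads resolves and calls any global named in the stream."""
    return pickle.loads(body)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global lookup except an explicit allowlist, so a stream
    that references builtins.eval (or os.system) fails before it is called."""

    ALLOWED = {
        ("builtins", "set"),
        ("builtins", "frozenset"),
        ("collections", "OrderedDict"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(body: bytes):
    return RestrictedUnpickler(io.BytesIO(body)).load()


def handle_request(headers: dict, body: bytes, *, allow_pickle: bool = False):
    """Dispatch on Content-Type the way a serving endpoint might (assumed
    layout). Pickle is off unless the operator opts in, and even then it goes
    through the restricted unpickler."""
    ctype = headers.get("Content-Type", "application/json")
    if ctype == "application/vnd.pickle":
        if not allow_pickle:
            raise ValueError("pickle bodies are disabled on this endpoint")
        return safe_loads(body)
    if ctype == "application/json":
        return json.loads(body)
    raise ValueError(f"unsupported content type {ctype}")


if __name__ == "__main__":
    print(vulnerable_loads(malicious_body()))            # 42: eval ran during load
    try:
        safe_loads(malicious_body())
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
```

The allowlist approach still trusts the pickle opcode machinery; where the wire format is under your control, refusing pickle outright and carrying JSON or a schema-checked binary format is the cleaner fix, which is why handle_request disables pickle by default.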

CVE-2025-32020

Description: Impact: Improper neutralization of the order/sort parameter in the TypeORM adapter of crud-query-parser, which allows SQL injection. You are impacted by this vulnerability if you are using the TypeORM adapter, ordering is enabled and you have not set up a property filter. Versions 0.0.1, 0.0.2 and 0.0.3 are affected by this vulnerability.

Patches: This vulnerability has been fixed in version 0.1.0 and newer, which introduces TypeORM field validation (enabled by default).

Workarounds:
- Add an allowlist of fields: list all valid fields and use the filterProperties function to filter out invalid fields before passing the crudRequest to the TypeOrmQueryAdapter. For example: crudRequest = filterProperties(crudRequest, ['id', 'title', 'category.name']);
- Disable ordering: clear the order field just before passing it to the TypeOrmQueryAdapter. For example: crudRequest.order = [];

References:
https://github.com/Guichaguri/crud-query-parser/security/advisories/GHSA-9r25-rp3p-h2w4
https://nvd.nist.gov/vuln/detail/CVE-2025-32020
https://github.com/advisories/GHSA-9r25-rp3p-h2w4

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: Github Advisory Database (NPM)
April 9th, 2025 (10 days ago)
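
The advisory's workaround, filterProperties with an explicit list of fields, exists because sort fields are SQL identifiers and cannot be bound as parameters: whatever string arrives in the order parameter ends up in the ORDER BY text. This added example (constructed on an in-memory SQLite table, not crud-query-parser's code) shows why that matters: with the field unvalidated, an attacker sorts by a CASE expression and reads one bit of a secret off the row order, then recovers it character by character; the allowlisted version rejects anything that is not a known column. The table layout, the secret value and the function names are made up for the demo.

```python
"""Added example: ORDER BY injection through an unvalidated sort field, beside
the allowlisted form that the filterProperties workaround corresponds to.
Constructed on an in-memory SQLite table; not crud-query-parser's code.
"""
import sqlite3
import string

conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT);
    INSERT INTO posts VALUES (1, 'banana'), (2, 'apple'), (3, 'cherry');
    CREATE TABLE secrets (value TEXT);
    INSERT INTO secrets VALUES ('swordfish');
""")


def vulnerable_titles(order_field: str, direction: str = "ASC") -> list:
    """Interpolates the caller-supplied sort field straight into the SQL.
    Bind parameters cannot help here: identifiers are not bindable."""
    sql = f"SELECT title FROM posts ORDER BY {order_field} {direction}"
    return [row[0] for row in conn.execute(sql)]


def blind_oracle(prefix: str) -> bool:
    """Boolean-based blind injection through the sort field: rows come back in
    title order when the secret starts with `prefix`, in id order otherwise."""
    payload = (
        "(CASE WHEN (SELECT value FROM secrets) LIKE '" + prefix + "%' "
        "THEN title ELSE id END)"
    )
    return vulnerable_titles(payload) == vulnerable_titles("title")


def recover_first_char() -> str:
    """One step of the extraction loop; repeat with longer prefixes for the rest."""
    for ch in string.ascii_lowercase:
        if blind_oracle(ch):
            return ch
    return ""


ALLOWED_ORDER_FIELDS = {"id", "title"}      # the filterProperties allowlist idea
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def safe_titles(order_field: str, direction: str = "ASC") -> list:
    """Checks both the identifier and the direction against allowlists and
    quotes the identifier; anything not on the list never reaches SQL."""
    if order_field not in ALLOWED_ORDER_FIELDS:
        raise ValueError(f"unknown sort field: {order_field!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"bad sort direction: {direction!r}")
    sql = f'SELECT title FROM posts ORDER BY "{order_field}" {direction}'
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    print(vulnerable_titles("title"))       # ['apple', 'banana', 'cherry']
    print(recover_first_char())             # 's'
    try:
        safe_titles("(CASE WHEN 1=1 THEN title ELSE id END)")
    except ValueError as exc:
        print("rejected:", exc)
```

The direction is allowlisted as well; it sits in the same identifier position as the field and is injectable in exactly the same way.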