CVE-2024-13787
Description: The VEDA - MultiPurpose WordPress Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.2 via deserialization of untrusted input in the 'veda_backup_and_restore_action' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
CVSS: CRITICAL (9.8) EPSS Score: 0.12%
March 5th, 2025

CVE-2025-1307
Description: The Newscrunch theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the newscrunch_install_and_activate_plugin() function in all versions up to, and including, 1.8.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS: CRITICAL (9.8) EPSS Score: 3.57%
March 4th, 2025

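The missing capability check in CVE-2025-1307 is the general shape of a WordPress `wp_ajax_*` handler that is reachable by every logged-in user (Subscriber included) and does not ask what that user is allowed to do before acting. The following is an added example, not the Newscrunch theme's code: a deliberately vulnerable upload handler beside its hardened form. The function names, the `demo_plugin_upload` action names and the `plugin_zip` field are hypothetical; the WordPress APIs (`current_user_can`, `check_ajax_referer`, `wp_handle_upload`, `Plugin_Upgrader`) are real and the code assumes a WordPress runtime.

```php
<?php
// Added example, not the Newscrunch theme's code. Hypothetical names:
// demo_install_plugin_*, the wp_ajax_demo_plugin_upload* actions, $_FILES['plugin_zip'].

// --- Vulnerable: any authenticated user reaches wp_ajax_* hooks, and nothing
// here checks a capability or a nonce before writing the upload to disk.
function demo_install_plugin_vulnerable(): void {
    $file = $_FILES['plugin_zip'] ?? null;
    if ( ! $file ) {
        wp_send_json_error( 'no file' );
    }
    // Any type, any name, under the web root: a Subscriber can drop a .php
    // file here and then request it directly, which is the RCE path.
    $dest = wp_upload_dir()['basedir'] . '/' . basename( $file['name'] );
    move_uploaded_file( $file['tmp_name'], $dest );
    wp_send_json_success( $dest );
}
add_action( 'wp_ajax_demo_plugin_upload_vuln', 'demo_install_plugin_vulnerable' );

// --- Hardened: authorization first, then CSRF, then strict file handling.
function demo_install_plugin_hardened(): void {
    // 1. Authorization. Installing plugins is an administrator capability;
    //    "is the user logged in?" (what wp_ajax_* already implies) is not enough.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF: the request must carry a nonce bound to this specific action.
    check_ajax_referer( 'demo_plugin_upload', 'nonce' );

    $file = $_FILES['plugin_zip'] ?? null;
    if ( ! $file || UPLOAD_ERR_OK !== $file['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }
    // 3. File handling: let core validate the upload, restricted to a zip by
    //    extension and sniffed MIME type, so no PHP source ever lands on disk.
    $moved = wp_handle_upload( $file, [
        'test_form' => false,
        'mimes'     => [ 'zip' => 'application/zip' ],
    ] );
    if ( isset( $moved['error'] ) ) {
        wp_send_json_error( $moved['error'], 400 );
    }
    // 4. Hand the archive to the core installer instead of unpacking it by hand.
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $moved['file'] );
    @unlink( $moved['file'] );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'install failed', 500 );
    }
    wp_send_json_success( $upgrader->plugin_info() );
}
add_action( 'wp_ajax_demo_plugin_upload', 'demo_install_plugin_hardened' );
```

The order matters: the capability check runs before the nonce check so that an unauthorized caller learns nothing about valid nonces, and both run before any file is touched. Registering the handler only on `wp_ajax_` (not `wp_ajax_nopriv_`) is not an authorization control by itself, which is the point the Subscriber-level wording in the advisory makes.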
CVE-2025-0912
Description: The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.
CVSS: CRITICAL (9.8) EPSS Score: 1.62%
March 4th, 2025

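CVE-2025-0912 and CVE-2024-13787 above describe the same primitive: `unserialize()` on a value the client controls lets the attacker instantiate any loaded class with attacker-chosen properties, and the difference between "no impact" and "delete arbitrary files" is whether some other installed code supplies a gadget (the POP chain). The following is an added, self-contained example and not code from either plugin or theme: `LogCleaner` is a hypothetical gadget class standing in for whatever a third-party plugin might ship, `vulnerable_restore`/`hardened_restore`/`json_restore` are hypothetical names, and the payload is constructed for the demo. It runs with `php` on any PHP 8 install.

```php
<?php
// Added example, not code from the advisories above. LogCleaner, the *_restore
// functions and the payload are hypothetical/constructed for this demonstration.
declare(strict_types=1);

// Hypothetical gadget: a destructor that acts on an attacker-settable property.
// A real POP chain is any such class that happens to be loadable on the site.
final class LogCleaner
{
    public string $path = '';

    public function __destruct()
    {
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path);
            echo "gadget fired: removed {$this->path}\n";
        }
    }
}

// Vulnerable pattern: the raw field is unserialized, so the attacker chooses
// which class gets instantiated and what its properties contain.
function vulnerable_restore(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened pattern: forbid object instantiation entirely. Arrays and scalars
// still round-trip; any object in the payload becomes __PHP_Incomplete_Class,
// whose magic methods (__wakeup, __destruct, __toString) never run.
function hardened_restore(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// For new code, prefer a format that cannot express objects at all.
function json_restore(string $untrusted): ?array
{
    $v = json_decode($untrusted, true, 8, JSON_THROW_ON_ERROR);
    return is_array($v) ? $v : null;
}

// --- demonstration on constructed input -----------------------------------
$victim = tempnam(sys_get_temp_dir(), 'poi');   // stand-in for a file worth deleting
file_put_contents($victim, "sensitive\n");

// Constructed attacker payload. Crafting it needs only the gadget's class and
// property names, which are public in the third-party plugin's source.
$payload = sprintf('O:10:"LogCleaner":1:{s:4:"path";s:%d:"%s";}', strlen($victim), $victim);

$obj = vulnerable_restore($payload);
printf("vulnerable: got %s\n", get_class($obj));
unset($obj);                                    // destructor runs here
printf("vulnerable: victim file still exists? %s\n", var_export(file_exists($victim), true));

file_put_contents($victim, "sensitive\n");
$obj = hardened_restore($payload);
printf("hardened:   got %s\n", get_class($obj));
unset($obj);                                    // nothing to run
printf("hardened:   victim file still exists? %s\n", var_export(file_exists($victim), true));
unlink($victim);

print_r(json_restore('{"card_address":"1 Main St"}'));
```

`allowed_classes => false` is the right retrofit when a serialized format cannot be changed; it does not protect code that later treats the `__PHP_Incomplete_Class` as a real object, so the long-term fix is the JSON variant. When auditing a site for the "no known POP chain" caveat in CVE-2024-13787, the question to ask of every other installed plugin and theme is whether it defines a class like `LogCleaner` that does something with its properties in a magic method.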
CVE-2025-27270
Description: Missing Authorization vulnerability in NotFound Residential Address Detection allows Privilege Escalation. This issue affects Residential Address Detection: from n/a through 2.5.4.
CVSS: CRITICAL (9.8) EPSS Score: 0.06%
March 3rd, 2025

CVE-2025-27268
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology Small Package Quotes – Worldwide Express Edition allows SQL Injection. This issue affects Small Package Quotes – Worldwide Express Edition: from n/a through 5.2.18.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
March 3rd, 2025

CVE-2025-26988
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications – WooCommerce allows SQL Injection. This issue affects SMS Alert Order Notifications – WooCommerce: from n/a through 3.7.8.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
March 3rd, 2025

CVE-2025-26970
Description: Improper Control of Generation of Code ('Code Injection') vulnerability in NotFound Ark Theme Core allows Code Injection. This issue affects Ark Theme Core: from n/a through 1.70.0.
CVSS: CRITICAL (10.0) EPSS Score: 0.07%
March 3rd, 2025

CVE-2025-26535
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Bitcoin / AltCoin Payment Gateway for WooCommerce allows Blind SQL Injection. This issue affects Bitcoin / AltCoin Payment Gateway for WooCommerce: from n/a through 1.7.6.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
March 3rd, 2025

CVE-2025-25150
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix uListing allows Blind SQL Injection. This issue affects uListing: from n/a through 2.1.6.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
March 3rd, 2025

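The four SQL injection entries above (CVE-2025-27268, CVE-2025-26988, CVE-2025-26535 and CVE-2025-25150, the last two explicitly blind) share one root cause: a request parameter is concatenated into SQL text. "Blind" means the response carries no query output, only whether a row came back, and the following added example shows that this single bit is enough to read data out one character at a time. It is not code from any of the listed plugins: the `listings` table, its columns, the `owner_secret` values and the function names are all constructed for the demo, and it runs offline with `php` against an in-memory SQLite database (PDO with the `pdo_sqlite` extension, present in most PHP builds).

```php
<?php
// Added example, not code from any of the SQL injection entries above.
// Table, columns, rows and function names are hypothetical/constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT, owner_secret TEXT)');
$db->exec("INSERT INTO listings VALUES (1, 'Flat', 'tok_5f3a'), (2, 'House', 'tok_9c1d')");

// Vulnerable: the id lands in the SQL text. The endpoint reveals only whether a
// row exists (one bit per request), which is exactly what a blind attack uses.
function listing_exists_vulnerable(PDO $db, string $id): bool
{
    $sql = "SELECT 1 FROM listings WHERE id = $id";
    return $db->query($sql)->fetchColumn() !== false;
}

// Hardened: validate the shape, then bind the value so it can never be parsed
// as SQL. In a WordPress plugin the equivalent is
//   $wpdb->get_var( $wpdb->prepare( 'SELECT 1 FROM ... WHERE id = %d', $id ) );
function listing_exists_hardened(PDO $db, string $id): bool
{
    if (! ctype_digit($id)) {
        return false;
    }
    $stmt = $db->prepare('SELECT 1 FROM listings WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchColumn() !== false;
}

// Blind extraction: one yes/no probe per candidate character. Every $probe is a
// constructed attacker value for the id parameter, of the form
//   2 AND substr(owner_secret,1,1)='t'
function extract_secret(callable $oracle, int $row, int $maxLen = 16): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789_';
    $out = '';
    for ($pos = 1; $pos <= $maxLen; $pos++) {
        $matched = false;
        foreach (str_split($alphabet) as $ch) {
            $probe = sprintf("%d AND substr(owner_secret,%d,1)='%s'", $row, $pos, $ch);
            if ($oracle($probe)) {
                $out .= $ch;
                $matched = true;
                break;
            }
        }
        if (! $matched) {
            break;      // no candidate matched: end of the secret
        }
    }
    return $out;
}

$vuln = fn(string $id): bool => listing_exists_vulnerable($db, $id);
$safe = fn(string $id): bool => listing_exists_hardened($db, $id);

printf("vulnerable lookup leaks: '%s'\n", extract_secret($vuln, 2));
printf("hardened lookup leaks:   '%s'\n", extract_secret($safe, 2));
printf("hardened still works for a real id: %s\n", var_export($safe('2'), true));
```

A real attacker binary-searches each character instead of walking the alphabet, and tools automate the loop, so the request volume is not a meaningful obstacle; the hardened lookup returns the same answer for every probe and therefore leaks nothing. For string columns the `$wpdb` form uses `%s`, and for `LIKE` patterns the value must additionally pass through `$wpdb->esc_like()` before `prepare()`.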
CVE-2025-1671
Description: The Academist Membership plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.6. This is due to the academist_membership_check_facebook_user() function not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to log in as any user, including site administrators.
CVSS: CRITICAL (9.8) EPSS Score: 0.06%
March 1st, 2025

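CVE-2025-1671 is the social-login version of a classic authentication bypass: the callback accepts an identity claim from the browser and calls `wp_set_auth_cookie()` on it, instead of obtaining that identity from the provider. The advisory does not say which field the plugin trusts, so the following added example shows the general pattern rather than the plugin's code: a vulnerable handler that trusts a posted email, beside a hardened one that validates the access token with Facebook and resolves the account by the provider's user id. The `demo_fb_*` names, the `demo_fb_user_id` user-meta key and the `DEMO_FB_APP_ID`/`DEMO_FB_APP_SECRET` constants are hypothetical and must be defined by you; the WordPress functions and the Graph API `debug_token` and `me` endpoints are real, and the code assumes a WordPress runtime with outbound HTTPS.

```php
<?php
// Added example, not the Academist Membership plugin's code. Hypothetical names:
// demo_fb_*, the demo_fb_user_id meta key, DEMO_FB_APP_ID and DEMO_FB_APP_SECRET
// (define both as strings; Facebook returns app_id as a string).

// --- Vulnerable: the identity comes straight from the request. Anyone who
// knows an administrator's email can POST it and receive that session cookie;
// no proof of control over the account is ever checked.
function demo_fb_login_vulnerable(): void {
    $email = sanitize_email( $_POST['email'] ?? '' );
    $user  = get_user_by( 'email', $email );
    if ( ! $user ) {
        wp_send_json_error( 'unknown user', 404 );
    }
    wp_set_auth_cookie( $user->ID );        // authenticated on the client's say-so
    wp_send_json_success();
}

// --- Hardened: only the provider's answer is trusted, and the token is checked
// to belong to *this* application before any local account is resolved.
function demo_fb_login_hardened(): void {
    $token = sanitize_text_field( $_POST['access_token'] ?? '' );
    if ( '' === $token ) {
        wp_send_json_error( 'missing token', 400 );
    }

    // 1. Is the token valid and issued to our app? A token minted for another
    //    app on behalf of the same person must be rejected, or any Facebook app
    //    the victim ever used could be turned into a login for this site.
    $debug = wp_remote_get( add_query_arg( [
        'input_token'  => $token,
        'access_token' => DEMO_FB_APP_ID . '|' . DEMO_FB_APP_SECRET,
    ], 'https://graph.facebook.com/debug_token' ) );
    $info = json_decode( wp_remote_retrieve_body( $debug ), true );
    if ( 200 !== wp_remote_retrieve_response_code( $debug )
        || empty( $info['data']['is_valid'] )
        || ( $info['data']['app_id'] ?? '' ) !== DEMO_FB_APP_ID ) {
        wp_send_json_error( 'token rejected', 401 );
    }

    // 2. Ask the provider who the token belongs to; never take the id from the client.
    $me = wp_remote_get( add_query_arg( [
        'fields'       => 'id,email',
        'access_token' => $token,
    ], 'https://graph.facebook.com/me' ) );
    $profile = json_decode( wp_remote_retrieve_body( $me ), true );
    if ( 200 !== wp_remote_retrieve_response_code( $me ) || empty( $profile['id'] ) ) {
        wp_send_json_error( 'profile lookup failed', 401 );
    }

    // 3. Resolve the account by the provider's stable user id linked at signup,
    //    not by email, which the person controls on the provider's side.
    $users = get_users( [
        'meta_key'   => 'demo_fb_user_id',
        'meta_value' => $profile['id'],
        'number'     => 1,
        'fields'     => 'ID',
    ] );
    if ( ! $users ) {
        wp_send_json_error( 'no linked account', 404 );
    }
    wp_set_auth_cookie( (int) $users[0] );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_demo_fb_login', 'demo_fb_login_hardened' );
```

Two checks are easy to skip and both matter: the `app_id` comparison in step 1 (a valid token is not necessarily a token for your app), and the lookup by provider id rather than email in step 3 (an attacker who can change the email on their own Facebook profile to an administrator's address must not be able to log in as that administrator). The vulnerable function is left unhooked on purpose.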