CyberAlerts

Description: In February 2025, the spyware service Spyzie suffered a data breach along with sibling spyware services, Spyic and Cocospy. The Spyzie breach alone exposed almost 519k customer email addresses which were provided to HIBP, and reportedly also enabled unauthorised access to captured messages, photos, call logs, and more. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".

Source: HaveIBeenPwnedLatestBreaches

February 28th, 2025 (4 months ago)

CVE-2025-25729

An information disclosure vulnerability in Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 allows...

Description: An information disclosure vulnerability in Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 allows attackers to obtain hardcoded cleartext credentials via the update or boot process.

EPSS Score: 0.04%

Source: CVE

February 28th, 2025 (4 months ago)

CVE-2025-25728

Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 were discovered to send communications to the update API...

Description: Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 were discovered to send communications to the update API in plaintext, allowing attackers to access sensitive information via a man-in-the-middle attack.

EPSS Score: 0.01%

Source: CVE

February 28th, 2025 (4 months ago)

CVE-2025-25727

Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 were discovered to store passwords in cleartext.

Description: Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 were discovered to store passwords in cleartext.

EPSS Score: 0.02%

Source: CVE

February 28th, 2025 (4 months ago)

CVE-2025-25477

A host header injection vulnerability in SysPass 3.2x allows an attacker to load malicious JS files from an arbitrary domain which would be...

Description: A host header injection vulnerability in SysPass 3.2x allows an attacker to load malicious JS files from an arbitrary domain which would be executed in the victim's browser.

EPSS Score: 0.03%

Source: CVE

February 28th, 2025 (4 months ago)

CVE-2025-24832

Arbitrary file overwrite during home directory recovery due to improper symbolic link handling. The following products are affected: Acronis Backup...

Description: Arbitrary file overwrite during home directory recovery due to improper symbolic link handling. The following products are affected: Acronis Backup plugin for cPanel & WHM (Linux) before build 1.8.4.866, Acronis Backup plugin for cPanel & WHM (Linux) before build 1.9.1.892, Acronis Backup extension for Plesk (Linux) before build 1.8.7.615.

CVSS: MEDIUM (4.4)

EPSS Score: 0.02%

Source: CVE

February 28th, 2025 (4 months ago)

CVE-2025-1687

Cardealer <= 1.6.4 - Cross-Site Request Forgery to User Update via update_user_profile

Description: The Cardealer theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.4. This is due to missing nonce validation on the 'update_user_profile' function. This makes it possible for unauthenticated attackers to update the user email and password via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: HIGH (8.8)

EPSS Score: 0.02%

Source: CVE

February 28th, 2025 (4 months ago)

CVE-2025-1682

Cardealer <= 1.6.4 - Arbitrary Theme Option Update to Authenticated (Subscriber+) Privilege Escalation

Description: The Cardealer theme for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.4 due to missing capability check on the 'save_settings' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the default user role.

CVSS: HIGH (8.8)

EPSS Score: 0.04%

Source: CVE

February 28th, 2025 (4 months ago)

CVE-2025-1681

Cardealer <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Change and Delete JS and CSS Files

Description: The Cardealer theme for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check and missing filename sanitization on the demo theme scheme AJAX functions in versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to change or delete arbitrary css and js files.

CVSS: MEDIUM (5.4)

EPSS Score: 0.04%

Source: CVE

February 28th, 2025 (4 months ago)

CVE-2024-12811

Traveler <= 3.1.8 - Authenticated (Contributor+) Local File Inclusion via Shortcode

Description: The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_slider' shortcode 'style' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.

CVSS: HIGH (8.8)

EPSS Score: 0.1%

Source: CVE

February 28th, 2025 (4 months ago)

Threat and Vulnerability Intelligence Database

Example Searches:

	Spyzie - 518,643 breached accounts Description: In February 2025, the spyware service Spyzie suffered a data breach along with sibling spyware services, Spyic and Cocospy. The Spyzie breach alone exposed almost 519k customer email addresses which were provided to HIBP, and reportedly also enabled unauthorised access to captured messages, photos, call logs, and more. The data was provided to HIBP by a source who requested it be attributed to "[email protected]". Source: HaveIBeenPwnedLatestBreaches February 28th, 2025 (4 months ago)
CVE-2025-25729	An information disclosure vulnerability in Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 allows... Description: An information disclosure vulnerability in Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 allows attackers to obtain hardcoded cleartext credentials via the update or boot process. EPSS Score: 0.04% Source: CVE February 28th, 2025 (4 months ago)
CVE-2025-25728	Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 were discovered to send communications to the update API... Description: Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 were discovered to send communications to the update API in plaintext, allowing attackers to access sensitive information via a man-in-the-middle attack. EPSS Score: 0.01% Source: CVE February 28th, 2025 (4 months ago)
CVE-2025-25727	Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 were discovered to store passwords in cleartext. Description: Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 were discovered to store passwords in cleartext. EPSS Score: 0.02% Source: CVE February 28th, 2025 (4 months ago)
CVE-2025-25477	A host header injection vulnerability in SysPass 3.2x allows an attacker to load malicious JS files from an arbitrary domain which would be... Description: A host header injection vulnerability in SysPass 3.2x allows an attacker to load malicious JS files from an arbitrary domain which would be executed in the victim's browser. EPSS Score: 0.03% Source: CVE February 28th, 2025 (4 months ago)
CVE-2025-24832	Arbitrary file overwrite during home directory recovery due to improper symbolic link handling. The following products are affected: Acronis Backup... Description: Arbitrary file overwrite during home directory recovery due to improper symbolic link handling. The following products are affected: Acronis Backup plugin for cPanel & WHM (Linux) before build 1.8.4.866, Acronis Backup plugin for cPanel & WHM (Linux) before build 1.9.1.892, Acronis Backup extension for Plesk (Linux) before build 1.8.7.615. CVSS: MEDIUM (4.4) EPSS Score: 0.02% Source: CVE February 28th, 2025 (4 months ago)
CVE-2025-1687	Cardealer <= 1.6.4 - Cross-Site Request Forgery to User Update via update_user_profile Description: The Cardealer theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.4. This is due to missing nonce validation on the 'update_user_profile' function. This makes it possible for unauthenticated attackers to update the user email and password via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. CVSS: HIGH (8.8) EPSS Score: 0.02% Source: CVE February 28th, 2025 (4 months ago)
CVE-2025-1682	Cardealer <= 1.6.4 - Arbitrary Theme Option Update to Authenticated (Subscriber+) Privilege Escalation Description: The Cardealer theme for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.4 due to missing capability check on the 'save_settings' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the default user role. CVSS: HIGH (8.8) EPSS Score: 0.04% Source: CVE February 28th, 2025 (4 months ago)
CVE-2025-1681	Cardealer <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Change and Delete JS and CSS Files Description: The Cardealer theme for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check and missing filename sanitization on the demo theme scheme AJAX functions in versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to change or delete arbitrary css and js files. CVSS: MEDIUM (5.4) EPSS Score: 0.04% Source: CVE February 28th, 2025 (4 months ago)
CVE-2024-12811	Traveler <= 3.1.8 - Authenticated (Contributor+) Local File Inclusion via Shortcode Description: The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_slider' shortcode 'style' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. CVSS: HIGH (8.8) EPSS Score: 0.1% Source: CVE February 28th, 2025 (4 months ago)