Exploit for CVE-2025-55182
React2Shell: RCE 0-day in React Server Components CVE-2025-5...
CVE-2025-13515
CVE-2025-13515 refers to the Nouri.sh Newsletter WordPress plugin vulnerability. The issue is a Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to and including 1.0.1.3, caused by insufficient input sanitization and output escaping. The Wordfence detail co...
CVE-2025-13515 Nouri.sh Newsletter <= 1.0.1.3 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
The Nouri.sh Newsletter plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 1.0.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
EUVD-2025-201383
The CoSign Single Signon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 0.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
WordPress plugin Time Sheets Cross-Site Request Forgery Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A cross-site request...
CVE-2025-13513 Clik stats <= 0.8 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
The Clik stats plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
Flowise Custom MCP Remote Code Execution
This Metasploit module exploits a remote code execution vulnerability in Flowise versions greater than or equal to 2.2.7-patch.1 and less than 3.0.1. The vulnerability exists in the customMCP endpoint /api/v1/node-load-method/customMCP located in...
CVE-2025-13206
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 4.13.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...
PT-2025-46868
Name of the Vulnerable Software and Affected Versions: Linksys E1200 v2 router firmware versions prior to 2.0.11.001 us. Description: A flaw exists in the validate static route function of the httpd binary. This function does not properly check the size of data when combining CGI parameters – route...
Attackers Actively Exploiting Critical Vulnerability in WP Freeio Plugin
On September 25th, 2025, we received a submission for a Privilege Escalation vulnerability in WP Freeio, a WordPress plugin bundled in the Freeio premium theme with more than 1,700 sales. This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative...
CVE-2025-62716
Plane is open-source project management software. Prior to version 1.1.0, an open redirect vulnerability in the ?nextpath query parameter allows attackers to supply arbitrary schemes e.g., javascript: that are passed directly to router.push. This results in a cross-site scripting XSS vulnerabilit...
CVE-2025-62716
Plane is an open-source project management tool. A vulnerability in versions prior to 1.1.0 is an open redirect in the ?next_path query parameter that accepts arbitrary schemes (e.g., javascript:) and passes them to router.push, causing cross-site scripting (XSS). The issue can be exploited witho...
CVE-2025-62716 Plane Vulnerable to Cross-Site Scripting via Open Redirect in ?next_path Parameter
Plane is open-source project management software. Prior to version 1.1.0, an open redirect vulnerability in the ?nextpath query parameter allows attackers to supply arbitrary schemes e.g., javascript: that are passed directly to router.push. This results in a cross-site scripting XSS vulnerabilit...
CVE-2020-36853
The CVE-2020-36853 entry concerns the WordPress plugin 10WebMapBuilder, with a Stored Cross-Site Scripting (XSS) vulnerability affecting versions up to and including 1.0.63. The issue stems from insufficient input sanitization and output escaping and a lack of capability checks in the Plugin Sett...
EUVD-2011-5241
Malware in sbrugna...
EUVD-2025-7045
Malicious code in bioql PyPI...
EUVD-2024-23278
Malicious code in bioql PyPI...
EUVD-2025-7083
Malicious code in bioql PyPI...
Metasploit Wrap-Up 09/12/25
New LightHouse Studio RCE module: This week we've added a new module that exploits an unauthenticated template injection vulnerability CVE-2025-34300 in Sawtooth Software's Lighthouse Studio, allowing arbitrary Perl execution via survey templates in versions prior to 9.16.14. This module has the...