1395 matches found

Source: Zero Day Initiative | added 2025/12/09 12:00 a.m. | 6 views

Microsoft Windows win32kfull Out-Of-Bounds Write Local Privilege Escalation Vulnerability

This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the win32kfull...

CVSS 8.8 | AI score 7.3 | EPSS 0.00638 | Exploits: 0 | References: 1

Source: PyPA | added 2025/12/08 7:15 p.m. | 10 views

PYSEC-2025-89

NUT-14 allows cashu tokens to be created with a preimage hash. However, nutshell cashubtc/nuts before 0.18.0 do not validate the size of the preimage when the token is spent. The preimage is stored by the mint, and an attacker can exploit this vulnerability to fill the mint's db and disk with arbitrary da...

CVSS 9.1 | AI score 5.9 | EPSS 0.00358 | Exploits: 1 | References: 6 | Affected Software: 1
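What the missing check looks like in practice, as an added example that is not Nutshell's code (Nutshell is a Python project; this is PHP). It assumes, per NUT-14 as read here, that the hash lock is the SHA-256 digest of a 32-byte preimage and that both travel as hex strings; the function name and constant are hypothetical. The point is ordering: the cheap length bound runs before the value is decoded, hashed or written anywhere.

```php
<?php
// Added example, not Nutshell code. Assumption: the HTLC lock is
// sha256(preimage) with a 32-byte preimage, both supplied as hex.

const PREIMAGE_BYTES = 32;

/**
 * Returns the canonical lowercase-hex preimage to persist, or throws.
 * The size check is first so an oversized witness is refused before it
 * costs a hex decode, a hash or a database write.
 */
function validate_htlc_preimage( string $preimage_hex, string $lock_hex ): string {
    // 1. Bound the input. This is the check the unpatched mint lacked.
    if ( strlen( $preimage_hex ) !== 2 * PREIMAGE_BYTES ) {
        throw new InvalidArgumentException(
            'preimage must be exactly ' . ( 2 * PREIMAGE_BYTES ) . ' hex characters'
        );
    }
    if ( ! ctype_xdigit( $preimage_hex ) ) {
        throw new InvalidArgumentException( 'preimage is not hex' );
    }
    if ( strlen( $lock_hex ) !== 64 || ! ctype_xdigit( $lock_hex ) ) {
        throw new InvalidArgumentException( 'hash lock is not a SHA-256 digest' );
    }
    // 2. Only now bind the witness to the lock. hash_equals() is constant-time.
    $digest = hash( 'sha256', hex2bin( $preimage_hex ) );
    if ( ! hash_equals( strtolower( $lock_hex ), $digest ) ) {
        throw new InvalidArgumentException( 'preimage does not match hash lock' );
    }
    return strtolower( $preimage_hex );
}

// Constructed inputs for a quick run: a valid pair, then an oversized witness
// of the kind the advisory describes. The unpatched mint stores the latter;
// this function refuses it before storage.
$preimage = bin2hex( random_bytes( PREIMAGE_BYTES ) );
$lock     = hash( 'sha256', hex2bin( $preimage ) );
validate_htlc_preimage( $preimage, $lock );                       // accepted
try {
    validate_htlc_preimage( str_repeat( 'ab', 1000000 ), $lock ); // 2 MB witness
} catch ( InvalidArgumentException $e ) {
    echo $e->getMessage(), PHP_EOL;                                // refused
}
```

A mint that also caps the total witness size at the request parser (before JSON decoding) closes the same hole one layer earlier; the function above is the last line of defence, not the only one.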

Source: Japan Vulnerability Notes | added 2025/12/08 8:48 a.m. | 9 views

Multiple vulnerabilities in GroupSession

Overview: GroupSession provided by Japan Total System Co.,Ltd. contains multiple vulnerabilities listed below.
- Stored cross-site scripting (CWE-79) - CVE-2025-53523
- Stored cross-site scripting (CWE-79) - CVE-2025-54407
- Reflected cross-site scripting (CWE-79) - CVE-2025-57883
- Cross-site request forgery...

CVSS 6.9 | AI score 5.9 | EPSS 0.00186 | Exploits: 0 | References: 17

Source: NVD | added 2025/12/06 10:16 a.m. | 5 views

CVE-2025-12966

The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolveimportdirectory function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload...

CVSS 8.8 | EPSS 0.00446 | Exploits: 0 | References: 2

Source: RedhatCVE | added 2025/12/06 5:54 a.m. | 4 views

CVE-2025-10055

The Time Sheets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.3. This is due to missing or incorrect nonce validation on several endpoints. This makes it possible for unauthenticated attackers to perform a variety of actions via a forge...

CVSS 4.3 | AI score 5.3 | EPSS 0.00102 | Exploits: 0 | References: 1

Source: RedhatCVE | added 2025/12/06 5:54 a.m. | 5 views

CVE-2025-13144

The ContentStudio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.7. This is due to missing or insufficient nonce validation on the addcstusettings function. This makes it possible for unauthenticated attackers to modify plugin settings v...

CVSS 4.3 | AI score 5.2 | EPSS 0.00128 | Exploits: 0 | References: 1

Source: Vulnrichment | added 2025/12/06 5:49 a.m. | 2 views

CVE-2025-13629 WP Landing Page <= 0.9.3 - Cross-Site Request Forgery to Arbitrary Post Meta Update

The WP Landing Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the 'wplpapiupdatetext' function. This makes it possible for unauthenticated attackers to update arbitrary post meta via a...

CVSS 4.3 | AI score 5 | EPSS 0.00126 | Exploits: 0 | References: 3

Source: Cvelist | added 2025/12/06 5:49 a.m. | 26 views

CVE-2025-12673 Flex QR Code Generator <= 1.2.7 - Unauthenticated Arbitrary File Upload

The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the updateqrcode function in all versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site...

CVSS 9.8 | EPSS 0.00631 | Exploits: 1 | References: 5

Source: CNNVD | added 2025/12/06 12:00 a.m. | 4 views

WordPress plugin Fluent Forms security vulnerability

WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that can host personal blog sites on PHP- and MySQL-based servers. A WordPress plugin is an add-on application for the platform. A security vulnerabili...

CVSS 5.3 | AI score 6.5 | EPSS 0.0025 | Exploits: 0 | References: 3

Source: EUVD | added 2025/12/05 9:27 a.m. | 7 views

EUVD-2025-201400

The User Generator and Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.2.2. This is due to missing nonce validation in the "Import Using CSV File" function. This makes it possible for unauthenticated attackers to elevate user privileges ...

CVSS 8.8 | AI score 5.2 | EPSS 0.00154 | Exploits: 0 | References: 3

Source: Vulnrichment | added 2025/12/05 7:26 a.m. | 3 views

CVE-2025-13684 ARK Related Posts <= 2.19 - Cross-Site Request Forgery to Settings Update

The ARK Related Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 2.19. This is due to missing or incorrect nonce validation on the arkrpoptionspage function. This makes it possible for unauthenticated attackers to modify the plugin's configuration settings via a...

CVSS 4.3 | AI score 5.3 | EPSS 0.00128 | Exploits: 0 | References: 3

Source: NVD | added 2025/12/05 6:16 a.m. | 9 views

CVE-2025-13144

The ContentStudio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.7. This is due to missing or insufficient nonce validation on the addcstusettings function. This makes it possible for unauthenticated attackers to modify plugin settings v...

CVSS 4.3 | EPSS 0.00128 | Exploits: 0 | References: 4

Source: CVE | added 2025/12/05 5:31 a.m. | 14 views

CVE-2025-12154

CVE-2025-12154 (Auto Thumbnailer, WordPress) The vulnerability is an authenticated arbitrary file upload flaw in the Auto Thumbnailer plugin, affecting versions up to 1.0. The uploadThumb() function lacks proper file-type validation, enabling attackers with Contributor+ privileges to upload arbit...

CVSS 8.8 | AI score 7 | EPSS 0.00446 | Exploits: 0 | References: 2

Source: CVE | added 2025/12/05 5:31 a.m. | 16 views

CVE-2025-12190

CVE-2025-12190 affects the WordPress plugin Image Optimizer by wps.sk (versions ≤ 1.2.0) with CSRF due to missing nonce validation in imagopby_ajax_optimize_gallery(). Multiple connected sources confirm the CSRF flaw and impacted plugin/version; however, no patch/version remediation is detailed i...

CVSS 4.3 | AI score 4.9 | EPSS 0.00124 | Exploits: 0 | References: 3

Source: Vulnrichment | added 2025/12/05 5:31 a.m. | 4 views

CVE-2025-12189 Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents <= 7.11.1374 - Cross-Site Request Forgery to Arbitrary File Upload

The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.11.1374. This is due to missing or incorrect nonce validation on the uploadImage function...

CVSS 4.3 | AI score 6.5 | EPSS 0.00268 | Exploits: 2 | References: 5

Source: EUVD | added 2025/12/05 5:31 a.m. | 5 views

EUVD-2025-201385

The ContentStudio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.7. This is due to missing or insufficient nonce validation on the addcstusettings function. This makes it possible for unauthenticated attackers to modify plugin settings v...

CVSS 4.3 | AI score 4.8 | EPSS 0.00128 | Exploits: 0 | References: 4

Source: Positive Technologies | added 2025/12/05 12:00 a.m. | 9 views

PT-2025-49207

Name of the Vulnerable Software and Affected Versions: Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPress, versions prior to 7.10.1322
Description: The software is susceptible to a Cross-Site Request Forgery issue. This is due to...

CVSS 8.8 | AI score 7.6 | EPSS 0.00268 | Exploits: 2 | References: 11

Source: OSV | added 2025/12/04 10:3 p.m. | 6 views

GHSA-C6XV-RCVW-V685 Open WebUI vulnerable to Server-Side Request Forgery (SSRF) via Arbitrary URL Processing in /api/v1/retrieval/process/web

Summary: A Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP requests to arbitrary URLs. This can be exploited to access cloud metadata endpoints (AWS/GCP/Azure), scan internal networks, access internal services behind...

CVSS 8.5 | AI score 7 | EPSS 0.03965 | Exploits: 1 | References: 4
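The guard a server-side fetcher needs before it touches a user-supplied URL, as an added example that is not Open WebUI code (Open WebUI is a Python project; this is PHP, and the acme_ function names are hypothetical). It shows the checks in the order they must run: scheme allowlist, no userinfo, resolve the host ourselves, refuse every non-public answer (169.254.0.0/16 is where the AWS, GCP and Azure metadata services live), then pin the connection to the vetted address and refuse redirects, so neither a DNS answer that changes between check and request nor a 302 to an internal address can bypass the check.

```php
<?php
// Added example, not Open WebUI code. acme_* names are hypothetical.

function acme_is_public_ip( string $ip ): bool {
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 and fc00::/7.
    // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16 (cloud metadata), 240/4,
    // ::1, ::, ::ffff:0:0/96 and fe80::/10.
    return false !== filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
}

/** Returns [scheme, host, port, ip, url] for a URL that is safe to fetch, or throws. */
function acme_resolve_outbound_url( string $url ): array {
    $p = parse_url( $url );
    if ( false === $p || empty( $p['scheme'] ) || empty( $p['host'] ) ) {
        throw new InvalidArgumentException( 'malformed URL' );
    }
    $scheme = strtolower( $p['scheme'] );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        throw new InvalidArgumentException( "scheme not allowed: $scheme" ); // file://, gopher://, dict:// ...
    }
    if ( isset( $p['user'] ) || isset( $p['pass'] ) ) {
        throw new InvalidArgumentException( 'userinfo not allowed' );       // http://trusted.example@169.254.169.254/
    }
    $host = strtolower( trim( $p['host'], '[]' ) );
    $port = $p['port'] ?? ( 'https' === $scheme ? 443 : 80 );

    if ( filter_var( $host, FILTER_VALIDATE_IP ) ) {
        $ips = array( $host );                       // literal address
    } else {
        // Resolve here, not inside the HTTP client. Odd spellings such as
        // 2130706433 or 0x7f000001 are not valid names; they resolve to
        // nothing and are refused below.
        $a    = dns_get_record( $host, DNS_A ) ?: array();
        $aaaa = dns_get_record( $host, DNS_AAAA ) ?: array();
        $ips  = array_merge( array_column( $a, 'ip' ), array_column( $aaaa, 'ipv6' ) );
        if ( empty( $ips ) ) {
            throw new InvalidArgumentException( "cannot resolve $host" );
        }
    }
    // Every answer must be public; a mixed answer set is how rebinding starts.
    foreach ( $ips as $ip ) {
        if ( ! acme_is_public_ip( $ip ) ) {
            throw new InvalidArgumentException( "$host resolves to non-public address $ip" );
        }
    }
    return array( 'scheme' => $scheme, 'host' => $host, 'port' => $port, 'ip' => $ips[0], 'url' => $url );
}

// Fetch pinned to the vetted IP. CURLOPT_RESOLVE pre-seeds cURL's resolver so
// the socket goes to $ip while Host and TLS SNI still carry $host.
function acme_fetch_vetted( string $url ): string {
    $t  = acme_resolve_outbound_url( $url );
    $ip = false !== strpos( $t['ip'], ':' ) ? '[' . $t['ip'] . ']' : $t['ip'];
    $ch = curl_init( $t['url'] );
    curl_setopt_array( $ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                       // a 302 to an internal host must not be followed
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_MAXFILESIZE    => 5 * 1024 * 1024,
        CURLOPT_RESOLVE        => array( "{$t['host']}:{$t['port']}:{$ip}" ),
    ) );
    $body = curl_exec( $ch );
    $err  = curl_error( $ch );
    curl_close( $ch );
    if ( false === $body ) {
        throw new RuntimeException( "fetch failed: $err" );
    }
    return $body;
}

// Examples (constructed): the first is refused before any connection is made.
foreach ( array( 'http://169.254.169.254/latest/meta-data/', 'https://example.com/' ) as $u ) {
    try {
        acme_resolve_outbound_url( $u );
        echo "allowed: $u", PHP_EOL;
    } catch ( InvalidArgumentException $e ) {
        echo "refused: $u (", $e->getMessage(), ")", PHP_EOL;
    }
}
```

If redirects are a product requirement, follow them manually: re-run acme_resolve_outbound_url() on each Location header and cap the hop count, rather than enabling CURLOPT_FOLLOWLOCATION. A deny-list on hostnames alone (matching "169.254.169.254" as a string) is not a substitute, since the same address can be reached through DNS, IPv6-mapped forms or a redirect.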

Source: NVD | added 2025/12/03 1:16 p.m. | 4 views

CVE-2025-12358

The ShopEngine Elementor WooCommerce Builder Addon plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.8.5. This is due to missing nonce validation on the "postaddtolist" function as well as an incorrect permissions callback in the "Api/init"...

CVSS 4.3 | EPSS 0.00104 | Exploits: 0 | References: 2

Source: Cvelist | added 2025/12/03 12:29 p.m. | 16 views

CVE-2025-13109 HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_query/woof_remove_query'

The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.2 via the "woof_add_query" and "woof_remove_query" functions due to missing validation on a user controlled key. This makes it...

CVSS 4.3 | EPSS 0.00215 | Exploits: 0 | References: 2
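The defects that recur through the WordPress entries above (missing nonce validation, no capability check, no file type validation on upload), together with the incorrect REST permission callback the ShopEngine entry cites and the object-level check the HUSKY IDOR entry lacks, in one added example. This is not code from any plugin listed here; the acme_ prefix, hook names, route and capability choices are hypothetical. The vulnerable handler is shown for contrast and is deliberately not hooked.

```php
<?php
// Added example, not code from any plugin listed above. acme_* names,
// hooks, route and capabilities are hypothetical.

// ---- Vulnerable shape (contrast only; NOT hooked): no nonce, no capability
// check, no type check. Any page the victim visits can POST this on their behalf.
function acme_upload_image_vulnerable() {
    $file   = $_FILES['image'];
    $target = wp_upload_dir()['path'] . '/' . basename( $file['name'] );
    move_uploaded_file( $file['tmp_name'], $target );  // evil.php now sits under wp-content/uploads
    wp_send_json_success( array( 'file' => basename( $file['name'] ) ) );
}

// ---- Hardened handler. Hooked on wp_ajax_ only (no wp_ajax_nopriv_), so
// anonymous requests never reach it.
add_action( 'wp_ajax_acme_upload_image', 'acme_upload_image_hardened' );
function acme_upload_image_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action and this
    //    user. check_ajax_referer() terminates the request on mismatch.
    check_ajax_referer( 'acme_upload_image', 'nonce' );

    // 2. Authorization: a nonce proves intent, not privilege. Check the
    //    capability that matches the operation, never just "is logged in".
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( empty( $_FILES['image'] ) || UPLOAD_ERR_OK !== $_FILES['image']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. File type: wp_handle_upload() runs wp_check_filetype_and_ext(), which
    //    checks the extension against the allowed mime list and, for images,
    //    inspects the actual bytes. Pass an explicit allowlist.
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    $result = wp_handle_upload( $_FILES['image'], array(
        'test_form' => false,  // not the core media form
        'mimes'     => array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif' ),
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// The form that feeds it: wp_nonce_field() emits the hidden field that
// check_ajax_referer() verifies (same action name, same field name).
function acme_render_upload_form() {
    ?>
    <form method="post" enctype="multipart/form-data"
          action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="acme_upload_image">
        <?php wp_nonce_field( 'acme_upload_image', 'nonce' ); ?>
        <input type="file" name="image">
        <button type="submit">Upload</button>
    </form>
    <?php
}

// ---- REST variant of the same mistake. permission_callback => '__return_true'
// makes the route public: a cookie-authenticated request without a valid
// X-WP-Nonce header is treated by WordPress as anonymous, so a cross-site
// POST reaches the callback as user 0 and is allowed.
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/list/add', array(
        'methods'             => 'POST',
        'callback'            => 'acme_rest_add_to_list',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );  // role-level gate
        },
        'args' => array(
            'post_id' => array(
                'required'          => true,
                'validate_callback' => function ( $v ) { return is_numeric( $v ) && (int) $v > 0; },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
function acme_rest_add_to_list( WP_REST_Request $req ) {
    $post_id = $req->get_param( 'post_id' );
    // Object-level check on the user-controlled key: may THIS user act on
    // THIS post? A role-level gate alone is what produces an IDOR.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'rest_forbidden', 'cannot edit this post', array( 'status' => 403 ) );
    }
    return rest_ensure_response( array( 'added' => $post_id ) );
}
```

Two things worth checking in a review of any plugin handler: that the nonce check is not the only gate (a nonce for a Subscriber is still a valid nonce), and that the upload path goes through wp_handle_upload() or wp_check_filetype_and_ext() rather than trusting the client-supplied MIME type in $_FILES.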