1395 matches found
CVE-2025-12358
CVE-2025-12358 concerns ShopEngine Elementor WooCommerce Builder Addon for WordPress. Wordfence and related feeds describe a Cross-Site Request Forgery vulnerability in all versions up to 4.8.5, caused by missing nonce validation on the post_add_to_list function and an incorrect permissions callb...
CVE-2025-13606
The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.19. This is due to missing or incorrect nonce validation on the parseData function. This makes it possible for unauthenticated attackers...
CVE-2025-13606
The WordPress plugin WP Ultimate Exporter (Export All Posts, Products, Orders, Refunds & Users) is affected by Cross‑Site Request Forgery up to version 2.19 due to missing or incorrect nonce validation in parseData, enabling unauthenticated attackers to exfiltrate sensitive data (including user d...
Sanitization Bypass
python-ldap is vulnerable to Sanitization Bypass. The vulnerability is due to improper escaping in escapefilterchars when escapemode=1 is used, where crafted list or dict inputs bypass character escaping due to missing type validation, and attackers can exploit this to inject malicious LDAP filte...
CVE-2025-12578
The Reuters Direct plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the the 'class-reuters-direct-settings.php' page. This makes it possible for unauthenticated attackers to reset...
CVE-2025-66255
Unauthenticated Arbitrary File Upload upgradecontents.php in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Missing signature validation allows uploading malicious firmware packages. Th...
PT-2025-48216
The Reuters Direct plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the the 'class-reuters-direct-settings.php' page. This makes it possible for unauthenticated attackers to reset...
EUVD-2025-199677
Unauthenticated Arbitrary File Upload upgradecontents.php in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Missing signature validation allows uploading malicious firmware packages. Th...
CVE-2025-66255 Unauthenticated Arbitrary File Upload (upgrade_contents.php)
Unauthenticated Arbitrary File Upload upgradecontents.php in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to perform Missing signature validation allows uploading malicious firmware packages. Th...
PT-2025-48129
Name of the Vulnerable Software and Affected Versions versions prior to 2025-9558 Description A potential out-of-bounds write issue exists in the gen prov start function within the pb adv.c file. The issue occurs because the full length of received data is copied into the link.rx.buf receiver...
EUVD-2025-199563
The Peer Publish plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the website management pages. This makes it possible for unauthenticated attackers to add, modify, or delete website configuratio...
CVE-2025-13382 Frontend File Manager Plugin <= 23.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary File Renaming
The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.4. This is due to the plugin not validating file ownership before processing file rename requests in the '/wpfm/v1/file-rename' REST API endpoint. This makes i...
CVE-2025-13382 Frontend File Manager Plugin <= 23.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary File Renaming
The Frontend File Manager Plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 23.4. This is due to the plugin not validating file ownership before processing file rename requests in the '/wpfm/v1/file-rename' REST API endpoint. This makes i...
EUVD-2025-198620
The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.0 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue...
CVE-2025-13142
The Custom Post Type plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the custom post type deletion functionality. This makes it possible for unauthenticated attackers to delete custom post types...
CVE-2025-65092
ESF-IDF (Espressif IoT Development Framework) contains a vulnerability in the ESP32-P4 hardware JPEG decoder where the software JPEG parser lacks validation, allowing an out-of-bounds array access when processing crafted images. Affected versions are 5.5.1, 5.4.3, and 5.3.4; mitigations are fixes...
MLX has Wild Pointer Dereference in load_gguf()
Summary Segmentation fault in mlx::core::loadgguf when loading malicious GGUF files. Untrusted pointer from external gguflib library is dereferenced without validation, causing application crash. Environment: - OS: Ubuntu 20.04.6 LTS - Compiler: Clang 19.1.7 Vulnerability Location: mlx/io/gguf.cp...
CVE-2025-13142
The Custom Post Type plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the custom post type deletion functionality. This makes it possible for unauthenticated attackers to delete custom post types...
CVE-2025-13134
CVE-2025-13134: WordPress AuthorSure plugin (versions
WordPress Community Events plugin SQL Injection Vulnerability
WordPress Community Events plugin is an event management plugin on the WordPress platform , mainly used to create and display the event calendar , support for AJAX dynamic loading and event submission form features . WordPress Community Events plugin suffers from a SQL injection vulnerability tha...