Lucene search

2443 matches found

NVD
added 2025/11/19 5:16 a.m., 4 views

CVE-2025-12426

The Quiz Maker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.7.0.80. This is due to the plugin exposing quiz answers through the aysquizcheckanswer AJAX action without proper authorization checks. The endpoint only validates a nonce,...

CVSS 7.5, EPSS 0.00287
Exploits 0, References 4

NVD
added 2025/11/19 4:16 a.m., 6 views

CVE-2025-12777

The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.10.0. This is due to the plugin not properly verifying that a user is authorized to perform actions on the REST API /wp-json/yith/wishlist/v1/lists endpoint which uses...

CVSS 5.3, EPSS 0.00271
Exploits 0, References 6

Positive Technologies
added 2025/11/19 12:0 a.m., 5 views

PT-2025-47428

The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'directorist prepare listings export file' and 'directorist type slug change' AJAX actions in all versions up to, a...

CVSS 6.5, AI score 5.2, EPSS 0.00172
Exploits 0, References 3

CNNVD
added 2025/11/19 12:0 a.m., 3 views

WordPress plugin WavePlayer security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security vulnerabili...

CVSS 9.8, AI score 7.8, EPSS 0.0041
Exploits 1, References 2

CNNVD
added 2025/11/19 12:0 a.m., 4 views

WordPress plugin SiteSEO authorization issue vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. An authorizati...

CVSS 4.3, AI score 6.6, EPSS 0.00207
Exploits 0, References 6

CNNVD
added 2025/11/19 12:0 a.m., 1 view

WordPress plugin WSChat security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security...

CVSS 4.3, AI score 6.5, EPSS 0.00164
Exploits 0, References 3

Packet Storm News
added 2025/11/19 12:0 a.m., 10 views

Hiding in the AI Traffic: Abusing MCP for LLM-Powered Agentic Red Teaming

Generative AI is reshaping offensive cybersecurity by enabling autonomous red team agents that can plan, execute, and adapt during penetration tests. However, existing approaches face trade-offs between generality and specialization, and practical deployments reveal challenges such as...

AI score 6.9
Exploits 0

Cvelist
added 2025/11/18 12:32 p.m., 10 views

CVE-2025-13346 SourceCodester Train Station Ticketing System ajax.php sql injection

A vulnerability was detected in SourceCodester Train Station Ticketing System 1.0. This affects an unknown part of the file /ajax.php?action=savestation. Performing manipulation of the argument id/station results in SQL injection. The attack may be initiated remotely. The exploit is now public an...

CVSS 6.5, EPSS 0.00267
Exploits 1, References 5

RedHat Linux
added 2025/11/18 9:2 a.m., 3 views

kernel: tls: separate no-async decryption request handling from async

In the Linux kernel, the following vulnerability has been resolved: tls: separate no-async decryption request handling from async If we're not doing async, the handling is much simpler. There's no reference counting, we just need to wait for the completion to wake us up and return its result. We...

CVSS 7.8, AI score 5.7, EPSS 0.00144
Exploits 0, References 5

Vulnrichment
added 2025/11/18 8:27 a.m., 5 views

CVE-2025-12961 Download Panel <= 1.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification

The Download Panel plugin for WordPress is vulnerable to unauthorized settings modification due to a missing capability check on the 'wpajaxsavesettings' AJAX action in all versions up to, and including, 1.3.3. This is due to the absence of any capability verification in the dlpnsavesettings...

CVSS 4.3, AI score 4.7, EPSS 0.00197
Exploits 0, References 3

Positive Technologies
added 2025/11/15 12:0 a.m., 3 views

PT-2025-47040

Name of the Vulnerable Software and Affected Versions: The Image Gallery – Photo Grid & Video Gallery versions prior to 2.12.29. Description: The Image Gallery – Photo Grid & Video Gallery plugin for WordPress has a flaw that allows for the deletion of arbitrary files. This is due to inadequate...

CVSS 4.3, AI score 6.7, EPSS 0.0021
Exploits 0, References 11

RedhatCVE
added 2025/11/13 2:3 p.m., 2 views

CVE-2025-40171

In the Linux kernel, the following vulnerability has been resolved: nvmet-fc: move lsop put work to nvmetfclsreqop It’s possible for more than one async command to be in flight from nvmetfcsendlsreq. For each command, a tgtport reference is taken. In the current code, only one put work item is...

CVSS 5.5, AI score 5.9, EPSS 0.00167
Exploits 0, References 4

Microsoft CVE
added 2025/11/13 9:3 a.m., 2 views

tls: wait for pending async decryptions if tls_strp_msg_hold fails

...

CVSS 8.4, AI score 7, EPSS 0.00162
Exploits 0

CVE
added 2025/11/13 4:28 a.m., 14 views

CVE-2025-12891

The CVE-2025-12891 entry concerns the WordPress Survey Maker plugin, where a missing capability check on the ays_survey_show_results AJAX endpoint allows unauthorized access to survey submissions. Affected versions are up to and including 5.1.9.4. The vulnerability enables unauthenticated attacke...

CVSS 5.3, AI score 4.9, EPSS 0.00208
Exploits 0, References 2

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 4 views

Malicious code in sandbox-interface-async-awk-proxy (npm)

Source: amazon-inspector d605d85b24fa0acd2475a66a7a1eba0ee7f360ee3d825df216f0136d6f853d35 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits 0

EUVD
added 2025/11/13 3:23 a.m., 3 views

EUVD-2025-177408

Malicious code in orchestrate-process-cache-data-async npm...

AI score 6.6
Exploits 0

EUVD
added 2025/11/13 3:23 a.m., 2 views

EUVD-2025-178369

Malicious code in interpret-deploy-omega-async-fire npm...

AI score 6.6
Exploits 0

EUVD
added 2025/11/13 3:23 a.m., 3 views

EUVD-2025-179013

Malicious code in europa-loglevel-levels-async npm...

AI score 6.6
Exploits 0

EUVD
added 2025/11/13 3:23 a.m., 2 views

EUVD-2025-178893

Malicious code in firebase-ganymede-registry-async npm...

AI score 6.6
Exploits 0

CNNVD
added 2025/11/13 12:0 a.m., 3 views

WordPress plugin Comment Edit Core – Simple Comment Editing information disclosure vulnerability

WordPress is a blogging platform developed using the PHP language. The platform has the ability to set up a personal blog site on a PHP and MySQL based server. WordPress plugin is an application plugin. WordPress plugin Comment Edit Core - Simple Comment Editing has an information disclosure...

CVSS 5.3, AI score 5.7, EPSS 0.00256
Exploits 0, References 3