CVE-2025-66294 Grav is vulnerable to RCE via SSTI through Twig Sandbox Bypass

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, a Server-Side Template Injection SSTI vulnerability exists in Grav that allows authenticated attackers with editor permissions to execute arbitrary commands on the server and, under certain conditions, may also be exploited by...

CVE-2025-13376

The ProjectList plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 0.3.0. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's...

CVE-2025-10686

The CVE-2025-10686 has concrete details across multiple sources: Creta Testimonial Showcase WordPress plugin prior to v1.2.4 is vulnerable to Local File Inclusion. Authenticated users with editor-level access or higher can include and execute arbitrary PHP files on the server, enabling code execu...

CVE-2025-10045

CVE-2025-10045 (onOffice for WP-Websites, WordPress) : The plugin is vulnerable to SQL Injection via the string parameter order in all versions up to 5.7 due to insufficient escaping of user input and inadequate query preparation. Exploitation requires authenticated access at Editor+ level, enabl...