CVE-2025-11368 LearnPress – WordPress LMS Plugin <= 4.2.9.4 - Missing Authorization to Unauthenticated Arbitrary Callback Execution to Information Exposure
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax which allows arbitrary callback execution of...
CVE-2025-11368
The CWE/CVE entry CVE-2025-11368 maps to the LearnPress WordPress LMS Plugin. Affected versions are up to 4.2.9.4 (and versions prior to 4.2.9.5 as per PT-2025-47660). The root cause is missing capability checks in the REST endpoint /wp-json/lp/v1/load_content_via_ajax, enabling arbitrary callbac...
PT-2025-47703
Name of the Vulnerable Software and Affected Versions: WP AUDIO GALLERY plugin for WordPress versions prior to 2.1. Description: The WP AUDIO GALLERY plugin for WordPress is susceptible to arbitrary file deletion. This is caused by inadequate file path validation within the wpag uploadaudio callback...
CVE-2025-48593
In bta_hf_client_cb_init of bta_hf_client_main.cc, there is a possible remote code execution due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation...
SUSE-SU-2025:4111-1 Security update for the Linux Kernel
The SUSE Linux Enterprise 15 SP4 kernel was updated to fix various security issues. The following security issues were fixed: - CVE-2022-50327: ACPI: processor: idle: Check acpi_fetch_acpi_dev return value (bsc#1249859). - CVE-2022-50334: hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param (bsc#1249857). ...
Cosmos: Economic DoS (Griefing) on IBC Relayers via `memo` Callback Gas Exploitation
Summary of Impact: This vulnerability allows an attacker to bypass the relayer's simulation defense and force permissionless relayers to execute computationally expensive, but 'successful', transactions via the memo callback feature. This creates an asymmetric economic attack where the relayer's...
SUSE CVE-2025-40132
In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: sof_sdw: Prevent jump to NULL add_sidecar callback. In create_sdw_dailink check that sof_end->codec_info->add_sidecar is not NULL before calling it. The original code assumed that if include_sidecar is true, the codec on that...
EUVD-2025-179594
Malicious code in configstore-quark-sync-callback npm...
Malicious code in warp-boson-callback-supercluster (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c95312546c36f2f246c3a72e1074b30f6d60280d986fd0cd2fc73fee683e7972 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in stop-callback-wezen-quark (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 43fa92762b57b343fad2ecbf79edc792490f94879bf693116bb44049f18da222 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-179905
Malicious code in callback-kastra-wolf-abiogenesis npm...
EUVD-2025-176205
Malicious code in stop-callback-wezen-quark npm...
EUVD-2025-179939
Malicious code in bunyan-callback-pipe-mysql npm...
MAL-2025-185984 Malicious code in callback-zephyr-semantic-ui-carpo (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cc3ae303ee981c1075c7fce2279b092cf996dc5af84dcd3a3fbe2c0c2f2810e4 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-190219 Malicious code in warp-boson-callback-supercluster (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c95312546c36f2f246c3a72e1074b30f6d60280d986fd0cd2fc73fee683e7972 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-176847
Malicious code in quasar-backend-altair-callback npm...
Malicious code in soap-callback-convict-middleware (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1b4922425b583d08a372e377d0b2ee372ad8912aa2da5902301f4c5ec520af10 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in callback-fomalhaut-slidev-library (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6530e7d524ba18030b212aec51ecb2bc02efc16da675b6d3b84232396518dcf2 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-179898
Malicious code in callback-zephyr-semantic-ui-carpo npm...
Malicious code in bunyan-callback-pipe-mysql (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a6c6a30fabd9762255234275520307cd432fbd98a02b188eba9e94d2334be6b0 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...