558 matches found

Positive Technologies, added 2025/11/25 12:00 a.m. (2 views)

PT-2025-48005

Name of the Vulnerable Software and Affected Versions: ProjectList versions prior to 0.3.1. Description: The ProjectList plugin for WordPress is susceptible to unauthorized file uploads because of inadequate file type validation. This allows attackers with Editor-level access or higher to upload...

CVSS 7.2, AI score 7.4, EPSS 0.0019; Exploits 0, References 8
RedhatCVE, added 2025/11/22 8:35 a.m. (11 views)

CVE-2025-11456

The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ehcrmnewticketpost function in all versions up to, and including, 3.3.1. This makes it possible for unauthenticated attackers to upload...

CVSS 9.8, AI score 7.5, EPSS 0.00647; Exploits 0, References 1
NVD, added 2025/11/21 5:15 p.m. (8 views)

CVE-2025-12973

The S2B AI Assistant – ChatBot, ChatGPT, OpenAI, Content & Image Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the storeFile function in all versions up to, and including, 1.7.8. This makes it possible for authenticated attackers, wi...

CVSS 7.2, EPSS 0.00094; Exploits 1, References 5
RedhatCVE, added 2025/11/19 9:09 a.m. (3 views)

CVE-2025-40548

A missing validation process exists in Serv U when abused, could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under...

CVSS 9.1, AI score 6.9, EPSS 0.00056; Exploits 0, References 1
RedhatCVE, added 2025/11/19 4:16 a.m. (3 views)

CVE-2025-12974

The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the legacy chunked upload mechanism in all versions up to, and including, 2.9.21.1. This is due to the extension blacklist not including .phar files, which can be uploaded through...

CVSS 8.1, AI score 7.7, EPSS 0.0023; Exploits 0, References 1
OSV, added 2025/11/18 9:15 a.m. (0 views)

CVE-2025-40548

A missing validation process exists in Serv U when abused, could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under...

CVSS 9.1, AI score 5.9, EPSS 0.00056; Exploits 0, References 2
CVE, added 2025/11/18 8:38 a.m. (14 views)

CVE-2025-40548

SolarWinds Serv-U is affected by a set of flaws (CVE-2025-40547, -40548, -40549) stemming from a missing validation that could allow an attacker with admin privileges to execute code. Several connected sources indicate Serv-U versions prior to 15.5.3 (and specifically 15.5.2 and earlier per PT-20...

CVSS 9.1, AI score 6.6, EPSS 0.00056; Exploits 0, References 2, Affected Software 1
Vulnrichment, added 2025/11/18 8:38 a.m. (3 views)

CVE-2025-40548 SolarWinds Serv-U Broken Access Control - Remote Code Execution Vulnerability

A missing validation process exists in Serv U when abused, could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under...

CVSS 9.1, AI score 6.6, EPSS 0.00056; Exploits 0, References 2
Positive Technologies, added 2025/11/18 12:00 a.m. (4 views)

PT-2025-47321

Name of the Vulnerable Software and Affected Versions: Avahi versions up to and including 0.9-rc2. Description: Avahi is a system that enables service discovery on a local network using the mDNS/DNS-SD protocol suite. The simple protocol server does not enforce the documented client limit, accepting...

CVSS 5.5, AI score 5.9, EPSS 0.00063; Exploits 1, References 21
Cvelist, added 2025/11/18 12:00 a.m. (7 views)

CVE-2025-63800

The password change endpoint in Open Source Point of Sale 3.4.1 allows users to set their account password to an empty string due to missing server-side validation. When an authenticated user omits or leaves the password and repeatpassword parameters empty in the password change request, the...

EPSS 0.00183; Exploits 1, References 3
EUVD, added 2025/11/18 12:00 a.m. (4 views)

EUVD-2025-198040

The password change endpoint in Open Source Point of Sale 3.4.1 allows users to set their account password to an empty string due to missing server-side validation. When an authenticated user omits or leaves the password and repeatpassword parameters empty in the password change request, the...

CVSS 7.5, AI score 6.4, EPSS 0.00183; Exploits 1, References 4
Positive Technologies, added 2025/11/18 12:00 a.m. (2 views)

PT-2025-47268

Name of the Vulnerable Software and Affected Versions: Serv-U versions 15.5.2 and prior. Description: A flaw exists in Serv-U due to a missing validation process. This can allow an attacker with administrative privileges to execute code on a vulnerable system. The risk is considered medium on Window...

CVSS 9.1, AI score 6.9, EPSS 0.00056; Exploits 0, References 15
Vulnrichment, added 2025/11/18 12:00 a.m. (2 views)

CVE-2025-63800

The password change endpoint in Open Source Point of Sale 3.4.1 allows users to set their account password to an empty string due to missing server-side validation. When an authenticated user omits or leaves the password and repeatpassword parameters empty in the password change request, the...

AI score 6.5, EPSS 0.00183; Exploits 1, References 3
Tenable Nessus, added 2025/11/18 12:00 a.m. (1 view)

SolarWinds Serv-U 15.5.3 Multiple Vulnerabilities

The version of SolarWinds Serv-U installed on the remote host is prior to 15.5.3. It is, therefore, affected by multiple vulnerabilities as referenced in the solarwindsserv-u1553 advisory. - A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor wi...

CVSS 9.1, AI score 6.3, EPSS 0.001; Exploits 1, References 6
Vulnrichment, added 2025/11/13 3:27 a.m. (3 views)

CVE-2025-12366 Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.5 - Authenticated (Author+) Insecure Direct Object Reference

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayerreplacepage function due to missing validation on a user controlled key. This makes it possible for...

CVSS 4.3, AI score 5.1, EPSS 0.00036; Exploits 0, References 3
CVE, added 2025/11/12 4:29 a.m. (10 views)

CVE-2025-12833

The CVE-2025-12833 issue affects the GeoDirectory – WP Business Directory Plugin and Classified Listings Directory for WordPress (versions up to 2.8.139). Root cause: Insecure Direct Object Reference via the post_attachment_upload function due to missing validation on a user-controlled key. Impac...

CVSS 4.3, AI score 5.2, EPSS 0.00045; Exploits 0, References 4
NVD, added 2025/11/11 9:15 p.m. (1 view)

CVE-2025-40816

A vulnerability has been identified in LOGO! 12/24RCE 6ED1052-1MD08-0BA2 All versions, LOGO! 12/24RCEo 6ED1052-2MD08-0BA2 All versions, LOGO! 230RCE 6ED1052-1FB08-0BA2 All versions, LOGO! 230RCEo 6ED1052-2FB08-0BA2 All versions, LOGO! 24CE 6ED1052-1CC08-0BA2 All versions, LOGO! 24CEo...

CVSS 7.6, EPSS 0.00052; Exploits 0, References 1
NVD, added 2025/11/11 4:15 a.m. (5 views)

CVE-2025-11170

The WP移行専用プラグイン for CPI plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the CpiwmImportController::import function in all versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the...

CVSS 9.8, EPSS 0.00715; Exploits 1, References 2
RedhatCVE, added 2025/11/09 3:57 a.m. (4 views)

CVE-2025-12161

The Smart Auto Upload Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the auto-image creation functionality in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Contributor-level access and...

CVSS 8.8, AI score 7.3, EPSS 0.00278; Exploits 0, References 1
EUVD, added 2025/11/08 6:30 a.m. (4 views)

EUVD-2025-38354

The Smart Auto Upload Images plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the auto-image creation functionality in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Contributor-level access and...

CVSS 8.8, AI score 6.8, EPSS 0.00278; Exploits 0, References 3