Astra Linux – Vulnerability found in Linux 6.1, Linux 6.12
In the Linux kernel, the following vulnerability has been resolved: net_sched: skbprio: Removal of overly strict queue assertions. In the current implementation, the skbprio enqueue/dequeue operations contain assertions that fail under certain conditions when SKBPRIO is used as a child qdisc under...
WordPress WP2LEADS plugin <= 3.5.0 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by johska in WordPress Plugin WP2LEADS versions <= 3.5.0...
WordPress Yougler Blogger Profile Page plugin <= v1.01 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by johska in WordPress Plugin Yougler Blogger Profile Page versions <= v1.01...
WordPress File Manager Pro – Filester plugin <= 1.8.8 - Authenticated (Administrator+) Arbitrary File Upload vulnerability
Authenticated (Administrator+) Arbitrary File Upload vulnerability discovered by TANG Cheuk Hei siunam in WordPress Plugin File Manager Pro versions <= 1.8.8...
WordPress Game Review Block plugin <= 4.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin Game Review Block versions <= 4.8.1...
WordPress myCred plugin <= 2.9.4.2 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by Marek Mikita in WordPress Plugin myCred versions <= 2.9.4.2...
WordPress MapSVG plugin < 8.7.4 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Anhchangmutrang in WordPress Plugin MapSVG versions < 8.7.4...
WordPress Workreap plugin <= 3.3.2 - Authenticated (Subscriber+) Arbitrary File Upload via 'workreap_temp_upload_to_media' vulnerability
Authenticated (Subscriber+) Arbitrary File Upload via 'workreap_temp_upload_to_media' vulnerability discovered by Foxyyy in WordPress Plugin Workreap theme's plugin versions <= 3.3.2...
WordPress eForm - WordPress Form Builder < 4.19.1 - Cross Site Scripting (XSS) Vulnerability
WordPress eForm - WordPress Form Builder < 4.19.1 - Cross Site Scripting (XSS) Vulnerability discovered by Dave Jong Patchstack in WordPress Plugin eForm - WordPress Form Builder versions < 4.19.1...
WordPress Elite Video Player plugin <= 10.0.5 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Anhchangmutrang in WordPress Plugin Elite Video Player versions <= 10.0.5...
WordPress Axle Demo Importer plugin <= 1.0.3 - Author+ Arbitrary File Upload vulnerability
Author+ Arbitrary File Upload vulnerability discovered by Khaled Alenazi Nxploited in WordPress Plugin Axle Demo Importer versions <= 1.0.3...
WordPress Premium Addons for Elementor plugin <= 4.11.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget vulnerability discovered by Asaf Mozes in WordPress Plugin Premium Addons for Elementor versions <= 4.11.8...
WordPress Ruza Theme <= 1.0.7 is vulnerable to Local File Inclusion
Software: Ruza; Type: Theme; Vulnerable versions: <= 1.0.7; Fixed in: 1.0.8; OWASP Top 10: A4: Insecure Design; Classification: Local File Inclusion; CVE: CVE-2025-49255; Patch priority: High; CVSS severity: High (8.1); PSID: 6bd5103cfe41; Credits: Phat RiO - BlueRock; Required privilege...
WordPress Lasa Theme <= 1.1 is vulnerable to Local File Inclusion
Software: Lasa; Type: Theme; Vulnerable versions: <= 1.1; Fixed in: 1.1.1; OWASP Top 10: A4: Insecure Design; Classification: Local File Inclusion; CVE: CVE-2025-49253; Patch priority: High; CVSS severity: High (8.1); PSID: 146f1b55407b; Credits: Phat RiO - BlueRock; Required privilege...
WordPress Maia Theme <= 1.1.15 is vulnerable to Local File Inclusion
Software: Maia; Type: Theme; Vulnerable versions: <= 1.1.15; Fixed in: 1.1.16; OWASP Top 10: A4: Insecure Design; Classification: Local File Inclusion; CVE: CVE-2025-49258; Patch priority: High; CVSS severity: High (8.1); PSID: 17919a5d64c7; Credits: Phat RiO - BlueRock; Required privilege...
WordPress Zota Theme <= 1.3.8 is vulnerable to Local File Inclusion
Software: Zota; Type: Theme; Vulnerable versions: <= 1.3.8; Fixed in: 1.3.9; OWASP Top 10: A4: Insecure Design; Classification: Local File Inclusion; CVE: CVE-2025-49257; Patch priority: High; CVSS severity: High (8.1); PSID: 511b31ea918b; Credits: Phat RiO - BlueRock; Required privilege...
WordPress Sapa Theme <= 1.1.14 is vulnerable to Local File Inclusion
Software: Sapa; Type: Theme; Vulnerable versions: <= 1.1.14; Fixed in: 1.1.15; OWASP Top 10: A4: Insecure Design; Classification: Local File Inclusion; CVE: CVE-2025-49256; Patch priority: High; CVSS severity: High (8.1); PSID: 8d080f77bafd; Credits: Phat RiO - BlueRock; Required privilege...
WordPress Flozen Theme < 1.5.1 is vulnerable to Arbitrary File Upload
Software: Flozen; Type: Theme; Vulnerable versions: < 1.5.1; Fixed in: 1.5.1; OWASP Top 10: A3: Injection; Classification: Arbitrary File Upload; CVE: CVE-2025-49071; Patch priority: High; CVSS severity: High (10); PSID: b0bba867fa7b; Credits: Phat RiO - BlueRock; Required privilege: Unauthenticat...
First-Spammed, First-Served: MEV Extraction on Fast-Finality Blockchains
This research analyzes the economics of spam-based arbitrage strategies on fast-finality blockchains. We begin by theoretically demonstrating that splitting a profitable MEV opportunity into multiple small transactions is the optimal strategy for CEX-DEX arbitrageurs. We then empirically validat...
WordPress FW Gallery plugin <= 8.0.0 - Arbitrary File Deletion Vulnerability
Arbitrary File Deletion Vulnerability discovered by LVT-tholv2k in WordPress Plugin FW Gallery versions <= 8.0.0...