4534 matches found
CVE-2025-12674
The KiotViet Sync plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the createmedia function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server...
CVE-2025-12677
The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the registerapiroute function in kiotvietsync/includes/publicactions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhoo...
CVE-2025-12676
The KiotViet Sync plugin for WordPress is vulnerable to authorizarion bypass in all versions up to, and including, 1.8.5. This is due to the plugin using a hardcoded password for authentication in the QueryControllerAdmin::authenticated function. This makes it possible for unauthenticated attacke...
CVE-2025-12675
CVE-2025-12675 concerns the KiotViet Sync WordPress plugin (versions up to and including 1.8.5). The vulnerability arises from a missing capability check in saveConfig(), allowing authenticated attackers with Subscriber-level access or higher to modify the plugin configuration. Multiple sources c...
CVE-2025-12676
CVE-2025-12676 concerns KiotViet Sync for WordPress (versions up to 1.8.5). According to multiple sources, the root cause is a hard-coded password used for authentication inside QueryControllerAdmin::authenticated, enabling unauthenticated attackers to create and sync products. Public details con...
CVE-2025-12676 KiotViet Sync <= 1.8.5 - Use of Hard-coded Password to Authorization Bypass
The KiotViet Sync plugin for WordPress is vulnerable to authorizarion bypass in all versions up to, and including, 1.8.5. This is due to the plugin using a hardcoded password for authentication in the QueryControllerAdmin::authenticated function. This makes it possible for unauthenticated attacke...
CVE-2025-12674
KiotViet Sync plugin for WordPress (versions <= 1.8.5) is vulnerable to unauthenticated arbitrary file uploads due to missing file type validation in create_media(). This can allow uploading arbitrary files to the server and may enable remote code execution. A GitHub exploit exists (CVE-2025-1...
CVE-2025-12674 KiotViet Sync <= 1.8.5 - Unauthenticated Arbitrary File Upload
The KiotViet Sync plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the createmedia function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server...
CVE-2025-12676 KiotViet Sync <= 1.8.5 - Use of Hard-coded Password to Authorization Bypass
The KiotViet Sync plugin for WordPress is vulnerable to authorizarion bypass in all versions up to, and including, 1.8.5. This is due to the plugin using a hardcoded password for authentication in the QueryControllerAdmin::authenticated function. This makes it possible for unauthenticated attacke...
CVE-2025-12675 KiotViet Sync <= 1.8.5 - Missing Authorization to Authenticated (Subscriber+) Settings Update
The KiotViet Sync plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveConfig function in all versions up to, and including, 1.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update...
CVE-2025-12674 KiotViet Sync <= 1.8.5 - Unauthenticated Arbitrary File Upload
The KiotViet Sync plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the createmedia function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server...
CVE-2025-12675 KiotViet Sync <= 1.8.5 - Missing Authorization to Authenticated (Subscriber+) Settings Update
The KiotViet Sync plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the saveConfig function in all versions up to, and including, 1.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update...
CVE-2025-12677
The KiotViet Sync WordPress plugin (versions up to and including 1.8.5) is vulnerable to Sensitive Information Exposure through register_api_route() in kiotvietsync/includes/public_actions/WebHookAction.php. Unauthenticated attackers can extract the webhook token value when configured. Public rep...
CVE-2025-12677 KiotViet Sync <= 1.8.5 - Unauthenticated Webhook Key Exposure
The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the registerapiroute function in kiotvietsync/includes/publicactions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhoo...
CVE-2025-12677 KiotViet Sync <= 1.8.5 - Unauthenticated Webhook Key Exposure
The KiotViet Sync plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.5 via the registerapiroute function in kiotvietsync/includes/publicactions/WebHookAction.php. This makes it possible for unauthenticated attackers to extract the webhoo...
CVE-2025-64118
node-tar is a Tar for Node.js. In 7.5.1, using .t aka .list with sync: true to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2...
[SECURITY] Fedora 43 Update: openapi-python-client-0.26.2-4.fc43
The openapi-python-client is a powerful tool designed to generate modern Python clients from OpenAPI 3.0+ documents supporting both synchronous and asynchronous HTTP requests. It automates the creation of Python classes and methods that correspond to the endpoints and schema defined in your OpenA...
WordPress KiotViet Sync plugin <= 1.8.5 - Unauthenticated Arbitrary File Upload vulnerability
Unauthenticated Arbitrary File Upload vulnerability discovered by kr0d in WordPress Plugin KiotViet Sync versions = 1.8.5...
WordPress KiotViet Sync plugin <= 1.8.5 - Use of Hard-coded Password to Authorization Bypass vulnerability
Use of Hard-coded Password to Authorization Bypass vulnerability discovered by kr0d in WordPress Plugin KiotViet Sync versions = 1.8.5...
WordPress KiotViet Sync plugin <= 1.8.5 - Unauthenticated Webhook Key Exposure vulnerability
Unauthenticated Webhook Key Exposure vulnerability discovered by kr0d in WordPress Plugin KiotViet Sync versions = 1.8.5...