Threat details | DataType | ProblemTypes | Impact | Publishdate
---|---|---|---|---
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WProyal Royal Elementor Addons allows Stored XSS. This issue affects Royal Elementor Addons: from n/a through 1.7.1017. | CVE | CWE-79 | | 05-07-2025
Improper handling of insufficient permission in Bixby wakeup prior to version 2.3.74.8 allows local attackers to access sensitive data. | CVE | | | 05-07-2025
Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. During unmarshalling of OpenWire commands the size value of buffers was not properly validated, which could lead to excessive memory allocation and be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on the availability of the ActiveMQ broker when not using mutual TLS connections. This issue affects Apache ActiveMQ: from 6.0.0 before 6.1.6, from 5.18.0 before 5.18.7, from 5.17.0 before 5.17.7, before 5.16.8. ActiveMQ 5.19.0 is not affected. Users are recommended to upgrade to version 6.1.6+, 5.19.0+, 5.18.7+, 5.17.7, or 5.16.8, which fixes the issue. Existing users may implement mutual TLS to mitigate the risk on affected brokers. | CVE | CWE-789 | | 05-07-2025
Out-of-bounds write in Keymaster trustlet prior to SMR May-2025 Release 1 allows local privileged attackers to write out-of-bounds memory. | CVE | | | 05-07-2025
Path traversal vulnerability in Samsung Members prior to version 5.0.00.11 allows attackers to read and write arbitrary files with the privilege of Samsung Members. | CVE | | | 05-07-2025
Improper access control in SmartManagerCN prior to SMR May-2025 Release 1 allows local attackers to launch activities within SmartManagerCN. | CVE | | | 05-07-2025
Use of implicit intent for sensitive communication in EnrichedCall prior to SMR May-2025 Release 1 allows local attackers to access sensitive information. User interaction is required for triggering this vulnerability. | CVE | | | 05-07-2025
Improper Export of Android Application Components in NotificationHistoryImageProvider prior to SMR May-2025 Release 1 allows local attackers to access notification images. | CVE | | | 05-07-2025
Improper export of Android application components in Settings in Galaxy Watch prior to SMR May-2025 Release 1 allows physical attackers to access developer settings. | CVE | | | 05-07-2025
Improper access control in SmartManagerCN prior to SMR May-2025 Release 1 allows local attackers to launch arbitrary activities with SmartManagerCN privilege. | CVE | | | 05-07-2025
Improper verification of intent by broadcast receiver in UnifiedWFC prior to SMR May-2025 Release 1 allows local attackers to manipulate VoWiFi related behaviors. | CVE | | | 05-07-2025
Use of implicit intent for sensitive communication in Wi-Fi P2P service prior to SMR May-2025 Release 1 allows local attackers to access sensitive information. | CVE | | | 05-07-2025
Improper handling of insufficient permission or privileges in sepunion service prior to SMR May-2025 Release 1 allows local privileged attackers to access files with system privilege. | CVE | | | 05-07-2025
Improper handling of insufficient permission in SpenGesture service prior to SMR May-2025 Release 1 allows local attackers to track the S Pen position. | CVE | | | 05-07-2025
Out-of-bounds write in memory initialization in libsavsvc.so prior to SMR May-2025 Release 1 allows local attackers to write out-of-bounds memory. | CVE | | | 05-07-2025
Out-of-bounds write in parsing media files in libsavsvc.so prior to SMR May-2025 Release 1 allows local attackers to write out-of-bounds memory. | CVE | | | 05-07-2025
Improper handling of insufficient permission in CocktailBarService prior to SMR May-2025 Release 1 allows local attackers to use the privileged API. | CVE | | | 05-07-2025
Improper access control in Samsung Gallery prior to version 14.5.10.3 in Global Android 13, 14.5.09.3 in China Android 13, and 15.5.04.5 in Android 14 allows physical attackers to access data across multiple user profiles. | CVE | | | 05-07-2025
Improper handling of insufficient permission in PackageInstallerCN prior to version 15.0.11.0 allows local attackers to bypass user interaction for requested installation. | CVE | | | 05-07-2025
 | CVE | | | 05-07-2025
 | CVE | | | 05-07-2025
Improper access control in Samsung Gallery prior to version 14.5.10.3 in Global Android 13, 14.5.09.3 in China Android 13, and 15.5.04.5 in Android 14 allows attackers to read and write arbitrary files with the privilege of Samsung Gallery. | CVE | | | 05-07-2025
Use of implicit intent for sensitive communication in translation in Samsung Notes prior to version 4.4.29.23 allows local attackers to get sensitive information. User interaction is required for triggering this vulnerability. | CVE | | | 05-07-2025
Out-of-bounds read in applying binary of text content in Samsung Notes prior to version 4.4.29.23 allows attackers to read out-of-bounds memory. | CVE | | | 05-07-2025
Improper Export of Android Application Components in AODService prior to version 8.8.28.12 allows local attackers to launch arbitrary activity with systemui privilege. | CVE | | | 05-07-2025
Improper access control in PENUP prior to version 3.9.19.32 allows local attackers to access files with PENUP privilege. | CVE | | | 05-07-2025
Improper authentication in Secure Folder prior to version 1.8.12.0 in Android 13, and 1.9.21.00 in Android 14 allows physical attackers to reset the lock type of Secure Folder. | CVE | | | 05-07-2025
Improper verification of intent by broadcast receiver in Samsung Flow prior to version 4.9.17.6 allows local attackers to modify Samsung Flow configuration. | CVE | | | 05-07-2025
Improper input validation in Samsung Flow prior to version 4.9.17.6 allows local attackers to access data within Samsung Flow. | CVE | | | 05-07-2025
Improper access control in Samsung Gallery prior to version 14.5.10.3 in Global Android 13, 14.5.09.3 in China Android 13, and 15.5.04.5 in Android 14 allows remote attackers to access data and perform internal operations within Samsung Gallery. | CVE | | | 05-07-2025
Improper access control in Bixby Vision prior to version 3.8.1 in Android 13, 3.8.3 in Android 14, 3.8.21 in Android 15 allows local attackers to access image files with Bixby Vision privilege. | CVE | | | 05-07-2025
Improper input validation in Samsung Gallery prior to version 14.5.10.3 in Global Android 13, 14.5.09.3 in China Android 13, and 15.5.04.5 in Android 14 allows local attackers to access data within Samsung Gallery. | CVE | | | 05-07-2025
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown widget display_message_text parameter in all versions up to, and including, 1.7.1017 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | CVE | CWE-79 | NETWORK: LOW | 05-07-2025
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BOINC Server allows Stored XSS. This issue affects BOINC Server: through 1.4.7. | CVE | | LOW | 05-07-2025
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BOINC Server allows Stored XSS. This issue affects BOINC Server: through 1.4.7. | CVE | | LOW | 05-07-2025
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BOINC Server allows Stored XSS. This issue affects BOINC Server: before 1.4.5. | CVE | | LOW | 05-07-2025
Cross-Site Request Forgery (CSRF) vulnerability in BOINC Server allows Cross Site Request Forgery. This issue affects BOINC Server: before 1.4.3. | CVE | | LOW | 05-07-2025
The WZ Followed Posts – Display what visitors are reading plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wfp' shortcode in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | CVE | CWE-79 | NETWORK: LOW | 05-07-2025
A NULL Pointer Dereference in RT-Labs P-Net version 1.0.1 or earlier allows an attacker to induce a crash in IO devices that use the library by sending a malicious RPC packet. | CVE | CWE-476 | LOW | 05-07-2025
Unrestricted file upload in TCMAN's GIM v11. This vulnerability allows an unauthenticated attacker to upload any file within the server, even a malicious file to obtain a Remote Code Execution (RCE). | CVE | CWE-434 | LOW | 05-07-2025
Out-of-bounds Read vulnerability in unpack_response (session.c) in libplctag from 2.0 through 2.6.3 allows Overread Buffers via network. | CVE | CWE-125 | LOW | 05-07-2025
Out-of-bounds Read vulnerability in unpack_response (conn.c) in libplctag from 2.0 through 2.6.3 allows Overread Buffers via network. | CVE | CWE-125 | LOW | 05-07-2025
A Heap-based Buffer Overflow in RT-Labs P-Net version 1.0.1 or earlier allows an attacker to induce a crash in IO devices that use the library by sending a malicious RPC packet. | CVE | CWE-122 | LOW | 05-07-2025
A Heap-based Buffer Overflow in RT-Labs P-Net version 1.0.1 or earlier allows an attacker to induce a crash in IO devices that use the library by sending a malicious RPC packet. | CVE | CWE-122 | LOW | 05-07-2025
An Out-of-bounds Write in RT-Labs P-Net version 1.0.1 or earlier allows an attacker to induce a crash in IO devices that use the library by sending a malicious RPC packet. | CVE | CWE-787 | LOW | 05-07-2025
An Unchecked Input for Loop Condition in RT-Labs P-Net version 1.0.1 or earlier allows an attacker to cause IO devices that use the library to enter an infinite loop by sending a malicious RPC packet. | CVE | CWE-606 | LOW | 05-07-2025
A Heap-based Buffer Overflow in RT-Labs P-Net version 1.0.1 or earlier allows an attacker to corrupt the memory of IO devices that use the library by sending a malicious RPC packet. | CVE | CWE-122 | LOW | 05-07-2025
An Out-of-bounds Write in RT-Labs P-Net version 1.0.1 or earlier allows an attacker to induce a crash in IO devices that use the library by sending a malicious RPC packet. | CVE | CWE-787 | LOW | 05-07-2025
An Out-of-bounds Write in RT-Labs P-Net version 1.0.1 or earlier allows an attacker to corrupt the memory of IO devices that use the library by sending a malicious RPC packet. | CVE | CWE-787 | LOW | 05-07-2025
An Out-of-bounds Write in RT-Labs P-Net version 1.0.1 or earlier allows an attacker to corrupt the memory of IO devices that use the library by sending a malicious RPC packet. | CVE | CWE-787 | LOW | 05-07-2025
A Heap-based Buffer Overflow in RT-Labs P-Net version 1.0.1 or earlier allows an attacker to induce a crash in IO devices that use the library by sending a malicious RPC packet. | CVE | CWE-122 | LOW | 05-07-2025
The Login Lockdown & Protection plugin for WordPress is vulnerable to unauthorized nonce access due to a missing capability check on the ajax_run_tool function in all versions up to, and including, 2.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain a valid nonce that can be used to generate a global unlock key, which can in turn be used to add arbitrary IP addresses to the plugin allowlist. This can only be exploited on new installations where the site administrator hasn't visited the loginlockdown page yet. | CVE | CWE-862 | NETWORK: LOW | 05-07-2025
The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 2.0.0 to 2.6.0 via the callback_generate_api_key() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create valid API keys on behalf of other users. | CVE | CWE-639 | NETWORK: LOW | 05-07-2025
A flaw was found in the mod_auth_openidc module for Apache httpd. This flaw allows a remote, unauthenticated attacker to trigger a denial of service by sending an empty POST request when the OIDCPreservePost directive is enabled. The server crashes consistently, affecting availability. | CVE | | LOW | 05-07-2025
The Search Exclude plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_rest_permission function in all versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers to modify plugin settings, excluding content from search results. | CVE | CWE-862 | NETWORK: LOW | 05-07-2025
The Download Manager and Payment Form WordPress Plugin – WP SmartPay plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 1.1.0 to 2.7.13 via the show() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other users' data such as email address, name, and notes. | CVE | CWE-200 | NETWORK: LOW | 05-07-2025
The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.0 to 2.6.0. This is due to the plugin not properly validating a user's identity prior to updating their details, such as email and password, through the update() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts. | CVE | CWE-269 | NETWORK: LOW | 05-07-2025
The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to Authentication Bypass in versions 1.9.1 to 7.5.2. This is due to the handel_ajax_req() function not having proper restrictions on the change_user_meta functionality, which makes it possible to set an OTP code and subsequently log in with that OTP code. This makes it possible for unauthenticated attackers to log in as other users on the site, including administrators. | CVE | CWE-288 | NETWORK: LOW | 05-07-2025
The CarDealerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'saleclass' parameter in all versions up to, and including, 6.7.2504.00 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | CVE | CWE-79 | NETWORK: LOW | 05-07-2025
The Xavin's List Subpages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xls' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | CVE | CWE-79 | NETWORK: LOW | 05-07-2025
The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to unauthorized access of data via its publicly exposed reset-password endpoint. The plugin looks up the 'valid_email' value based solely on a supplied username parameter, without verifying that the requester is associated with that user account. This allows unauthenticated attackers to enumerate email addresses for any user, including administrators. | CVE | CWE-285 | NETWORK: LOW | 05-07-2025
The Relevanssi – A Better Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the highlights functionality in all versions up to, and including, 4.24.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the search results. | CVE | CWE-79 | NETWORK: LOW | 05-07-2025
The Multiple Post Type Order plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mpto' shortcode in all versions up to, and including, 1.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | CVE | CWE-79 | NETWORK: LOW | 05-07-2025
The Woocommerce Multiple Addresses plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.7.1. This is due to insufficient restrictions on user meta that can be updated through the save_multiple_shipping_addresses() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator. | CVE | CWE-269 | NETWORK: LOW | 05-07-2025
The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handel_ajax_req() function in versions 1.9.1 to 7.5.2. This makes it possible for unauthenticated attackers to update arbitrary users' metadata, which can be leveraged to block an administrator from accessing their site when wp_capabilities is set to 0. | CVE | CWE-285 | NETWORK: LOW | 05-07-2025
IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 is vulnerable to authentication and authorization attacks due to incorrect validation processing in IBM i Netserver. A malicious actor could use the weaknesses, in conjunction with brute force authentication attacks or to bypass authority restrictions, to access the server. | CVE | CWE-295 | NETWORK: LOW | 05-07-2025
The PGS Core plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.8.0. This makes it possible for unauthenticated attackers to add, modify, or plugin options. | CVE | CWE-862 | NETWORK: LOW | 05-06-2025
The PGS Core plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.8.0 via deserialization of untrusted input in the 'import_header' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | CVE | CWE-502 | NETWORK: LOW | 05-06-2025
266 vulnerability in Crestron Automate VX allows Privilege Escalation. This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49. | CVE | | LOW | 05-06-2025
The PGS Core plugin for WordPress is vulnerable to SQL Injection via the 'event' parameter in the 'save_header_builder' function in all versions up to, and including, 5.8.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | CVE | CWE-89 | NETWORK: LOW | 05-06-2025
Use after free in WebAudio in Google Chrome prior to 136.0.7103.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | CVE | CWE-416 | LOW | 05-06-2025
In Tenda RX3 V1.0br_V16.03.13.11, in the GetParentControlInfo function of the web URL /goform/GetParentControlInfo, the manipulation of the parameter mac leads to stack overflow. | CVE | | LOW | 05-06-2025
Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the hostname parameter. | CVE | | LOW | 05-06-2025
Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the password parameter. | CVE | | LOW | 05-06-2025
Netgear EX8000 V1.0.0.126 is vulnerable to Command Injection via the Iface parameter in the action_wireless function. | CVE | | LOW | 05-06-2025
An issue in the component /internals/functions of R-fx Networks Linux Malware Detect v1.6.5 allows attackers to escalate privileges and execute arbitrary code via supplying a file that contains a crafted filename. | CVE | | LOW | 05-06-2025
MrDoc v0.95 and before is vulnerable to Server-Side Request Forgery (SSRF) in the validate_url function of the app_doc/utils.py file. | CVE | | LOW | 05-06-2025
Linksys E5600 v1.1.0.26 was discovered to contain a command injection vulnerability in the runtime.ddnsStatus DynDNS function via the mailex parameter. | CVE | | LOW | 05-06-2025
Incorrect JSON input stringification in Google's Tensorflow serving versions up to 2.18.0 allows for potentially unbounded recursion leading to server crash. | CVE | | LOW | 05-06-2025
passport-wsfed-saml2 provides a passport strategy for both the WS-Fed and SAML2 protocols. A vulnerability present starting in version 3.0.5 up to and including version 4.6.3 allows an attacker to impersonate any user in the Auth0 tenant during SAML authentication by crafting a SAMLResponse. This can be done by using a valid SAML object that was signed by the configured IdP. Users are affected specifically when the service provider is using passport-wsfed-saml2 and a valid SAML document signed by the Identity Provider can be obtained. Version 4.6.4 contains a fix for the vulnerability. | CVE | CWE-287 | LOW | 05-06-2025
Cleartext Transmission of Sensitive Information vulnerability in Crestron Automate VX allows Sniffing Network Traffic. The device allows Web UI and API access over non-secure network ports, which exposes sensitive information such as user passwords. This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49. | CVE | | LOW | 05-06-2025
There is a stack overflow vulnerability in Tenda RX3 V1.0br_V16.03.13.11. In the fromSetWifiGusetBasic function of the web URL /goform/WifiGuestSet, the manipulation of the parameter shareSpeed leads to stack overflow. | CVE | | LOW | 05-06-2025
 | CVE | | LOW | 05-06-2025
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Crestron Automate VX allows Functionality Misuse. There is no visible indication when the system is recording, and recording can be enabled remotely via a network API. This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49. | CVE | | LOW | 05-06-2025
passport-wsfed-saml2 provides a passport strategy for both the WS-Fed and SAML2 protocols. A vulnerability present starting in version 3.0.5 up to and including version 4.6.3 allows an attacker to impersonate any user during SAML authentication by tampering with a valid SAML response. This can be done by adding attributes to the response. Users are affected specifically when the service provider is using `passport-wsfed-saml2` and a valid SAML Response signed by the Identity Provider can be obtained. Version 4.6.4 contains a fix for the vulnerability. | CVE | CWE-287 | LOW | 05-06-2025
The PublishPress Capabilities WordPress plugin before 2.5.2 and the PublishPress Capabilities Pro WordPress plugin before 2.5.2 unserialize the content of imported files, which could lead to PHP object injection attacks by administrators on multisite WordPress configurations. Successful exploitation in this case requires other plugins with a suitable gadget chain to be present on the site. | CVE | | NETWORK: LOW | 05-06-2025
The LearnPress WordPress plugin before 4.1.7.2 unserialises user input in a REST API endpoint available to unauthenticated users, which could lead to PHP Object Injection when a suitable gadget is present, leading to remote code execution (RCE). To successfully exploit this vulnerability attackers must have knowledge of the site secrets, allowing them to generate a valid hash via the wp_hash() function. | CVE | CWE-502 | NETWORK: HIGH | 05-06-2025
The Ocean Extra WordPress plugin before 2.0.5 unserialises the content of an imported file, which could lead to PHP object injection issues when a high privilege user imports (intentionally or not) a malicious Customizer Styling file and a suitable gadget chain is present on the blog. | CVE | | NETWORK: LOW | 05-06-2025
The Customizer Export/Import WordPress plugin before 0.9.5 unserializes the content of an imported file, which could lead to PHP object injection issues when an admin imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog. | CVE | CWE-502 | NETWORK: LOW | 05-06-2025
The WP Word Count WordPress plugin through 3.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. | CVE | | NETWORK: LOW | 05-06-2025
The Automatic User Roles Switcher WordPress plugin before 1.1.2 does not have authorisation and proper CSRF checks, allowing any authenticated user such as a subscriber to add any role to themselves, such as administrator. | CVE | | NETWORK: LOW | 05-06-2025
The Official Integration for Billingo WordPress plugin before 3.4.0 does not sanitise and escape some of its settings, which could allow high privilege users with a role as low as Shop Manager to perform Stored Cross-Site Scripting attacks. | CVE | | NETWORK: LOW | 05-06-2025
The Smart Slider 3 WordPress plugin before 3.5.1.11 unserialises the content of an imported file, which could lead to PHP object injection issues when a user imports (intentionally or not) a malicious file and a suitable gadget chain is present on the site. | CVE | | NETWORK: LOW | 05-06-2025
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in tvOS 16, iOS 16, watchOS 9. An app may be able to cause unexpected system termination or write kernel memory. | CVE | CWE-787 | LOCAL: LOW | 05-06-2025
A type confusion issue was addressed with improved checks. This issue is fixed in macOS Ventura 13. An app may be able to execute arbitrary code with kernel privileges. | CVE | CWE-843 | LOCAL: LOW | 05-06-2025
A use after free issue was addressed with improved memory management. This issue is fixed in macOS Big Sur 11.7, macOS Ventura 13, iOS 16, watchOS 9, macOS Monterey 12.6, tvOS 16. An app may be able to execute arbitrary code with kernel privileges. | CVE | CWE-416 | LOCAL: LOW | 05-06-2025
The issue was addressed with additional restrictions on the observability of app states. This issue is fixed in macOS Big Sur 11.7, macOS Ventura 13, iOS 16, watchOS 9, macOS Monterey 12.6, tvOS 16. A sandboxed app may be able to determine which app is currently using the camera. | CVE | NVD-CWE-noinfo | LOCAL: LOW | 05-06-2025
This issue was addressed with improved checks. This issue is fixed in tvOS 16, iOS 16, watchOS 9. An app may be able to execute arbitrary code with kernel privileges. | CVE | NVD-CWE-noinfo | LOCAL: LOW | 05-06-2025
This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted DMG file may lead to arbitrary code execution with system privileges. | CVE | CWE-59 | LOCAL: LOW | 05-06-2025
A use after free issue was addressed with improved memory management. This issue is fixed in Safari 16.1, iOS 16.1 and iPadOS 16, macOS Ventura 13. Processing maliciously crafted web content may lead to arbitrary code execution. | CVE | CWE-416 | NETWORK: LOW | 05-06-2025