In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between January 13-14, 2025.
During this period, the National Vulnerability Database published 108 new Common Vulnerabilities and Exposures (CVEs), classified by severity as follows:
Critical: 3
High: 28
Medium: 29
Low: 1
Severity Not Assigned: 47
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2025-0412
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: Luxion KeyShot Viewer KSP File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Luxion KeyShot Viewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the processing of KSP files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22139.
References: https://download.keyshot.com/cert/lsa-960930/lsa-960930.pdf?version=1.0
https://www.zerodayinitiative.com/advisories/ZDI-23-1716/
CWE-ID: CWE-119
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-12274
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin before 1.1.23 export settings functionality exports data to a public folder, with an easily guessable file name, allowing unauthenticated attackers to access the exported files (if they exist).
References: https://wpscan.com/vulnerability/e3176c9a-63f3-4a28-a8a7-8abb2b4100ef/
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-47894
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.2
Description: Kernel software installed and running inside a Guest VM may post improper commands to the GPU Firmware to read data outside the Guest's virtualised GPU memory.
References: https://www.imaginationtech.com/gpu-driver-vulnerabilities/
CWE-ID: CWE-823
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-47895
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.2
Description: Kernel software installed and running inside a Guest VM may post improper commands to the GPU Firmware to read data outside the Guest's virtualised GPU memory.
References: https://www.imaginationtech.com/gpu-driver-vulnerabilities/
CWE-ID: CWE-823
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-47897
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Software installed and run as a non-privileged user may conduct improper GPU system calls resulting in platform instability and reboots.
References: https://www.imaginationtech.com/gpu-driver-vulnerabilities/
CWE-ID: CWE-787
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-52938
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: Kernel software installed and running inside a Guest VM may post improper commands to the GPU Firmware to subvert reconstruction activities to trigger a write of data outside the Guest's virtualised GPU memory.
References: https://www.imaginationtech.com/gpu-driver-vulnerabilities/
CWE-ID: CWE-823
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-56065
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder.biz Team WP2LEADS allows Reflected XSS. This issue affects WP2LEADS: from n/a through 3.4.2.
References: https://patchstack.com/database/wordpress/plugin/wp2leads/vulnerability/wordpress-wp2leads-plugin-3-4-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
8. CVE-2024-56301
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eniture Technology Distance Based Shipping Calculator allows Reflected XSS. This issue affects Distance Based Shipping Calculator: from n/a through 2.0.21.
References: https://patchstack.com/database/wordpress/plugin/distance-based-shipping-calculator/vulnerability/wordpress-distance-based-shipping-calculator-plugin-2-0-21-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
9. CVE-2025-22314
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Scripts Food Store – Online Food Delivery & Pickup allows Reflected XSS. This issue affects Food Store – Online Food Delivery & Pickup: from n/a through 1.5.1.
References: https://patchstack.com/database/wordpress/plugin/food-store/vulnerability/wordpress-food-store-plugin-1-5-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
10. CVE-2025-22337
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infosoft Consultant Order Audit Log for WooCommerce allows Reflected XSS. This issue affects Order Audit Log for WooCommerce: from n/a through 2.0.
References: https://patchstack.com/database/wordpress/plugin/order-audit-log-for-woocommerce/vulnerability/wordpress-order-audit-log-for-woocommerce-plugin-2-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
11. CVE-2025-22344
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Convoy Media Category Library allows Reflected XSS. This issue affects Media Category Library: from n/a through 2.7.
References: https://patchstack.com/database/wordpress/plugin/media-category-library/vulnerability/wordpress-media-category-library-plugin-2-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
12. CVE-2025-22498
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in New Normal LLC LucidLMS allows Reflected XSS. This issue affects LucidLMS: from n/a through 1.0.5.
References: https://patchstack.com/database/wordpress/plugin/lucidlms/vulnerability/wordpress-lucidlms-plugin-1-0-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
13. CVE-2025-22499
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FAKTOR VIER F4 Post Tree allows Reflected XSS. This issue affects F4 Post Tree: from n/a through 1.1.18.
References: https://patchstack.com/database/wordpress/plugin/f4-tree/vulnerability/wordpress-f4-post-tree-plugin-1-1-18-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
14. CVE-2025-22506
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SmartAgenda Smart Agenda allows Stored XSS. This issue affects Smart Agenda: from n/a through 4.7.
References: https://patchstack.com/database/wordpress/plugin/smart-agenda-prise-de-rendez-vous-en-ligne/vulnerability/wordpress-smart-agenda-plugin-4-7-csrf-to-stored-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
15. CVE-2025-22514
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yamna Tatheer KNR Author List Widget allows Reflected XSS. This issue affects KNR Author List Widget: from n/a through 3.1.1.
References: https://patchstack.com/database/wordpress/plugin/knr-author-list-widget/vulnerability/wordpress-axact-author-list-widget-plugin-3-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
16. CVE-2025-22567
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in trustist TRUSTist REVIEWer allows Reflected XSS. This issue affects TRUSTist REVIEWer: from n/a through 2.0.
References: https://patchstack.com/database/wordpress/plugin/trustist-reviewer/vulnerability/wordpress-trustist-reviewer-plugin-2-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
17. CVE-2025-22568
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Paramveer Singh for Arete IT Private Limited Post And Page Reactions allows Reflected XSS. This issue affects Post And Page Reactions: from n/a through 1.0.5.
References: https://patchstack.com/database/wordpress/plugin/post-and-page-reactions/vulnerability/wordpress-post-and-page-reactions-plugin-1-0-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
18. CVE-2025-22569
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in grandslambert Featured Page Widget allows Reflected XSS. This issue affects Featured Page Widget: from n/a through 2.2.
References: https://patchstack.com/database/wordpress/plugin/featured-page-widget/vulnerability/wordpress-featured-page-widget-plugin-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
19. CVE-2025-22570
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Miloš Đekić Inline Tweets allows Stored XSS. This issue affects Inline Tweets: from n/a through 2.0.
References: https://patchstack.com/database/wordpress/plugin/inline-tweets/vulnerability/wordpress-inline-tweets-plugin-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
20. CVE-2025-22576
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marcus Downing Site PIN allows Reflected XSS. This issue affects Site PIN: from n/a through 1.3.
References: https://patchstack.com/database/wordpress/plugin/site-pin/vulnerability/wordpress-site-pin-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
21. CVE-2025-22583
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Anshul Sojatia Scan External Links allows Reflected XSS. This issue affects Scan External Links: from n/a through 1.0.
References: https://patchstack.com/database/wordpress/plugin/scan-external-links/vulnerability/wordpress-scan-external-links-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
22. CVE-2025-22586
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Detlef Stöver WPEX Replace DB Urls allows Reflected XSS. This issue affects WPEX Replace DB Urls: from n/a through 0.4.0.
References: https://patchstack.com/database/wordpress/plugin/wpex-replace/vulnerability/wordpress-wpex-replace-db-urls-plugin-0-4-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
23. CVE-2025-22588
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scanventory.net Scanventory allows Reflected XSS. This issue affects Scanventory: from n/a through 1.1.3.
References: https://patchstack.com/database/wordpress/plugin/woocommerce-inventory-management/vulnerability/wordpress-scanventory-plugin-1-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
24. CVE-2025-22777
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Deserialization of Untrusted Data vulnerability in GiveWP GiveWP allows Object Injection. This issue affects GiveWP: from n/a through 3.19.3.
References: https://patchstack.com/database/wordpress/plugin/give/vulnerability/wordpress-givewp-plugin-3-19-3-php-object-injection-vulnerability?_s_id=cve
https://securityonline.info/cve-2025-22777-cvss-9-8-critical-security-alert-for-givewp-plugin-with-100000-active-installations/
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
25. CVE-2024-47796
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.9
Description: An improper array index validation vulnerability exists in the nowindow functionality of OFFIS DCMTK 3.6.8. A specially crafted DICOM file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.
References: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=89a6e399f1e17d08a8bc8cdaa05b2ac9a50cd4f6
https://talosintelligence.com/vulnerability_reports/TALOS-2024-2122
https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2122
CWE-ID: CWE-119
Common Platform Enumerations (CPE): Not Found
26. CVE-2024-52333
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.9
Description: An improper array index validation vulnerability exists in the determineMinMax functionality of OFFIS DCMTK 3.6.8. A specially crafted DICOM file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.
References: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=03e851b0586d05057c3268988e180ffb426b2e03
https://talosintelligence.com/vulnerability_reports/TALOS-2024-2121
https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2121
CWE-ID: CWE-119
Common Platform Enumerations (CPE): Not Found
27. CVE-2025-22963
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: Teedy through 1.11 allows CSRF for account takeover via POST /api/user/admin.
References: https://blog.teedy.io/
https://github.com/sismics/docs/releases/tag/v1.11
https://github.com/sota70/teedy-v1.11-csrf
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
28. CVE-2024-46479
Base Score: 9.9
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 6.0
Description: Venki Supravizio BPM through 18.0.1 was discovered to contain an arbitrary file upload vulnerability. An authenticated attacker may upload a malicious file, leading to remote code execution.
References: https://github.com/Lorenzo-de-Sa/Vulnerability-Research
https://github.com/Lorenzo-de-Sa/Vulnerability-Research/blob/main/CVE-2024-46479.md
https://www.venki.com.br/ferramenta-bpm/supravizio/
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
29. CVE-2024-5743
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: An attacker could exploit the 'Use of Password Hash With Insufficient Computational Effort' vulnerability in EveHome Eve Play to execute arbitrary code.
This issue affects Eve Play: through 1.1.42.
References: https://www.evehome.com/en-us/security-content
CWE-ID: CWE-916
Common Platform Enumerations (CPE): Not Found
30. CVE-2024-46480
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 1.7
Impact Score: 6.0
Description: An NTLM hash leak in Venki Supravizio BPM up to 18.0.1 allows authenticated attackers with Application Administrator access to escalate privileges on the underlying host system.
References: https://github.com/Lorenzo-de-Sa/Vulnerability-Research
https://github.com/Lorenzo-de-Sa/Vulnerability-Research/blob/main/CVE-2024-46480.md
https://www.venki.com.br/ferramenta-bpm/supravizio/
CWE-ID: CWE-522
Common Platform Enumerations (CPE): Not Found
31. CVE-2024-46481
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: The login page of Venki Supravizio BPM up to 18.1.1 is vulnerable to open redirect leading to reflected XSS.
References: https://github.com/Lorenzo-de-Sa/Vulnerability-Research
https://github.com/Lorenzo-de-Sa/Vulnerability-Research/blob/main/CVE-2024-46481.md
https://www.venki.com.br/ferramenta-bpm/supravizio/
CWE-ID: CWE-601
Common Platform Enumerations (CPE): Not Found
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between January 13-14, 2025.
During this period, The National Vulnerability Database published 108, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 3
High: 28
Medium: 29
Low: 1
Severity Not Assigned: 47
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2025-0412
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: Luxion KeyShot Viewer KSP File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Luxion KeyShot Viewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the processing of KSP files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22139.
References: https://download.keyshot.com/cert/lsa-960930/lsa-960930.pdf?version=1.0
https://www.zerodayinitiative.com/advisories/ZDI-23-1716/
CWE-ID: CWE-119
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-12274
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin before 1.1.23 export settings functionality exports data to a public folder, with an easily guessable file name, allowing unauthenticated attackers to access the exported files (if they exist).
References: https://wpscan.com/vulnerability/e3176c9a-63f3-4a28-a8a7-8abb2b4100ef/
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-47894
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.2
Description: Kernel software installed and running inside a Guest VM may post improper commands to the GPU Firmware to read data outside the Guest's virtualised GPU memory.
References: https://www.imaginationtech.com/gpu-driver-vulnerabilities/
CWE-ID: CWE-823
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-47895
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.2
Description: Kernel software installed and running inside a Guest VM may post improper commands to the GPU Firmware to read data outside the Guest's virtualised GPU memory.
References: https://www.imaginationtech.com/gpu-driver-vulnerabilities/
CWE-ID: CWE-823
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-47897
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Software installed and run as a non-privileged user may conduct improper GPU system calls resulting in platform instability and reboots.
References: https://www.imaginationtech.com/gpu-driver-vulnerabilities/
CWE-ID: CWE-787
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-52938
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: Kernel software installed and running inside a Guest VM may post improper commands to the GPU Firmware to subvert reconstruction activities to trigger a write of data outside the Guest's virtualised GPU memory.
References: https://www.imaginationtech.com/gpu-driver-vulnerabilities/
CWE-ID: CWE-823
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-56065
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder.biz Team WP2LEADS allows Reflected XSS.This issue affects WP2LEADS: from n/a through 3.4.2.
References: https://patchstack.com/database/wordpress/plugin/wp2leads/vulnerability/wordpress-wp2leads-plugin-3-4-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
8. CVE-2024-56301
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eniture Technology Distance Based Shipping Calculator allows Reflected XSS.This issue affects Distance Based Shipping Calculator: from n/a through 2.0.21.
References: https://patchstack.com/database/wordpress/plugin/distance-based-shipping-calculator/vulnerability/wordpress-distance-based-shipping-calculator-plugin-2-0-21-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
9. CVE-2025-22314
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Scripts Food Store – Online Food Delivery & Pickup allows Reflected XSS.This issue affects Food Store – Online Food Delivery & Pickup: from n/a through 1.5.1.
References: https://patchstack.com/database/wordpress/plugin/food-store/vulnerability/wordpress-food-store-plugin-1-5-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
10. CVE-2025-22337
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infosoft Consultant Order Audit Log for WooCommerce allows Reflected XSS.This issue affects Order Audit Log for WooCommerce: from n/a through 2.0.
References: https://patchstack.com/database/wordpress/plugin/order-audit-log-for-woocommerce/vulnerability/wordpress-order-audit-log-for-woocommerce-plugin-2-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
11. CVE-2025-22344
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Convoy Media Category Library allows Reflected XSS.This issue affects Media Category Library: from n/a through 2.7.
References: https://patchstack.com/database/wordpress/plugin/media-category-library/vulnerability/wordpress-media-category-library-plugin-2-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
12. CVE-2025-22498
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in New Normal LLC LucidLMS allows Reflected XSS.This issue affects LucidLMS: from n/a through 1.0.5.
References: https://patchstack.com/database/wordpress/plugin/lucidlms/vulnerability/wordpress-lucidlms-plugin-1-0-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
13. CVE-2025-22499
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FAKTOR VIER F4 Post Tree allows Reflected XSS.This issue affects F4 Post Tree: from n/a through 1.1.18.
References: https://patchstack.com/database/wordpress/plugin/f4-tree/vulnerability/wordpress-f4-post-tree-plugin-1-1-18-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
14. CVE-2025-22506
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SmartAgenda Smart Agenda allows Stored XSS.This issue affects Smart Agenda: from n/a through 4.7.
References: https://patchstack.com/database/wordpress/plugin/smart-agenda-prise-de-rendez-vous-en-ligne/vulnerability/wordpress-smart-agenda-plugin-4-7-csrf-to-stored-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
15. CVE-2025-22514
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yamna Tatheer KNR Author List Widget allows Reflected XSS.This issue affects KNR Author List Widget: from n/a through 3.1.1.
References: https://patchstack.com/database/wordpress/plugin/knr-author-list-widget/vulnerability/wordpress-axact-author-list-widget-plugin-3-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
16. CVE-2025-22567
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in trustist TRUSTist REVIEWer allows Reflected XSS.This issue affects TRUSTist REVIEWer: from n/a through 2.0.
References: https://patchstack.com/database/wordpress/plugin/trustist-reviewer/vulnerability/wordpress-trustist-reviewer-plugin-2-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
17. CVE-2025-22568
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Paramveer Singh for Arete IT Private Limited Post And Page Reactions allows Reflected XSS.This issue affects Post And Page Reactions: from n/a through 1.0.5.
References: https://patchstack.com/database/wordpress/plugin/post-and-page-reactions/vulnerability/wordpress-post-and-page-reactions-plugin-1-0-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
18. CVE-2025-22569
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in grandslambert Featured Page Widget allows Reflected XSS.This issue affects Featured Page Widget: from n/a through 2.2.
References: https://patchstack.com/database/wordpress/plugin/featured-page-widget/vulnerability/wordpress-featured-page-widget-plugin-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
19. CVE-2025-22570
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Miloš Đekić Inline Tweets allows Stored XSS.This issue affects Inline Tweets: from n/a through 2.0.
References: https://patchstack.com/database/wordpress/plugin/inline-tweets/vulnerability/wordpress-inline-tweets-plugin-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
20. CVE-2025-22576
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marcus Downing Site PIN allows Reflected XSS.This issue affects Site PIN: from n/a through 1.3.
References: https://patchstack.com/database/wordpress/plugin/site-pin/vulnerability/wordpress-site-pin-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
21. CVE-2025-22583
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Anshul Sojatia Scan External Links allows Reflected XSS.This issue affects Scan External Links: from n/a through 1.0.
References: https://patchstack.com/database/wordpress/plugin/scan-external-links/vulnerability/wordpress-scan-external-links-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
22. CVE-2025-22586
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Detlef Stöver WPEX Replace DB Urls allows Reflected XSS.This issue affects WPEX Replace DB Urls: from n/a through 0.4.0.
References: https://patchstack.com/database/wordpress/plugin/wpex-replace/vulnerability/wordpress-wpex-replace-db-urls-plugin-0-4-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
23. CVE-2025-22588
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scanventory.net Scanventory allows Reflected XSS.This issue affects Scanventory: from n/a through 1.1.3.
References: https://patchstack.com/database/wordpress/plugin/woocommerce-inventory-management/vulnerability/wordpress-scanventory-plugin-1-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
24. CVE-2025-22777
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Deserialization of Untrusted Data vulnerability in GiveWP GiveWP allows Object Injection. This issue affects GiveWP: from n/a through 3.19.3.
References: https://patchstack.com/database/wordpress/plugin/give/vulnerability/wordpress-givewp-plugin-3-19-3-php-object-injection-vulnerability?_s_id=cve
https://securityonline.info/cve-2025-22777-cvss-9-8-critical-security-alert-for-givewp-plugin-with-100000-active-installations/
CWE-ID: CWE-502
Common Platform Enumerations (CPE): Not Found
25. CVE-2024-47796
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.9
Description: An improper array index validation vulnerability exists in the nowindow functionality of OFFIS DCMTK 3.6.8. A specially crafted DICOM file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.
References: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=89a6e399f1e17d08a8bc8cdaa05b2ac9a50cd4f6
https://talosintelligence.com/vulnerability_reports/TALOS-2024-2122
https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2122
CWE-ID: CWE-119
Common Platform Enumerations (CPE): Not Found
26. CVE-2024-52333
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.9
Description: An improper array index validation vulnerability exists in the determineMinMax functionality of OFFIS DCMTK 3.6.8. A specially crafted DICOM file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability.
References: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=03e851b0586d05057c3268988e180ffb426b2e03
https://talosintelligence.com/vulnerability_reports/TALOS-2024-2121
https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-2121
CWE-ID: CWE-119
Common Platform Enumerations (CPE): Not Found
27. CVE-2025-22963
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: Teedy through 1.11 allows CSRF for account takeover via POST /api/user/admin.
References: https://blog.teedy.io/
https://github.com/sismics/docs/releases/tag/v1.11
https://github.com/sota70/teedy-v1.11-csrf
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
28. CVE-2024-46479
Base Score: 9.9
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 6.0
Description: Venki Supravizio BPM through 18.0.1 was discovered to contain an arbitrary file upload vulnerability. An authenticated attacker may upload a malicious file, leading to remote code execution.
References: https://github.com/Lorenzo-de-Sa/Vulnerability-Research
https://github.com/Lorenzo-de-Sa/Vulnerability-Research/blob/main/CVE-2024-46479.md
https://www.venki.com.br/ferramenta-bpm/supravizio/
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
29. CVE-2024-5743
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: An attacker could exploit the 'Use of Password Hash With Insufficient Computational Effort' vulnerability in EveHome Eve Play to execute arbitrary code.
This issue affects Eve Play: through 1.1.42.
References: https://www.evehome.com/en-us/security-content
CWE-ID: CWE-916
Common Platform Enumerations (CPE): Not Found
30. CVE-2024-46480
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 1.7
Impact Score: 6.0
Description: An NTLM hash leak in Venki Supravizio BPM up to 18.0.1 allows authenticated attackers with Application Administrator access to escalate privileges on the underlying host system.
References: https://github.com/Lorenzo-de-Sa/Vulnerability-Research
https://github.com/Lorenzo-de-Sa/Vulnerability-Research/blob/main/CVE-2024-46480.md
https://www.venki.com.br/ferramenta-bpm/supravizio/
CWE-ID: CWE-522
Common Platform Enumerations (CPE): Not Found
31. CVE-2024-46481
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: The login page of Venki Supravizio BPM up to 18.1.1 is vulnerable to open redirect leading to reflected XSS.
References: https://github.com/Lorenzo-de-Sa/Vulnerability-Research
https://github.com/Lorenzo-de-Sa/Vulnerability-Research/blob/main/CVE-2024-46481.md
https://www.venki.com.br/ferramenta-bpm/supravizio/
CWE-ID: CWE-601
Common Platform Enumerations (CPE): Not Found