In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between February 14-15, 2025.
During this period, The National Vulnerability Database published 127, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 3
High: 62
Medium: 39
Low: 1
Severity Not Assigned: 22
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-55904
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: IBM DevOps Deploy 8.0 through 8.0.1.4, 8.1 through 8.1.0.0 / IBM UrbanCode Deploy 7.0 through 7.0.5.25, 7.1 through 7.1.2.21, 7.2 through 7.2.3.14, and 7.3 through 7.3.2.9 could allow a remote privileged authenticated attacker to execute arbitrary commands on the system by sending specially crafted input containing special elements.
References: https://www.ibm.com/support/pages/node/7182841
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
2. CVE-2025-26519
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 1.4
Impact Score: 6.0
Description: musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write vulnerability when an attacker can trigger iconv conversion of untrusted EUC-KR text to UTF-8.
References: https://git.musl-libc.org/cgit/musl/commit/?id=c47ad25ea3b484e10326f933e927c0bc8cded3da
https://git.musl-libc.org/cgit/musl/commit/?id=e5adcd97b5196e29991b524237381a0202a60659
https://www.openwall.com/lists/oss-security/2025/02/13/2
http://www.openwall.com/lists/oss-security/2025/02/13/2
http://www.openwall.com/lists/oss-security/2025/02/13/3
http://www.openwall.com/lists/oss-security/2025/02/13/4
http://www.openwall.com/lists/oss-security/2025/02/13/5
http://www.openwall.com/lists/oss-security/2025/02/14/5
http://www.openwall.com/lists/oss-security/2025/02/14/6
CWE-ID: CWE-787
Common Platform Enumerations (CPE): Not Found
3. CVE-2025-22630
Base Score: 9.9
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 6.0
Description: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in MarketingFire Widget Options allows OS Command Injection.This issue affects Widget Options: from n/a through 4.1.0.
References: https://patchstack.com/database/wordpress/plugin/widget-options/vulnerability/wordpress-widget-options-plugin-4-1-0-arbitrary-code-execution-vulnerability?_s_id=cve
CWE-ID: CWE-77
Common Platform Enumerations (CPE): Not Found
4. CVE-2025-26788
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 6.0
Description: StrongKey FIDO Server before 4.15.1 treats a non-discoverable (namedcredential) flow as a discoverable transaction.
References: https://docs.strongkey.com/index.php/skfs-v3/skfs-release-notes
CWE-ID: CWE-639
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-13152
Base Score: 10.0
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 6.0
Description: Authorization Bypass Through User-Controlled SQL Primary Key vulnerability in BSS Software Mobuy Online Machinery Monitoring Panel allows SQL Injection.This issue affects Mobuy Online Machinery Monitoring Panel: before 2.0.
References: https://www.usom.gov.tr/bildirim/tr-25-0033
CWE-ID: CWE-566
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-52500
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: Missing Authorization vulnerability in monetagwp Monetag Official Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Monetag Official Plugin: from n/a through 1.1.3.
References: https://patchstack.com/database/wordpress/plugin/monetag-official/vulnerability/wordpress-monetag-official-plugin-plugin-1-1-3-broken-access-control-vulnerability?_s_id=cve
CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found
7. CVE-2025-0867
Base Score: 9.9
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 6.0
Description: The standard user uses the run as function to start the MEAC applications with administrative privileges. To ensure that the system can startup on its own, the credentials of the administrator were stored. Consequently, the EPC2 user can execute any command with administrative privileges. This allows a privilege escalation to the administrative level.
References: https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF
https://sick.com/psirt
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0001.json
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0001.pdf
CWE-ID: CWE-522
Common Platform Enumerations (CPE): Not Found
8. CVE-2025-22705
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Cross-Site Request Forgery (CSRF) vulnerability in godthor Disqus Popular Posts allows Reflected XSS. This issue affects Disqus Popular Posts: from n/a through 2.1.1.
References: https://patchstack.com/database/wordpress/plugin/disqus-popular-posts/vulnerability/wordpress-disqus-popular-posts-plugin-2-1-1-csrf-to-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
9. CVE-2025-23428
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound QMean – WordPress Did You Mean allows Reflected XSS. This issue affects QMean – WordPress Did You Mean: from n/a through 2.0.
References: https://patchstack.com/database/wordpress/plugin/qmean/vulnerability/wordpress-qmean-plugin-2-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
10. CVE-2025-23431
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Envato Affiliater allows Reflected XSS. This issue affects Envato Affiliater: from n/a through 1.2.4.
References: https://patchstack.com/database/wordpress/plugin/envato-affiliater/vulnerability/wordpress-envato-affiliater-plugin-1-2-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
11. CVE-2025-23474
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mike Martel Live Dashboard allows Reflected XSS. This issue affects Live Dashboard: from n/a through 0.3.3.
References: https://patchstack.com/database/wordpress/plugin/live-dashboard/vulnerability/wordpress-live-dashboard-plugin-0-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
12. CVE-2025-23492
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CantonBolo WordPress 淘宝客插件 allows Reflected XSS. This issue affects WordPress 淘宝客插件: from n/a through 1.1.2.
References: https://patchstack.com/database/wordpress/plugin/taobaoke/vulnerability/wordpress-plugin-1-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
13. CVE-2025-23523
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hoststreamsell HSS Embed Streaming Video allows Reflected XSS. This issue affects HSS Embed Streaming Video: from n/a through 3.23.
References: https://patchstack.com/database/wordpress/plugin/hss-embed-streaming-video/vulnerability/wordpress-hss-embed-streaming-video-plugin-3-23-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
14. CVE-2025-23525
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kvvaradha Kv Compose Email From Dashboard allows Reflected XSS. This issue affects Kv Compose Email From Dashboard: from n/a through 1.1.
References: https://patchstack.com/database/wordpress/plugin/kv-send-email-from-admin/vulnerability/wordpress-kv-compose-email-from-dashboard-plugin-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
15. CVE-2025-23568
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fredsted WP Login Attempt Log allows Reflected XSS. This issue affects WP Login Attempt Log: from n/a through 1.3.
References: https://patchstack.com/database/wordpress/plugin/wp-login-attempt-log/vulnerability/wordpress-wp-login-attempt-log-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
16. CVE-2025-23571
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Internal Links Generator allows Reflected XSS. This issue affects Internal Links Generator: from n/a through 3.51.
References: https://patchstack.com/database/wordpress/plugin/internal-links-generator/vulnerability/wordpress-internal-links-generator-plugin-3-51-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
17. CVE-2025-23598
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in craig.edmunds@gmail.com Recip.ly allows Reflected XSS. This issue affects Recip.ly: from n/a through 1.1.8.
References: https://patchstack.com/database/wordpress/plugin/reciply/vulnerability/wordpress-recip-ly-plugin-1-1-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
18. CVE-2025-23646
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matt Brooks Library Instruction Recorder allows Reflected XSS. This issue affects Library Instruction Recorder: from n/a through 1.1.4.
References: https://patchstack.com/database/wordpress/plugin/library-instruction-recorder/vulnerability/wordpress-library-instruction-recorder-plugin-1-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
19. CVE-2025-23647
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ariagle WP-Clap allows Reflected XSS. This issue affects WP-Clap: from n/a through 1.5.
References: https://patchstack.com/database/wordpress/plugin/wp-clap/vulnerability/wordpress-wp-clap-plugin-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
20. CVE-2025-23648
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wjharil AdsMiddle allows Reflected XSS. This issue affects AdsMiddle: from n/a through 1.0.
References: https://patchstack.com/database/wordpress/plugin/adsmiddle/vulnerability/wordpress-adsmiddle-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
21. CVE-2025-23650
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in razvypp Tidy.ro allows Reflected XSS. This issue affects Tidy.ro: from n/a through 1.3.
References: https://patchstack.com/database/wordpress/plugin/tidyro/vulnerability/wordpress-tidy-ro-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
22. CVE-2025-23651
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Scroll Top allows Reflected XSS. This issue affects Scroll Top: from n/a through 1.3.3.
References: https://patchstack.com/database/wordpress/plugin/scroll-to-top-builder/vulnerability/wordpress-scroll-top-plugin-1-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
23. CVE-2025-23652
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Add custom content after post allows Reflected XSS. This issue affects Add custom content after post: from n/a through 1.0.
References: https://patchstack.com/database/wordpress/plugin/add-custom-content-after-post/vulnerability/wordpress-add-custom-content-after-post-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
24. CVE-2025-23653
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Form To Online Booking allows Reflected XSS. This issue affects Form To Online Booking: from n/a through 1.0.
References: https://patchstack.com/database/wordpress/plugin/cf7-calendly-integration/vulnerability/wordpress-form-to-online-booking-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
25. CVE-2025-23655
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Contact Form 7 – Paystack Add-on allows Reflected XSS. This issue affects Contact Form 7 – Paystack Add-on: from n/a through 1.2.3.
References: https://patchstack.com/database/wordpress/plugin/cf7-paystack-add-on/vulnerability/wordpress-contact-form-7-paystack-add-on-plugin-1-2-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
26. CVE-2025-23657
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WordPress-to-candidate for Salesforce CRM allows Reflected XSS. This issue affects WordPress-to-candidate for Salesforce CRM: from n/a through 1.0.1.
References: https://patchstack.com/database/wordpress/plugin/salesforce-wordpress-to-candidate/vulnerability/wordpress-wordpress-to-candidate-for-salesforce-crm-plugin-1-0-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
27. CVE-2025-23658
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tauhidul Alam Advanced Angular Contact Form allows Reflected XSS. This issue affects Advanced Angular Contact Form: from n/a through 1.1.0.
References: https://patchstack.com/database/wordpress/plugin/advanced-angular-contact-form/vulnerability/wordpress-advanced-angular-contact-form-plugin-1-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
28. CVE-2025-23742
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Podamibe Nepal Podamibe Twilio Private Call allows Reflected XSS. This issue affects Podamibe Twilio Private Call: from n/a through 1.0.1.
References: https://patchstack.com/database/wordpress/plugin/podamibe-twilio-private-call/vulnerability/wordpress-podamibe-twilio-private-call-plugin-1-0-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
29. CVE-2025-23748
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Singsys -Awesome Gallery allows Reflected XSS. This issue affects Singsys -Awesome Gallery: from n/a through 1.0.
References: https://patchstack.com/database/wordpress/plugin/awesome-gallery-singsys/vulnerability/wordpress-singsys-awesome-gallery-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
30. CVE-2025-23750
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in devbunchuk Custom Widget Creator allows Reflected XSS. This issue affects Custom Widget Creator: from n/a through 1.0.5.
References: https://patchstack.com/database/wordpress/plugin/custom-widget-creator/vulnerability/wordpress-custom-widget-creator-plugin-1-0-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
31. CVE-2025-23751
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Think201 Data Dash allows Reflected XSS. This issue affects Data Dash: from n/a through 1.2.3.
References: https://patchstack.com/database/wordpress/plugin/data-dash/vulnerability/wordpress-data-dash-plugin-1-2-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
32. CVE-2025-23786
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DuoGeek Email to Download allows Reflected XSS. This issue affects Email to Download: from n/a through 3.1.0.
References: https://patchstack.com/database/wordpress/plugin/email-to-download/vulnerability/wordpress-email-to-download-plugin-3-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
33. CVE-2025-23787
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Easy Bet allows Reflected XSS. This issue affects Easy Bet: from n/a through 1.0.7.
References: https://patchstack.com/database/wordpress/plugin/easy-bet/vulnerability/wordpress-easy-bet-plugin-1-0-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
34. CVE-2025-23788
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Easy Filter allows Reflected XSS. This issue affects Easy Filter: from n/a through 1.10.
References: https://patchstack.com/database/wordpress/plugin/easy-filter/vulnerability/wordpress-easy-filter-plugin-1-10-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
35. CVE-2025-23789
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tahminajannat URL Shortener | Conversion Tracking | AB Testing | WooCommerce allows Reflected XSS. This issue affects URL Shortener | Conversion Tracking | AB Testing | WooCommerce: from n/a through 9.0.2.
References: https://patchstack.com/database/wordpress/plugin/easy-broken-link-checker/vulnerability/wordpress-url-shortener-woocommerce-plugin-9-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
36. CVE-2025-23790
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wassereimer Easy Code Placement allows Reflected XSS. This issue affects Easy Code Placement: from n/a through 18.11.
References: https://patchstack.com/database/wordpress/plugin/easy-code-placement/vulnerability/wordpress-easy-code-placement-plugin-18-11-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
37. CVE-2025-23851
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Coronavirus (COVID-19) Outbreak Data Widgets allows Reflected XSS. This issue affects Coronavirus (COVID-19) Outbreak Data Widgets: from n/a through 1.1.1.
References: https://patchstack.com/database/wordpress/plugin/coronavirus-data-widgets/vulnerability/wordpress-coronavirus-covid-19-outbreak-data-widgets-plugin-1-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
38. CVE-2025-23853
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in michelem NoFollow Free allows Reflected XSS. This issue affects NoFollow Free: from n/a through 1.6.3.
References: https://patchstack.com/database/wordpress/plugin/nofollow-free/vulnerability/wordpress-nofollow-free-plugin-1-6-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
39. CVE-2025-23857
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Essential WP Real Estate allows Reflected XSS. This issue affects Essential WP Real Estate: from n/a through 1.1.3.
References: https://patchstack.com/database/wordpress/plugin/essential-wp-real-estate/vulnerability/wordpress-essential-wp-real-estate-plugin-1-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
40. CVE-2025-23905
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Johannes van Poelgeest Admin Options Pages allows Reflected XSS. This issue affects Admin Options Pages: from n/a through 0.9.7.
References: https://patchstack.com/database/wordpress/plugin/admin-options-pages/vulnerability/wordpress-admin-options-pages-plugin-0-9-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
41. CVE-2025-24554
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in awcode AWcode Toolkit allows Reflected XSS. This issue affects AWcode Toolkit: from n/a through 1.0.14.
References: https://patchstack.com/database/wordpress/plugin/awcode-toolkit/vulnerability/wordpress-awcode-toolkit-plugin-1-0-14-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
42. CVE-2025-24558
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks CRM Perks allows Reflected XSS. This issue affects CRM Perks: from n/a through 1.1.5.
References: https://patchstack.com/database/wordpress/plugin/support-x/vulnerability/wordpress-crm-perks-plugin-1-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
43. CVE-2025-24564
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aviplugins.com Contact Form With Shortcode allows Reflected XSS. This issue affects Contact Form With Shortcode: from n/a through 4.2.5.
References: https://patchstack.com/database/wordpress/plugin/contact-form-with-shortcode/vulnerability/wordpress-contact-form-with-shortcode-plugin-4-2-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
44. CVE-2025-24565
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder Team Tobias WP2LEADS allows Reflected XSS. This issue affects WP2LEADS: from n/a through 3.3.3.
References: https://patchstack.com/database/wordpress/plugin/wp2leads/vulnerability/wordpress-wp2leads-plugin-3-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
45. CVE-2025-24566
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tomáš Groulík Intro Tour Tutorial DeepPresentation allows Reflected XSS. This issue affects Intro Tour Tutorial DeepPresentation: from n/a through 6.5.2.
References: https://patchstack.com/database/wordpress/plugin/dp-intro-tours/vulnerability/wordpress-intro-tour-tutorial-deeppresentation-plugin-6-5-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
46. CVE-2025-24592
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SysBasics Customize My Account for WooCommerce allows Reflected XSS. This issue affects Customize My Account for WooCommerce: from n/a through 2.8.22.
References: https://patchstack.com/database/wordpress/plugin/customize-my-account-for-woocommerce/vulnerability/wordpress-sysbasics-customize-my-account-for-woocommerce-plugin-2-8-22-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
47. CVE-2025-24614
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in agileLogix Post Timeline allows Reflected XSS. This issue affects Post Timeline: from n/a through 2.3.9.
References: https://patchstack.com/database/wordpress/plugin/post-timeline/vulnerability/wordpress-post-timeline-plugin-2-3-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
48. CVE-2025-24615
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fatcatapps Analytics Cat allows Reflected XSS. This issue affects Analytics Cat: from n/a through 1.1.2.
References: https://patchstack.com/database/wordpress/plugin/analytics-cat/vulnerability/wordpress-analytics-cat-plugin-1-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
49. CVE-2025-24616
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UIUX Lab Uix Page Builder allows Reflected XSS. This issue affects Uix Page Builder: from n/a through 1.7.3.
References: https://patchstack.com/database/wordpress/plugin/uix-page-builder/vulnerability/wordpress-uix-page-builder-plugin-1-7-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
50. CVE-2025-24617
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AcyMailing Newsletter Team AcyMailing SMTP Newsletter allows Reflected XSS. This issue affects AcyMailing SMTP Newsletter: from n/a through n/a.
References: https://patchstack.com/database/wordpress/plugin/acymailing/vulnerability/wordpress-acymailing-plugin-9-11-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
51. CVE-2025-24641
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rickonline_nl Better WishList API allows Stored XSS. This issue affects Better WishList API: from n/a through 1.1.3.
References: https://patchstack.com/database/wordpress/plugin/better-wlm-api/vulnerability/wordpress-better-wishlist-api-plugin-1-1-3-stored-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
52. CVE-2025-24688
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brandtoss WP Mailster allows Reflected XSS. This issue affects WP Mailster: from n/a through 1.8.20.0.
References: https://patchstack.com/database/wordpress/plugin/wp-mailster/vulnerability/wordpress-wp-mailster-plugin-1-8-20-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
53. CVE-2025-24692
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.2
Description: Missing Authorization vulnerability in Michael Revellin-Clerc Bulk Menu Edit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bulk Menu Edit: from n/a through 1.3.
References: https://patchstack.com/database/wordpress/plugin/bulk-menu-edit/vulnerability/wordpress-bulk-menu-edit-plugin-1-3-broken-access-control-vulnerability?_s_id=cve
CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found
54. CVE-2025-24699
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company WP Coder allows Cross-Site Scripting (XSS). This issue affects WP Coder: from n/a through 3.6.
References: https://patchstack.com/database/wordpress/plugin/wp-coder/vulnerability/wordpress-wp-coder-plugin-3-6-csrf-to-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
55. CVE-2025-24700
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xylus Themes WP Event Aggregator allows Reflected XSS. This issue affects WP Event Aggregator: from n/a through 1.8.2.
References: https://patchstack.com/database/wordpress/plugin/wp-event-aggregator/vulnerability/wordpress-wp-event-aggregator-plugin-1-8-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
56. CVE-2024-12651
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Exposed Dangerous Method or Function vulnerability in PTT Inc. HGS Mobile App allows Manipulating User-Controlled Variables.This issue affects HGS Mobile App: before 6.5.0.
References: https://www.usom.gov.tr/bildirim/tr-25-0034
CWE-ID: CWE-749
Common Platform Enumerations (CPE): Not Found
57. CVE-2025-25745
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: D-Link DIR-853 A1 FW1.20B07 was discovered to contain a stack-based buffer overflow vulnerability via the Password parameter in the SetQuickVPNSettings module.
References: https://dear-sunshine-ba5.notion.site/D-Link-DIR-853-2-1812386a664480ea82a7f8321d967187
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
58. CVE-2024-8893
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: Use of Hard-coded Credentials vulnerability in GoodWe Technologies Co., Ltd. GW1500‑XS allows anyone in physical proximity to the device to fully access the web interface of the inverter via Wi‑Fi.This issue affects GW1500‑XS: 1.1.2.1.
References: https://os-s.net/publications/advisories/CVE-2024-8893.pdf
CWE-ID: CWE-798
Common Platform Enumerations (CPE): Not Found
59. CVE-2025-25206
Base Score: 8.3
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.5
Description: eLabFTW is an open source electronic lab notebook for research labs. Prior to version 5.1.15, an incorrect input validation could allow an authenticated user to read sensitive information, including login token or other content stored in the database. This could lead to privilege escalation if cookies are enabled (default setting). Users must upgrade to eLabFTW version 5.1.15 to receive a fix. No known workarounds are available.
References: https://github.com/elabftw/elabftw/releases/tag/5.1.15
https://github.com/elabftw/elabftw/security/advisories/GHSA-qffc-rfjh-77gg
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
60. CVE-2025-25997
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 4.7
Description: Directory Traversal vulnerability in FeMiner wms v.1.0 allows a remote attacker to obtain sensitive information via the databak.php component.
References: https://github.com/FeMiner/wms/issues/22
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
61. CVE-2025-26156
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A SQL Injection vulnerability was found in /shopping/track-orders.php in PHPGurukul Online Shopping Portal v2.1, which allows remote attackers to execute arbitrary code via orderid POST request parameter.
References: https://github.com/rtnthakur/CVE/blob/main/PHPGurukul/README.md
https://github.com/rtnthakur/CVE/blob/main/PHPGurukul/README.md
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
62. CVE-2025-25297
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.0
Description: Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio's S3 storage integration feature contains a Server-Side Request Forgery (SSRF) vulnerability in its endpoint configuration. When creating an S3 storage connection, the application allows users to specify a custom S3 endpoint URL via the s3_endpoint parameter. This endpoint URL is passed directly to the boto3 AWS SDK without proper validation or restrictions on the protocol or destination. The vulnerability allows an attacker to make the application send HTTP requests to arbitrary internal services by specifying them as the S3 endpoint. When the storage sync operation is triggered, the application attempts to make S3 API calls to the specified endpoint, effectively making HTTP requests to the target service and returning the response in error messages. This SSRF vulnerability enables attackers to bypass network segmentation and access internal services that should not be accessible from the external network. The vulnerability is particularly severe because error messages from failed requests contain the full response body, allowing data exfiltration from internal services. Version 1.16.0 contains a patch for the issue.
References: https://github.com/HumanSignal/label-studio/commit/06a2b29c1208e1878ccae66e6b84c8b24598fa79
https://github.com/HumanSignal/label-studio/security/advisories/GHSA-m238-fmcw-wh58
CWE-ID: CWE-918
Common Platform Enumerations (CPE): Not Found
63. CVE-2022-26083
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.1
Impact Score: 5.8
Description: Generation of weak initialization vector in an Intel(R) IPP Cryptography software library before version 2021.5 may allow an unauthenticated user to potentially enable information disclosure via local access.
References: https://intel.com/content/www/us/en/security-center/advisory/intel-sa-00667.html
CWE-ID: CWE-1204
Common Platform Enumerations (CPE): Not Found
64. CVE-2025-0592
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The vulnerability may allow a remote low priviledged attacker to run arbitrary shell commands by manipulating the firmware file and uploading it to the device.
References: https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF
https://sick.com/psirt
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0002.json
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0002.pdf
CWE-ID: CWE-924
Common Platform Enumerations (CPE): Not Found
65. CVE-2025-0593
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The vulnerability may allow a remote low priviledged attacker to run arbitrary shell commands by using lower-level functions to interact with the device.
References: https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF
https://sick.com/psirt
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0002.json
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0002.pdf
CWE-ID: CWE-77
Common Platform Enumerations (CPE): Not Found
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between February 14-15, 2025.
During this period, The National Vulnerability Database published 127, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 3
High: 62
Medium: 39
Low: 1
Severity Not Assigned: 22
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-55904
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: IBM DevOps Deploy 8.0 through 8.0.1.4, 8.1 through 8.1.0.0 / IBM UrbanCode Deploy 7.0 through 7.0.5.25, 7.1 through 7.1.2.21, 7.2 through 7.2.3.14, and 7.3 through 7.3.2.9 could allow a remote privileged authenticated attacker to execute arbitrary commands on the system by sending specially crafted input containing special elements.
References: https://www.ibm.com/support/pages/node/7182841
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
2. CVE-2025-26519
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 1.4
Impact Score: 6.0
Description: musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write vulnerability when an attacker can trigger iconv conversion of untrusted EUC-KR text to UTF-8.
References: https://git.musl-libc.org/cgit/musl/commit/?id=c47ad25ea3b484e10326f933e927c0bc8cded3da
https://git.musl-libc.org/cgit/musl/commit/?id=e5adcd97b5196e29991b524237381a0202a60659
https://www.openwall.com/lists/oss-security/2025/02/13/2
http://www.openwall.com/lists/oss-security/2025/02/13/2
http://www.openwall.com/lists/oss-security/2025/02/13/3
http://www.openwall.com/lists/oss-security/2025/02/13/4
http://www.openwall.com/lists/oss-security/2025/02/13/5
http://www.openwall.com/lists/oss-security/2025/02/14/5
http://www.openwall.com/lists/oss-security/2025/02/14/6
CWE-ID: CWE-787
Common Platform Enumerations (CPE): Not Found
3. CVE-2025-22630
Base Score: 9.9
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 6.0
Description: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in MarketingFire Widget Options allows OS Command Injection.This issue affects Widget Options: from n/a through 4.1.0.
References: https://patchstack.com/database/wordpress/plugin/widget-options/vulnerability/wordpress-widget-options-plugin-4-1-0-arbitrary-code-execution-vulnerability?_s_id=cve
CWE-ID: CWE-77
Common Platform Enumerations (CPE): Not Found
4. CVE-2025-26788
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 6.0
Description: StrongKey FIDO Server before 4.15.1 treats a non-discoverable (namedcredential) flow as a discoverable transaction.
References: https://docs.strongkey.com/index.php/skfs-v3/skfs-release-notes
CWE-ID: CWE-639
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-13152
Base Score: 10.0
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 6.0
Description: Authorization Bypass Through User-Controlled SQL Primary Key vulnerability in BSS Software Mobuy Online Machinery Monitoring Panel allows SQL Injection.This issue affects Mobuy Online Machinery Monitoring Panel: before 2.0.
References: https://www.usom.gov.tr/bildirim/tr-25-0033
CWE-ID: CWE-566
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-52500
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: Missing Authorization vulnerability in monetagwp Monetag Official Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Monetag Official Plugin: from n/a through 1.1.3.
References: https://patchstack.com/database/wordpress/plugin/monetag-official/vulnerability/wordpress-monetag-official-plugin-plugin-1-1-3-broken-access-control-vulnerability?_s_id=cve
CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found
7. CVE-2025-0867
Base Score: 9.9
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 6.0
Description: The standard user uses the run as function to start the MEAC applications with administrative privileges. To ensure that the system can startup on its own, the credentials of the administrator were stored. Consequently, the EPC2 user can execute any command with administrative privileges. This allows a privilege escalation to the administrative level.
References: https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF
https://sick.com/psirt
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0001.json
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0001.pdf
CWE-ID: CWE-522
Common Platform Enumerations (CPE): Not Found
8. CVE-2025-22705
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Cross-Site Request Forgery (CSRF) vulnerability in godthor Disqus Popular Posts allows Reflected XSS. This issue affects Disqus Popular Posts: from n/a through 2.1.1.
References: https://patchstack.com/database/wordpress/plugin/disqus-popular-posts/vulnerability/wordpress-disqus-popular-posts-plugin-2-1-1-csrf-to-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
9. CVE-2025-23428
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound QMean – WordPress Did You Mean allows Reflected XSS. This issue affects QMean – WordPress Did You Mean: from n/a through 2.0.
References: https://patchstack.com/database/wordpress/plugin/qmean/vulnerability/wordpress-qmean-plugin-2-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
10. CVE-2025-23431
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Envato Affiliater allows Reflected XSS. This issue affects Envato Affiliater: from n/a through 1.2.4.
References: https://patchstack.com/database/wordpress/plugin/envato-affiliater/vulnerability/wordpress-envato-affiliater-plugin-1-2-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
11. CVE-2025-23474
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mike Martel Live Dashboard allows Reflected XSS. This issue affects Live Dashboard: from n/a through 0.3.3.
References: https://patchstack.com/database/wordpress/plugin/live-dashboard/vulnerability/wordpress-live-dashboard-plugin-0-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
12. CVE-2025-23492
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CantonBolo WordPress 淘宝客插件 allows Reflected XSS. This issue affects WordPress 淘宝客插件: from n/a through 1.1.2.
References: https://patchstack.com/database/wordpress/plugin/taobaoke/vulnerability/wordpress-plugin-1-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
13. CVE-2025-23523
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hoststreamsell HSS Embed Streaming Video allows Reflected XSS. This issue affects HSS Embed Streaming Video: from n/a through 3.23.
References: https://patchstack.com/database/wordpress/plugin/hss-embed-streaming-video/vulnerability/wordpress-hss-embed-streaming-video-plugin-3-23-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
14. CVE-2025-23525
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kvvaradha Kv Compose Email From Dashboard allows Reflected XSS. This issue affects Kv Compose Email From Dashboard: from n/a through 1.1.
References: https://patchstack.com/database/wordpress/plugin/kv-send-email-from-admin/vulnerability/wordpress-kv-compose-email-from-dashboard-plugin-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
15. CVE-2025-23568
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fredsted WP Login Attempt Log allows Reflected XSS. This issue affects WP Login Attempt Log: from n/a through 1.3.
References: https://patchstack.com/database/wordpress/plugin/wp-login-attempt-log/vulnerability/wordpress-wp-login-attempt-log-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
16. CVE-2025-23571
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Internal Links Generator allows Reflected XSS. This issue affects Internal Links Generator: from n/a through 3.51.
References: https://patchstack.com/database/wordpress/plugin/internal-links-generator/vulnerability/wordpress-internal-links-generator-plugin-3-51-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
17. CVE-2025-23598
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in craig.edmunds@gmail.com Recip.ly allows Reflected XSS. This issue affects Recip.ly: from n/a through 1.1.8.
References: https://patchstack.com/database/wordpress/plugin/reciply/vulnerability/wordpress-recip-ly-plugin-1-1-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
18. CVE-2025-23646
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matt Brooks Library Instruction Recorder allows Reflected XSS. This issue affects Library Instruction Recorder: from n/a through 1.1.4.
References: https://patchstack.com/database/wordpress/plugin/library-instruction-recorder/vulnerability/wordpress-library-instruction-recorder-plugin-1-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
19. CVE-2025-23647
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ariagle WP-Clap allows Reflected XSS. This issue affects WP-Clap: from n/a through 1.5.
References: https://patchstack.com/database/wordpress/plugin/wp-clap/vulnerability/wordpress-wp-clap-plugin-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
20. CVE-2025-23648
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wjharil AdsMiddle allows Reflected XSS. This issue affects AdsMiddle: from n/a through 1.0.
References: https://patchstack.com/database/wordpress/plugin/adsmiddle/vulnerability/wordpress-adsmiddle-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
21. CVE-2025-23650
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in razvypp Tidy.ro allows Reflected XSS. This issue affects Tidy.ro: from n/a through 1.3.
References: https://patchstack.com/database/wordpress/plugin/tidyro/vulnerability/wordpress-tidy-ro-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
22. CVE-2025-23651
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Scroll Top allows Reflected XSS. This issue affects Scroll Top: from n/a through 1.3.3.
References: https://patchstack.com/database/wordpress/plugin/scroll-to-top-builder/vulnerability/wordpress-scroll-top-plugin-1-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
23. CVE-2025-23652
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Add custom content after post allows Reflected XSS. This issue affects Add custom content after post: from n/a through 1.0.
References: https://patchstack.com/database/wordpress/plugin/add-custom-content-after-post/vulnerability/wordpress-add-custom-content-after-post-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
24. CVE-2025-23653
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Form To Online Booking allows Reflected XSS. This issue affects Form To Online Booking: from n/a through 1.0.
References: https://patchstack.com/database/wordpress/plugin/cf7-calendly-integration/vulnerability/wordpress-form-to-online-booking-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
25. CVE-2025-23655
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Contact Form 7 – Paystack Add-on allows Reflected XSS. This issue affects Contact Form 7 – Paystack Add-on: from n/a through 1.2.3.
References: https://patchstack.com/database/wordpress/plugin/cf7-paystack-add-on/vulnerability/wordpress-contact-form-7-paystack-add-on-plugin-1-2-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
26. CVE-2025-23657
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WordPress-to-candidate for Salesforce CRM allows Reflected XSS. This issue affects WordPress-to-candidate for Salesforce CRM: from n/a through 1.0.1.
References: https://patchstack.com/database/wordpress/plugin/salesforce-wordpress-to-candidate/vulnerability/wordpress-wordpress-to-candidate-for-salesforce-crm-plugin-1-0-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
27. CVE-2025-23658
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tauhidul Alam Advanced Angular Contact Form allows Reflected XSS. This issue affects Advanced Angular Contact Form: from n/a through 1.1.0.
References: https://patchstack.com/database/wordpress/plugin/advanced-angular-contact-form/vulnerability/wordpress-advanced-angular-contact-form-plugin-1-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
28. CVE-2025-23742
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Podamibe Nepal Podamibe Twilio Private Call allows Reflected XSS. This issue affects Podamibe Twilio Private Call: from n/a through 1.0.1.
References: https://patchstack.com/database/wordpress/plugin/podamibe-twilio-private-call/vulnerability/wordpress-podamibe-twilio-private-call-plugin-1-0-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
29. CVE-2025-23748
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Singsys -Awesome Gallery allows Reflected XSS. This issue affects Singsys -Awesome Gallery: from n/a through 1.0.
References: https://patchstack.com/database/wordpress/plugin/awesome-gallery-singsys/vulnerability/wordpress-singsys-awesome-gallery-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
30. CVE-2025-23750
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in devbunchuk Custom Widget Creator allows Reflected XSS. This issue affects Custom Widget Creator: from n/a through 1.0.5.
References: https://patchstack.com/database/wordpress/plugin/custom-widget-creator/vulnerability/wordpress-custom-widget-creator-plugin-1-0-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
31. CVE-2025-23751
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Think201 Data Dash allows Reflected XSS. This issue affects Data Dash: from n/a through 1.2.3.
References: https://patchstack.com/database/wordpress/plugin/data-dash/vulnerability/wordpress-data-dash-plugin-1-2-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
32. CVE-2025-23786
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DuoGeek Email to Download allows Reflected XSS. This issue affects Email to Download: from n/a through 3.1.0.
References: https://patchstack.com/database/wordpress/plugin/email-to-download/vulnerability/wordpress-email-to-download-plugin-3-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
33. CVE-2025-23787
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Easy Bet allows Reflected XSS. This issue affects Easy Bet: from n/a through 1.0.7.
References: https://patchstack.com/database/wordpress/plugin/easy-bet/vulnerability/wordpress-easy-bet-plugin-1-0-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
34. CVE-2025-23788
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Easy Filter allows Reflected XSS. This issue affects Easy Filter: from n/a through 1.10.
References: https://patchstack.com/database/wordpress/plugin/easy-filter/vulnerability/wordpress-easy-filter-plugin-1-10-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
35. CVE-2025-23789
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tahminajannat URL Shortener | Conversion Tracking | AB Testing | WooCommerce allows Reflected XSS. This issue affects URL Shortener | Conversion Tracking | AB Testing | WooCommerce: from n/a through 9.0.2.
References: https://patchstack.com/database/wordpress/plugin/easy-broken-link-checker/vulnerability/wordpress-url-shortener-woocommerce-plugin-9-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
36. CVE-2025-23790
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wassereimer Easy Code Placement allows Reflected XSS. This issue affects Easy Code Placement: from n/a through 18.11.
References: https://patchstack.com/database/wordpress/plugin/easy-code-placement/vulnerability/wordpress-easy-code-placement-plugin-18-11-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
37. CVE-2025-23851
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Coronavirus (COVID-19) Outbreak Data Widgets allows Reflected XSS. This issue affects Coronavirus (COVID-19) Outbreak Data Widgets: from n/a through 1.1.1.
References: https://patchstack.com/database/wordpress/plugin/coronavirus-data-widgets/vulnerability/wordpress-coronavirus-covid-19-outbreak-data-widgets-plugin-1-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
38. CVE-2025-23853
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in michelem NoFollow Free allows Reflected XSS. This issue affects NoFollow Free: from n/a through 1.6.3.
References: https://patchstack.com/database/wordpress/plugin/nofollow-free/vulnerability/wordpress-nofollow-free-plugin-1-6-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
39. CVE-2025-23857
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Essential WP Real Estate allows Reflected XSS. This issue affects Essential WP Real Estate: from n/a through 1.1.3.
References: https://patchstack.com/database/wordpress/plugin/essential-wp-real-estate/vulnerability/wordpress-essential-wp-real-estate-plugin-1-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
40. CVE-2025-23905
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Johannes van Poelgeest Admin Options Pages allows Reflected XSS. This issue affects Admin Options Pages: from n/a through 0.9.7.
References: https://patchstack.com/database/wordpress/plugin/admin-options-pages/vulnerability/wordpress-admin-options-pages-plugin-0-9-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
41. CVE-2025-24554
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in awcode AWcode Toolkit allows Reflected XSS. This issue affects AWcode Toolkit: from n/a through 1.0.14.
References: https://patchstack.com/database/wordpress/plugin/awcode-toolkit/vulnerability/wordpress-awcode-toolkit-plugin-1-0-14-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
42. CVE-2025-24558
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks CRM Perks allows Reflected XSS. This issue affects CRM Perks: from n/a through 1.1.5.
References: https://patchstack.com/database/wordpress/plugin/support-x/vulnerability/wordpress-crm-perks-plugin-1-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
43. CVE-2025-24564
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aviplugins.com Contact Form With Shortcode allows Reflected XSS. This issue affects Contact Form With Shortcode: from n/a through 4.2.5.
References: https://patchstack.com/database/wordpress/plugin/contact-form-with-shortcode/vulnerability/wordpress-contact-form-with-shortcode-plugin-4-2-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
44. CVE-2025-24565
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saleswonder Team Tobias WP2LEADS allows Reflected XSS. This issue affects WP2LEADS: from n/a through 3.3.3.
References: https://patchstack.com/database/wordpress/plugin/wp2leads/vulnerability/wordpress-wp2leads-plugin-3-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
45. CVE-2025-24566
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tomáš Groulík Intro Tour Tutorial DeepPresentation allows Reflected XSS. This issue affects Intro Tour Tutorial DeepPresentation: from n/a through 6.5.2.
References: https://patchstack.com/database/wordpress/plugin/dp-intro-tours/vulnerability/wordpress-intro-tour-tutorial-deeppresentation-plugin-6-5-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
46. CVE-2025-24592
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SysBasics Customize My Account for WooCommerce allows Reflected XSS. This issue affects Customize My Account for WooCommerce: from n/a through 2.8.22.
References: https://patchstack.com/database/wordpress/plugin/customize-my-account-for-woocommerce/vulnerability/wordpress-sysbasics-customize-my-account-for-woocommerce-plugin-2-8-22-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
47. CVE-2025-24614
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in agileLogix Post Timeline allows Reflected XSS. This issue affects Post Timeline: from n/a through 2.3.9.
References: https://patchstack.com/database/wordpress/plugin/post-timeline/vulnerability/wordpress-post-timeline-plugin-2-3-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
48. CVE-2025-24615
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fatcatapps Analytics Cat allows Reflected XSS. This issue affects Analytics Cat: from n/a through 1.1.2.
References: https://patchstack.com/database/wordpress/plugin/analytics-cat/vulnerability/wordpress-analytics-cat-plugin-1-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
49. CVE-2025-24616
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UIUX Lab Uix Page Builder allows Reflected XSS. This issue affects Uix Page Builder: from n/a through 1.7.3.
References: https://patchstack.com/database/wordpress/plugin/uix-page-builder/vulnerability/wordpress-uix-page-builder-plugin-1-7-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
50. CVE-2025-24617
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AcyMailing Newsletter Team AcyMailing SMTP Newsletter allows Reflected XSS. This issue affects AcyMailing SMTP Newsletter: from n/a through n/a.
References: https://patchstack.com/database/wordpress/plugin/acymailing/vulnerability/wordpress-acymailing-plugin-9-11-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
51. CVE-2025-24641
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rickonline_nl Better WishList API allows Stored XSS. This issue affects Better WishList API: from n/a through 1.1.3.
References: https://patchstack.com/database/wordpress/plugin/better-wlm-api/vulnerability/wordpress-better-wishlist-api-plugin-1-1-3-stored-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
52. CVE-2025-24688
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brandtoss WP Mailster allows Reflected XSS. This issue affects WP Mailster: from n/a through 1.8.20.0.
References: https://patchstack.com/database/wordpress/plugin/wp-mailster/vulnerability/wordpress-wp-mailster-plugin-1-8-20-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
53. CVE-2025-24692
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.2
Description: Missing Authorization vulnerability in Michael Revellin-Clerc Bulk Menu Edit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bulk Menu Edit: from n/a through 1.3.
References: https://patchstack.com/database/wordpress/plugin/bulk-menu-edit/vulnerability/wordpress-bulk-menu-edit-plugin-1-3-broken-access-control-vulnerability?_s_id=cve
CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found
54. CVE-2025-24699
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company WP Coder allows Cross-Site Scripting (XSS). This issue affects WP Coder: from n/a through 3.6.
References: https://patchstack.com/database/wordpress/plugin/wp-coder/vulnerability/wordpress-wp-coder-plugin-3-6-csrf-to-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
55. CVE-2025-24700
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xylus Themes WP Event Aggregator allows Reflected XSS. This issue affects WP Event Aggregator: from n/a through 1.8.2.
References: https://patchstack.com/database/wordpress/plugin/wp-event-aggregator/vulnerability/wordpress-wp-event-aggregator-plugin-1-8-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
56. CVE-2024-12651
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: Exposed Dangerous Method or Function vulnerability in PTT Inc. HGS Mobile App allows Manipulating User-Controlled Variables.This issue affects HGS Mobile App: before 6.5.0.
References: https://www.usom.gov.tr/bildirim/tr-25-0034
CWE-ID: CWE-749
Common Platform Enumerations (CPE): Not Found
57. CVE-2025-25745
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: D-Link DIR-853 A1 FW1.20B07 was discovered to contain a stack-based buffer overflow vulnerability via the Password parameter in the SetQuickVPNSettings module.
References: https://dear-sunshine-ba5.notion.site/D-Link-DIR-853-2-1812386a664480ea82a7f8321d967187
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
58. CVE-2024-8893
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: Use of Hard-coded Credentials vulnerability in GoodWe Technologies Co., Ltd. GW1500‑XS allows anyone in physical proximity to the device to fully access the web interface of the inverter via Wi‑Fi.This issue affects GW1500‑XS: 1.1.2.1.
References: https://os-s.net/publications/advisories/CVE-2024-8893.pdf
CWE-ID: CWE-798
Common Platform Enumerations (CPE): Not Found
59. CVE-2025-25206
Base Score: 8.3
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.5
Description: eLabFTW is an open source electronic lab notebook for research labs. Prior to version 5.1.15, an incorrect input validation could allow an authenticated user to read sensitive information, including login token or other content stored in the database. This could lead to privilege escalation if cookies are enabled (default setting). Users must upgrade to eLabFTW version 5.1.15 to receive a fix. No known workarounds are available.
References: https://github.com/elabftw/elabftw/releases/tag/5.1.15
https://github.com/elabftw/elabftw/security/advisories/GHSA-qffc-rfjh-77gg
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
60. CVE-2025-25997
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 4.7
Description: Directory Traversal vulnerability in FeMiner wms v.1.0 allows a remote attacker to obtain sensitive information via the databak.php component.
References: https://github.com/FeMiner/wms/issues/22
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
61. CVE-2025-26156
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A SQL Injection vulnerability was found in /shopping/track-orders.php in PHPGurukul Online Shopping Portal v2.1, which allows remote attackers to execute arbitrary code via orderid POST request parameter.
References: https://github.com/rtnthakur/CVE/blob/main/PHPGurukul/README.md
https://github.com/rtnthakur/CVE/blob/main/PHPGurukul/README.md
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
62. CVE-2025-25297
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.0
Description: Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio's S3 storage integration feature contains a Server-Side Request Forgery (SSRF) vulnerability in its endpoint configuration. When creating an S3 storage connection, the application allows users to specify a custom S3 endpoint URL via the s3_endpoint parameter. This endpoint URL is passed directly to the boto3 AWS SDK without proper validation or restrictions on the protocol or destination. The vulnerability allows an attacker to make the application send HTTP requests to arbitrary internal services by specifying them as the S3 endpoint. When the storage sync operation is triggered, the application attempts to make S3 API calls to the specified endpoint, effectively making HTTP requests to the target service and returning the response in error messages. This SSRF vulnerability enables attackers to bypass network segmentation and access internal services that should not be accessible from the external network. The vulnerability is particularly severe because error messages from failed requests contain the full response body, allowing data exfiltration from internal services. Version 1.16.0 contains a patch for the issue.
References: https://github.com/HumanSignal/label-studio/commit/06a2b29c1208e1878ccae66e6b84c8b24598fa79
https://github.com/HumanSignal/label-studio/security/advisories/GHSA-m238-fmcw-wh58
CWE-ID: CWE-918
Common Platform Enumerations (CPE): Not Found
63. CVE-2022-26083
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.1
Impact Score: 5.8
Description: Generation of weak initialization vector in an Intel(R) IPP Cryptography software library before version 2021.5 may allow an unauthenticated user to potentially enable information disclosure via local access.
References: https://intel.com/content/www/us/en/security-center/advisory/intel-sa-00667.html
CWE-ID: CWE-1204
Common Platform Enumerations (CPE): Not Found
64. CVE-2025-0592
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The vulnerability may allow a remote low priviledged attacker to run arbitrary shell commands by manipulating the firmware file and uploading it to the device.
References: https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF
https://sick.com/psirt
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0002.json
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0002.pdf
CWE-ID: CWE-924
Common Platform Enumerations (CPE): Not Found
65. CVE-2025-0593
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The vulnerability may allow a remote low priviledged attacker to run arbitrary shell commands by using lower-level functions to interact with the device.
References: https://cdn.sick.com/media/docs/1/11/411/Special_information_CYBERSECURITY_BY_SICK_en_IM0084411.PDF
https://sick.com/psirt
https://www.cisa.gov/resources-tools/resources/ics-recommended-practices
https://www.first.org/cvss/calculator/3.1
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0002.json
https://www.sick.com/.well-known/csaf/white/2025/sca-2025-0002.pdf
CWE-ID: CWE-77
Common Platform Enumerations (CPE): Not Found