In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between October 11-12, 2025.
During this period, the National Vulnerability Database published 76 new Common Vulnerabilities and Exposures (CVEs), classified by CVSS base severity as follows:
Critical: 5
High: 4
Medium: 61
Low: 6
Severity Not Assigned: 0
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2025-31717
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: In modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed.
References: https://www.unisoc.com/en/support/announcement/1976557615080263681
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
2. CVE-2025-31718
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: In modem, there is a possible system crash due to improper input validation. This could lead to remote escalation of privilege with no additional execution privileges needed.
References: https://www.unisoc.com/en/support/announcement/1976557615080263681
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
3. CVE-2025-11533
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The WP Freeio plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.21. This is due to the process_register() function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.
References: https://themeforest.net/item/freeio-freelance-marketplace-wordpress-theme/42045416
https://www.wordfence.com/threat-intel/vulnerabilities/id/0db85f84-04e9-42eb-a16b-96554fbfd186?source=cve
CWE-ID: CWE-269
Common Platform Enumerations (CPE): Not Found
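The flaw above is a role-injection pattern: a registration handler that lets the client choose its own role. The PHP below is an added illustration, not WP Freeio's code; the function names, the account-type values and the role map are hypothetical, and it assumes a WordPress runtime (wp_insert_user(), get_role(), the sanitize_* helpers).

```php
<?php
// Added illustration for CVE-2025-11533 (CWE-269). Not WP Freeio's code: function
// names, the "buyer"/"seller" account types and the role map are hypothetical.
// Requires WordPress.

// VULNERABLE PATTERN: the role comes straight from the POST body, so an
// unauthenticated request with role=administrator creates an admin account.
function example_register_vulnerable() {
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => sanitize_key( $_POST['role'] ?? 'subscriber' ), // attacker-controlled
    );
    return wp_insert_user( $userdata );
}

// HARDENED PATTERN: the role is chosen server-side from an allow-list keyed by
// the account type the form offers; anything unknown falls back to the site's
// default role, and privileged roles are unreachable from this path.
function example_register_hardened() {
    // Hypothetical mapping: every public account type maps to a low-privilege role.
    $allowed_roles = array(
        'buyer'  => 'subscriber',
        'seller' => 'subscriber',
    );
    $account_type = sanitize_key( $_POST['account_type'] ?? '' );
    $role = $allowed_roles[ $account_type ] ?? get_option( 'default_role', 'subscriber' );

    // Defense in depth: refuse any role that carries administrative capabilities,
    // even if someone later adds one to the map above by mistake.
    $role_obj = get_role( $role );
    if ( ! $role_obj || $role_obj->has_cap( 'manage_options' ) || $role_obj->has_cap( 'edit_users' ) ) {
        return new WP_Error( 'invalid_role', 'Registration with this role is not permitted.' );
    }

    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => $role,
    );
    return wp_insert_user( $userdata );
}
```

wp_insert_user() assigns whatever valid role it is handed, so the allow-list has to live in the plugin; the get_role()->has_cap() guard catches a future edit that puts a privileged role into the map. To check whether a site was already hit, list administrators and compare against the expected set, for example with wp user list --role=administrator --fields=ID,user_login,user_email,user_registered, paying attention to accounts registered while the vulnerable version was installed.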
4. CVE-2025-58287
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: Use After Free (UAF) vulnerability in the office service. Successful exploitation of this vulnerability may affect service confidentiality.
References: https://consumer.huawei.com/en/support/bulletin/2025/10/
CWE-ID: CWE-275
Common Platform Enumerations (CPE): Not Found
5. CVE-2025-58298
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 4.7
Description: Data processing error vulnerability in the package management module. Successful exploitation of this vulnerability may affect availability.
References: https://consumer.huawei.com/en/support/bulletin/2025/10/
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
6. CVE-2025-58299
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.9
Description: Use After Free (UAF) vulnerability in the storage management module. Successful exploitation of this vulnerability may affect availability.
References: https://consumer.huawei.com/en/support/bulletin/2025/10/
CWE-ID: CWE-416
Common Platform Enumerations (CPE): Not Found
7. CVE-2025-6553
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Ovatheme Events Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the process_checkout() function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
References: https://themeforest.net/item/em4u-event-management-multipurpose-wordpress-theme/20846579
https://themeforest.net/item/em4u-event-management-multipurpose-wordpress-theme/20846579#item-description__change_log
https://www.wordfence.com/threat-intel/vulnerabilities/id/808392a9-dbac-4896-8677-6ddc1213d80d?source=cve
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
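The upload flaw above is the classic CWE-434 shape: a file written into a web-served directory with no type or name control. The PHP below is an added illustration, not Ovatheme's code; the function names and the "event-attachments" directory are hypothetical, and it assumes a WordPress runtime where $file is one entry of $_FILES.

```php
<?php
// Added illustration for CVE-2025-6553 (CWE-434). Not Ovatheme's code: the
// function names and the "event-attachments" directory are hypothetical.
// Requires WordPress; $file is one entry of $_FILES.

// VULNERABLE PATTERN: the file is written under the uploads tree using the
// client-supplied name, so "shell.php" lands in a web-served directory.
function example_save_attachment_vulnerable( array $file ) {
    $dest = wp_upload_dir()['basedir'] . '/event-attachments/' . $file['name'];
    move_uploaded_file( $file['tmp_name'], $dest );
    return $dest;
}

// HARDENED PATTERN: delegate to wp_handle_upload() with an explicit MIME
// allow-list. Core checks the extension against that list and, where it can,
// sniffs the content through wp_check_filetype_and_ext(); the stored name is
// generated server-side so nothing the client sent reaches disk.
function example_save_attachment_hardened( array $file ) {
    if ( ! function_exists( 'wp_handle_upload' ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }

    $allowed_mimes = array(            // only what a ticket attachment needs
        'pdf'      => 'application/pdf',
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );

    $overrides = array(
        'test_form' => false,          // not a wp-admin form post
        'mimes'     => $allowed_mimes, // replaces the site-wide list for this call
        'unique_filename_callback' => function ( $dir, $name, $ext ) {
            return wp_generate_uuid4() . strtolower( $ext ); // $ext includes the dot
        },
    );

    $result = wp_handle_upload( $file, $overrides );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_rejected', $result['error'] );
    }
    return $result['file'];            // absolute path of the stored file
}
```

Independently of the plugin fix, the web server should refuse to execute scripts under wp-content/uploads (for nginx, a location block matching ^/wp-content/uploads/.*\.php$ with deny all; for Apache, a .htaccess in uploads that disables the PHP handler), so a bypass of the type check yields a stored file rather than code execution.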
8. CVE-2025-6439
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This makes it possible for unauthenticated attackers to delete all files in an arbitrary directory on the server, which can lead to remote code execution, data loss, or site unavailability.
References: https://codecanyon.net/item/woocommerce-designer-pro-cmyk-card-flyer/22027731
https://www.wordfence.com/threat-intel/vulnerabilities/id/407a0bc3-2775-4a34-9817-924bf94a4f94?source=cve
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
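The deletion flaw above combines two defects: a path built from request input (CWE-22) and an AJAX action reachable without authentication. The PHP below is an added illustration, not WooCommerce Designer Pro's code; the handler names, request parameters, the "designs" directory and the "<user_id>-<token>" naming convention are hypothetical, and it assumes a WordPress runtime.

```php
<?php
// Added illustration for CVE-2025-6439 (CWE-22). Not WooCommerce Designer Pro's
// code: handler names, the request parameters, the "designs" directory and the
// "<user_id>-<token>" naming convention are all hypothetical. Requires WordPress.

// VULNERABLE PATTERN: the directory to clear is built from request input and the
// action is hooked for unauthenticated callers, so "../../.." walks anywhere.
function example_clear_design_vulnerable() {
    $dir = wp_upload_dir()['basedir'] . '/designs/' . $_POST['design_dir'];
    foreach ( glob( $dir . '/*' ) as $path ) {
        unlink( $path );
    }
    wp_send_json_success();
}
// add_action( 'wp_ajax_nopriv_example_clear_design', 'example_clear_design_vulnerable' );

// Resolve a user-supplied relative path and confirm it stays inside $base.
// Returns the canonical absolute path, or null if it escapes or does not exist.
function example_confine_path( string $base, string $untrusted ) : ?string {
    if ( false !== strpos( $untrusted, "\0" ) ) {
        return null;                                   // embedded null byte
    }
    $base_real = realpath( $base );
    $target    = realpath( $base . DIRECTORY_SEPARATOR . $untrusted );
    if ( false === $base_real || false === $target ) {
        return null;                                   // nonexistent: nothing to touch
    }
    // The separator is part of the prefix so "/designs-old" cannot pass for "/designs",
    // and $base itself is refused (the caller may only act on a subdirectory).
    if ( 0 !== strpos( $target, $base_real . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $target;
}

// Hypothetical ownership rule: a design directory is named "<user_id>-<token>".
function example_user_owns_design( int $user_id, string $design_id ) : bool {
    return $user_id > 0 && 0 === strpos( $design_id, $user_id . '-' );
}

// HARDENED PATTERN: nonce, authentication, ownership check, an opaque identifier
// instead of a path, confinement to the designs tree, and only regular files removed.
function example_clear_design_hardened() {
    check_ajax_referer( 'example_clear_design', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }

    $design_id = sanitize_key( wp_unslash( $_POST['design_id'] ?? '' ) );
    if ( '' === $design_id || ! example_user_owns_design( get_current_user_id(), $design_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // sanitize_key() already strips "/" and "."; the confinement check is the
    // second, independent control in case the identifier format changes later.
    $base = wp_upload_dir()['basedir'] . '/designs';
    $dir  = example_confine_path( $base, $design_id );
    if ( null === $dir || ! is_dir( $dir ) ) {
        wp_send_json_error( 'not found', 404 );
    }
    foreach ( glob( $dir . '/*' ) ?: array() as $path ) {
        if ( is_file( $path ) && ! is_link( $path ) ) {
            wp_delete_file( $path );
        }
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_clear_design', 'example_clear_design_hardened' );
```

realpath() resolves symlinks before the prefix test, so a link planted inside the designs tree that points at wp-config.php is caught as well; the is_link() test on each entry is a second guard for the same trick at file level. Dropping the wp_ajax_nopriv_ registration matters on its own: an action that deletes anything has no business being reachable without a session.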
9. CVE-2025-8593
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The GSheetConnector For Gravity Forms plugin for WordPress is vulnerable to authorization bypass in versions less than, or equal to, 1.3.27. This is due to a missing capability check on the 'install_plugin' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to install plugins on the target site and potentially achieve arbitrary code execution on the server under certain conditions.
References: https://plugins.trac.wordpress.org/browser/gsheetconnector-gravity-forms/tags/1.3.23/includes/class-gravityform-gs-service.php#L128
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3354113%40gsheetconnector-gravity-forms&new=3354113%40gsheetconnector-gravity-forms&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/c7266ce6-2853-4c5d-9e36-8c5b7418b072?source=cve
CWE-ID: CWE-862
Common Platform Enumerations (CPE): Not Found
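The missing capability check above is the CWE-862 pattern in WordPress AJAX handlers: a wp_ajax_* action fires for any logged-in user, so "authenticated" is not "authorized". The PHP below is an added illustration, not GSheetConnector's code; the handler names, the nonce action and the allow-listed slug are hypothetical, and it assumes a WordPress runtime where core's Plugin_Upgrader performs the actual install.

```php
<?php
// Added illustration for CVE-2025-8593 (CWE-862). Not GSheetConnector's code:
// handler names, the nonce action and the allow-listed slug are hypothetical.
// Requires WordPress (core's Plugin_Upgrader is used for the actual install).

// VULNERABLE PATTERN: being logged in is the only gate. wp_ajax_* hooks fire for
// every authenticated user, so a subscriber can reach this handler.
function example_install_plugin_vulnerable() {
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    example_do_install( $slug );
    wp_send_json_success();
}
// add_action( 'wp_ajax_example_install_plugin', 'example_install_plugin_vulnerable' );

// HARDENED PATTERN: CSRF nonce, the capability WordPress itself requires for this
// operation, and an allow-list of slugs the integration may pull.
function example_install_plugin_hardened() {
    check_ajax_referer( 'example_install_plugin', 'nonce' );

    // is_user_logged_in() is not authorization; ask for the exact capability.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $slug    = sanitize_key( $_POST['slug'] ?? '' );
    $allowed = array( 'example-dependency' );   // hypothetical: only the add-on's own dependency
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( 'unexpected plugin slug', 400 );
    }

    $result = example_do_install( $slug );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_install_plugin', 'example_install_plugin_hardened' );

// Install from the wordpress.org directory through core's upgrader, the same
// code path wp-admin uses, so the package is fetched and unpacked by WordPress.
function example_do_install( string $slug ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug, 'fields' => array( 'sections' => false ) ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    return $upgrader->install( $api->download_link );
}
```

current_user_can( 'install_plugins' ) is the same capability wp-admin checks before showing the installer, so the handler is no more permissive than the UI it mirrors; on multisite that capability is held only by super admins, which is the right default for an integration that can pull arbitrary code onto the server. To confirm the fixed version is in place across a fleet, wp plugin list --fields=name,version,update_version shows installed and available versions.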