5.3
CVE-2025-12849 - Contest Gallery <= 28.0.2 - Missing Authorization
The Contest Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 28.0.2. This is due to the plugin registering the `cg_check_wp_admin_upload_v10` AJAX action for both authenticated and unauthenticated users without implementing capability checks o…
8.7
CVE-2025-13190 - D-Link DIR-816L __ajax_exporer.sgi scandir_main stack-based overflow
A vulnerability was found in D-Link DIR-816L 2_06_b09_beta. This vulnerability affects the function scandir_main of the file /portal/__ajax_exporer.sgi. The manipulation of the argument en results in stack-based buffer overflow. The attack may be performed from remote. The exploit has been made pub…
8.7
CVE-2025-13189 - D-Link DIR-816L gena.cgi genacgi_main stack-based overflow
A vulnerability has been found in D-Link DIR-816L 2_06_b09_beta. This affects the function genacgi_main of the file gena.cgi. The manipulation of the argument SERVER_ID/HTTP_SID leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed t…
4.3
CVE-2025-12494 - Image Gallery – Photo Grid & Video Gallery <= 2.12.28 - Improper Authorization to Authenticated (Au…
The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajax_import_file function in all versions up to, and including, 2.12.28. This makes it possible for authenticated attackers, with author-level…
6.5
CVE-2025-8994 - WP Project Manager <= 2.6.26 - Authenticated (Subscriber+) SQL Injection via 'completed_at_operator'
The Project Management, Team Collaboration, Kanban Board, Gantt Charts, Task Manager and More – WP Project Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘completed_at_operator’ parameter in all versions up to, and including, 2.6.26 due to insufficient escaping on th…
4.3
CVE-2025-12847 - All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic <= 4.8.9 - Missing Au…
The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion due to a missing authorization check in all versions up to, and including, 4.8.9. This is due to the REST API endpoint `/wp-json/a…
4.3
CVE-2025-12182 - Qi Blocks <= 1.4.3 - Missing Authorization to Arbitrary Attachment Resize
The Qi Blocks plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the `resize_image_callback()` function in all versions up to, and including, 1.4.3. This is due to the plugin not properly verifying that a user has permission to resize a specific attachmen…
7.2
CVE-2025-8386 - AVEVA Application Server IDE Basic Cross-site Scripting
The vulnerability, if exploited, could allow an authenticated miscreant (with privilege of "aaConfigTools") to tamper with App Objects' help files and persist a cross-site scripting (XSS) injection that when executed by a victim user, can result in horizontal or vertical escalation of privilege…
8.3
CVE-2025-9317 - AVEVA Edge Use of a Broken or Risky Cryptographic Algorithm
The vulnerability, if exploited, could allow a miscreant with read access to Edge Project files or Edge Offline Cache files to reverse engineer Edge users' app-native or Active Directory passwords through computational brute-forcing of weak hashes.
8.2
CVE-2025-64309 - Brightpick Mission Control / Internal Logic Control Unprotected Transport of Credentials
Brightpick Mission Control discloses device telemetry, configuration, and credential information via WebSocket traffic to unauthenticated users when they connect to a specific URL. The unauthenticated URL can be discovered through basic network scanning techniques.