7.5
CVE-2025-41724 - Sauter: Crash via Incomplete SOAP Request
An unauthenticated remote attacker can crash the wscserver by sending incomplete SOAP requests. The wscserver process will not be restarted by a watchdog and a device reboot is necessary to make it work again.
9.8
CVE-2025-41723 - Sauter: Directory Traversal in importFile SOAP Method
The importFile SOAP method is vulnerable to a directory traversal attack. An unauthenticated remote attacker can bypass the path restriction and upload files to arbitrary locations.
7.5
CVE-2025-41722 - Sauter: Hard-coded Authentication Credentials
The wsc server uses a hard-coded certificate to check the authenticity of SOAP messages. An unauthenticated remote attacker can extract private keys from the software of the affected devices.
2.7
CVE-2025-41721 - Sauter: Command Injection
A high privileged remote attacker can influence the parameters passed to the openssl command due to improper neutralization of special elements when adding a password protected self-signed certificate.
4.3
CVE-2025-41720 - Sauter: Arbitrary File Upload
A low privileged remote attacker can upload arbitrary data masked as a png file to the affected device using the webserver API because only the file extension is verified.
8.8
CVE-2025-41719 - Sauter: Improper Validation of user-controlled data
A low privileged remote attacker can corrupt the webserver users storage on the device by setting a sequence of unsupported characters which leads to deletion of all previously configured users and the creation of the default Administrator with a known default password.
4.3
CVE-2025-10570 - Flexible Refund and Return Order for WooCommerce <= 1.0.38 - Missing Authorization to Authenticated…
The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.38 via the save_refund_request() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit…
4.4
CVE-2025-12033 - Simple Banner <= 3.0.10 - Authenticated (Admin+) Stored Cross-Site Scripting
The Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pro_version_activation_code' parameter in all versions up to, and including, 3.0.10 due to insufficient in…
4.3
CVE-2025-10588 - PixelYourSite <= 11.1.2 – Cross-Site Request Forgery to GDPR Options Modification
The PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 11.1.2. This is due to missing or incorrect nonce validation on the adminEnableGdprAjax() function. This makes it possible for unauthentica…
6.5
CVE-2025-5983 - Meta Tag Manager < 3.3 - Contributor+ Open Redirect
The Meta Tag Manager WordPress plugin before 3.3 does not restrict which roles can create http-equiv refresh meta tags.