8.8
CVE-2025-55345 - Unsafe symlink following in restricted workspace-write sandbox leads to RCE
Using Codex CLI in workspace-write mode inside a malicious context (repo, directory, etc) could lead to arbitrary file overwrite and potentially remote code execution due to symlinks being followed outside the allowed current working directory.
8.8
CVE-2025-6184 - Tutor LMS Pro β eLearning and online course solution <= 3.7.0 - Authenticated (Tutor Instructor+) Sβ¦
The Tutor LMS Pro β eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the βorderβ parameter used in the get_submitted_assignments() function in all versions up to, and including, 3.7.0 due to insufficient escaping on the user supplied parameter β¦
8.7
CVE-2025-8761 - INSTAR 2K+/4K Backend IPC Server denial of service
A vulnerability has been found in INSTAR 2K+ and 4K 3.11.1 Build 1124. This vulnerability affects unknown code of the component Backend IPC Server. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
7
CVE-2025-8762 - INSTAR 2K+/4K UART improper physical access control
A vulnerability was found in INSTAR 2K+ and 4K 3.11.1 Build 1124. This issue affects some unknown processing of the component UART Interface. The manipulation leads to improper physical access control. It is possible to launch the attack on the physical device. The exploit has been disclosed to theβ¦
9.3
CVE-2025-8760 - INSTAR 2K+/4K fcgi_server base64_decode buffer overflow
A vulnerability was identified in INSTAR 2K+ and 4K 3.11.1 Build 1124. This affects the function base64_decode of the component fcgi_server. The manipulation of the argument Authorization leads to buffer overflow. It is possible to initiate the attack remotely.
9.8
CVE-2025-6715 - Latepoint < 5.1.94 - Unauthenticated LFI
The LatePoint WordPress plugin before 5.1.94 is vulnerable to Local File Inclusion via the layout parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
9.8
CVE-2025-7384 - Database for Contact Form 7, WPforms, Elementor forms <= 1.4.3 - Unauthenticated PHP Object Injectiβ¦
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input in the get_lead_detail function. This makes it possible for unauthenticated attackers to inject a Pβ¦
6.5
CVE-2025-0818 - Multiple elFinder Plugins <= (Various Versions) - Directory Traversal to Arbitrary File Deletion
Several WordPress plugins using elFinder versions 2.1.64 and prior are vulnerable to Directory Traversal in various versions. This makes it possible for unauthenticated attackers to delete arbitrary files. Successful exploitation of this vulnerability requires a site owner to explicitly make an insβ¦
4.3
CVE-2025-8491 - Easy restaurant menu manager <= 2.0.2 - Cross-Site Request Forgery to Menu Upload
The Easy restaurant menu manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the nsc_eprm_save_menu() function. This makes it possible for unauthenticated attackers to upload a β¦
4.3
CVE-2025-8891 - OceanWP <= 4.0.9 - 4.1.1 - Cross-Site Request Forgery to Ocean Extra Plugin Installation
The OceanWP theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.0.9 to 4.1.1. This is due to missing or incorrect nonce validation on the oceanwp_notice_button_click() function. This makes it possible for unauthenticated attackers to install the Ocean Extra plugin via a foβ¦