5.3
CVE-2025-1676 - hzmanyun Education and Training System pdf2swf os command injection
A vulnerability classified as critical was found in hzmanyun Education and Training System 3.1.1. Affected by this vulnerability is the function pdf2swf of the file /pdf2swf. The manipulation of the argument file leads to os command injection. The attack can be launched remotely. The exploit has be…
6.4
CVE-2024-13695 - Enfold <= 6.0.9 - Authenticated (Subscriber+) Server-Side Request Forgery via attachment_id
The Enfold theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.9 via the 'attachment_id' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originat…
5.3
CVE-2024-13693 - Enfold <= 6.0.9 - Missing Authorization to Sensitive Information Disclosure in avia-export-class.php
The Enfold theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check in avia-export-class.php in all versions up to, and including, 6.0.9. This makes it possible for unauthenticated attackers to export all avia settings which may include sensitive informati…
4.3
CVE-2024-13494 - WordPress File Upload <= 4.25.2 - Cross-Site Request Forgery in wfu_file_details
The WordPress File Upload plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.25.2. This is due to missing or incorrect nonce validation on the 'wfu_file_details' function. This makes it possible for unauthenticated attackers to modify user data …
8.2
CVE-2025-1675 - Out of bounds read in dns_copy_qname
The function dns_copy_qname in dns_pack.c performs a memcpy operation with an untrusted field and does not check if the source buffer is large enough to contain the copied data.
8.2
CVE-2025-1674 - Out of bounds read when unpacking DNS answers
A lack of input validation allows for out of bounds reads caused by malicious or malformed packets.
8.2
CVE-2025-1673 - Out of bounds read when calling crc16_ansi and strlen in dns_validate_msg
A malicious or malformed DNS packet without a payload can cause an out-of-bounds read, resulting in a crash (denial of service) or an incorrect computation.
5.3
CVE-2025-1063 - Classified Listing – Classified ads & Business Directory Plugin <= 4.0.4 - Unauthenticated Settings…
The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.4 via the rtcl_taxonomy_settings_export function. This makes it possible for unauthenticated attackers to extract sensit…
9.8
CVE-2025-1128 - Everest Forms <= 3.0.9.4 - Unauthenticated Arbitrary File Upload, Read, and Deletion
The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the 'format' method of the EVF_Form_Fields_Upload class in all versions up…
7.5
CVE-2025-1648 - Yawave <= 2.9.1 - Unauthenticated SQL Injection
The Yawave plugin for WordPress is vulnerable to SQL Injection via the 'lbid' parameter in all versions up to, and including, 2.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated a…