The Consensus Security Vulnerability Alert

ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Partial ZIP File Downloads

Published: 2025-01-20.

Last Updated: 2025-01-20 07:27:48 UTC

by Didier Stevens (Version: 1)

Say you want a file that is inside a huge online ZIP file (several gigabytes large). Downloading the complete ZIP file would take too long.

If the HTTP server supports the range header, you can do the following:

We will work with my DidierStevensSuite.zip file as an example (it's 13MB in size, not several GBs, but the principle remains te same).

First, with a HEAD HTTP request, we figure out the ZIP file size ...

The size of the ZIP file is 13189336 bytes.

The end of a ZIP file contains a series of DIR records that compose the directory of files (and directories) contained inside the ZIP file. This directory is usually small, compared to the file size, so we will do a partial download starting at position 13000000.

This can be done with the curl range option: this will add a header that specifies the range we want to download ...

Next we use my zipdump.py tool to parse the ZIP records (-f l) inside the partial ZIP download like this ...

Read the full entry: https://isc.sans.edu/diary/Partial+ZIP+File+Downloads/31608/

Geolocation and Starlink

Published: 2025-01-21.

Last Updated: 2025-01-21 15:40:20 UTC

by Johannes Ullrich (Version: 1)

Until now, satellite internet access has been more of a niche solution for internet access. But with the wide availability of Starlink, this is changing. Starlink's performance and price are competitive for many rural users to forgo solutions like cellular or slower DSL speeds if they are available at all.

Starlink offers a substantially different type of service from most "traditional" satellite networks. Traditional satellite networks use a small number of satellites in high orbits, connecting to a handful of ground stations. The ground station issues the IP address, and each ground station may cover a large geographic area, often exceeding individual countries. The IP address of a satellite user identifies the ground station location, not the user's location. Starlink, on the other hand, uses satellites in low earth orbit. The network can forward traffic among satellites, but typically, the satellite will attempt to pass the traffic to the closest base station in view. Due to the low orbit, each satellite only "sees" a relatively small area, and the ground station is usually within a couple hundred miles of the user.

It appears that Starlink is using AS 14593 and 27277. The first one is the one that is used for customer traffic. The second one seems to be used for the internal corporate network.

AS 14593 advertises 696 different prefixes [HE]. Most are small (/23 and /24). This is typical for a newer company like SpaceX that had to "cobble together" IP address space and couldn't get a large allocation. Starlink does not offer a publicly routable address to customers for regular consumer plans. Instead, it uses "carrier-grade NAT". The customer will receive a 100.64.0.0/10 address per RFC 6598 [CGNAT]. By default, the Starlink router will issue 192.168/16 addresses to the user's equipment unless the router is configured in bridge mode (or bypass mode).

The CGNAT address is later translated to a publicly routable address at the ground station. Starlink does support PTR records for its customer IPs and uses the following hostname scheme:

customer.[ground station identifier].pop.starlinkisp.net

Forward resolution for these hostnames does not work. This is likely configured to avoid issues with customers attempting to run mail servers. The "ground stations identifier" appears to follow the following format:

4 digits: City identifier

3 digits: Region (Country or the State, followed by 'X', for US-based ground stations)

1 digit: number

For example ...

Read the full entry: https://isc.sans.edu/diary/Geolocation+and+Starlink/31612/

Zero Trust and Entra ID Conditional Access (2025.01.19)

https://isc.sans.edu/diary/Zero+Trust+and+Entra+ID+Conditional+Access/31602/

New tool: immutable.py (2025.01.18)

https://isc.sans.edu/diary/New+tool+immutablepy/31598/

Leveraging Honeypot Data for Offensive Security Operations [Guest Diary] (2025.01.17)

https://isc.sans.edu/diary/Leveraging+Honeypot+Data+for+Offensive+Security+Operations+Guest+Diary/31596/

Extracting Practical Observations from Impractical Datasets (2025.01.16)

https://isc.sans.edu/diary/Extracting+Practical+Observations+from+Impractical+Datasets/31582/

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

Product: Fortinet FortiProxy

CVSS Score: 9.8

** KEV since 2025-01-14 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-55591

ISC Podcast: https://isc.sans.edu/podcastdetail/9280

NVD References: https://fortiguard.fortinet.com/psirt/FG-IR-24-535

Product: Fortinet FortiSwitch

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-37936

NVD References: https://fortiguard.com/psirt/FG-IR-23-260

Product: Fortinet FortiSOAR

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-47572

NVD References: https://fortiguard.fortinet.com/psirt/FG-IR-24-210

Product: Fortinet FortiOS

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48886

NVD References: https://fortiguard.fortinet.com/psirt/FG-IR-24-221

Product: Cs-Grp Neo Impact

CVSS Score: 8.2

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7344

ISC Podcast: https://isc.sans.edu/podcastdetail/9286

NVD References:

- https://uefi.org/revocationlistfile

- https://uefi.org/specs/UEFI/2.10/03_Boot_Manager.html

- https://uefi.org/specs/UEFI/2.10/32_Secure_Boot_and_Driver_Signing.html

- https://www.eset.com/blog/enterprise/preparing-for-uefi-bootkits-eset-discovery-shows-the-importance-of-cyber-intelligence/

- https://www.kb.cert.org/vuls/id/529659

- https://www.kb.cert.org/vuls/id/529659

- https://www.welivesecurity.com/en/eset-research/under-cloak-uefi-secure-boot-introducing-cve-2024-7344/

Product: Microsoft Windows 10 21H2CVSS Score: 7.8** KEV since 2025-01-14 **NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21333NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21334NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21335NVD References: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21333- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21334- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21335CVE-2024-12919 - The Paid Membership Subscriptions plugin for WordPress up to version 2.13.7 is vulnerable to Authentication Bypass, allowing unauthenticated attackers with knowledge of a valid payment ID to log in as any user who has made a purchase on the targeted site.Product: WordPress Paid Membership SubscriptionsActive Installations: 10,000+CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-12919NVD References: - https://plugins.trac.wordpress.org/changeset/3214706/paid-member-subscriptions- https://www.wordfence.com/threat-intel/vulnerabilities/id/d3a4fa4d-a7d2-4890-b0f5-5fe69bc5e7ac?source=cveCVE-2025-20055 - STEALTHONE D220/D340 network storage servers provided by Y'S corporation are vulnerable to OS command injection, allowing attackers to execute arbitrary commands.Product: Y'S corporation STEALTHONE D220/D340CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20055NVD References: - https://jvn.jp/en/vu/JVNVU99653331/- https://stealthone.net/product_info/d220-d340%e3%80%8cv6-03-03%e3%80%8d%e5%8f%8a%e3%81%b3d440%e3%80%8cv7-00-11%e3%80%8d%e3%83%95%e3%82%a1%e3%83%bc%e3%83%a0%e3%82%a6%e3%82%a7%e3%82%a2%e3%82%92%e3%83%aa%e3%83%aa%e3%83%bc%e3%82%b9%e8%87%b4/CVE-2024-21797, CVE-2024-36295, CVE-2024-39370, CVE-2024-39604, CVE-2024-39784, CVE-2024-39785 - Wavlink AC3000 M33A8.V5030.210505 multiple command execution vulnerabilitiesProduct: Wavlink AC3000CVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21797NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36295NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39370NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39604NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39784NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39785NVD References: - https://talosintelligence.com/vulnerability_reports/TALOS-2024-2028- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2047- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2031- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2038- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2058CVE-2024-34166, CVE-2024-34544, CVE-2024-37186, CVE-2024-39360, CVE-2024-39367, CVE-2024-39759 through CVE-2024-39765, CVE-2024-39781 through CVE-2024-39783 - Wavlink AC3000 M33A8.V5030.210505. is vulnerable to an os command injection flaw in touchlist_sync.cgi, allowing for arbitrary code execution via specially crafted HTTP requests.Product: Wavlink AC3000CVSS Score: 10.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-34166NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-34544NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37186NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39360NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39367NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39759NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39760NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39761NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39762NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39763NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39764NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39765NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39781NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39782NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39783NVD References: - https://talosintelligence.com/vulnerability_reports/TALOS-2024-2000- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2044- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2032- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2054- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2023- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2018- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2020- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2033CVE-2024-36258, CVE-2024-36272, CVE-2024-36290, CVE-2024-36493, CVE-2024-37184, CVE-2024-37357, CVE-2024-39288, CVE-2024-39294, CVE-2024-39299, CVE-2024-39357 through CVE-2024-39359, CVE-2024-39603, CVE-2024-39756, CVE-2024-39757, CVE-2024-39768 through CVE-2024-39770, CVE-2024-39774, CVE-2024-39801 through CVE-2024-39803 - Wavlink AC3000 M33A8.V5030.210505.0 buffer overflow vulnerabilitiesProduct: Wavlink AC3000CVSS Score: 10.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36258NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36272NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36290NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36493NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37184NVD: https://nvd.nist.gov/vuln/detail/CV…

Product: WordPress Paid Membership Subscriptions

Active Installations: 10,000+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-12919

NVD References:

- https://plugins.trac.wordpress.org/changeset/3214706/paid-member-subscriptions

- https://www.wordfence.com/threat-intel/vulnerabilities/id/d3a4fa4d-a7d2-4890-b0f5-5fe69bc5e7ac?source=cve

Product: Y'S corporation STEALTHONE D220/D340

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20055

NVD References:

- https://jvn.jp/en/vu/JVNVU99653331/

- https://stealthone.net/product_info/d220-d340%e3%80%8cv6-03-03%e3%80%8d%e5%8f%8a%e3%81%b3d440%e3%80%8cv7-00-11%e3%80%8d%e3%83%95%e3%82%a1%e3%83%bc%e3%83%a0%e3%82%a6%e3%82%a7%e3%82%a2%e3%82%92%e3%83%aa%e3%83%aa%e3%83%bc%e3%82%b9%e8%87%b4/

Product: Wavlink AC3000

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-21797

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36295

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39370

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39604

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39784

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39785

NVD References:

- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2028

- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2047

- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2031

- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2038

- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2058

Product: Wavlink AC3000CVSS Score: 10.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-34166NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-34544NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37186NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39360NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39367NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39759NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39760NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39761NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39762NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39763NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39764NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39765NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39781NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39782NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39783NVD References: - https://talosintelligence.com/vulnerability_reports/TALOS-2024-2000- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2044- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2032- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2054- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2023- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2018- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2020- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2033CVE-2024-36258, CVE-2024-36272, CVE-2024-36290, CVE-2024-36493, CVE-2024-37184, CVE-2024-37357, CVE-2024-39288, CVE-2024-39294, CVE-2024-39299, CVE-2024-39357 through CVE-2024-39359, CVE-2024-39603, CVE-2024-39756, CVE-2024-39757, CVE-2024-39768 through CVE-2024-39770, CVE-2024-39774, CVE-2024-39801 through CVE-2024-39803 - Wavlink AC3000 M33A8.V5030.210505.0 buffer overflow vulnerabilitiesProduct: Wavlink AC3000CVSS Score: 10.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36258NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36272NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36290NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36493NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37184NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-37357NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39288NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39294NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39299NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39357NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39358NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39359NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39603NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39756NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39757NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39768NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39769NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39770NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39774NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39801NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39802NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39803NVD References: - https://talosintelligence.com/vulnerability_reports/TALOS-2024-2046- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2045- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2019- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2041- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2025- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2029- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2021- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2026- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2048- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2039- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2027- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2040- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2042- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2024- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2043- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2022- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2030- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2049CVE-2024-38666, CVE-2024-39280, CVE-2024-39602, CVE-2024-39788 through CVE-2024-39790, CVE-2024-39793 through CVE-2024-39795, CVE-2024-39798 through CVE-2024-39800 - Wavlink AC3000 M33A8.V5030.210505 has external config control vulnerabilitiesProduct: Wavlink AC3000 M33A8CVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38666NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39280NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39602NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39788NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39789NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39790NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39793NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39794NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39795NVD: https://nvd.nist.g…

Product: Wavlink AC3000 M33A8

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38666

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39280

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39602

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39788

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39789

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39790

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39793

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39794

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39795

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39798

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39799

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39800

NVD References:

- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2051

- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2055

- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2052

- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2056

- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2056

- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2056

- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2053

- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2050

Product: Wavlink AC3000

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39273

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39608

NVD References:

- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2037

- https://talosintelligence.com/vulnerability_reports/TALOS-2024-2036

Product: Wavlink AC3000

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39363

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2024-2017

Product: Wavlink AC3000 M33A8

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39754

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2024-2034

Product: Wavlink AC3000

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39786

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39787

NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2024-2057

Product: Ivanti EPM

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-10811

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13159

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13160

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13161

NVD References: https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6

Product: Microsoft Windows

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21298

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21298

Product: Windows Reliable Multicast Transport Driver

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21307

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21307

Product: Microsoft Windows NTLM

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21311

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21311

Product: XWiki Platform

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-23025

NVD References:

- https://extensions.xwiki.org/xwiki/bin/view/Extension/CKEditor+Integration#HAdministrationSection

- https://extensions.xwiki.org/xwiki/bin/view/Extension/Realtime%20WYSIWYG%20Editor

- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rmm7-r7wr-xpfg

- https://jira.xwiki.org/browse/XWIKI-21949

Product: Blackberry QNX Software Development Platform

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48856

NVD References: https://support.blackberry.com/pkb/s/article/140334

Product: Rasa Open source machine learning framework

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49375

NVD References: https://github.com/RasaHQ/rasa-pro-security-advisories/security/advisories/GHSA-cpv4-ggrr-7j9v

Product: H3C N12 V100R005

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57479

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57480

NVD References:

- http://h3c.com

- https://gist.github.com/XiaoCurry/c7214be67a44a4a8858c5138ecd05984

- https://gist.github.com/XiaoCurry/16213a4d68f95f17cd0fc2cd07e78a90

Product: Discourse AI

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54142

NVD References:

- https://github.com/discourse/discourse-ai/commit/92f122c54d9d7ead9223a056270bff5b4c42c73f

- https://github.com/discourse/discourse-ai/security/advisories/GHSA-94c2-qr2h-88jv

Product: H3C N12

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57473

NVD References:

- http://h3c.com

- https://gist.github.com/XiaoCurry/85ae28b7437d24d9c531c970612d3bd8

Product: Mongoose

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-23061

NVD References:

- https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md

- https://github.com/Automattic/mongoose/commit/64a9f9706f2428c49e0cfb8e223065acc645f7bc

- https://github.com/Automattic/mongoose/releases/tag/8.9.5

- https://www.npmjs.com/package/mongoose?activeTab=versions

Product: The Post Grid Gutenberg Blocks plugin

Active Installations: 40,000+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-9636

NVD References:

- https://plugins.trac.wordpress.org/browser/post-grid/tags/2.2.93/includes/blocks/form-wrap/functions.php#L3200

- https://plugins.trac.wordpress.org/changeset/3117675/post-grid/trunk/includes/blocks/form-wrap/functions.php

- https://plugins.trac.wordpress.org/changeset/3221012/post-grid/trunk/includes/blocks/form-wrap/functions.php

- https://www.wordfence.com/threat-intel/vulnerabilities/id/1bbe01b8-24ed-4e1e-bafc-0f4dea96c1f3?source=cve

Product: Rsync CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-12084NVD References: - https://access.redhat.com/security/cve/CVE-2024-12084- https://bugzilla.redhat.com/show_bug.cgi?id=2330527- https://kb.cert.org/vuls/id/952657- http://www.openwall.com/lists/oss-security/2025/01/14/6CVE-2025-22968 - D-Link DWR-M972V 1.05SSG is vulnerable to remote code execution via SSH with root privileges.Product: D-Link DWR-M972VCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22968NVD References: - https://github.com/CRUNZEX/CVE-2025-22968- https://github.com/CRUNZEX/CVE-DLINK-LTE- https://www.dlink.com/en/security-bulletin/CVE-2024-57011 through CVE-2024-57022 - TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain multiple OS command injection vulnerabilitiesProduct: TOTOLINK X5000RCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57011NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57012NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57013NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57014NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57015NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57016NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57017NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57018NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57019NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57020NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57021NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57022NVD References: - https://github.com/tiger5671/Vulnerabilities/blob/main/TOTOLINK%20X5000R/setScheduleCfg/setScheduleCfg.md- https://www.totolink.net/CVE-2024-44136 - iOS and iPadOS versions prior to 17.5 are vulnerable to a flaw allowing attackers with physical access to disable Stolen Device Protection.Product: Apple iOSCVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44136NVD References: https://support.apple.com/en-us/120905CVE-2025-22146 - Sentry's SAML SSO implementation contains a critical vulnerability that could allow an attacker to take over any user account on the same instance with a malicious SAML Identity Provider and knowledge of the victim's email address.Product: Sentry SAML SSO implementationCVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22146NVD References: - https://github.com/getsentry/sentry/pull/83407- https://github.com/getsentry/sentry/security/advisories/GHSA-7pq6-v88g-wf3wCVE-2024-48126 - HI-SCAN 6040i Hitrax HX-03-19-I was discovered to contain hardcoded credentials for access to vendor support and service access.Product: Hitrax HI-SCAN 6040iCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48126NVD References: https://kth.diva-portal.org/smash/get/diva2:1876534/FULLTEXT01.pdfCVE-2025-0455 - The airPASS from NetVision Information is vulnerable to SQL Injection, enabling remote attackers to manipulate database information.Product: NetVision Information airPASSCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-0455NVD References: - https://www.twcert.org.tw/en/cp-139-8358-143bc-2.html- https://www.twcert.org.tw/tw/cp-132-8357-28308-1.htmlCVE-2025-0456 - The airPASS from NetVision Information has a Missing Authentication vulnerability that allows unauthenticated remote attackers to access specific administrative functionality and retrieve all accounts and passwords.Product: NetVision Information airPASSCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-0456NVD References: - https://www.twcert.org.tw/en/cp-139-8360-e97b8-2.html- https://www.twcert.org.tw/tw/cp-132-8359-53aa7-1.htmlCVE-2025-22904, CVE-2025-22907, CVE-2025-22913, CVE-2025-22916 - RE11S v1.11 was discovered to contain stack overflow vulnerabilitiesProduct: RE11S v1.11CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22904NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22907NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22913NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22916NVD References: - http://re11s.com- https://github.com/xyqer1/RE11S_1.11-setWAN-3-StackOverflow- https://github.com/xyqer1/RE11S_1.11-formWlSiteSurvey-StackOverflow- https://github.com/xyqer1/RE11S_1.11-formStaDrvSetup-StackOverflow- https://github.com/xyqer1/RE11S_1.11-formPPPoESetup-StackOverflow- https://www.edimax.com/edimax/global/CVE-2025-22905, CVE-2025-22906, CVE-2025-22912 - RE11S v1.11 was discovered to contain command injection vulnerabilitiesProduct: RE11S v1.11CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22905NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22906NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22912NVD References: - http://re11s.com- https://github.com/xyqer1/RE11S_1.11-mp-CommandInjection- https://github.com/xyqer1/RE11S_1.11-setWAN-CommandInjection- https://github.com/xyqer1/RE11S_1.11-formAccept-CommandInjection- https://www.edimax.com/edimax/global/CVE-2025-0471 - PMB platform is vulnerable to unrestricted file uploading, allowing attackers to gain remote access and execute commands on machines runn…

Product: D-Link DWR-M972VCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22968NVD References: - https://github.com/CRUNZEX/CVE-2025-22968- https://github.com/CRUNZEX/CVE-DLINK-LTE- https://www.dlink.com/en/security-bulletin/CVE-2024-57011 through CVE-2024-57022 - TOTOLINK X5000R V9.1.0cu.2350_B20230313 was discovered to contain multiple OS command injection vulnerabilitiesProduct: TOTOLINK X5000RCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57011NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57012NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57013NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57014NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57015NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57016NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57017NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57018NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57019NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57020NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57021NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57022NVD References: - https://github.com/tiger5671/Vulnerabilities/blob/main/TOTOLINK%20X5000R/setScheduleCfg/setScheduleCfg.md- https://www.totolink.net/CVE-2024-44136 - iOS and iPadOS versions prior to 17.5 are vulnerable to a flaw allowing attackers with physical access to disable Stolen Device Protection.Product: Apple iOSCVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44136NVD References: https://support.apple.com/en-us/120905CVE-2025-22146 - Sentry's SAML SSO implementation contains a critical vulnerability that could allow an attacker to take over any user account on the same instance with a malicious SAML Identity Provider and knowledge of the victim's email address.Product: Sentry SAML SSO implementationCVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22146NVD References: - https://github.com/getsentry/sentry/pull/83407- https://github.com/getsentry/sentry/security/advisories/GHSA-7pq6-v88g-wf3wCVE-2024-48126 - HI-SCAN 6040i Hitrax HX-03-19-I was discovered to contain hardcoded credentials for access to vendor support and service access.Product: Hitrax HI-SCAN 6040iCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48126NVD References: https://kth.diva-portal.org/smash/get/diva2:1876534/FULLTEXT01.pdfCVE-2025-0455 - The airPASS from NetVision Information is vulnerable to SQL Injection, enabling remote attackers to manipulate database information.Product: NetVision Information airPASSCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-0455NVD References: - https://www.twcert.org.tw/en/cp-139-8358-143bc-2.html- https://www.twcert.org.tw/tw/cp-132-8357-28308-1.htmlCVE-2025-0456 - The airPASS from NetVision Information has a Missing Authentication vulnerability that allows unauthenticated remote attackers to access specific administrative functionality and retrieve all accounts and passwords.Product: NetVision Information airPASSCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-0456NVD References: - https://www.twcert.org.tw/en/cp-139-8360-e97b8-2.html- https://www.twcert.org.tw/tw/cp-132-8359-53aa7-1.htmlCVE-2025-22904, CVE-2025-22907, CVE-2025-22913, CVE-2025-22916 - RE11S v1.11 was discovered to contain stack overflow vulnerabilitiesProduct: RE11S v1.11CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22904NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22907NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22913NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22916NVD References: - http://re11s.com- https://github.com/xyqer1/RE11S_1.11-setWAN-3-StackOverflow- https://github.com/xyqer1/RE11S_1.11-formWlSiteSurvey-StackOverflow- https://github.com/xyqer1/RE11S_1.11-formStaDrvSetup-StackOverflow- https://github.com/xyqer1/RE11S_1.11-formPPPoESetup-StackOverflow- https://www.edimax.com/edimax/global/CVE-2025-22905, CVE-2025-22906, CVE-2025-22912 - RE11S v1.11 was discovered to contain command injection vulnerabilitiesProduct: RE11S v1.11CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22905NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22906NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22912NVD References: - http://re11s.com- https://github.com/xyqer1/RE11S_1.11-mp-CommandInjection- https://github.com/xyqer1/RE11S_1.11-setWAN-CommandInjection- https://github.com/xyqer1/RE11S_1.11-formAccept-CommandInjection- https://www.edimax.com/edimax/global/CVE-2025-0471 - PMB platform is vulnerable to unrestricted file uploading, allowing attackers to gain remote access and execute commands on machines running versions 4.0.10 and above.Product: PMB platformCVSS Score: 9.9NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-0471NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-pmb-platformCVE-2024-57768 - JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component validRoleKey?sysRole.key.Product: JFinalOACVSS Score: 9.8NVD: https:/…

Product: TOTOLINK X5000R

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57011

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57012

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57013

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57014

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57015

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57016

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57017

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57018

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57019

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57020

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57021

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57022

NVD References:

- https://github.com/tiger5671/Vulnerabilities/blob/main/TOTOLINK%20X5000R/setScheduleCfg/setScheduleCfg.md

- https://www.totolink.net/

Product: Apple iOS

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44136

NVD References: https://support.apple.com/en-us/120905

Product: Sentry SAML SSO implementation

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22146

NVD References:

- https://github.com/getsentry/sentry/pull/83407

- https://github.com/getsentry/sentry/security/advisories/GHSA-7pq6-v88g-wf3w

Product: Hitrax HI-SCAN 6040i

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-48126

NVD References: https://kth.diva-portal.org/smash/get/diva2:1876534/FULLTEXT01.pdf

Product: NetVision Information airPASS

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-0455

NVD References:

- https://www.twcert.org.tw/en/cp-139-8358-143bc-2.html

- https://www.twcert.org.tw/tw/cp-132-8357-28308-1.html

Product: NetVision Information airPASS

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-0456

NVD References:

- https://www.twcert.org.tw/en/cp-139-8360-e97b8-2.html

- https://www.twcert.org.tw/tw/cp-132-8359-53aa7-1.html

Product: RE11S v1.11

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22904

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22907

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22913

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22916

NVD References:

- http://re11s.com

- https://github.com/xyqer1/RE11S_1.11-setWAN-3-StackOverflow

- https://github.com/xyqer1/RE11S_1.11-formWlSiteSurvey-StackOverflow

- https://github.com/xyqer1/RE11S_1.11-formStaDrvSetup-StackOverflow

- https://github.com/xyqer1/RE11S_1.11-formPPPoESetup-StackOverflow

- https://www.edimax.com/edimax/global/

Product: RE11S v1.11

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22905

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22906

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22912

NVD References:

- http://re11s.com

- https://github.com/xyqer1/RE11S_1.11-mp-CommandInjection

- https://github.com/xyqer1/RE11S_1.11-setWAN-CommandInjection

- https://github.com/xyqer1/RE11S_1.11-formAccept-CommandInjection

- https://www.edimax.com/edimax/global/

Product: PMB platform

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-0471

NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-pmb-platform

Product: JFinalOA

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57768

NVD References: https://gitee.com/r1bbit/JFinalOA/issues/IBHUMT

Product: D-Link 816A2_FWv1.10CNB05_R1B011D88210

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57684

NVD References:

- https://github.com/abcdefg-png/IoT-vulnerable/blob/main/Unauthorized_Vulnerability/D-Link/DIR-816/formDMZ.md

- https://www.dlink.com/en/security-bulletin/

Product: Tenda i24

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57483

NVD References:

- http://tenda.com

- https://gist.github.com/XiaoCurry/7dd5c6ab5af9df49883535b997cef7a4

Product: Tenda AC18

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57579

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57580

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57581

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57582

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57583

NVD References:

- https://github.com/qijiale/Tenda/tree/main/6

- https://github.com/qijiale/Tenda/tree/main/7

- https://github.com/qijiale/Tenda/tree/main/8

- https://github.com/qijiale/Tenda/tree/main/9

Product: Mike Selander WP Options Editor

Active Installations: This plugin has been closed as of December 5, 2024 and is not available for download. This closure is temporary, pending a full review.

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-23797

NVD References: https://patchstack.com/database/wordpress/plugin/wp-options-editor/vulnerability/wordpress-wp-options-editor-plugin-1-1-csrf-to-privilege-escalation-vulnerability?_s_id=cve

Product: Harsh iSpring Embedder

Active Installations: unknown

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-23922

NVD References: https://patchstack.com/database/wordpress/plugin/embed-ispring/vulnerability/wordpress-ispring-embedder-plugin-1-0-csrf-to-arbitrary-file-upload-vulnerability?_s_id=cve

Product: WeGIA

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57031

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57034

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57035

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-23219

NVD References:

- https://github.com/nmmorette/vulnerability-research/tree/main/CVE-2024-57031

- https://github.com/nmmorette/vulnerability-research/tree/main/CVE-2024-57034

- https://github.com/nmmorette/vulnerability-research/tree/main/CVE-2024-57035

- https://github.com/nilsonLazarin/WeGIA/issues/827

- https://github.com/LabRedesCefetRJ/WeGIA/commit/ae9c859006143bd0087b3e6e48a0677e1fff5c7e

- https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-h2mg-4c7q-w69v

- https://www.wegia.org

CVE-2024-57032 - WeGIA < 3.2.0 is vulnerable to Incorrect Access Control in controle/control.php, allowing password changes without validating the old password.

Product: WeGIA controle

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57032

NVD References:

- https://github.com/nmmorette/vulnerability-research/blob/main/CVE-2024-57032

- https://www.wegia.org/

CVE-2024-13375 - The Adifier System plugin for WordPress is susceptible to privilege escalation through account takeover, allowing unauthenticated attackers to change passwords and gain unauthorized access to user accounts.

Product: WordPress Adifier System plugin

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13375

NVD References:

- https://themeforest.net/item/adifier-classified-ads-wordpress-theme/21633950

- https://www.wordfence.com/threat-intel/vulnerabilities/id/fbf2aeed-0f18-4ef6-aff8-9e8c4531d789?source=cve

CVE-2024-38337 - IBM Sterling Secure Proxy versions 6.0.0.0 to 6.2.0.0 may allow unauthorized access to sensitive data through incorrect permission settings.

Product: IBM Sterling Secure Proxy

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38337

NVD References: https://www.ibm.com/support/pages/node/7179166

CVE-2024-41783 - IBM Sterling Secure Proxy versions 6.0.0.0 to 6.2.0.0 are vulnerable to command injection by privileged users due to inadequate input validation.

Product: IBM Sterling Secure Proxy

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-41783

NVD References: https://www.ibm.com/support/pages/node/7176189

CVE-2025-0585 - The a+HRD from aEnrich Technology is vulnerable to SQL Injection, enabling remote attackers to manipulate database data.

Product: aEnrich Technology a+HRD

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-0585

NVD References:

- https://www.twcert.org.tw/en/cp-139-8373-91edc-2.html

- https://www.twcert.org.tw/tw/cp-132-8372-19721-1.html

CVE-2024-32555 - Easy Real Estate has an Incorrect Privilege Assignment vulnerability allowing Privilege Escalation in versions up to 2.2.6.

Product: Easy Real Estate

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32555

NVD References: https://patchstack.com/database/wordpress/plugin/easy-real-estate/vulnerability/wordpress-easy-real-estate-plugin-2-2-6-privilege-escalation-vulnerability?_s_id=cve

CVE-2024-49655 - ARPrice is vulnerable to SQL Injection in versions up to 4.0.3, allowing for improper neutralization of special elements in SQL commands.

Product: ARPrice

Active Installations: unknown

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49655

NVD References: https://patchstack.com/database/wordpress/plugin/arprice/vulnerability/wordpress-arprice-plugin-4-0-3-unauthenticated-sql-injection-vulnerability?_s_id=cve

CVE-2024-49688 - Deserialization of Untrusted Data vulnerability in NotFound ARPrice allows Object Injection. This issue affects ARPrice: from n/a through 4.0.3.

Product: ARPrice

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49688

NVD References: https://patchstack.com/database/wordpress/plugin/arprice/vulnerability/wordpress-arprice-plugin-4-0-3-unauthenticated-php-object-injection-vulnerability?_s_id=cve

CVE-2024-51818 - Fancy Product Designer through version 6.4.3 is vulnerable to SQL Injection, allowing attackers to manipulate database queries and potentially extract sensitive information.

Product: Fancy Product Designer

Active Installations: unknown

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-51818

NVD References: https://patchstack.com/database/wordpress/plugin/fancy-product-designer/vulnerability/wordpress-fancy-product-designer-plugin-6-4-3-unauthenticated-sql-injection-vulnerability?_s_id=cve

CVE-2024-51888 - Homey Login Register from n/a through 2.4.0 is vulnerable to Incorrect Privilege Assignment, allowing for Privilege Escalation.

Product: Homey Login Register

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-51888

NVD References: https://patchstack.com/database/wordpress/plugin/homey-login-register/vulnerability/wordpress-homey-login-register-plugin-2-4-0-privilege-escalation-vulnerability?_s_id=cve

CVE-2024-51919 - Fancy Product Designer allows for unrestricted upload of dangerous file types, impacting versions from n/a to 6.4.3.

Product: Fancy Product Designer

Active Installations: unknown

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-51919

NVD References: https://patchstack.com/database/wordpress/plugin/fancy-product-designer/vulnerability/wordpress-fancy-product-designer-plugin-6-4-3-unauthenticated-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2025-22553 - Multiple Carousel version n/a through 2.0 is vulnerable to SQL Injection due to improper neutralization of special elements in SQL commands.

Product: Multiple Carousel

Active Installations: unknown

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22553

NVD References: https://patchstack.com/database/wordpress/plugin/multicarousel/vulnerability/wordpress-multiple-carousel-plugin-2-0-sql-injection-vulnerability?_s_id=cve

CVE-2025-22723 - UkrSolution Barcode Scanner with Inventory & Order Manager allows attackers to upload a web shell to a web server due to unrestricted file type upload vulnerability.

Product: UkrSolution Barcode Scanner with Inventory & Order Manager

Active Installations: 1,000+

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22723

NVD References: https://patchstack.com/database/wordpress/plugin/barcode-scanner-lite-pos-to-manage-products-inventory-and-orders/vulnerability/wordpress-barcode-scanner-and-inventory-manager-plugin-1-6-7-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2024-54794 - The script input feature of SpagoBI 3.5.1 allows arbitrary code execution.

Product: SpagoBI

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54794

NVD References: https://github.com/MarioTesoro/CVE-2024-54794

CVE-2025-24024 - Mjolnir v1.9.0 allows unauthorized users to access server administration components if enabled, posing a security risk that is addressed in versions 1.9.1 and 1.9.2.

Product: Matrix Mjolnir

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24024

NVD References:

- https://github.com/matrix-org/mjolnir/commit/b437fa16b5425985715df861987c836affd51eea

- https://github.com/matrix-org/mjolnir/commit/d0ef527a9e3eb45e17143d5295a64b775ccaa23d

- https://github.com/matrix-org/mjolnir/security/advisories/GHSA-3jq6-xc85-m394

CVE-2025-21524 - The vulnerability in JD Edwards EnterpriseOne Tools product of Oracle JD Edwards allows an unauthenticated attacker to compromise the system.

Product: Oracle JD Edwards EnterpriseOne

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21524

NVD References: https://www.oracle.com/security-alerts/cpujan2025.html

CVE-2025-21535 - The Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) is vulnerable to an easily exploitable vulnerability that allows unauthenticated attackers with network access via T3, IIOP to compromise the server and potentially take over.

Product: Oracle WebLogic Server

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21535

NVD References: https://www.oracle.com/security-alerts/cpujan2025.html

CVE-2025-21547 - Oracle Hospitality OPERA 5 product is vulnerable to an easily exploitable issue that allows unauthenticated attackers to compromise the system, resulting in unauthorized access to critical data and potential denial of service (DOS) attacks.

Product: Oracle Hospitality OPERA 5

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21547

NVD References: https://www.oracle.com/security-alerts/cpujan2025.html

CVE-2025-21556 - The vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain allows a low privileged attacker to compromise the framework via HTTP, potentially leading to a complete takeover with a CVSS score of 9.9.

Product: Oracle Agile PLM Framework

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21556

NVD References: https://www.oracle.com/security-alerts/cpujan2025.html

CVE-2024-13091 - The WPBot Pro Wordpress Chatbot plugin is vulnerable to arbitrary file uploads leading to potential remote code execution.

Product: WPBot Pro WordPress Chatbot

Active Installations: 5,000+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13091

NVD References:

- https://www.wordfence.com/threat-intel/vulnerabilities/id/0f9b6979-2662-4d2f-9656-b880dd80832c?source=cve

- https://www.wpbot.pro/

The following vulnerability needs a manual review: CVE-2024-12833

Product: WeGIA controle

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-57032

NVD References:

- https://github.com/nmmorette/vulnerability-research/blob/main/CVE-2024-57032

- https://www.wegia.org/

CVE-2024-13375 - The Adifier System plugin for WordPress is susceptible to privilege escalation through account takeover, allowing unauthenticated attackers to change passwords and gain unauthorized access to user accounts.

Product: WordPress Adifier System plugin

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13375

NVD References:

- https://themeforest.net/item/adifier-classified-ads-wordpress-theme/21633950

- https://www.wordfence.com/threat-intel/vulnerabilities/id/fbf2aeed-0f18-4ef6-aff8-9e8c4531d789?source=cve

CVE-2024-38337 - IBM Sterling Secure Proxy versions 6.0.0.0 to 6.2.0.0 may allow unauthorized access to sensitive data through incorrect permission settings.

Product: IBM Sterling Secure Proxy

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38337

NVD References: https://www.ibm.com/support/pages/node/7179166

CVE-2024-41783 - IBM Sterling Secure Proxy versions 6.0.0.0 to 6.2.0.0 are vulnerable to command injection by privileged users due to inadequate input validation.

Product: IBM Sterling Secure Proxy

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-41783

NVD References: https://www.ibm.com/support/pages/node/7176189

CVE-2025-0585 - The a+HRD from aEnrich Technology is vulnerable to SQL Injection, enabling remote attackers to manipulate database data.

Product: aEnrich Technology a+HRD

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-0585

NVD References:

- https://www.twcert.org.tw/en/cp-139-8373-91edc-2.html

- https://www.twcert.org.tw/tw/cp-132-8372-19721-1.html

CVE-2024-32555 - Easy Real Estate has an Incorrect Privilege Assignment vulnerability allowing Privilege Escalation in versions up to 2.2.6.

Product: Easy Real Estate

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32555

NVD References: https://patchstack.com/database/wordpress/plugin/easy-real-estate/vulnerability/wordpress-easy-real-estate-plugin-2-2-6-privilege-escalation-vulnerability?_s_id=cve

CVE-2024-49655 - ARPrice is vulnerable to SQL Injection in versions up to 4.0.3, allowing for improper neutralization of special elements in SQL commands.

Product: ARPrice

Active Installations: unknown

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49655

NVD References: https://patchstack.com/database/wordpress/plugin/arprice/vulnerability/wordpress-arprice-plugin-4-0-3-unauthenticated-sql-injection-vulnerability?_s_id=cve

CVE-2024-49688 - Deserialization of Untrusted Data vulnerability in NotFound ARPrice allows Object Injection. This issue affects ARPrice: from n/a through 4.0.3.

Product: ARPrice

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49688

NVD References: https://patchstack.com/database/wordpress/plugin/arprice/vulnerability/wordpress-arprice-plugin-4-0-3-unauthenticated-php-object-injection-vulnerability?_s_id=cve

CVE-2024-51818 - Fancy Product Designer through version 6.4.3 is vulnerable to SQL Injection, allowing attackers to manipulate database queries and potentially extract sensitive information.

Product: Fancy Product Designer

Active Installations: unknown

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-51818

NVD References: https://patchstack.com/database/wordpress/plugin/fancy-product-designer/vulnerability/wordpress-fancy-product-designer-plugin-6-4-3-unauthenticated-sql-injection-vulnerability?_s_id=cve

CVE-2024-51888 - Homey Login Register from n/a through 2.4.0 is vulnerable to Incorrect Privilege Assignment, allowing for Privilege Escalation.

Product: Homey Login Register

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-51888

NVD References: https://patchstack.com/database/wordpress/plugin/homey-login-register/vulnerability/wordpress-homey-login-register-plugin-2-4-0-privilege-escalation-vulnerability?_s_id=cve

CVE-2024-51919 - Fancy Product Designer allows for unrestricted upload of dangerous file types, impacting versions from n/a to 6.4.3.

Product: Fancy Product Designer

Active Installations: unknown

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-51919

NVD References: https://patchstack.com/database/wordpress/plugin/fancy-product-designer/vulnerability/wordpress-fancy-product-designer-plugin-6-4-3-unauthenticated-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2025-22553 - Multiple Carousel version n/a through 2.0 is vulnerable to SQL Injection due to improper neutralization of special elements in SQL commands.

Product: Multiple Carousel

Active Installations: unknown

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22553

NVD References: https://patchstack.com/database/wordpress/plugin/multicarousel/vulnerability/wordpress-multiple-carousel-plugin-2-0-sql-injection-vulnerability?_s_id=cve

CVE-2025-22723 - UkrSolution Barcode Scanner with Inventory & Order Manager allows attackers to upload a web shell to a web server due to unrestricted file type upload vulnerability.

Product: UkrSolution Barcode Scanner with Inventory & Order Manager

Active Installations: 1,000+

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22723

NVD References: https://patchstack.com/database/wordpress/plugin/barcode-scanner-lite-pos-to-manage-products-inventory-and-orders/vulnerability/wordpress-barcode-scanner-and-inventory-manager-plugin-1-6-7-arbitrary-file-upload-vulnerability?_s_id=cve

CVE-2024-54794 - The script input feature of SpagoBI 3.5.1 allows arbitrary code execution.

Product: SpagoBI

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54794

NVD References: https://github.com/MarioTesoro/CVE-2024-54794

CVE-2025-24024 - Mjolnir v1.9.0 allows unauthorized users to access server administration components if enabled, posing a security risk that is addressed in versions 1.9.1 and 1.9.2.

Product: Matrix Mjolnir

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24024

NVD References:

- https://github.com/matrix-org/mjolnir/commit/b437fa16b5425985715df861987c836affd51eea

- https://github.com/matrix-org/mjolnir/commit/d0ef527a9e3eb45e17143d5295a64b775ccaa23d

- https://github.com/matrix-org/mjolnir/security/advisories/GHSA-3jq6-xc85-m394

CVE-2025-21524 - The vulnerability in JD Edwards EnterpriseOne Tools product of Oracle JD Edwards allows an unauthenticated attacker to compromise the system.

Product: Oracle JD Edwards EnterpriseOne

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21524

NVD References: https://www.oracle.com/security-alerts/cpujan2025.html

CVE-2025-21535 - The Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) is vulnerable to an easily exploitable vulnerability that allows unauthenticated attackers with network access via T3, IIOP to compromise the server and potentially take over.

Product: Oracle WebLogic Server

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21535

NVD References: https://www.oracle.com/security-alerts/cpujan2025.html

CVE-2025-21547 - Oracle Hospitality OPERA 5 product is vulnerable to an easily exploitable issue that allows unauthenticated attackers to compromise the system, resulting in unauthorized access to critical data and potential denial of service (DOS) attacks.

Product: Oracle Hospitality OPERA 5

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21547

NVD References: https://www.oracle.com/security-alerts/cpujan2025.html

CVE-2025-21556 - The vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain allows a low privileged attacker to compromise the framework via HTTP, potentially leading to a complete takeover with a CVSS score of 9.9.

Product: Oracle Agile PLM Framework

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21556

NVD References: https://www.oracle.com/security-alerts/cpujan2025.html

CVE-2024-13091 - The WPBot Pro Wordpress Chatbot plugin is vulnerable to arbitrary file uploads leading to potential remote code execution.

Product: WPBot Pro WordPress Chatbot

Active Installations: 5,000+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13091

NVD References:

- https://www.wordfence.com/threat-intel/vulnerabilities/id/0f9b6979-2662-4d2f-9656-b880dd80832c?source=cve

- https://www.wpbot.pro/

The following vulnerability needs a manual review: CVE-2024-12833

Product: WordPress Adifier System plugin

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13375

NVD References:

- https://themeforest.net/item/adifier-classified-ads-wordpress-theme/21633950

- https://www.wordfence.com/threat-intel/vulnerabilities/id/fbf2aeed-0f18-4ef6-aff8-9e8c4531d789?source=cve

Product: IBM Sterling Secure Proxy

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38337

NVD References: https://www.ibm.com/support/pages/node/7179166

Product: IBM Sterling Secure Proxy

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-41783

NVD References: https://www.ibm.com/support/pages/node/7176189

Product: aEnrich Technology a+HRD

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-0585

NVD References:

- https://www.twcert.org.tw/en/cp-139-8373-91edc-2.html

- https://www.twcert.org.tw/tw/cp-132-8372-19721-1.html

Product: Easy Real Estate

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32555

NVD References: https://patchstack.com/database/wordpress/plugin/easy-real-estate/vulnerability/wordpress-easy-real-estate-plugin-2-2-6-privilege-escalation-vulnerability?_s_id=cve

Product: ARPrice

Active Installations: unknown

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49655

NVD References: https://patchstack.com/database/wordpress/plugin/arprice/vulnerability/wordpress-arprice-plugin-4-0-3-unauthenticated-sql-injection-vulnerability?_s_id=cve

Product: ARPrice

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-49688

NVD References: https://patchstack.com/database/wordpress/plugin/arprice/vulnerability/wordpress-arprice-plugin-4-0-3-unauthenticated-php-object-injection-vulnerability?_s_id=cve

Product: Fancy Product Designer

Active Installations: unknown

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-51818

NVD References: https://patchstack.com/database/wordpress/plugin/fancy-product-designer/vulnerability/wordpress-fancy-product-designer-plugin-6-4-3-unauthenticated-sql-injection-vulnerability?_s_id=cve

Product: Homey Login Register

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-51888

NVD References: https://patchstack.com/database/wordpress/plugin/homey-login-register/vulnerability/wordpress-homey-login-register-plugin-2-4-0-privilege-escalation-vulnerability?_s_id=cve

Product: Fancy Product Designer

Active Installations: unknown

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-51919

NVD References: https://patchstack.com/database/wordpress/plugin/fancy-product-designer/vulnerability/wordpress-fancy-product-designer-plugin-6-4-3-unauthenticated-arbitrary-file-upload-vulnerability?_s_id=cve

Product: Multiple Carousel

Active Installations: unknown

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22553

NVD References: https://patchstack.com/database/wordpress/plugin/multicarousel/vulnerability/wordpress-multiple-carousel-plugin-2-0-sql-injection-vulnerability?_s_id=cve

Product: UkrSolution Barcode Scanner with Inventory & Order Manager

Active Installations: 1,000+

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-22723

NVD References: https://patchstack.com/database/wordpress/plugin/barcode-scanner-lite-pos-to-manage-products-inventory-and-orders/vulnerability/wordpress-barcode-scanner-and-inventory-manager-plugin-1-6-7-arbitrary-file-upload-vulnerability?_s_id=cve

Product: SpagoBI

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-54794

NVD References: https://github.com/MarioTesoro/CVE-2024-54794

Product: Matrix Mjolnir

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24024

NVD References:

- https://github.com/matrix-org/mjolnir/commit/b437fa16b5425985715df861987c836affd51eea

- https://github.com/matrix-org/mjolnir/commit/d0ef527a9e3eb45e17143d5295a64b775ccaa23d

- https://github.com/matrix-org/mjolnir/security/advisories/GHSA-3jq6-xc85-m394

Product: Oracle JD Edwards EnterpriseOne

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21524

NVD References: https://www.oracle.com/security-alerts/cpujan2025.html

Product: Oracle WebLogic Server

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21535

NVD References: https://www.oracle.com/security-alerts/cpujan2025.html

Product: Oracle Hospitality OPERA 5

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21547

NVD References: https://www.oracle.com/security-alerts/cpujan2025.html

Product: Oracle Agile PLM Framework

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21556

NVD References: https://www.oracle.com/security-alerts/cpujan2025.html

Product: WPBot Pro WordPress Chatbot

Active Installations: 5,000+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13091

NVD References:

- https://www.wordfence.com/threat-intel/vulnerabilities/id/0f9b6979-2662-4d2f-9656-b880dd80832c?source=cve

- https://www.wpbot.pro/

The following vulnerability needs a manual review: CVE-2024-12833