Microsoft Patch Tuesday for November 2025
Published: 2025-11-11
Last Updated: 2025-11-11 19:24:30 UTC
by Johannes Ullrich (Version: 1)
Today's Microsoft Patch Tuesday offers fixes for 80 different vulnerabilities. One of the vulnerabilities is already being exploited, and five are rated as critical.
Notable Vulnerabilities:
CVE-2025-62215: This vulnerability is already being exploited. It is a privilege escalation vulnerability in the Windows Kernel. These types of vulnerabilities are often exploited as part of a more complex attack chain; however, exploiting this specific vulnerability is likely to be relatively straightforward, given the existence of prior similar vulnerabilities.
CVE-2025-60724: A critical GDI+ remote code execution vulnerability. GDI+ parses various graphics files. The attack surface is likely huge, as anything in Windows (Browsers, email, and Office Documents) will use this library at some point to display images. We also have a critical vulnerability in DirectX, CVE-2025-60716. Microsoft classifies this as a privilege escalation issue, yet still rates it as critical.
CVE-2025-62199: A code execution vulnerability in Microsoft Office. Another component with a huge attack surface that is often exploited.
Given the number and type of vulnerabilities, I would consider this patch Tuesday "lighter than normal". There are no "Patch Now" vulnerabilities, and I suggest applying these vulnerabilities in accordance with your vulnerability management program ...
Read the full entry: https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+for+November+2025/32468/
It isn't always defaults: Scans for 3CX usernames
Published: 2025-11-10
Last Updated: 2025-11-10 15:23:31 UTC
by Johannes Ullrich (Version: 1)
Today, I noticed scans using the username "FTP_3cx" showing up in our logs. 3CX is a well-known maker of business phone system software. My first guess was that this was a default user for one of their systems. But Google came up empty for this particular string. The 3CX software does not appear to run an FTP server, but it offers a feature to back up configurations to an FTP server. The example user used in the documentation is "3cxftpuser", not "FTP_3cx". Additionally, the documentation notes that the FTP server can run on a different system from the 3CX software. For a backup, it would not make much sense to have it all run on the same system.
The scans we are seeing likely target FTP servers users set up to back up 3CX configurations, and not the 3CX software itself. I am not familiar enough with 3CX to know precisely what the backup contains, but it most likely includes sufficient information to breach the 3CX installation.
The credentials we observe with our Cowrie-based honeypots are collected for telnet and ftp. In particular, on Linux systems, you often use a system user to connect via FTP. Any credentials working via FTP will also work for telnet or SSH. Keep that in mind when configuring a user for FTP access, and of course, FTP should not be your first choice for backing up sensitive data, but we all know it does happen ...
Read the full entry: https://isc.sans.edu/diary/It+isnt+always+defaults+Scans+for+3CX+usernames/32464/
Binary Breadcrumbs: Correlating Malware Samples with Honeypot Logs Using PowerShell [Guest Diary]
Published: 2025-11-05
Last Updated: 2025-11-06 02:27:25 UTC
by David Hammond (Version: 1)
[This is a Guest Diary by David Hammond, an ISC intern as part of the SANS.edu BACS program]
My last college credit on my way to earning a bachelor's degree was an internship opportunity at the Internet Storm Center. A great opportunity, but one that required the care and feeding of a honeypot. The day it arrived I plugged the freshly imaged honeypot into my home router and happily went about my day. I didn’t think too much about it until the first attack observation was due. You see, I travel often, but my honeypot does not. Furthermore, the administrative side of the honeypot was only accessible through the internal network. I wasn’t about to implement a whole remote solution just to get access while on the road. Instead, I followed some very good advice. I started downloading regular backups of the honeypot logs on a Windows laptop I frequently had with me.
The internship program encouraged us to at least initially review our honeypot logs with command line utilities, such as jq and all its flexibility with filtering. Combined with other standard Unix-like operating system tools, such as wc (word count), less, head, and cut, it was possible to extract exactly what I was looking for. I initially tried using more graphical tools but found I enjoy "living" in the command line better. When I first start looking at logs, I am not always sure what I’m looking for. Command line tools allow me to quickly look for outliers in the data. I can see what sticks out by negating everything that looks the same.
So, what’s the trouble? None of these tools were available on my Windows laptop. Admittedly, most of what I mention above is available for Windows, but my ability to install software was restricted on this machine, and I knew that native alternatives existed. At the time I had several directories of JSON logs, and a long list of malware hash values corresponding to an attack I was interested in understanding better. Here’s how a few lines of PowerShell can transform scattered honeypot logs into a clear picture of what really happened ...
Read the full entry: https://isc.sans.edu/diary/Binary+Breadcrumbs+Correlating+Malware+Samples+with+Honeypot+Logs+Using+PowerShell+Guest+Diary/32454/
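The correlation the guest diary describes (a directory of JSON honeypot logs on one side, a list of malware hashes on the other) can be done with built-in cmdlets only, which matters on a laptop where installing jq is not an option. The script below is an added example written for this summary; it is not David Hammond's code from the diary. It assumes Cowrie-style logs with one JSON object per line and the field names eventid, src_ip, session, timestamp, url and shasum (an assumption about the log format, not something the diary states), and it writes a constructed sample log with obviously fake hashes into a temporary directory so it runs offline.

```powershell
# Added example (not from the diary): correlate a malware hash watch-list with
# Cowrie-style JSON honeypot logs using only built-in PowerShell cmdlets.
# Assumption: one JSON object per line with fields eventid, src_ip, session,
# timestamp, url and shasum (Cowrie-style names; adjust to your sensor's format).

# --- Constructed sample data: not real log lines, not real hashes ------------
$LogDir = Join-Path ([System.IO.Path]::GetTempPath()) 'honeypot-demo'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

$sampleLines = @'
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","session":"a1b2c3","timestamp":"2025-10-20T03:14:07.000000Z"}
{"eventid":"cowrie.session.file_download","src_ip":"203.0.113.10","session":"a1b2c3","timestamp":"2025-10-20T03:14:12.000000Z","url":"http://198.51.100.5/x86","shasum":"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}
{"eventid":"cowrie.session.file_download","src_ip":"203.0.113.10","session":"a1b2c3","timestamp":"2025-10-20T03:14:15.000000Z","url":"http://198.51.100.5/arm","shasum":"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}
{"eventid":"cowrie.session.file_download","src_ip":"192.0.2.77","session":"d4e5f6","timestamp":"2025-10-21T11:02:44.000000Z","url":"http://198.51.100.9/bot.sh","shasum":"cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"}
'@
Set-Content -Path (Join-Path $LogDir 'cowrie.json.2025-10-20') -Value $sampleLines

# Hash watch-list (constructed). In practice this is the list of sample hashes
# you collected from the attack you are investigating.
$HashList = @(
    'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
    'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb'
)
# Case-insensitive set: hashes are hex and different sources mix upper/lower case.
$Wanted = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
$HashList | ForEach-Object { [void]$Wanted.Add($_) }

# --- Step 1: parse every JSON log line under the directory tree ---------------
# Cowrie writes one JSON object per line, so parse line by line rather than
# calling ConvertFrom-Json on the whole file; blank or truncated lines are skipped.
$events = Get-ChildItem -Path $LogDir -Recurse -File -Filter 'cowrie.json*' |
    Get-Content |
    Where-Object { $_.Trim() } |
    ForEach-Object {
        $line = $_
        try { $line | ConvertFrom-Json } catch { Write-Warning "Skipping unparsable line: $line" }
    }

# --- Step 2: keep only download events whose hash is on the watch-list --------
$hits = $events | Where-Object {
    $_.eventid -eq 'cowrie.session.file_download' -and $_.shasum -and $Wanted.Contains($_.shasum)
}

# --- Step 3: pivot from the matched files back to the sessions that fetched them
# Every event from a matching session is kept, so the connect, the download
# and anything else the session did line up in one timeline.
$hitSessions = $hits | Select-Object -ExpandProperty session -Unique
$timeline = $events |
    Where-Object { $hitSessions -contains $_.session } |
    Sort-Object timestamp |
    Select-Object timestamp, src_ip, session, eventid, url, shasum

"Matched $($hits.Count) download(s) across $($hitSessions.Count) session(s)"
$timeline | Format-Table -AutoSize

# Watch-list hashes that never appeared: knowing what did NOT hit this sensor
# is as useful as knowing what did.
$seen = $hits | Select-Object -ExpandProperty shasum
$HashList | Where-Object { $seen -notcontains $_ } | ForEach-Object { "No sighting for $_" }
```

Point $LogDir at the directory holding your downloaded log backups and replace $HashList with your own list; the rest is unchanged. The pivot in step 3 is the part that turns a hash match into a story, because the download event alone does not show which credentials the session used or what commands preceded the fetch.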
Honeypot: Requests for (Code) Repositories (2025.11.08)
https://isc.sans.edu/diary/Honeypot+Requests+for+Code+Repositories/32460/
Apple Patches Everything, Again (2025.11.04)
https://isc.sans.edu/diary/Apple+Patches+Everything+Again/32448/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2025-59396 - WatchGuard Firebox devices have a vulnerability that allows administrative access through SSH on port 4118 using the readwrite password for the admin account until 2025-09-10.
Product: WatchGuard Firebox devices
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59396
ISC Podcast: https://isc.sans.edu/podcastdetail/9694
CVE-2025-12480 - Triofox is vulnerable to an Improper Access Control flaw, allowing access to initial setup pages post-completion in versions before 16.7.10368.56560.
Product: Triofox
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12480
ISC Podcast: https://isc.sans.edu/podcastdetail/9696
NVD References:
- https://access.triofox.com/releases_history/
- https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480
- https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2025/MNDT-2025-0008.md
CVE-2025-60724 - Heap-based buffer overflow in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.
Product: Microsoft Graphics Component
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60724
ISC Diary: https://isc.sans.edu/diary/32468
ISC Podcast: https://isc.sans.edu/podcastdetail/9696
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60724
CVE-2025-54863 - Radiometrics VizAir is vulnerable to remote exposure of its REST API key, enabling attackers to manipulate weather data, disrupt airport operations, and engage in denial-of-service attacks.
Product: Radiometrics VizAir
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54863
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-04
CVE-2025-61945 - Radiometrics VizAir is vulnerable to remote attackers through unauthorized access to the admin panel, allowing manipulation of critical weather parameters and potentially endangering aircraft safety.
Product: Radiometrics VizAir
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61945
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-04
CVE-2025-61956 - Radiometrics VizAir lacks authentication mechanisms, enabling attackers to manipulate settings, mislead air traffic control, pilots, and forecasters.
Product: Radiometrics VizAir
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61956
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-04
CVE-2025-47776 - Mantis Bug Tracker (MantisBT) is vulnerable to a type juggling issue in authentication code, allowing attackers to login without knowing the victim's password in versions 2.27.1 and below.
Product: MantisBT
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47776
CVE-2025-52910 - Samsung Mobile Processor and Wearable Processor Exynos 1280, 2200, 1330, 1380, 1480, 2400 are vulnerable to a Use-After-Free leading to privilege escalation.
Product: Samsung Exynos 1280
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-52910
CVE-2025-12735 - The expr-eval library is vulnerable to arbitrary code execution due to insufficient input validation in the evaluate() function.
Product: expr-eval library JavaScript expression parser
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12735
CVE-2025-55108 - Control-M/Agent is vulnerable to unauthenticated remote code execution and unauthorized file access if mutual SSL/TLS authentication is not enabled.
Product: BMC Control-M/Agent
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55108
CVE-2025-47151 - Entr'ouvert Lasso 2.5.1 and 2.8.2 are vulnerable to type confusion, allowing attackers to execute arbitrary code through specially crafted SAML responses.
Product: Entrouvert Lasso
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47151
CVE-2025-64459 - Django is vulnerable to SQL injection in versions 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8 due to a flaw in QuerySet methods and the class Q().
Product: Djangoproject
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64459
CVE-2025-61304 - OS command injection vulnerability in Dynatrace ActiveGate ping extension up to 1.016 via crafted ip address.
Product: Dynatrace ActiveGate ping extension
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61304
CVE-2025-63601 - Snipe-IT is vulnerable to authenticated remote attackers uploading and executing system commands via a malicious backup file prior to version 8.3.3.
Product: Snipe-IT app
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63601
CVE-2025-20354 - Cisco Unified CCX is vulnerable to arbitrary file upload and command execution due to inadequate authentication mechanisms, enabling an attacker to gain root access on affected systems.
Product: Cisco Unified Contact Center Express
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20354
NVD References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-unauth-rce-QeN8h7mQ
CVE-2025-20358 - Cisco Unified CCX Contact Center Express Editor application is vulnerable to authentication bypass, granting unauthenticated attackers administrative permissions for script creation and execution.
Product: Cisco Unified Contact Center Express
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20358
NVD References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-unauth-rce-QeN8h7mQ
CVE-2025-45378 - Dell CloudLink versions 8.0 through 8.1.2 are vulnerable to unauthorized access and privilege escalation through a restricted shell exploit.
Product: Dell CloudLink
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-45378
NVD References: https://www.dell.com/support/kbdoc/en-us/000384363/dsa-2025-374-security-update-for-dell-cloudlink-multiple-security-vulnerabilities
CVE-2025-46364 - Dell CloudLink versions prior to 8.1.1 are vulnerable to a privilege escalation attack via CLI Escape Vulnerability.
Product: Dell CloudLink
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-46364
NVD References: https://www.dell.com/support/kbdoc/en-us/000384363/dsa-2025-374-security-update-for-dell-cloudlink-multiple-security-vulnerabilities
CVE-2025-56231 - Tonec Internet Download Manager 6.42.41.1 and earlier suffers from Missing SSL Certificate Validation, which allows attackers to bypass update protections.
Product: Tonec Internet Download Manager
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-56231
CVE-2025-55343 - Quipux 4.0.1 through e1774ac allows authenticated users to conduct SQL injection attacks in multiple parameters.
Product: Quipux 4.0.1 through e1774ac
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55343
CVE-2025-63416 - SelfBest platform 2023.3 has a Stored Cross-Site Scripting vulnerability in its chat functionality that allows attackers to execute arbitrary JavaScript in other users' sessions, leading to privilege escalation and sensitive data compromise.
Product: SelfBest
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63416
CVE-2025-63334 - PocketVJ CP version 3.9.1 is susceptible to unauthenticated remote code execution via the opacityValue POST parameter in submit_opacity.php.
Product: PocketVJ-CP-v3 pvj
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63334
CVE-2025-62161 - Youki is vulnerable to a container escape attack in versions 0.5.6 and below due to insufficient validation of the source /dev/null, fixed in version 0.5.7.
Product: Youki-Dev
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62161
CVE-2025-62596 - Youki is vulnerable to a write-target validation flaw in versions 0.5.6 and below, allowing for writes to unintended procfs locations through shared-mount race exploitation.
Product: Youki-Dev
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62596
CVE-2025-64163 - DataEase has an SSRF vulnerability in versions 2.10.14 and below due to omission of protection for the dns:// protocol, but it is fixed in version 2.10.15.
Product: DataEase
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64163
CVE-2025-64164 - DataEase version 2.10.14 and below is vulnerable to JNDI injection when establishing JDBC connections to Oracle.
Product: DataEase
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64164
CVE-2025-27918 - AnyDesk before 9.0.0 is vulnerable to a heap-based buffer overflow due to an integer overflow in UDP packet processing.
Product: Anydesk
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27918
CVE-2025-64180 - Manager-io/Manager accounting software is vulnerable to unauthorized access to internal network resources due to a flaw in its DNS validation mechanism, allowing attackers to bypass network isolation and access internal services and protected network segments.
Product: Manager-io Manager
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64180
NVD References: https://github.com/Manager-io/Manager/security/advisories/GHSA-j2xj-xhph-p74j
CVE-2025-63689 - Ycf1998 money-pos system before commit 11f276bd20a41f089298d804e43cb1c39d041e59 (2025-09-14) is vulnerable to multiple SQL injection attacks, enabling remote attackers to execute arbitrary code through the orderby parameter.
Product: ycf1998 money-pos system
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63689
CVE-2025-63690 - Pig-mesh Pig versions 3.8.2 and below suffer from a remote code execution vulnerability due to insecure handling of scheduled tasks in the Quartz management function.
Product: pig-mesh Pig
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63690
CVE-2025-63691 - In pig-mesh Pig version 3.8.2 and below, there is an improper permission verification vulnerability in the Token Management function, allowing ordinary users to gain administrator access and take over the system.
Product: pig-mesh Pig
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-63691
CVE-2025-10230 - Samba is vulnerable to remote code execution due to unsanitized NetBIOS name data being passed to a shell command without proper validation.
Product: Samba Active Directory Domain Controller
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10230
CVE-2025-12866 - EIP Plus developed by Hundred Plus is vulnerable to a Weak Password Recovery Mechanism, allowing remote attackers to predict or brute-force the 'forgot password' link and reset any user's password.
Product: Hundred Plus EIP Plus
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12866
NVD References: https://www.twcert.org.tw/en/cp-139-10491-004b0-2.html
CVE-2025-12868 - New Site Server developed by CyberTutor is vulnerable to unauthenticated remote attackers exploiting a Use of Client-Side Authentication flaw to gain administrator privileges on the website.
Product: CyberTutor New Site Server
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12868
NVD References: https://www.twcert.org.tw/en/cp-139-10492-84a10-2.html
CVE-2025-64689 - In JetBrains YouTrack before 2025.3.104432, a misconfiguration in Junie could lead to exposure of the global Junie token.
Product: JetBrains YouTrack
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64689
NVD References: https://www.jetbrains.com/privacy-security/issues-fixed/
CVE-2025-64522 - Soft Serve 0.11.1 and earlier versions are vulnerable to SSRF attacks due to inadequate validation of webhook URLs, enabling repository admins to target internal services and cloud metadata endpoints.
Product: Soft Serve Git server
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-64522
CVE-2025-42887 - SAP Solution Manager is vulnerable to code injection by authenticated attackers through remote-enabled function modules, potentially granting full system control and severely impacting confidentiality, integrity, and availability.
Product: SAP Solution Manager
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42887
CVE-2025-42890 - SQL Anywhere Monitor (Non-GUI) has baked credentials into the code, allowing unintended users to access resources and potentially execute arbitrary code, posing a high risk to system security.
Product: SAP SQL Anywhere Monitor
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42890
CVE-2025-8324 - Zohocorp ManageEngine Analytics Plus versions 6170 and below are vulnerable to Unauthenticated SQL Injection due to the improper filter configuration.
Product: Zohocorp ManageEngine Analytics Plus
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8324
CVE-2025-13032 - Avast/AVG Antivirus <25.3 on Windows is vulnerable to a double fetch in the sandbox kernel driver, allowing local attackers to escalate privileges via pool overflow.
Product: Avast AVG Antivirus
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-13032
CVE-2025-60716 - Use after free in Windows DirectX allows an authorized attacker to elevate privileges locally.
Product: Microsoft Windows DirectX
CVSS Score: 7.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60716
ISC Diary: https://isc.sans.edu/diary/32468
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60716
CVE-2025-62199 - Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.
Product: Microsoft Office
CVSS Score: 7.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62199
ISC Diary: https://isc.sans.edu/diary/32468
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62199
CVE-2025-62215 - Windows Kernel is vulnerable to race conditions that can be exploited by an authorized attacker to locally elevate privileges.
Product: Microsoft Windows Kernel
CVSS Score: 7.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62215
ISC Diary: https://isc.sans.edu/diary/32468
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62215
CVE-2025-11007 & CVE-2025-11008 - The CE21 Suite plugin for WordPress allows unauthenticated attackers to update API settings and create new admin accounts (CVE-2025-11007) and is vulnerable to Sensitive Information Exposure through the log file, allowing unauthenticated attackers to extract sensitive data and potentially take over a site (CVE-2025-11008).
Product: WordPress CE21 Suite plugin
Active Installations: This plugin has been closed as of October 30, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11007
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11008
NVD References:
CVE-2025-12158 - The Simple User Capabilities plugin for WordPress allows unauthenticated attackers to elevate user roles to administrator due to missing capability checks.
Product: WordPress Simple User Capabilities plugin
Active Installations: This plugin has been closed as of October 30, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12158
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/dd75b8ec-1961-4a7a-92e6-1517e638974b?source=cve
CVE-2025-12493 - The ShopLentor plugin for WordPress is vulnerable to Local File Inclusion up to version 3.2.5, allowing unauthenticated attackers to execute arbitrary .php files on the server.
Product: ShopLentor WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor)
Active Installations: 100,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12493
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/12bb4bb9-e908-43ad-8fb1-59418580f5e1?source=cve
CVE-2025-12682 - The Easy Upload Files During Checkout plugin for WordPress allows unauthenticated attackers to upload arbitrary JavaScript files, leading to potential remote code execution.
Product: WordPress Easy Upload Files During Checkout plugin
Active Installations: 600+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12682
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/6a050764-0ba6-49a4-bd71-f79e3129fc4c?source=cve
CVE-2025-11749 - The AI Engine plugin for WordPress up to version 3.1.3 is vulnerable to Sensitive Information Exposure via the /mcp/v1/ REST API endpoint, allowing attackers to extract and misuse the bearer token for privilege escalation.
Product: WordPress AI Engine plugin
Active Installations: 100,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11749
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/06eaf624-aedf-453d-8457-d03a572fac0d?source=cve
CVE-2025-12674 - The KiotViet Sync plugin for WordPress allows unauthenticated attackers to upload arbitrary files and potentially achieve remote code execution.
Product: KiotViet Sync plugin for WordPress
Active Installations: This plugin has been closed as of November 4, 2025 and is not available for download. This closure is permanent. Reason: Author Request.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12674
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/7fdd670f-2a71-4c1d-af46-f0fd05352f7e?source=cve
CVE-2025-32222 - Widget Logic plugin for Widgetlogic.org allows attackers to inject malicious code, impacting versions from n/a to <= 6.0.5.
Product: Widgetlogic.org Widget Logic
Active Installations: 100,000+
Update to version 6.0.6 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-32222
CVE-2025-39463 - The Select-Themes Dessau (dessau) theme is vulnerable to PHP Local File Inclusion due to improper control of the filename used in an include/require statement in a PHP program.
Product: Select-Themes Dessau
Active Installations: Unknown. Update to version 1.9 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-39463
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/dessau/vulnerability/wordpress-dessau-theme-1-9-local-file-inclusion-vulnerability
CVE-2025-39466 - The Mikado-Themes Dør (dor) theme allows PHP Local File Inclusion due to an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability.
Product: Mikado-Themes Dør
Active Installations: Unknown. Update to version 2.4.1 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-39466
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/dor/vulnerability/wordpress-doer-2-4-local-file-inclusion-vulnerability
CVE-2025-39467 - Mikado-Themes Wanderland is vulnerable to Path Traversal allowing PHP Local File Inclusion, affecting versions from n/a through <= 1.7.1.
Product: Mikado-Themes Wanderland
Active Installations: Unknown. Update to version 1.7.2 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-39467
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/wanderland/vulnerability/wordpress-wanderland-1-7-1-local-file-inclusion-vulnerability
CVE-2025-39468 - The pantherius Modal Survey plugin is vulnerable to PHP Remote File Inclusion in versions from n/a through <= 2.0.2.0.1.
Product: Pantherius Modal Survey
Active Installations: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-39468
NVD References: https://vdp.patchstack.com/database/Wordpress/Plugin/modal-survey/vulnerability/wordpress-modal-survey-plugin-2-0-2-0-1-local-file-inclusion-vulnerability
CVE-2025-47588 - Aco-woo-dynamic-pricing plugin allows code injection in versions from n/a through <= 4.5.9.
Product: Acowebs Dynamic Pricing With Discount Rules for WooCommerce
Active Installations: 6,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47588
CVE-2025-48086 - Ajax Search Lite plugin is vulnerable to deserialization of untrusted data, allowing object injection from versions n/a to 4.13.3.
Product: wpdreams Ajax Search Lite
Active Installations: 80,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48086
CVE-2025-48089 - Rainbow-Themes Education WordPress Theme | HiStudy (histudy) is vulnerable to SQL Injection, allowing attackers to execute malicious code.
Product: Rainbow-Themes Education WordPress Theme | HiStudy
Active Installations: Unknown. Update to version 3.1.0 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48089
CVE-2025-48290 - bslthemes Kinsley allows remote attackers to include and execute arbitrary files via the filename parameter in a PHP include/require statement, potentially leading to unauthorized access or code execution.
Product: bslthemes Kinsley
Active Installations: Unknown. Update to version 3.4.5 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48290
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/kinsley/vulnerability/wordpress-kinsley-theme-3-4-4-local-file-inclusion-vulnerability
CVE-2025-48330 - Real Time Validation for Gravity Forms <= 1.7.0 allows PHP Local File Inclusion via an improper control of filename for include/require statement vulnerability.
Product: Daman Jeet Real Time Validation for Gravity Forms
Active Installations: 2,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-48330
CVE-2025-49386 - Preserve Code Formatting is vulnerable to Object Injection via Deserialization of Untrusted Data in versions n/a through 4.0.1.
Product: Scott Reilly Preserve Code Formatting
Active Installations: 500+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49386
CVE-2025-49393 - Fetch Designs Sign-up Sheets is vulnerable to Object Injection through deserialization of untrusted data, affecting versions from n/a through <= 2.3.2.
Product: Fetch Designs Sign-up Sheets
Active Installations: 1,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49393
CVE-2025-53242 - Deserialization of Untrusted Data vulnerability in VictorThemes Seil (seil) allows Object Injection. This issue affects Seil: from n/a through <= 1.7.1.
Product: VictorThemes Seil
Active Installations: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53242
CVE-2025-53252 - Zegen allows PHP Local File Inclusion, presenting a vulnerability in versions from n/a through 1.1.9.
Product: zozothemes Zegen
Active Installations: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53252
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/zegen/vulnerability/wordpress-zegen-theme-1-1-9-local-file-inclusion-vulnerability
CVE-2025-53283 - Drop Uploader for CF7 - Drag&Drop File Uploader Addon allows for unrestricted upload of files with dangerous types, potentially enabling the upload of a web shell to a web server.
Product: borisolhor Drop Uploader for CF7 - Drag&Drop File Uploader Addon
Active Installations: Unknown.
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53283
CVE-2025-53586 - Deserialization of Untrusted Data vulnerability in NooTheme WeMusic (noo-wemusic) allows Object Injection. This issue affects WeMusic: from n/a through <= 1.9.1.
Product: NooTheme WeMusic
Active Installations: Unknown. Update to version 1.9.2 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53586
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/noo-wemusic/vulnerability/wordpress-wemusic-theme-1-9-1-php-object-injection-vulnerability
CVE-2025-58595 - The Saad Iqbal All In One Login (change-wp-admin-login) plugin allows identity spoofing due to an authentication bypass vulnerability, impacting versions from n/a through 2.0.8.
Product: Saad Iqbal All In One Login
Active Installations: 70,000+
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-58595
CVE-2025-60195 - Incorrect Privilege Assignment vulnerability in Vito Peleg Atarim (atarim-visual-collaboration) allows Privilege Escalation. This issue affects Atarim: from n/a through <= 4.2.
Product: Vito Peleg Atarim
Active Installations: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60195
CVE-2025-62016 - Unrestricted Upload of File with Dangerous Type vulnerability in hogash Kallyas (kallyas). This issue affects Kallyas: from n/a through <= 4.22.0.
Product: hogash Kallyas
Active Installations: Unknown. Update to version 4.23.0 or later.
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62016
NVD References: https://vdp.patchstack.com/database/Wordpress/Theme/kallyas/vulnerability/wordpress-kallyas-theme-4-22-0-arbitrary-file-upload-vulnerability
CVE-2025-62047 - Case Addons is vulnerable to unrestricted upload of files with dangerous types in versions from n/a through < 1.3.0.
Product: Case-Themes Case Addons
Active Installations: Unknown. Update to version 1.3.0 or later.
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62047
CVE-2025-62064 - Elated-Themes Search & Go allows password recovery exploitation through an alternate path or channel, affecting versions from n/a through 2.7.
Product: Elated-Themes Search & Go
Active Installations: Unknown. Update to version 2.8 or later.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62064
CVE-2025-62065 - Unrestricted Upload of File with Dangerous Type vulnerability in Rometheme RTMKit (rometheme-for-elementor). This issue affects RTMKit: from n/a through <= 1.6.5.
Product: Rometheme RTMKit
Active Installations: 40,000+
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62065
CVE-2025-6325 & CVE-2025-6327 - King Addons for Elementor (KingAddons.com) allows Privilege Escalation due to an Incorrect Privilege Assignment vulnerability, affecting versions from n/a through 51.1.36 (CVE-2025-6325). It also allows the unrestricted upload of files with dangerous types, potentially allowing a web shell to be uploaded to the web server (CVE-2025-6327).
Product: KingAddons.com King Addons for Elementor
Active Installations: 10,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6325
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6327
CVE-2025-12352 - The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads allowing unauthenticated attackers to potentially execute remote code.
Product: WordPress Gravity Forms
Active Installations: Unknown. Update to version 2.9.21 or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12352
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/42525101-6196-40b9-90e7-c7f1886ef247?source=cve
CVE-2025-11170 - The cpi-wp-migration plugin for WordPress allows unauthenticated attackers to upload arbitrary files on the server, potentially leading to remote code execution.
Product: CPI plugin for WordPress (cpi-wp-migration)
Active Installations: This plugin has been closed as of November 7, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11170
NVD References: https://wordpress.org/plugins/cpi-wp-migration/
CVE-2025-12813 - The Holiday class post calendar plugin for WordPress is vulnerable to Remote Code Execution up to version 7.1 through the 'contents' parameter, allowing unauthenticated attackers to execute code on the server.
Product: WordPress Holiday class post calendar plugin
Active Installations: This plugin has been closed as of November 7, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12813
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/7f7968c4-589c-4949-9f69-4a0ba4db4ea9?source=cve
CVE-2025-12539 - The TNC Toolbox: Web Performance plugin for WordPress is vulnerable to Sensitive Information Exposure due to storing cPanel API credentials in unprotected files, allowing attackers to compromise the hosting environment.
Product: TNC Toolbox Web Performance plugin for WordPress
Active Installations: 800+
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-12539
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/2eaa5a5c-c11f-40d0-be69-c3ec8029a819?source=cve
Can you imagine having one platform that consolidates all your devices, users, software, vulnerabilities, exposures, threat intel, and security controls? Stop imagining, and start using Sevco for all the data you need to find, manage, prioritize, and remediate exposures and vulnerabilities. Better data = Better decisions.
Did you miss Cyber Solutions Fest Fall 2026? No worries, now you can see all 5 days in their entirety on demand and download all of the 40+ presentations for free.
Help the community and SANS by taking the 2026 CTI Survey: CTI empowers both practitioners and decision-makers. Share insights on how you're advancing Cyber Threat Intelligence to tackle AI-driven threats, strengthen decision-making, and demonstrate measurable value across tactical, operational, and strategic levels.
Next month, SANS CyberThreat Summit brings together the global cyber security community. Designed for security practitioners and spanning the full spectrum of offensive and defensive disciplines, the event has a strong technical emphasis, including case studies from the field and new security tools, and encourages collaboration on bleeding-edge techniques.