CVE List - 2025 / December
Showing 2201 - 2300 of 3706 CVEs for December 2025 (Page 23 of 38)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-67779 | 2025-12-11 | It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components... |
| CVE-2023-29144 | 2025-12-12 | Malwarebytes 1.0.14 for Linux doesn't properly compute signatures in some scenarios. This allows a bypass of detection. |
| CVE-2025-64011 | 2025-12-12 | Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by... |
| CVE-2025-65530 | 2025-12-12 | An eval injection in the malware de-obfuscation routines of CloudLinux ai-bolit before v32.7.4 allows attackers to overwrite arbitrary files as root via scanning a crafted file. |
| CVE-2025-65854 | 2025-12-12 | Insecure permissions in the scheduled tasks feature of MineAdmin v3.x allow attackers to execute arbitrary commands and perform a full account takeover. |
| CVE-2025-66430 | 2025-12-12 | Plesk 18.0 has Incorrect Access Control. |
| CVE-2025-67341 | 2025-12-12 | jshERP versions 3.5 and earlier are affected by a stored XSS vulnerability. This vulnerability allows attackers to upload PDF files containing XSS payloads. Additionally, these PDF files can be accessed... |
| CVE-2025-67342 | 2025-12-12 | RuoYi versions 4.8.1 and earlier are affected by a stored XSS vulnerability in the /system/menu/edit endpoint. While the endpoint is protected by an XSS filter, the protection can be bypassed... |
| CVE-2025-67344 | 2025-12-12 | jshERP v3.5 and earlier are affected by a stored Cross Site Scripting (XSS) vulnerability via the /msg/add endpoint. |
| CVE-2025-67818 | 2025-12-12 | An issue was discovered in Weaviate OSS before 1.33.4. An attacker with access to insert data into the database can craft an entry name with an absolute path (e.g., /etc/...)... |
| CVE-2025-67819 | 2025-12-12 | An issue was discovered in Weaviate OSS before 1.33.4. Due to a lack of validation of the fileName field in the transfer logic, an attacker who can call the GetFile... |
| CVE-2025-10451 | 2025-12-12 | H19Int15CallbackSmm: SMM memory corruption vulnerability in combined DXE/SMM (SMRAM write) |
| CVE-2025-13665 | 2025-12-12 | Quartus Prime Standard Security Advisory |
| CVE-2025-13839 | 2025-12-12 | LJUsers <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute |
| CVE-2025-13886 | 2025-12-12 | LT Unleashed <= 1.1.1 - Authenticated (Contributor+) Local File Inclusion via 'template' Parameter |
| CVE-2025-13669 | 2025-12-12 | High Level Synthesis Compiler Security Advisory |
| CVE-2025-13052 | 2025-12-12 | An improper certificate validation vulnerability was found in the Notification settings of ADM |
| CVE-2025-13670 | 2025-12-12 | High Level Synthesis Compiler Security Advisory |
| CVE-2025-13053 | 2025-12-12 | A missing encryption of sensitive data vulnerability was found in the UPS settings of ADM |
| CVE-2025-14162 | 2025-12-12 | BMLT WordPress Plugin <= 3.11.4 - Cross-Site Request Forgery to Settings Creation and Deletion |
| CVE-2025-13866 | 2025-12-12 | Flow-Flow Social Feed Stream 3.0.0 - 4.7.5 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via flow_flow_social_auth AJAX action |
| CVE-2025-14170 | 2025-12-12 | Vimeo SimpleGallery <= 0.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification |
| CVE-2025-13889 | 2025-12-12 | Simple Nivo Slider <= 0.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
| CVE-2025-14467 | 2025-12-12 | WP Job Portal <= 2.3.9 - Authenticated (Editor+) Stored Cross-Site Scripting via Job Description Field |
| CVE-2025-14064 | 2025-12-12 | BuddyTask <= 1.3.0 - Missing Authorization to Authenticated (Subscriber+) Cross-Group Task Board Access and Manipulation |
| CVE-2025-13972 | 2025-12-12 | WatchTowerHQ <= 3.15.0 - Authenticated (Administrator+) Arbitrary File Read via 'wht_download_big_object_origin' Parameter |
| CVE-2025-14143 | 2025-12-12 | Ayo Shortcodes <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'color' Shortcode Attribute |
| CVE-2025-14393 | 2025-12-12 | Wpik WordPress Basic Ajax Form <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-14125 | 2025-12-12 | Complag <= 1.0.2 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] |
| CVE-2025-13989 | 2025-12-12 | WP Dropzone <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'callback' Shortcode Attribute |
| CVE-2025-14129 | 2025-12-12 | Like DisLike Voting <= 1.0.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] |
| CVE-2025-14048 | 2025-12-12 | SimplyConvert <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'simplyconvert_hash' Option |
| CVE-2025-12883 | 2025-12-12 | Campay Woocommerce Payment Gateway <= 1.2.2 - Unauthenticated Payment Bypass |
| CVE-2025-14344 | 2025-12-12 | Multi Uploader for Gravity Forms <= 1.1.7 - Unauthenticated Arbitrary File Deletion |
| CVE-2025-13408 | 2025-12-12 | Foxtool All-in-One: Contact chat button, Custom login, Media optimize images <= 2.5.2 - Cross-Site Request Forgery to Google OAuth Connection |
| CVE-2025-12824 | 2025-12-12 | Player Leaderboard 1.0.0 - 1.0.2 - Authenticated (Contributor+) Local File Inclusion |
| CVE-2025-12968 | 2025-12-12 | Infility Global <= 2.14.23 - Authenticated (Subscriber+) Arbitrary File Upload |
| CVE-2025-14045 | 2025-12-12 | URL Media Uploader <= 1.0.1 - Missing Authorization to Authenticated (Contributor+) Safe File Upload |
| CVE-2025-13904 | 2025-12-12 | WPGancio <= 1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
| CVE-2025-14158 | 2025-12-12 | Coding Blocks <= 1.1.0 - Cross-Site Request Forgery to Settings Update |
| CVE-2025-14119 | 2025-12-12 | App Landing Template Blocks for WPBakery Page Builder <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
| CVE-2025-14166 | 2025-12-12 | WPMasterToolKit (WPMTK) <= 2.13.0 - Authenticated (Contributor+) Code Injection |
| CVE-2025-14044 | 2025-12-12 | Visitor Logic Lite <= 1.0.3 - Unauthenticated PHP Object Injection via 'lpblocks' Cookie |
| CVE-2025-12783 | 2025-12-12 | Premmerce Brands for WooCommerce <= 1.2.13 - Missing Authorization To Authenticated (Subscriber+) Brand Permalink Settings Update |
| CVE-2025-13363 | 2025-12-12 | IMAQ Core <= 1.2.1 - Cross-Site Request Forgery to URL Structure Update |
| CVE-2025-13846 | 2025-12-12 | Easy Map Creator <= 3.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
| CVE-2025-14165 | 2025-12-12 | Kirim.Email WooCommerce Integration <= 1.2.9 - Cross-Site Request Forgery to Settings Update |
| CVE-2025-14354 | 2025-12-12 | Resource Library for Logged In Users <= 1.4 - Cross-Site Request Forgery to Multiple Administrative Actions |
| CVE-2025-14161 | 2025-12-12 | Truefy Embed <= 1.1.0 - Cross-Site Request Forgery to 'truefy_embed_options_update' Settings Update |
| CVE-2025-13969 | 2025-12-12 | Reviews Sorted <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'space' Shortcode Attribute |
| CVE-2025-14032 | 2025-12-12 | Bold Timeline Lite <= 1.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Parameter in 'bold_timeline_group' Shortcode |
| CVE-2025-14392 | 2025-12-12 | Simple Theme Changer <= 1.0 - Missing Authorization to Plugin Settings Update via AJAX Actions |
| CVE-2025-13440 | 2025-12-12 | Premmerce Wishlist for WooCommerce <= 1.1.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Wishlist Deletion |
| CVE-2025-13320 | 2025-12-12 | WP User Manager <= 2.9.12 - Authenticated (Subscriber+) Arbitrary File Deletion via 'current_user_avatar' Parameter |
| CVE-2025-13960 | 2025-12-12 | GPXpress <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
| CVE-2025-13840 | 2025-12-12 | BUKAZU Search widget <= 3.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'shortcode' Shortcode Attribute |
| CVE-2025-14035 | 2025-12-12 | DebateMaster <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Color Options via 'debate' Shortcode |
| CVE-2025-13884 | 2025-12-12 | Hide Email Address <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
| CVE-2025-13961 | 2025-12-12 | Data Visualizer <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
| CVE-2025-13966 | 2025-12-12 | Paypal Payment Shortcode <= 1.01 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'buttom_image' Shortcode Attribute |
| CVE-2025-13988 | 2025-12-12 | 评论小秘书 <= 1.3.2 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] |
| CVE-2025-13906 | 2025-12-12 | WP Flot <= 0.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
| CVE-2025-13971 | 2025-12-12 | TWW Protein Calculator <= 1.0.24 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Header' Setting |
| CVE-2025-14132 | 2025-12-12 | Category Dropdown List <= 1.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] |
| CVE-2025-12963 | 2025-12-12 | LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart <= 1.2.29 - Missing Authorization to Unauthenticated Privilege Escalation |
| CVE-2025-14062 | 2025-12-12 | Animated Pixel Marquee Creator <= 1.0.0 - Cross-Site Request Forgery via 'marquee' Parameter |
| CVE-2025-13885 | 2025-12-12 | Zenost Shortcodes <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
| CVE-2025-13314 | 2025-12-12 | Product Filtering by Categories, Tags, Price Range for WooCommerce <= 1.1.5 - Missing Authorization to Unauthenticated Plugin Settings Modification |
| CVE-2025-13987 | 2025-12-12 | Purchase and Expense Manager <= 1.1.2 - Cross-Site Request Forgery to Arbitrary Purchase Record Deletion |
| CVE-2025-13962 | 2025-12-12 | Divelogs Widget <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
| CVE-2025-13963 | 2025-12-12 | FX Currency Converter <= 0.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
| CVE-2025-14160 | 2025-12-12 | Upcoming for Calendly <= 1.2.4 - Cross-Site Request Forgery to Settings Update |
| CVE-2025-12830 | 2025-12-12 | Better Elementor Addons <= 1.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Slider Widget |
| CVE-2025-13334 | 2025-12-12 | Blaze Demo Importer 1.0.0 - 1.0.13 - Missing Authorization to Authenticated (Subscriber+) Database Reset and File Deletion |
| CVE-2025-12834 | 2025-12-12 | Accept Stripe Payments Using Contact Form 7 <= 3.1 - Reflected Cross-Site Scripting via failure_message |
| CVE-2025-12650 | 2025-12-12 | Simple post listing <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode |
| CVE-2025-14137 | 2025-12-12 | Simple AL Slider <= 1.2.10 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] |
| CVE-2025-13850 | 2025-12-12 | LS Google Map Router <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
| CVE-2025-13747 | 2025-12-12 | NewStatPress <= 1.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-13366 | 2025-12-12 | Rabbit Hole <= 1.1 - Cross-Site Request Forgery to Settings Reset |
| CVE-2025-14391 | 2025-12-12 | Simple Theme Changer <= 1.0 - Cross-Site Request Forgery to Arbitrary Theme Switcher Configuration Update |
| CVE-2025-13843 | 2025-12-12 | VigLink SpotLight By ShortCode <= 1.0.a - Authenticated (Contributor+) Stored Cross-Site Scripting via 'float' Shortcode Attribute |
| CVE-2025-13975 | 2025-12-12 | Contact Form 7 with ChatWork <= 1.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'api_token' and 'roomid' Settings |
| CVE-2025-14138 | 2025-12-12 | WPLG Default Mail From <= 1.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] |
| CVE-2025-66492 | 2025-12-12 | Masa CMS vulnerable to Cross-Site Scripting (XSS) through URL Parameter |
| CVE-2025-54407 | 2025-12-12 | Stored cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If a user accesses a crafted page... |
| CVE-2025-53523 | 2025-12-12 | Stored cross-site scripting vulnerabilities exist in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. A logged-in user can prepare a malicious... |
| CVE-2025-66284 | 2025-12-12 | Stored cross-site scripting vulnerabilities exist in GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1. A logged-in user can prepare a malicious... |
| CVE-2025-57883 | 2025-12-12 | Reflected cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If a user accesses a crafted page... |
| CVE-2025-65120 | 2025-12-12 | Reflected cross-site scripting vulnerability exists in GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1. If a user accesses a crafted page... |
| CVE-2025-61950 | 2025-12-12 | In GroupSession, a Circular notice can be created with its memo field non-editable, but the authorization check is improperly implemented. With a crafted request, a logged-in user may alter the... |
| CVE-2025-61987 | 2025-12-12 | GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2 do not validate origins in WebSockets. If a user accesses a crafted page,... |
| CVE-2025-58576 | 2025-12-12 | Cross-site request forgery vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If a user accesses a malicious page... |
| CVE-2025-62192 | 2025-12-12 | SQL Injection vulnerability exists in GroupSession Free edition prior to ver5.3.0, GroupSession byCloud prior to ver5.3.3, and GroupSession ZION prior to ver5.3.2. If exploited, information stored in the database may... |
| CVE-2025-64781 | 2025-12-12 | In GroupSession Free edition prior to ver5.7.1, GroupSession byCloud prior to ver5.7.1, and GroupSession ZION prior to ver5.7.1, "External page display restriction" is set to "Do not limit" in the... |
| CVE-2025-67508 | 2025-12-12 | gardenctl is vulnerable to Command Injection when used with non-POSIX shells |
| CVE-2025-67724 | 2025-12-12 | Tornado vulnerable to Header Injection and XSS via reason argument |
| CVE-2025-67725 | 2025-12-12 | Tornado is Vulnerable to Quadratic DoS via Repeated Header Coalescing |
| CVE-2025-10684 | 2025-12-12 | Construction Light < 1.6.8 - Subscriber+ Arbitrary Plugin Activation |
| CVE-2025-67726 | 2025-12-12 | Tornado is Vulnerable to Quadratic DoS via Crafted Multipart Parameters |