VULNMAP - Security Vulnerabilities

CVE List - 2025 / December

Showing 3501 - 3600 of 3706 CVEs for December 2025 (Page 36 of 38)

CVE ID Date Title
CVE-2025-66074 2025-12-18 WordPress WP Webhooks plugin <= 3.3.8 - Arbitrary File Upload vulnerability
CVE-2025-66078 2025-12-18 WordPress Hotel Booking Lite plugin <= 5.2.3 - Remote Code Execution (RCE) vulnerability
CVE-2025-66088 2025-12-18 WordPress PropertyHive plugin <= 2.1.12 - Broken Access Control vulnerability
CVE-2025-66100 2025-12-18 WordPress RestroPress plugin <= 3.2.3.5 - Broken Access Control vulnerability
CVE-2025-66102 2025-12-18 WordPress FV Antispam plugin <= 2.7 - Cross Site Scripting (XSS) vulnerability
CVE-2025-66104 2025-12-18 WordPress Offload, AI & Optimize with Cloudflare Images plugin <= 1.9.5 - Broken Access Control vulnerability
CVE-2025-66116 2025-12-18 WordPress Ultimate Member Widgets for Elementor plugin <= 2.3 - Sensitive Data Exposure vulnerability
CVE-2025-66117 2025-12-18 WordPress Easy Form plugin <= 2.7.8 - Broken Access Control vulnerability
CVE-2025-66118 2025-12-18 WordPress Sprout Clients plugin <= 3.2.1 - Cross Site Scripting (XSS) vulnerability
CVE-2025-66119 2025-12-18 WordPress Hostel plugin <= 1.1.5.9 - Cross Site Scripting (XSS) vulnerability
CVE-2025-67546 2025-12-18 WordPress WP ERP plugin <= 1.16.6 - Sensitive Data Exposure vulnerability
CVE-2025-14318 2025-12-18 Improper access validation in M-Files Server
CVE-2025-14874 2025-12-18 Nodemailer: nodemailer: denial of service via crafted email address header
CVE-2025-64997 2025-12-18 Insufficient permission validation when showing agent information
CVE-2025-13641 2025-12-18 Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 3.59.12 - Authenticated (Contributor+) Local File Inclusion via 'template'
CVE-2025-13730 2025-12-18 OpenID Connect Generic Client <= 3.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
CVE-2025-14364 2025-12-18 Demo Importer Plus <= 2.0.8 - Missing Authorization to Authenticated (Subscriber+) Site Reset and Privilege Escalation
CVE-2025-40602 2025-12-18 A local privilege escalation vulnerability due to insufficient authorization in the SonicWall SMA1000 appliance management console (AMC).
CVE-2025-10910 2025-12-18 Gaining remote control over Govee devices
CVE-2025-14277 2025-12-18 Prime Slider – Addons for Elementor <= 4.0.9 - Authenticated (Subscriber+) Server-Side Request Forgery
CVE-2025-14618 2025-12-18 Sweet Energy Efficiency <= 1.0.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Graph Deletion
CVE-2025-14437 2025-12-18 Hummingbird <= 3.18.0 - Unauthenticated Sensitive Information Exposure via Log File
CVE-2025-13110 2025-12-18 HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.3 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_subscr'
CVE-2025-40891 2025-12-18 HTML injection in in Time Machine functionality in Guardian/CMC before 25.5.0
CVE-2025-40892 2025-12-18 Stored Cross-Site Scripting (XSS) in Reports in Guardian/CMC before 25.5.0
CVE-2025-40893 2025-12-18 HTML injection in Asset List in Guardian/CMC before 25.5.0
CVE-2025-40898 2025-12-18 Path traversal in Import Arc data archive functionality in Guardian/CMC before 25.5.0
CVE-2025-65000 2025-12-18 Exposure of SSH Private Keys in Remote Alert Handlers (Linux) Rule
CVE-2025-9787 2025-12-18 Stored XSS
CVE-2025-1029 2025-12-18 Hardcoded Credentials in Utarit Informatics' SoliClub
CVE-2025-14744 2025-12-18 Filename spoofing via Unicode Right-to-Left Override in Firefox for iOS
CVE-2025-14860 2025-12-18 Use-after-free in the Disability Access APIs component
CVE-2025-14861 2025-12-18 Memory safety bugs fixed in Firefox 146.0.1
CVE-2025-64461 2025-12-18 Out of Bounds Write in mgocre_SH_25_3!RevBL() in NI LabVIEW
CVE-2025-1030 2025-12-18 Sensitive Data Exposure in Utarit Informatics' SoliClub
CVE-2025-64462 2025-12-18 Out-of-Bounds Read in LVResFile::RGetMemFileHandle() in NI LabVIEW
CVE-2025-1031 2025-12-18 IDOR in Utarit Informatics' SoliClub
CVE-2025-64463 2025-12-18 Out-of-Bounds Read in LVResource::DetachResource() in NI LabVIEW
CVE-2025-64464 2025-12-18 Out-of-Bounds Read in lvre!VisaWriteFromFile() in NI LabVIEW
CVE-2025-64465 2025-12-18 Out-of-Bounds Read in lvre!DataSizeTDR() in NI LabVIEW
CVE-2025-64466 2025-12-18 Out-of-Bounds Read in lvre!ExecPostedProcRecPost() in NI LabVIEW
CVE-2025-64467 2025-12-18 Out-of-Bounds Read in LVResFile::FindRsrcListEntry() in NI LabVIEW
CVE-2025-7047 2025-12-18 Missing Authorization in Utarit Informatics' SoliClub
CVE-2025-7358 2025-12-18 Use of Hard-coded Credentials in Utarit Informatics' SoliClub
CVE-2025-64468 2025-12-18 Use-after-Free in sentry!sentry_span_set_data() in NI LabVIEW
CVE-2025-64469 2025-12-18 Stack-based Buffer Overflow in LVResource::DetachResource() in NI LabVIEW
CVE-2025-68323 2025-12-18 usb: typec: ucsi: fix use-after-free caused by uec->work
CVE-2025-68324 2025-12-18 scsi: imm: Fix use-after-free bug caused by unfinished delayed work
CVE-2025-68325 2025-12-18 net/sched: sch_cake: Fix incorrect qlen reduction in cake_drop
CVE-2025-65007 2025-12-18 Missing Authentication for Critical Function in WODESYS WD-R608U router
CVE-2025-65008 2025-12-18 OS Command Injection in WODESYS WD-R608U router
CVE-2025-65009 2025-12-18 Insecure Password Storage in WODESYS WD-R608U router
CVE-2025-65010 2025-12-18 Missing authorizations for admin panel password change in WODESYS WD-R608U router
CVE-2025-65011 2025-12-18 Unauthorized Access to files in WODESYS WD-R608U router
CVE-2025-64723 2025-12-18 Arduino IDE for macOS has TCC Bypass via Dynamic Library Injection
CVE-2025-64724 2025-12-18 Arduino IDE for macOS has Insecure File Permissions
CVE-2025-68278 2025-12-18 tinacms vulnerable to arbitrary code execution
CVE-2025-68469 2025-12-18 ImageMagick vulnerable to heap-buffer-overflow
CVE-2025-14823 2025-12-18 Certificate Signing Extension Returns Encrypted Values
CVE-2025-14877 2025-12-18 Campcodes Supplier Management System add_retailer.php sql injection
CVE-2025-14878 2025-12-18 Tenda WH450 HTTP Request wirelessRestart stack-based overflow
CVE-2025-66058 2025-12-18 WordPress Post Grid and Gutenberg Blocks plugin <= 2.3.17 - Broken Access Control vulnerability
CVE-2025-64355 2025-12-18 WordPress JetElements For Elementor plugin <= 2.7.12 - Cross Site Scripting (XSS) vulnerability
CVE-2025-64282 2025-12-18 WordPress Radius Blocks plugin <= 2.2.1 - Insecure Direct Object References (IDOR) vulnerability
CVE-2025-14896 2025-12-18 due to insufficient sanitazation in Vega’s `convert()` function when `safeMode` is enabled and the spec variable is an array. An attacker can craft a malicious Vega diagram specification that will...
CVE-2025-64236 2025-12-18 WordPress Tuturn plugin < 3.6 - Broken Authentication vulnerability
CVE-2025-64235 2025-12-18 WordPress Tuturn plugin < 3.6 - Arbitrary File Download vulnerability
CVE-2025-63043 2025-12-18 WordPress Post Grid and Gutenberg Blocks plugin <= 2.3.19 - Insecure Direct Object References (IDOR) vulnerability
CVE-2025-63002 2025-12-18 WordPress Sermon Manager plugin <= 2.30.0 - Broken Access Control vulnerability
CVE-2025-62998 2025-12-18 WordPress WP AI CoPilot plugin <= 1.2.7 - Sensitive Data Exposure vulnerability
CVE-2025-62961 2025-12-18 WordPress Sparkle FSE theme <= 1.0.9 - Broken Access Control vulnerability
CVE-2025-62960 2025-12-18 WordPress Construction Light theme <= 1.6.7 - Broken Access Control vulnerability
CVE-2025-14879 2025-12-18 Tenda WH450 HTTP Request onSSIDChange stack-based overflow
CVE-2025-14884 2025-12-18 D-Link DIR-605 Firmware Update Service command injection
CVE-2025-14737 2025-12-18 Command Injection Vulnerability in TP-Link WA850RE
CVE-2025-14738 2025-12-18 Configuration Disclosure Vulnerability in TP-Link WA850RE
CVE-2025-14739 2025-12-18 Uninitialized Pointer Vulnerability in TP-Link WR940N and WR941ND
CVE-2025-59949 2025-12-18 FreshRSS has Logout CSRF that Leads to DoS via <track src>
CVE-2025-14885 2025-12-18 SourceCodester Client Database Management System Leads Generation user_leads.php unrestricted upload
CVE-2025-67745 2025-12-18 Myhoard logs backup encryption key in plain text
CVE-2025-64400 2025-12-18 Insufficient permission checks when pre-enrolling users Summary
CVE-2019-25228 2025-12-18 Kentico Xperience <= 12.0.47 Virtual Context Information Disclosure
CVE-2019-25229 2025-12-18 Kentico Xperience <= 12.0.29 MVC Forms Unrestricted File Upload
CVE-2019-25230 2025-12-18 Kentico Xperience <= 12.0.0 User Widget Information Disclosure
CVE-2020-36889 2025-12-18 Kentico Xperience <= 12.0.90 Administration Interface Stored XSS
CVE-2020-36890 2025-12-18 Kentico Xperience <= 10 Administrator Access Control Bypass
CVE-2020-36891 2025-12-18 Kentico Xperience <= 12.0.49 File Upload Stored XSS
CVE-2021-47711 2025-12-18 Kentico Xperience <= 13.0.52 Online Marketing Macros SQL Injection
CVE-2021-47712 2025-12-18 Kentico Xperience <= 12.0.102 URL Hashing Cryptography Vulnerability
CVE-2022-50680 2025-12-18 Kentico Xperience <= 13.0.92 Email Marketing Stored XSS
CVE-2022-50681 2025-12-18 Kentico Xperience <= 13.0.88 Rich Text Editor Reflected XSS
CVE-2022-50682 2025-12-18 Kentico Xperience <= 13.0.79 Routing Engine CRLF Injection
CVE-2022-50683 2025-12-18 Kentico Xperience <= 13.0.74 Form Configuration Stored XSS
CVE-2022-50684 2025-12-18 Kentico Xperience <= 13.0.71 Form Emails HTML Injection
CVE-2022-50685 2025-12-18 Kentico Xperience <= 13.0.56 File Upload Stored XSS
CVE-2022-50686 2025-12-18 Kentico Xperience <= 12.0 Portal Engine Form Control Information Disclosure
CVE-2023-53736 2025-12-18 Kentico Xperience <= 13.0.120 Administration Interface Reflected XSS
CVE-2023-53737 2025-12-18 Kentico Xperience <= 13.0.101 Localization Application Stored XSS
CVE-2023-53738 2025-12-18 Kentico Xperience <= 13.0.109 Page Preview Reflected XSS
CVE-2023-53934 2025-12-18 Kentico Xperience <= 12.0.98 GetResource Handler Denial of Service