CVE List - 2025 / December
Showing 601 - 700 of 3706 CVEs for December 2025 (Page 7 of 38)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-11759 | 2025-12-05 | Backup, Restore and Migrate your sites with XCloner <= 4.8.2 - Cross-Site Request Forgery in Xcloner_Remote_Storage:save() |
| CVE-2025-12804 | 2025-12-05 | Booking Calendar <= 10.14.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via bookingcalendar Shortcode |
| CVE-2025-27389 | 2025-12-05 | Application Installation Source Verification Flaw May Lead to Risk Detection Bypass |
| CVE-2025-13066 | 2025-12-05 | Demo Importer Plus <= 2.0.6 - Authenticated (Author+) Arbitrary File Upload via WXR Upload Bypass |
| CVE-2025-12417 | 2025-12-05 | SurveyFunnel – Survey Plugin for WordPress <= 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode |
| CVE-2025-13494 | 2025-12-05 | SSP Debug <= 1.0.0 - Unauthenticated Sensitive Information Exposure |
| CVE-2025-13362 | 2025-12-05 | Norby AI <= 1.0.3 - Cross-Site Request Forgery to Settings Update |
| CVE-2025-13313 | 2025-12-05 | CRM Memberships <= 2.5 - Missing Authorization to Privilege Escalation via Unauthenticated Password Reset in 'ntzcrm_changepassword' AJAX Endpoint |
| CVE-2025-13006 | 2025-12-05 | SurveyFunnel – Survey Plugin for WordPress <= 1.1.5 - Unauthenticated Information Exposure |
| CVE-2025-13312 | 2025-12-05 | CRM Memberships <= 2.5 - Missing Authorization to Unauthenticated 'ntzcrm_add_new_tag' AJAX Action |
| CVE-2025-13144 | 2025-12-05 | ContentStudio <= 1.3.7 - Cross-Site Request Forgery to Settings Update |
| CVE-2025-12124 | 2025-12-05 | FitVids for WordPress <= 4.0.1 - Authenticated (Admin+) Stored Cross-Site Scripting |
| CVE-2025-13512 | 2025-12-05 | CoSign Single Signon <= 0.3.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] |
| CVE-2025-12163 | 2025-12-05 | Omnipress <= 1.6.3 - Authenticated (Author+) Stored Cross-Site Scripting |
| CVE-2025-12165 | 2025-12-05 | Webcake – Landing Page Builder <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Settings Update |
| CVE-2025-13621 | 2025-12-05 | dream gallery <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'dreampluginsmain' AJAX Action |
| CVE-2025-12368 | 2025-12-05 | Sermon Manager <= 2.30.0 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-13360 | 2025-12-05 | Quantic Social Image Hover <= 1.0.8 - Cross-Site Request Forgery to Settings Update |
| CVE-2025-13625 | 2025-12-05 | WP-SOS-Donate Donation Sidebar Plugin <= 0.9.2 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] |
| CVE-2025-12181 | 2025-12-05 | ContentStudio <= 1.3.7 - Authenticated (Author+) Arbitrary File Upload |
| CVE-2025-10055 | 2025-12-05 | Time Sheets <= 2.1.3 - Cross-Site Request Forgery |
| CVE-2025-13622 | 2025-12-05 | Jabbernotification <= 0.99-RC2 - Reflected Cross-Site Scripting via admin.php PATH_INFO |
| CVE-2025-13623 | 2025-12-05 | Twitscription <= 0.1.1 - Reflected Cross-Site Scripting via admin.php PATH_INFO |
| CVE-2025-12153 | 2025-12-05 | Featured Image via URL <= 0.1 - Authenticated (Contributor+) Arbitrary FIle Upload |
| CVE-2025-12370 | 2025-12-05 | Takeads <= 1.0.13 - Missing Authorization to Plugin Settings Deletion |
| CVE-2025-12133 | 2025-12-05 | EPROLO Dropshipping <= 2.3.1 - Missing Authorization to Authenticated (Subscriber+) Tracking Data Modification |
| CVE-2025-12128 | 2025-12-05 | Hide Categories Or Products On Shop Page <= 1.0.7 - Cross-Site Request Forgery to Settings Update |
| CVE-2025-12189 | 2025-12-05 | Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents <= 7.10.1321 - Cross-Site Request Forgery to Arbitrary File Upload |
| CVE-2025-12191 | 2025-12-05 | PDF Catalog for WooCommerce <= 1.1.18 - Authenticated (Subscriber+) Stored Cross-Site Scripting |
| CVE-2025-12190 | 2025-12-05 | Image Optimizer by wps.sk <= 1.2.0 - Cross-Site Request Forgery to Bulk Image Optimization |
| CVE-2025-12154 | 2025-12-05 | Auto Thumbnailer <= 1.0 - Authenticated (Contributor+) Arbitrary File Upload |
| CVE-2025-13860 | 2025-12-05 | Easy Jump Links Menus <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
| CVE-2025-13528 | 2025-12-05 | Feedback Modal for Website <= 1.0.1 - Missing Authorization to Unauthenticated Arbitrary Feedback Data Exfiltration via 'export_data' Parameter |
| CVE-2025-12186 | 2025-12-05 | Weekly Planner <= 1.0 - Authenticated (Admin+) Stored Cross-Site Scripting |
| CVE-2025-12373 | 2025-12-05 | Torod – The smart shipping and delivery portal for e-shops and retailers <= 1.9 - Cross-Site Request Forgery To Plugin's Settings Modification |
| CVE-2025-12354 | 2025-12-05 | Live CSS Preview <= 2.0.0 - Missing Authorization to Authenticated (Subscriber+) Settings Update |
| CVE-2025-12374 | 2025-12-05 | Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification <= 2.0.39 - Authentication Bypass to Account Takeover |
| CVE-2025-12355 | 2025-12-05 | Payaza <= 0.3.8 - Missing Authorization to Unauthenticated Order Status Update |
| CVE-2025-12093 | 2025-12-05 | Voidek Employee Portal <= 1.0.6 - Missing Authorization |
| CVE-2025-13515 | 2025-12-05 | Nouri.sh Newsletter <= 1.0.1.3 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] |
| CVE-2025-12850 | 2025-12-05 | My auctions allegro <= 3.6.32 - Unauthenticated SQL Injection via auction_id |
| CVE-2025-13684 | 2025-12-05 | ARK Related Posts <= 2.19 - Cross-Site Request Forgery to Settings Update |
| CVE-2025-12130 | 2025-12-05 | WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors <= 2.6.4 - Cross-Site Request Forgery to Vendor Product Deletion |
| CVE-2025-12851 | 2025-12-05 | My auctions allegro <= 3.6.32 - Unauthenticated Local File Inclusion via controller |
| CVE-2025-13739 | 2025-12-05 | CryptX <= 4.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-12879 | 2025-12-05 | User Generator and Importer <= 1.2.2 - Cross-Site Request Forgery to Privilege Escalation via Arbitrary Administrator Account Creation |
| CVE-2025-12876 | 2025-12-05 | Projectopia – WordPress Project Management <= 5.1.19 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion |
| CVE-2025-13678 | 2025-12-05 | Thai Lottery Widget <= 2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes |
| CVE-2025-13614 | 2025-12-05 | Cool Tag Cloud <= 2.29 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-13682 | 2025-12-05 | Trail Manager <= 1.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting |
| CVE-2025-55753 | 2025-12-05 | Apache HTTP Server: mod_md (ACME), unintended retry intervals |
| CVE-2025-59775 | 2025-12-05 | Apache HTTP Server: NTLM Leakage on Windows through UNC SSRF |
| CVE-2025-65082 | 2025-12-05 | Apache HTTP Server: CGI environment variable override |
| CVE-2025-13620 | 2025-12-05 | Wp Social Login and Register Social Counter <= 3.1.3 - Missing Authorization in Cache REST Endpoints to Social Counter Tampering |
| CVE-2025-66200 | 2025-12-05 | Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo |
| CVE-2025-13654 | 2025-12-05 | CVE-2025-13654 |
| CVE-2025-6966 | 2025-12-05 | Null-pointer dereference in python-apt TagSection.keys() |
| CVE-2025-58098 | 2025-12-05 | Apache HTTP Server: Server Side Includes adds query string to #exec cmd=... |
| CVE-2025-14085 | 2025-12-05 | youlaitech youlai-mall orders improper control of dynamically-identified variables |
| CVE-2025-14086 | 2025-12-05 | youlaitech youlai-mall openid access control |
| CVE-2025-14088 | 2025-12-05 | ketr JEPaaS load improper authorization |
| CVE-2025-14089 | 2025-12-05 | Himool ERP AdminActionViewSet update_account improper authorization |
| CVE-2025-14090 | 2025-12-05 | AMTT Hotel Broadband Operation System cardmake_down.php sql injection |
| CVE-2025-14091 | 2025-12-05 | TrippWasTaken PHP-Guitar-Shop Product Details product.php sql injection |
| CVE-2025-14092 | 2025-12-05 | Edimax BR-6478AC V3 formDebugDiagnosticRun sub_416898 os command injection |
| CVE-2025-66418 | 2025-12-05 | urllib3 allows an unbounded number of links in the decompression chain |
| CVE-2025-66471 | 2025-12-05 | urllib3 Streaming API improperly handles highly compressed data |
| CVE-2025-65036 | 2025-12-05 | XWiki Remote Macros vulnerable to remote code execution using the confluence details summary macro |
| CVE-2025-66510 | 2025-12-05 | Nextcloud Server Contacts Search allowed users to retrieve contact information of other users beyond their contact list |
| CVE-2025-14104 | 2025-12-05 | Util-linux: util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames |
| CVE-2025-66512 | 2025-12-05 | Nextcloud Server vulnerable to XSS in SVG images when opened outside of Nextcloud |
| CVE-2025-14093 | 2025-12-05 | Edimax BR-6478AC V3 formTracerouteDiagnosticRun sub_416990 os command injection |
| CVE-2025-66547 | 2025-12-05 | Nextcloud Server users can modify tags on files that do not belong to them |
| CVE-2024-9183 | 2025-12-05 | Time-of-check Time-of-use (TOCTOU) Race Condition in GitLab |
| CVE-2025-66552 | 2025-12-05 | Nextcloud Server admin_audit does not log all actions on files in groupfolders |
| CVE-2025-66511 | 2025-12-05 | Nextcloud Calendar app used predictable proposal participant tokens |
| CVE-2025-66546 | 2025-12-05 | Nextcloud Calendar app allowed booking appointments without the generated token |
| CVE-2025-66550 | 2025-12-05 | Nextcloud Calendar attachments of local files are offered to downloaded |
| CVE-2025-14094 | 2025-12-05 | Edimax BR-6478AC V3 formSysCmd sub_44CCE4 os command injection |
| CVE-2025-66513 | 2025-12-05 | Nextcloud Tables app share information not limited to relevant users |
| CVE-2020-36876 | 2025-12-05 | ReQuest Serious Play F3 Media Server <= 7.0.3 Debug Log Disclosure2020 |
| CVE-2025-66551 | 2025-12-05 | Nextcloud Tables is missing an ownership check which allows moving columns into tables of other users |
| CVE-2025-34257 | 2025-12-05 | Advantech WISE-DeviceOn Server < 5.4 Authenticated Stored XSS via action/defined |
| CVE-2025-34260 | 2025-12-05 | Advantech WISE-DeviceOn Server < 5.4 Authenticated Stored XSS via action/schedule |
| CVE-2025-34261 | 2025-12-05 | Advantech WISE-DeviceOn Server < 5.4 Authenticated Stored XSS via devicegroups/ |
| CVE-2025-34259 | 2025-12-05 | Advantech WISE-DeviceOn Server < 5.4 Authenticated Stored XSS via devicemap/building |
| CVE-2025-34258 | 2025-12-05 | Advantech WISE-DeviceOn Server < 5.4 Authenticated Stored XSS via devicemap/plan |
| CVE-2020-36877 | 2025-12-05 | ReQuest Serious Play F3 Media Server <= 7.0.3 code execution |
| CVE-2025-34262 | 2025-12-05 | Advantech WISE-DeviceOn Server < 5.4 Authenticated Stored XSS via devices/name/{agent_id} |
| CVE-2025-34264 | 2025-12-05 | Advantech WISE-DeviceOn Server < 5.4 Authenticated Stored XSS via dog/{agentId} |
| CVE-2025-34266 | 2025-12-05 | Advantech WISE-DeviceOn Server < 5.4 Authenticated Stored XSS via plugin-config/addins/menus |
| CVE-2020-36878 | 2025-12-05 | ReQuest Serious Play F3 Media Player <= 3.0.0 Directory Traversal File Disclosure |
| CVE-2025-34263 | 2025-12-05 | Advantech WISE-DeviceOn Server < 5.4 Authenticated Stored XSS via plugin-config/dashboards/menus |
| CVE-2020-36879 | 2025-12-05 | Flexsense DiskBoss Service Unquoted Service Path Vulnerability |
| CVE-2025-66553 | 2025-12-05 | Nextcloud Tables app allowed users to view columns metadata information of any table |
| CVE-2025-34265 | 2025-12-05 | Advantech WISE-DeviceOn Server < 5.4 Authenticated Stored XSS via rule-engines |
| CVE-2025-34256 | 2025-12-05 | Advantech WISE-DeviceOn Server < 5.4 Hard-coded JWT Key Authentication Bypass |
| CVE-2020-36880 | 2025-12-05 | Flexsense DiskBoss 'Reports and Data Directory' Buffer Overflow |
| CVE-2020-36881 | 2025-12-05 | Flexsense DiskBoss 'Add Input Directory' Buffer Overflow |
| CVE-2025-66548 | 2025-12-05 | Nextcloud Deck app allows to spoof file extensions by using RTLO characters |