CVE List - 2025 / February
Showing 2201 - 2300 of 3676 CVEs for February 2025 (Page 23 of 37)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-1510 | 2025-02-22 | Custom Post Type Date Archives <= 2.7.1 - Missing Authorization to Unauthenticated Arbitrary Shortcode Execution |
| CVE-2024-13899 | 2025-02-22 | Mambo Importer <= 1.0 - Authenticated (Administrator+) PHP Object Injection |
| CVE-2024-13474 | 2025-02-22 | LTL Freight Quotes – Purolator Edition <= 2.2.3 - Unauthenticated SQL Injection |
| CVE-2024-13798 | 2025-02-22 | Post Grid and Gutenberg Blocks – ComboBlocks <= 2.3.5 - Unauthenticated Paid Order Creation |
| CVE-2024-12467 | 2025-02-22 | Pago por Redsys <= 1.0.12 - Reflected Cross-Site Scripting |
| CVE-2024-12038 | 2025-02-22 | Frontend Content Forms for User Submissions (UGC) <= 2.8.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'buddyforms_nav' Shortcode |
| CVE-2024-13564 | 2025-02-22 | Rife Elementor Extensions & Templates <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Writing Effect Headline Shortcode |
| CVE-2025-1361 | 2025-02-22 | IP2Location Country Blocker <= 2.38.8 - Missing Authorization to Unauthenticated Information Exposure via admin_init Function |
| CVE-2025-1553 | 2025-02-22 | pankajindevops scale project cross site scripting |
| CVE-2025-21704 | 2025-02-22 | usb: cdc-acm: Check control transfer buffer size before access |
| CVE-2025-1556 | 2025-02-22 | westboy CicadasCMS Template Management system deserialization |
| CVE-2024-13869 | 2025-02-22 | Migration, Backup, Staging – WPvivid <= 0.9.112 - Authenticated (Admin+) Arbitrary File Upload via wpvivid_upload_file |
| CVE-2025-0918 | 2025-02-22 | SMTP for SendGrid – YaySMTP <= 1.3.1 - Unauthenticated Stored Cross-Site Scripting via Email Logs |
| CVE-2025-0953 | 2025-02-22 | SMTP for Sendinblue – YaySMTP <= 1.1.1 - Unauthenticated Stored Cross-Site Scripting via Email Logs |
| CVE-2025-1557 | 2025-02-22 | OFCMS cross-site request forgery |
| CVE-2025-0957 | 2025-02-22 | Vulnerability: SMTP for Amazon SES <= 1.7.1 - Unauthenticated Stored Cross-Site Scripting via Email Logs |
| CVE-2024-46975 | 2025-02-22 | GPU DDK - rgxfw_write_robustness_buffer allows arbitrary catreg set mapping |
| CVE-2024-47896 | 2025-02-22 | GPU DDK - rgxfw_hwr_log_info OOB write via psHWRInfoBuf->ui32WriteIndex |
| CVE-2024-52939 | 2025-02-22 | GPU DDK - RGXFWIF_HWPERF_CTL_BLK.uiNumCounters OOB write |
| CVE-2024-12577 | 2025-02-22 | GPU DDK - rgxfw_pcset_ungrab OOB write via psFWMemContext->uiPageCatBaseRegSet |
| CVE-2025-26750 | 2025-02-22 | WordPress Vitepos Plugin <= 3.1.3 - Broken Access Control vulnerability |
| CVE-2025-26756 | 2025-02-22 | WordPress Magic the Gathering Card Tooltips plugin <= 3.5.0 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-26973 | 2025-02-22 | WordPress Social Warfare Plugin <= 4.5.4 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-27012 | 2025-02-22 | WordPress A1POST.BG Shipping for Woo plugin <= 1.5.1 - CSRF to Privilege Escalation vulnerability |
| CVE-2025-26757 | 2025-02-22 | WordPress FULL – Cliente plugin <= 3.1.26 - Local File Inclusion vulnerability |
| CVE-2025-26760 | 2025-02-22 | WordPress Calculator Builder plugin <= 1.6.2 - Local File Inclusion vulnerability |
| CVE-2025-26763 | 2025-02-22 | WordPress Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider Plugin <= 3.94.0 - PHP Object Injection vulnerability |
| CVE-2025-26764 | 2025-02-22 | WordPress Distance Based Shipping Calculator plugin <= 2.0.22 - Settings Change vulnerability |
| CVE-2025-26774 | 2025-02-22 | WordPress Responsive Modal Builder for High Conversion – Easy Popups plugin <= 1.5.0 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-26776 | 2025-02-22 | WordPress Chaty Pro Plugin <= 3.3.3 - Arbitrary File Upload vulnerability |
| CVE-2022-28339 | 2025-02-22 | Trend Micro HouseCall for Home Networks version 5.3.1302 and below contains an uncontrolled search patch element vulnerability that could allow an attacker with low user privileges to create a malicious... |
| CVE-2025-1575 | 2025-02-23 | Harpia DiagSystem atualatendimento_jpeg.php resource injection |
| CVE-2025-1576 | 2025-02-23 | code-projects Real Estate Property Management System ajax_state.php sql injection |
| CVE-2024-13728 | 2025-02-23 | Accept Donations with PayPal & Stripe <= 1.4.4 - Reflected Cross-Site Scripting |
| CVE-2025-1577 | 2025-02-23 | code-projects Blood Bank System prostatus.php cross site scripting |
| CVE-2025-1578 | 2025-02-23 | PHPGurukul/Campcodes Online Shopping Portal search-result.php sql injection |
| CVE-2025-1579 | 2025-02-23 | code-projects Blood Bank System user.php cross site scripting |
| CVE-2025-1580 | 2025-02-23 | PHPGurukul Nipah Virus Testing Management System search-report-result.php sql injection |
| CVE-2025-1581 | 2025-02-23 | PHPGurukul Online Nurse Hiring System book-nurse.php sql injection |
| CVE-2025-1582 | 2025-02-23 | PHPGurukul Online Nurse Hiring System all-request.php sql injection |
| CVE-2025-1583 | 2025-02-23 | PHPGurukul Online Nurse Hiring System search-report-details.php sql injection |
| CVE-2025-1584 | 2025-02-23 | opensolon Solon StaticMappings.java path traversal |
| CVE-2025-1585 | 2025-02-23 | otale header.html OptionsService cross site scripting |
| CVE-2025-1586 | 2025-02-23 | code-projects Blood Bank System A-.php cross site scripting |
| CVE-2025-1587 | 2025-02-23 | SourceCodester Telecom Billing Management System Add New Record main.cpp addrecords buffer overflow |
| CVE-2025-1467 | 2025-02-23 | Versions of the package tarteaucitronjs before 1.17.0 are vulnerable to Cross-site Scripting (XSS) via the getElemWidth() and getElemHeight(). This is related to [SNYK-JS-TARTEAUCITRONJS-8366541](https://security.snyk.io/vuln/SNYK-JS-TARTEAUCITRONJS-8366541) |
| CVE-2025-1588 | 2025-02-23 | PHPGurukul Online Nurse Hiring System manage-nurse.php path traversal |
| CVE-2025-1589 | 2025-02-23 | SourceCodester E-Learning System User Registration register.php cross site scripting |
| CVE-2025-1590 | 2025-02-23 | SourceCodester E-Learning System List of Lessons Page index.php unrestricted upload |
| CVE-2025-1591 | 2025-02-23 | SourceCodester Employee Management System Department Page department.php cross site scripting |
| CVE-2025-1592 | 2025-02-23 | SourceCodester Best Employee Management System Add Role Page Role.php cross site scripting |
| CVE-2025-1593 | 2025-02-23 | SourceCodester Best Employee Management System Profile Picture unrestricted upload |
| CVE-2025-1594 | 2025-02-23 | FFmpeg AAC Encoder aacenc_tns.c ff_aac_search_for_tns stack-based overflow |
| CVE-2025-1595 | 2025-02-23 | Anhui Xufan Information Technology EasyCVR getbaseconfig information disclosure |
| CVE-2025-22631 | 2025-02-23 | WordPress Marketing Automation Plugin <= 1.2.6.8 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-22632 | 2025-02-23 | WordPress WooCommerce Pricing – Product Pricing plugin <= 1.0.9 - Cross Site Scripting (XSS) vulnerability |
| CVE-2025-22633 | 2025-02-23 | WordPress Give – Divi Donation Modules plugin <= 2.0.0 - Sensitive Data Exposure vulnerability |
| CVE-2025-22635 | 2025-02-23 | WordPress Eventer - WordPress Event & Booking Manager Plugin plugin < 3.9.9 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2025-1596 | 2025-02-23 | SourceCodester Best Church Management Software fpassword.php sql injection |
| CVE-2025-1597 | 2025-02-23 | SourceCodester Best Church Management Software redirect.php cross site scripting |
| CVE-2025-1598 | 2025-02-23 | SourceCodester Best Church Management Software asset_crud.php unrestricted upload |
| CVE-2024-53542 | 2025-02-24 | Incorrect access control in the component /iclock/Settings?restartNCS=1 of NovaCHRON Zeitsysteme GmbH & Co. KG Smart Time Plus v8.x to v8.6 allows attackers to arbitrarily restart the NCServiceManger via a crafted... |
| CVE-2024-53543 | 2025-02-24 | NovaCHRON Zeitsysteme GmbH & Co. KG Smart Time Plus v8.x to v8.6 was discovered to contain a SQL injection vulnerability via the addProject method in the smarttimeplus/MySQLConnection endpoint. |
| CVE-2024-53544 | 2025-02-24 | NovaCHRON Zeitsysteme GmbH & Co. KG Smart Time Plus v8.x to v8.6 was discovered to contain a SQL injection vulnerability via the getCookieNames method in the smarttimeplus/MySQLConnection endpoint. |
| CVE-2024-54820 | 2025-02-24 | XOne Web Monitor v02.10.2024.530 framework 1.0.4.9 was discovered to contain a SQL injection vulnerability in the login page. This vulnerability allows attackers to extract all usernames and passwords via a... |
| CVE-2024-56525 | 2025-02-24 | In Public Knowledge Project (PKP) OJS, OMP, and OPS before 3.3.0.21 and 3.4.x before 3.4.0.8, an XXE attack by the Journal Editor Role can create a new role as super... |
| CVE-2024-56897 | 2025-02-24 | Improper access control in the HTTP server in YI Car Dashcam v3.88 allows unrestricted file downloads, uploads, and API commands. API commands can also be made to make unauthorized modifications... |
| CVE-2024-57026 | 2025-02-24 | TawkTo Widget Version <= 1.3.7 is vulnerable to Cross Site Scripting (XSS) due to processing user input in a way that allows JavaScript execution. |
| CVE-2024-57608 | 2025-02-24 | An issue in Via Browser 6.1.0 allows a a remote attacker to execute arbitrary code via the mark.via.Shell component. |
| CVE-2024-57685 | 2025-02-24 | An issue in sparkshop v.1.1.7 and before allows a remote attacker to execute arbitrary code via a crafted phar file. |
| CVE-2025-22974 | 2025-02-24 | SQL Injection vulnerability in SeaCMS v.13.2 and before allows a remote attacker to execute arbitrary code via the DoTranExecSql parameter in the phome.php component. |
| CVE-2025-23017 | 2025-02-24 | WorkOS Hosted AuthKit before 2025-01-07 allows a password authentication MFA bypass (by enrolling a new authentication factor) when the attacker knows the user's password. No exploitation occurred. |
| CVE-2025-25460 | 2025-02-24 | A stored Cross-Site Scripting (XSS) vulnerability was identified in FlatPress 1.3.1 within the "Add Entry" feature. This vulnerability allows authenticated attackers to inject malicious JavaScript payloads into blog posts, which... |
| CVE-2025-25513 | 2025-02-24 | Seacms <=13.3 is vulnerable to SQL Injection in admin_members.php. |
| CVE-2025-26200 | 2025-02-24 | SQL injection in SLIMS v.9.6.1 allows a remote attacker to escalate privileges via the month parameter in the visitor_report_day.php component. |
| CVE-2025-26201 | 2025-02-24 | Credential disclosure vulnerability via the /staff route in GreaterWMS <= 2.1.49 allows a remote unauthenticated attackers to bypass authentication and escalate privileges. |
| CVE-2025-26803 | 2025-02-24 | The http parser in Phusion Passenger 6.0.21 through 6.0.25 before 6.0.26 allows a denial of service during parsing of a request with an invalid HTTP method. |
| CVE-2025-27364 | 2025-02-24 | In MITRE Caldera through 4.2.0 and 5.0.0 before 35bc06e, a Remote Code Execution (RCE) vulnerability was found in the dynamic agent (implant) compilation functionality of the server. This allows remote... |
| CVE-2025-1599 | 2025-02-24 | SourceCodester Best Church Management Software profile_crud.php path traversal |
| CVE-2025-1606 | 2025-02-24 | SourceCodester Best Employee Management System backups.php information disclosure |
| CVE-2025-1607 | 2025-02-24 | SourceCodester Best Employee Management System salary_slip.php authorization |
| CVE-2025-1608 | 2025-02-24 | LB-LINK AC1900 Router set_manpwd websGetVar os command injection |
| CVE-2025-1609 | 2025-02-24 | LB-LINK AC1900 Router set_cmd websGetVar os command injection |
| CVE-2025-1610 | 2025-02-24 | LB-LINK AC1900 Router set_blacklist websGetVar os command injection |
| CVE-2025-1611 | 2025-02-24 | ShopXO Template ThemeAdminService.php injection |
| CVE-2024-55898 | 2025-02-24 | IBM i privilege escalation |
| CVE-2025-1612 | 2025-02-24 | Edimax BR-6288ACL wireless5g_basic.asp cross site scripting |
| CVE-2025-1613 | 2025-02-24 | FiberHome AN5506-01A ONU GPON URL Filtering Submenu URL_filterCfg cross site scripting |
| CVE-2025-1614 | 2025-02-24 | FiberHome AN5506-01A ONU GPON Port Forwarding Submenu portForwardingCfg cross site scripting |
| CVE-2025-1615 | 2025-02-24 | FiberHome AN5506-01A ONU GPON NAT Submenu cross site scripting |
| CVE-2025-1616 | 2025-02-24 | FiberHome AN5506-01A ONU GPON Diagnosis os command injection |
| CVE-2025-1617 | 2025-02-24 | Netis WF2780 Wireless 2.4G Menu cross site scripting |
| CVE-2025-1618 | 2025-02-24 | vTiger CRM index.php cross site scripting |
| CVE-2025-1629 | 2025-02-24 | Excitel Broadband Private my Excitel App One-Time Password excessive authentication |
| CVE-2024-12308 | 2025-02-24 | Logo Slider < 4.6.0 - Contributor+ Stored XSS |
| CVE-2024-13605 | 2025-02-24 | Form Maker by 10Web < 1.15.33 - Admin+ Stored XSS |
| CVE-2024-13822 | 2025-02-24 | Total Contest Lite <= 2.8.1 - Reflected XSS |
| CVE-2025-24526 | 2025-02-24 | Channel export permitted on archived channel when viewing archived channels is disabled |
| CVE-2025-1412 | 2025-02-24 | Session Persistence After User-to-Bot Conversion |
| CVE-2025-25279 | 2025-02-24 | Arbitrary file read in Mattermost Boards via import & export board archive |