
CVE-2025-6463 – Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion
https://notcve.org/view.php?id=CVE-2025-6463
01 Jul 2025 — The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. This makes it possible for unauthenticated attackers to include arbitrary file paths in a form submission. ... This can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://plugins.trac.wordpress.org/browser/forminator/trunk/library/model/class-form-entry-model.php#L1249 • CWE-73: External Control of File Name or Path •

CVE-2025-5014 – Home Villas | Real Estate WordPress Theme <= 2.8 - Authenticated (Subscriber+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-5014
01 Jul 2025 — The Home Villas | Real Estate WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wp_rem_cs_widget_file_delete' function in all versions up to, and including, 2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • http://localhost:1337/wp-content/themes/homevillas-real-estate/include/backend/cs-widgets/import/cs-class-widget-data.php#L384 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-6459 – Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Cross-Site Request Forgery to PHP Code Injection in bsaCreateAdTemplate
https://notcve.org/view.php?id=CVE-2025-6459
01 Jul 2025 — This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-4689 – Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Unauthenticated Local File Inclusion to Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-4689
01 Jul 2025 — The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion which leads to Remote Code Execution in all versions up to, and including, 4.89. This is due to the presence of a SQL Injection vulnerability and Local File Inclusion vulnerability that can be chained with an image upload. This makes it possible for unauthenticated attackers to execute code on the server upload image files on the server than can be fe... • https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2025-4380 – Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Unauthenticated Local File Inclusion
https://notcve.org/view.php?id=CVE-2025-4380
01 Jul 2025 — This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases .php files can can be uploaded and included, or already exist on the site. • https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2025-34060 – Monero Forum Remote Code Execution via Arbitrary File Read and Cookie Forgery
https://notcve.org/view.php?id=CVE-2025-34060
01 Jul 2025 — An attacker can extract the APP_KEY from config/app.php, forge encrypted cookies, and trigger unsafe unserialize() calls, leading to reliable remote code execution. • https://vulncheck.com/advisories/monero-forum-rce • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data CWE-829: Inclusion of Functionality from Untrusted Control Sphere •

CVE-2025-5746 – Drag and Drop Multiple File Upload (Pro) - WooCommerce <= 1.7.1 and 5.0 - 5.0.5 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-5746
01 Jul 2025 — The Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dnd_upload_cf7_upload_chunks() function in version 5.0 - 5.0.5 (when bundled with the PrintSpace theme) and all versions up to, and including, 1.7.1 (in the standalone version). This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code exec... • https://www.codedropz.com/woocommerce-drag-drop-multiple-file-upload • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-49029 – WordPress Custom Login And Signup Widget plugin <= 1.0 - Arbitrary Code Execution vulnerability
https://notcve.org/view.php?id=CVE-2025-49029
01 Jul 2025 — Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.Kazi Custom Login And Signup Widget allows Code Injection.This issue affects Custom Login And Signup Widget: from n/a through 1.0. ... WordPress Custom Login and Signup Widget plugin versions 1.0 and below suffer from a remote code execution vulnerability. • https://patchstack.com/database/wordpress/plugin/custom-login-and-signup-widget/vulnerability/wordpress-custom-login-and-signup-widget-plugin-1-0-arbitrary-code-execution-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-6554 – Google Chromium V8 Type Confusion Vulnerability
https://notcve.org/view.php?id=CVE-2025-6554
30 Jun 2025 — Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High) Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. Google is aware that an exploit for Google Chromium V8 contains a type confusion vulnerability that could allow a remote attacker to perform arbitrary re... • https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •

CVE-2025-49521 – Event-driven-ansible: template injection via git branch and refspec in eda projects
https://notcve.org/view.php?id=CVE-2025-49521
30 Jun 2025 — A flaw was found in the EDA component of the Ansible Automation Platform, where user-supplied Git branch or refspec values are evaluated as Jinja2 templates. This vulnerability allows authenticated users to inject expressions that execute commands or access sensitive files on the EDA worker. In OpenShift, it can lead to service account token theft. • https://access.redhat.com/errata/RHSA-2025:9986 • CWE-94: Improper Control of Generation of Code ('Code Injection') •