CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2025-53107 – @cyanheads/git-mcp-server vulnerable to command injection in several tools
https://notcve.org/view.php?id=CVE-2025-53107
01 Jul 2025 — Prior to version 2.1.5, there is a command injection vulnerability caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. • https://github.com/cyanheads/git-mcp-server/commit/0dbd6995ccdf76ab770b58013034365b2d06c4d9 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-6463 – Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion
https://notcve.org/view.php?id=CVE-2025-6463
01 Jul 2025 — The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. This makes it possible for unauthenticated attackers to include arbitrary file paths in a form submission. ... This can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://plugins.trac.wordpress.org/browser/forminator/trunk/library/model/class-form-entry-model.php#L1249 • CWE-73: External Control of File Name or Path •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-5014 – Home Villas | Real Estate WordPress Theme <= 2.8 - Authenticated (Subscriber+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-5014
01 Jul 2025 — The Home Villas | Real Estate WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wp_rem_cs_widget_file_delete' function in all versions up to, and including, 2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • http://localhost:1337/wp-content/themes/homevillas-real-estate/include/backend/cs-widgets/import/cs-class-widget-data.php#L384 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-6459 – Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Cross-Site Request Forgery to PHP Code Injection in bsaCreateAdTemplate
https://notcve.org/view.php?id=CVE-2025-6459
01 Jul 2025 — This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-4689 – Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Unauthenticated Local File Inclusion to Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-4689
01 Jul 2025 — The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion which leads to Remote Code Execution in all versions up to, and including, 4.89. This is due to the presence of a SQL Injection vulnerability and Local File Inclusion vulnerability that can be chained with an image upload. This makes it possible for unauthenticated attackers to execute code on the server upload image files on the server than can be fe... • https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-34060 – Monero Forum Remote Code Execution via Arbitrary File Read and Cookie Forgery
https://notcve.org/view.php?id=CVE-2025-34060
01 Jul 2025 — An attacker can extract the APP_KEY from config/app.php, forge encrypted cookies, and trigger unsafe unserialize() calls, leading to reliable remote code execution. • https://vulncheck.com/advisories/monero-forum-rce • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2025-5746 – Drag and Drop Multiple File Upload (Pro) - WooCommerce <= 1.7.1 and 5.0 - 5.0.5 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-5746
01 Jul 2025 — The Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dnd_upload_cf7_upload_chunks() function in version 5.0 - 5.0.5 (when bundled with the PrintSpace theme) and all versions up to, and including, 1.7.1 (in the standalone version). This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code exec... • https://www.codedropz.com/woocommerce-drag-drop-multiple-file-upload • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-52718 – WordPress Alone <= 7.8.2 - Arbitrary Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2025-52718
01 Jul 2025 — Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone allows Remote Code Inclusion. ... The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.8.2. This makes it possible for unauthenticated attackers to execute code on the server. • https://patchstack.com/database/wordpress/theme/alone/vulnerability/wordpress-alone-7-8-2-arbitrary-code-execution-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 2CVE-2025-49029 – WordPress Custom Login And Signup Widget plugin <= 1.0 - Arbitrary Code Execution vulnerability
https://notcve.org/view.php?id=CVE-2025-49029
01 Jul 2025 — Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.Kazi Custom Login And Signup Widget allows Code Injection.This issue affects Custom Login And Signup Widget: from n/a through 1.0. ... The Custom Login And Signup Widget plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to exec... • https://patchstack.com/database/wordpress/plugin/custom-login-and-signup-widget/vulnerability/wordpress-custom-login-and-signup-widget-plugin-1-0-arbitrary-code-execution-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 6CVE-2025-6554 – Google Chromium V8 Type Confusion Vulnerability
https://notcve.org/view.php?id=CVE-2025-6554
30 Jun 2025 — Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High) Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure. Google is aware that an exploit for Google Chromium V8 contains a type confusion vulnerability that could allow a remote attacker to perform arbitrary re... • https://packetstorm.news/files/id/206221 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •