
CVE-2025-48063 – XWiki Platform Security Authorization Bridge allows users with just edit right can enforce required rights with programming right
https://notcve.org/view.php?id=CVE-2025-48063
21 May 2025 — If then a user with programming right edited that document, the content of that document would gain programming right, allowing remote code execution. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rhfv-688c-p6hp • CWE-285: Improper Authorization •

CVE-2025-20267 – Cisco Identity Services Stored Cross-Site Scripting Vulnerability
https://notcve.org/view.php?id=CVE-2025-20267
21 May 2025 — An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-stored-xss-Yff54m73 • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVE-2025-31053 – WordPress KBx Pro Ultimate <= 7.9.8 - Arbitrary File Deletion Vulnerability
https://notcve.org/view.php?id=CVE-2025-31053
21 May 2025 — The KBx Pro Ultimate plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 7.9.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://patchstack.com/database/wordpress/plugin/knowledgebase-helpdesk-pro/vulnerability/wordpress-kbx-pro-ultimate-7-9-8-arbitrary-file-deletion-vulnerability? • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-73: External Control of File Name or Path •

CVE-2025-31060 – WordPress Capie <= 1.0.40 - Local File Inclusion Vulnerability
https://notcve.org/view.php?id=CVE-2025-31060
21 May 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Capie allows PHP Local File Inclusion. ... This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file type... • https://patchstack.com/database/wordpress/theme/capie/vulnerability/wordpress-capie-1-0-40-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2025-31064 – WordPress Vizeon - Business Consulting <= 1.1.7 - Local File Inclusion Vulnerability
https://notcve.org/view.php?id=CVE-2025-31064
21 May 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Vizeon - Business Consulting allows PHP Local File Inclusion. ... This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and ot... • https://patchstack.com/database/wordpress/theme/vizeon/vulnerability/wordpress-vizeon-business-consulting-1-1-7-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2025-31423 – WordPress Umberto <= 1.2.8 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-31423
21 May 2025 — If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. • https://patchstack.com/database/wordpress/theme/umberto/vulnerability/wordpress-umberto-1-2-8-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data •

CVE-2025-31631 – WordPress Fish House <= 1.2.7 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-31631
21 May 2025 — If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. • https://patchstack.com/database/wordpress/theme/fish-house/vulnerability/wordpress-fish-house-1-2-7-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data •

CVE-2025-31632 – WordPress La Boom <= 2.7 - Local File Inclusion Vulnerability
https://notcve.org/view.php?id=CVE-2025-31632
21 May 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SpyroPress La Boom allows PHP Local File Inclusion. ... This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file t... • https://patchstack.com/database/wordpress/theme/laboom/vulnerability/wordpress-la-boom-2-7-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2025-31633 – WordPress Kiamo - Responsive Business Service WordPress Theme <= 1.3.3 - Local File Inclusion Vulnerability
https://notcve.org/view.php?id=CVE-2025-31633
21 May 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kiamo - Responsive Business Service WordPress Theme allows PHP Local File Inclusion. ... This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in ca... • https://patchstack.com/database/wordpress/theme/kiamo/vulnerability/wordpress-kiamo-responsive-business-service-wordpress-theme-1-3-3-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2025-31634 – Insurance <= 3.5 - Authenticated (Subscriber+) PHP Object Injection
https://notcve.org/view.php?id=CVE-2025-31634
21 May 2025 — If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. • CWE-502: Deserialization of Untrusted Data •