
CVE-2025-32105
https://notcve.org/view.php?id=CVE-2025-32105
03 Jun 2025 — A buffer overflow in the Sangoma IMG2020 HTTP server through 2.3.9.6 allows an unauthenticated user to achieve remote code execution. • https://github.com/austin2111/papers/blob/main/Software_Vulnerabilities_in_Telecommunications_Hardware.pdf • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •

CVE-2025-5474 – 2BrightSparks SyncBackFree Link Following Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2025-5474
03 Jun 2025 — An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. ... By creating a junction, an attacker can abuse the service to delete arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in th... • https://www.zerodayinitiative.com/advisories/ZDI-25-322 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •

CVE-2025-47511 – WordPress Welcart e-Commerce <= 2.11.13 - Arbitrary File Deletion Vulnerability
https://notcve.org/view.php?id=CVE-2025-47511
03 Jun 2025 — The Welcart e-Commerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 2.11.13. This makes it possible for authenticated attackers, with Editor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://patchstack.com/database/wordpress/plugin/usc-e-shop/vulnerability/wordpress-welcart-e-commerce-2-11-13-arbitrary-file-deletion-vulnerability? • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-5480 – Action1 Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2025-5480
03 Jun 2025 — An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. ... An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. • https://www.action1.com/blog/acknowledging-zdi-can-26767-high-severity-vulnerability-in-action1-agent • CWE-427: Uncontrolled Search Path Element •

CVE-2025-39473 – WordPress Seofy Core <= 1.4.5 - Local File Inclusion Vulnerability
https://notcve.org/view.php?id=CVE-2025-39473
03 Jun 2025 — This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. • https://patchstack.com/database/wordpress/plugin/seofy-core/vulnerability/wordpress-seofy-core-1-4-5-local-file-inclusion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2025-47586 – WordPress Motors - Events plugin <= 1.4.7 - Unauthenticated Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2025-47586
03 Jun 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Motors - Events allows PHP Local File Inclusion. This issue affects Motors - Events: from n/a through 1.4.7. ... This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achi... • https://patchstack.com/database/wordpress/plugin/stm-motors-events/vulnerability/wordpress-motors-events-plugin-1-4-7-unauthenticated-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2025-32106
https://notcve.org/view.php?id=CVE-2025-32106
03 Jun 2025 — In Audiocodes Mediapack MP-11x through 6.60A.369.002, a crafted POST request may result in an unauthenticated remote user's ability to execute unauthorized code. • https://Audiocodes.com • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-44148
https://notcve.org/view.php?id=CVE-2025-44148
03 Jun 2025 — Cross Site Scripting (XSS) vulnerability in MailEnable before v10 allows a remote attacker to execute arbitrary code via the failure.aspx component. • https://github.com/barisbaydur/CVE-2025-44148 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-39475 – WordPress Arlo <= 6.0.3 - Local File Inclusion Vulnerability
https://notcve.org/view.php?id=CVE-2025-39475
03 Jun 2025 — This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. • https://patchstack.com/database/wordpress/theme/arlo/vulnerability/wordpress-arlo-6-0-3-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2025-31398 – WordPress PIMP - Creative MultiPurpose <= 1.7 - Deserialization of untrusted data Vulnerability
https://notcve.org/view.php?id=CVE-2025-31398
03 Jun 2025 — If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. • https://patchstack.com/database/wordpress/theme/pimp/vulnerability/wordpress-pimp-creative-multipurpose-1-7-deserialization-of-untrusted-data-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data •