
CVE-2025-4689 – Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Unauthenticated Local File Inclusion to Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-4689
01 Jul 2025 — The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion which leads to Remote Code Execution in all versions up to, and including, 4.89. This is due to the presence of a SQL Injection vulnerability and Local File Inclusion vulnerability that can be chained with an image upload. This makes it possible for unauthenticated attackers to execute code on the server upload image files on the server that can be fe... • https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2025-4380 – Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Unauthenticated Local File Inclusion
https://notcve.org/view.php?id=CVE-2025-4380
01 Jul 2025 — This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php files can be uploaded and included, or already exist on the site. • https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2025-34060 – Monero Forum Remote Code Execution via Arbitrary File Read and Cookie Forgery
https://notcve.org/view.php?id=CVE-2025-34060
01 Jul 2025 — An attacker can extract the APP_KEY from config/app.php, forge encrypted cookies, and trigger unsafe unserialize() calls, leading to reliable remote code execution. • https://vulncheck.com/advisories/monero-forum-rce • CWE-20: Improper Input Validation • CWE-502: Deserialization of Untrusted Data • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •

CVE-2025-5746 – Drag and Drop Multiple File Upload (Pro) - WooCommerce <= 1.7.1 and 5.0 - 5.0.5 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-5746
01 Jul 2025 — The Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dnd_upload_cf7_upload_chunks() function in version 5.0 - 5.0.5 (when bundled with the PrintSpace theme) and all versions up to, and including, 1.7.1 (in the standalone version). This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code exec... • https://www.codedropz.com/woocommerce-drag-drop-multiple-file-upload • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-49029 – WordPress Custom Login And Signup Widget plugin <= 1.0 - Arbitrary Code Execution vulnerability
https://notcve.org/view.php?id=CVE-2025-49029
01 Jul 2025 — Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.Kazi Custom Login And Signup Widget allows Code Injection. This issue affects Custom Login And Signup Widget: from n/a through 1.0. • https://patchstack.com/database/wordpress/plugin/custom-login-and-signup-widget/vulnerability/wordpress-custom-login-and-signup-widget-plugin-1-0-arbitrary-code-execution-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-49521 – Event-driven-ansible: template injection via git branch and refspec in eda projects
https://notcve.org/view.php?id=CVE-2025-49521
30 Jun 2025 — A flaw was found in the EDA component of the Ansible Automation Platform, where user-supplied Git branch or refspec values are evaluated as Jinja2 templates. This vulnerability allows authenticated users to inject expressions that execute commands or access sensitive files on the EDA worker. In OpenShift, it can lead to service account token theft. • https://access.redhat.com/errata/RHSA-2025:9986 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

NotCVE-2025-0003 – Symlink Race in Kubernetes Volume Cleanup Enables Host Filesystem Deletion
https://notcve.org/view.php?id=NotCVE-2025-0003
30 Jun 2025 — This can result in deletion of arbitrary files or directories on the host system, including data from other pods or host volumes, leading to data loss and potential privilege escalation. This NotCVE is distinct from the Go NotCVE-2025-0004 because Kubernetes embeds the vulnerable Go code, exposes it in a privileged execution context (volume cleanup), and provides a defined remediation path (rebuild with fixed Go). • https://github.com/kubernetes/kubernetes/issues/132267 • CWE-363: Race Condition Enabling Link Following •

CVE-2025-53415 – File Parsing Deserialization of Untrusted Data in DTM Soft
https://notcve.org/view.php?id=CVE-2025-53415
30 Jun 2025 — Delta Electronics DTM Soft Project File Parsing Deserialization of Untrusted Data Remote Code Execution • https://www.deltaww.com/en-US/Cybersecurity_Advisory • CWE-502: Deserialization of Untrusted Data •

CVE-2025-26074
https://notcve.org/view.php?id=CVE-2025-26074
30 Jun 2025 — Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes. • https://medium.com/@mrcnry/cve-2025-26074-remote-code-execution-in-conductor-oss-via-inline-javascript-injection-5ce3cb651cfb • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-45931
https://notcve.org/view.php?id=CVE-2025-45931
30 Jun 2025 — An issue in D-Link DIR-816-A2 DIR-816A2_FWv1.10CNB05_R1B011D88210 allows a remote attacker to execute arbitrary code via the system() function in the bin/goahead file. • http://d-link.com • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •