
CVE-2025-34069 – GFI Kerio Control GFIAgent Authentication Bypass via Proxy Forwarding
https://notcve.org/view.php?id=CVE-2025-34069
02 Jul 2025 — An authentication bypass vulnerability exists in GFI Kerio Control 9.4.5 due to insecure default proxy configuration and weak access control in the GFIAgent service. The non-transparent proxy on TCP port 3128 can be used to forward unauthenticated requests to internal services such as GFIAgent, bypassing firewall restrictions and exposing internal management endpoints. This enables unauthenticated attackers to access the GFIAgent service on ports 7995 and 7996, retrieve the appliance UUID, and issue adminis... • https://ssd-disclosure.com/ssd-advisory-kerio-control-authentication-bypass-and-rce • CWE-306: Missing Authentication for Critical Function •

CVE-2025-34067 – Hikvision HikCentral (formerly "Integrated Security Management Platform") Remote Command Execution via applyCT Fastjson
https://notcve.org/view.php?id=CVE-2025-34067
02 Jul 2025 — An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management Platform due to the use of a vulnerable version of the Fastjson library. ... By referencing a malicious class via an LDAP URL, an attacker can achieve remote code execution on the underlying system. • https://s4e.io/tools/hikvision-applyct-remote-code-execution • CWE-502: Deserialization of Untrusted Data CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •

CVE-2025-47812 – Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE)
https://notcve.org/view.php?id=CVE-2025-47812
https://packetstorm.news/files/id/204883 •

CVE-2025-2932 – JKDEVKIT <= 1.9.4 - Authenticated (Subscriber+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-2932
02 Jul 2025 — This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-4946 – Vikinger <= 1.9.32 - Authenticated (Subscriber+) Arbitrary File Deletion via vikinger_delete_activity_media_ajax Function
https://notcve.org/view.php?id=CVE-2025-4946
01 Jul 2025 — This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://themeforest.net/item/vikinger-buddypress-and-gamipress-social-community/28612259 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-53107 – @cyanheads/git-mcp-server vulnerable to command injection in several tools
https://notcve.org/view.php?id=CVE-2025-53107
01 Jul 2025 — Successful exploitation can lead to remote code execution under the server process's privileges. ... An MCP Client can be instructed to execute additional actions for example via indirect prompt injection when asked to read git logs. • https://github.com/cyanheads/git-mcp-server/commit/0dbd6995ccdf76ab770b58013034365b2d06c4d9 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2025-6463 – Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion
https://notcve.org/view.php?id=CVE-2025-6463
01 Jul 2025 — This can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://plugins.trac.wordpress.org/browser/forminator/trunk/library/model/class-form-entry-model.php#L1249 • CWE-73: External Control of File Name or Path •

CVE-2025-5014 – Home Villas | Real Estate WordPress Theme <= 2.8 - Authenticated (Subscriber+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-5014
01 Jul 2025 — This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • http://localhost:1337/wp-content/themes/homevillas-real-estate/include/backend/cs-widgets/import/cs-class-widget-data.php#L384 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-4689 – Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Unauthenticated Local File Inclusion to Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-4689
01 Jul 2025 — The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion which leads to Remote Code Execution in all versions up to, and including, 4.89. This is due to the presence of a SQL Injection vulnerability and Local File Inclusion vulnerability that can be chained with an image upload. This makes it possible for unauthenticated attackers to execute code on the server upload image files on the server than ca... • https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2025-4380 – Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Unauthenticated Local File Inclusion
https://notcve.org/view.php?id=CVE-2025-4380
01 Jul 2025 — This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php files can be uploaded and included, or already exist on the site. • https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •