
CVE-2025-7697 – Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 - Unauthenticated PHP Object Injection via verify_field_val Function
https://notcve.org/view.php?id=CVE-2025-7697
18 Jul 2025 — The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be installed alongside this plugin, allows attackers to delete arbitrary files, leading to a denial of service or to remote code execution when the wp-config.php file is deleted (WordPress then presents its setup wizard, which an attacker can complete against a database they control). • https://plugins.trac.wordpress.org/browser/integration-for-contact-form-7-and-google-sheets/tags/1.1.1/integration-for-contact-form-7-and-google-sheets.php#L923 • CWE-502: Deserialization of Untrusted Data •

CVE-2025-7696 – Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.2.3 - Unauthenticated PHP Object Injection via verify_field_val Function
https://notcve.org/view.php?id=CVE-2025-7696
18 Jul 2025 — The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be installed alongside this plugin, allows attackers to delete arbitrary files, leading to a denial of service or to remote code execution when the wp-config.php file is deleted (WordPress then presents its setup wizard, which an attacker can complete against a database they control). • https://plugins.trac.wordpress.org/browser/integration-for-contact-form-7-and-pipedrive/tags/1.2.3/integration-for-contact-form-7-and-pipedrive.php#L953 • CWE-502: Deserialization of Untrusted Data •
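The two entries above (CVE-2025-7697 and CVE-2025-7696) describe the same bug shape: a form value reaches unserialize(), and a class already loaded on the site supplies a magic method that does something destructive. The following is an added example, not code from either plugin or from Contact Form 7; the class CleanupTask and the verify_field_val_* functions are hypothetical stand-ins, and a temporary file plays the part of wp-config.php so the demo is harmless.

```php
<?php
// Added example, not code from either plugin or from Contact Form 7: a
// minimal PHP object injection (CWE-502) chain of the kind the two entries
// above describe. Class and function names are hypothetical.

// Stand-in for the POP-chain gadget the entries attribute to Contact Form 7:
// a class already loaded on the site whose magic method does something
// destructive. Here __destruct() unlinks whatever path the object carries.
class CleanupTask
{
    public $path;

    public function __destruct()
    {
        if (is_string($this->path) && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern: unserialize() on a form value the attacker controls.
// The attacker never calls __destruct(); PHP does, as soon as the object
// is released.
function verify_field_val_vulnerable(string $raw)
{
    return unserialize($raw);
}

// Hardened: with allowed_classes => false every "O:" token becomes a
// __PHP_Incomplete_Class, so no real class's magic methods can fire.
function verify_field_val_hardened(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Better still: do not accept serialized PHP from the client at all.
function verify_field_val_json(string $raw)
{
    return json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
}

// The payload an attacker would submit (constructed here for the demo).
function build_payload(string $target): string
{
    return 'O:11:"CleanupTask":1:{s:4:"path";s:' . strlen($target) . ':"' . $target . '";}';
}

// A temporary file plays the role of wp-config.php so the demo is harmless.
$target = tempnam(sys_get_temp_dir(), 'wp-config-');
file_put_contents($target, "<?php // stand-in for wp-config.php\n");
$payload = build_payload($target);

$obj = verify_field_val_hardened($payload);   // __PHP_Incomplete_Class
unset($obj);
echo 'hardened:   file still exists = ' . var_export(file_exists($target), true) . PHP_EOL;

$obj = verify_field_val_vulnerable($payload); // real CleanupTask instance
unset($obj);                                  // destructor runs here
echo 'vulnerable: file still exists = ' . var_export(file_exists($target), true) . PHP_EOL;
```

The hardened path prints true and the vulnerable path prints false. Note that allowed_classes => false is the minimum fix for code that must keep accepting serialized PHP; the check a reviewer should ask for is whether the value needs to be serialized PHP at all, since a JSON field cannot instantiate anything.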

CVE-2025-54079 – WeGIA vulnerable to SQL Injection (Blind Time-Based) in endpoint 'Profile_Atendido.php' parameter 'idatendido'
https://notcve.org/view.php?id=CVE-2025-54079
18 Jul 2025 — A SQL Injection vulnerability was identified in versions prior to 3.4.6 in the endpoint `/html/atendido/Profile_Atendido.php`, in the `idatendido` parameter. This vulnerability allows an authorized attacker to execute arbitrary SQL queries, giving access to sensitive information. • https://github.com/LabRedesCefetRJ/WeGIA/security/advisories/GHSA-g4v3-j8w5-33v3 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2025-54073 – mcp-package-docs vulnerable to command injection in several tools
https://notcve.org/view.php?id=CVE-2025-54073
18 Jul 2025 — The vulnerability is caused by the unsanitized use of input parameters within a call to `child_process.exec`, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. • https://equixly.com/blog/2025/03/29/mcp-server-new-security-nightmare • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
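The entry above describes the classic command-injection shape: a tool parameter is interpolated into a command line that a shell parses. mcp-package-docs is a Node.js project and the original bug is in a child_process.exec call; the following is an added example in PHP (not the project's code) showing the same CWE-77 pattern and the argv-array fix that removes the shell. The describe_package_* and run_argv functions are hypothetical, and echo stands in for the real command so it runs offline.

```php
<?php
// Added example, not code from mcp-package-docs (a Node.js project): the
// CWE-77 pattern the entry describes and its fix, shown in PHP. A hypothetical
// tool takes a package name from the client and runs a command with it; echo
// stands in for the real command so the demo runs offline.

// Vulnerable: the parameter is interpolated into a shell command line, the
// PHP analogue of Node's child_process.exec(`cmd ${pkg}`). The shell parses
// the ';' and runs the second command.
function describe_package_vulnerable(string $pkg): string
{
    return (string) shell_exec('echo ' . $pkg);
}

// Run a command with arguments passed as argv, never through a shell.
// proc_open() has accepted an array command since PHP 7.4 for exactly this
// purpose (Node's equivalent is execFile('cmd', [pkg])).
function run_argv(array $cmd): string
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start ' . $cmd[0]);
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Hardened: validate the shape of a package name, then pass it as argv.
// The validation is defense in depth; the argv form is what removes the shell.
function describe_package_hardened(string $pkg): string
{
    if (!preg_match('/^(@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/', $pkg)) {
        throw new InvalidArgumentException("invalid package name: $pkg");
    }
    return run_argv(['echo', $pkg]);
}

// Attacker-controlled input (constructed): a package name carrying a second command.
$evil = 'lodash; id';

echo "vulnerable:\n" . describe_package_vulnerable($evil);   // "lodash", then the output of id
echo "argv only:  " . run_argv(['echo', $evil]);              // the literal string "lodash; id"
try {
    echo "hardened:   " . describe_package_hardened($evil);
} catch (InvalidArgumentException $e) {
    echo 'hardened:   rejected (' . $e->getMessage() . ")\n";
}
```

The point the middle call makes is that the argv form alone already defeats the injection: with no shell in the path, "lodash; id" is one argument, not two commands. Escaping (escapeshellarg in PHP, quoting in a template string in Node) is the weaker alternative because it keeps the shell and relies on the escaping being complete.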

CVE-2025-49484 – Extension - joomsky.com - SQL injection in JS jobs component version 1.1.5 - 1.4.1 for Joomla
https://notcve.org/view.php?id=CVE-2025-49484
18 Jul 2025 — A SQL injection vulnerability in the JS Jobs plugin versions 1.0.0-1.4.1 for Joomla allows low-privilege users to execute arbitrary SQL commands via the 'cvid' parameter in the employee application feature. • https://github.com/AdamWallwork/CVEs/tree/main/2025/CVE-2025-49484 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2025-49485 – Extension - balbooa.com - SQL injection in Balbooa Forms component version 1.0.0 - 2.3.1.1 for Joomla
https://notcve.org/view.php?id=CVE-2025-49485
18 Jul 2025 — A SQL injection vulnerability in the Balbooa Forms plugin 1.0.0-2.3.1.1 for Joomla allows privileged users to execute arbitrary SQL commands via the 'id' parameter. • https://extensions.joomla.org/extension/forms • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2025-26855 – Extension - joomcar.net - SQL injection in Articles Calendar 1.0.0 - 1.0.1.0007 for Joomla
https://notcve.org/view.php?id=CVE-2025-26855
18 Jul 2025 — A SQL injection in Articles Calendar extension 1.0.0 - 1.0.1.0007 for Joomla allows attackers to execute arbitrary SQL commands. • https://joomcar.net • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2025-26854 – Extension - joomcar.net - SQL injection in Articles Good Search 1.0.0 - 1.2.4.0011 for Joomla
https://notcve.org/view.php?id=CVE-2025-26854
18 Jul 2025 — A SQL injection in Articles Good Search extension 1.0.0 - 1.2.4.0011 for Joomla allows attackers to execute arbitrary SQL commands. • https://joomcar.net • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
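The five CWE-89 entries above (WeGIA CVE-2025-54079, JS Jobs CVE-2025-49484, Balbooa Forms CVE-2025-49485, and the two joomcar.net extensions) share one root cause: a request parameter is spliced into SQL text. The following is an added example, not code from WeGIA or from any of the Joomla extensions, that shows the concatenation pattern, the kind of blind probe the WeGIA entry refers to, and the prepared-statement fix. It runs against an in-memory SQLite table with constructed data; the parameter name follows the WeGIA entry but the schema and function names are hypothetical.

```php
<?php
// Added example, not code from WeGIA or from any Joomla extension listed above:
// the string-concatenation pattern behind CWE-89, a boolean-blind probe against
// it, and the prepared-statement fix. Runs against an in-memory SQLite table
// (constructed data) so it works offline. Schema and names are hypothetical.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE atendido (idatendido INTEGER PRIMARY KEY, nome TEXT, cpf TEXT)');
$db->exec("INSERT INTO atendido VALUES (1,'Ana','11122233344'), (2,'Bruno','55566677788'), (3,'Carla','99900011122')");

// Vulnerable: the request parameter becomes part of the SQL text.
function profile_vulnerable(PDO $db, string $idatendido): array
{
    $sql = "SELECT idatendido, nome FROM atendido WHERE idatendido = $idatendido";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is constant; the value travels as a bound parameter.
// The type check is defense in depth, not the fix.
function profile_hardened(PDO $db, string $idatendido): array
{
    if (!ctype_digit($idatendido)) {
        throw new InvalidArgumentException('idatendido must be a non-negative integer');
    }
    $stmt = $db->prepare('SELECT idatendido, nome FROM atendido WHERE idatendido = :id');
    $stmt->execute([':id' => (int) $idatendido]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Blind probe: ask a yes/no question about another row and watch whether the
// profile comes back. The time-based variant the WeGIA entry names puts
// SLEEP(5) on MySQL where the comparison sits and times the response instead.
function blind_probe(int $victim, int $pos, string $guess): string
{
    $g = str_replace("'", "''", $guess);
    return "1 AND (SELECT substr(cpf,$pos,1) FROM atendido WHERE idatendido=$victim)='$g'";
}

// Vulnerable endpoint: a tautology dumps every row, the probe leaks Bruno's CPF.
echo 'OR 1=1 -> ' . count(profile_vulnerable($db, '1 OR 1=1')) . " rows\n";
$recovered = '';
for ($pos = 1; $pos <= 11; $pos++) {
    foreach (str_split('0123456789') as $digit) {
        if (count(profile_vulnerable($db, blind_probe(2, $pos, $digit))) === 1) {
            $recovered .= $digit;
            break;
        }
    }
}
echo "leaked cpf of idatendido=2: $recovered\n";   // 55566677788

// Hardened endpoint: both payloads are rejected before reaching the database.
foreach (['1 OR 1=1', blind_probe(2, 1, '5')] as $p) {
    try {
        profile_hardened($db, $p);
    } catch (InvalidArgumentException $e) {
        echo 'hardened rejected: ' . $e->getMessage() . "\n";
    }
}
```

The blind loop is what "allowing access to sensitive information" looks like in practice: the attacker never sees the cpf column, only whether the profile page renders, and reconstructs the value one character per request. Even without the ctype_digit guard, the prepared statement would bind "1 OR 1=1" as a single value and return at most one row.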

CVE-2025-46000
https://notcve.org/view.php?id=CVE-2025-46000
18 Jul 2025 — An arbitrary file upload vulnerability in the component /rsc/filemanager.rsc.class.php of Filemanager commit c75b914 v.2.5.0 allows attackers to execute arbitrary code via uploading a crafted SVG file. • https://github.com/simogeo/Filemanager • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-46001
https://notcve.org/view.php?id=CVE-2025-46001
18 Jul 2025 — An arbitrary file upload vulnerability in the is_allowed_file_type() function of Filemanager v2.3.0 allows attackers to execute arbitrary code via uploading a crafted PHP file. • https://github.com/simogeo/Filemanager •
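Both Filemanager entries above (CVE-2025-46000 and CVE-2025-46001) come down to an upload check that trusts the file name. The following is an added example, not simogeo/Filemanager's own is_allowed_file_type(): an allow-list check that normalizes the extension, rejects script extensions hidden before the last dot, sniffs the content with finfo, and refuses SVG outright because it is XML that may carry script. The allow-list, the sample files and the expected verdicts are constructed for the demo.

```php
<?php
// Added example, not simogeo/Filemanager's is_allowed_file_type(): an
// allow-list upload check that looks at the normalized extension, at inner
// extensions (shell.php.jpg), and at the sniffed content, and that refuses SVG
// because it is XML that may carry script. Sample files are constructed inline.

// Extension -> MIME types it may actually contain. Anything else is refused,
// including svg, html and every PHP variant.
const ALLOWED_UPLOADS = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
    'txt'  => ['text/plain'],
];

function is_allowed_file_type(string $filename, string $bytes): bool
{
    // Null bytes and path separators have no business in an upload name.
    if ($filename === '' || strpbrk($filename, "\0/\\") !== false) {
        return false;
    }
    $parts = explode('.', strtolower($filename));
    if (count($parts) < 2) {
        return false;                       // no extension at all
    }
    $ext = array_pop($parts);
    // Reject a script extension hiding before the last dot; an Apache
    // AddHandler-style config can still execute shell.php.jpg.
    foreach ($parts as $inner) {
        if (preg_match('/^ph(p\d?|tml|ar|ps)$/', $inner)) {
            return false;
        }
    }
    if (!isset(ALLOWED_UPLOADS[$ext])) {
        return false;
    }
    // Sniff the content; the extension alone is the attacker's to choose.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    return in_array($mime, ALLOWED_UPLOADS[$ext], true);
}

// Constructed sample uploads: a 1x1 PNG, a one-line web shell, an SVG with an
// event handler.
$png1x1   = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$webshell = "<?php system(\$_GET['c']); ?>\n";
$svg      = "<svg xmlns=\"http://www.w3.org/2000/svg\" onload=\"alert(document.cookie)\"/>\n";

$cases = [
    ['logo.png',      $png1x1,   true],
    ['shell.php',     $webshell, false],   // script extension
    ['shell.PHP',     $webshell, false],   // case games
    ['shell.php.jpg', $webshell, false],   // inner extension
    ['shell.jpg',     $webshell, false],   // right extension, wrong content
    ['logo.svg',      $svg,      false],   // SVG is XML and may carry script
    ['notes.txt',     "hello\n", true],
];
foreach ($cases as [$name, $data, $expected]) {
    $got = is_allowed_file_type($name, $data);
    printf("%-14s %s%s\n", $name, $got ? 'allowed' : 'refused', $got === $expected ? '' : '  <-- unexpected');
}
```

The check is only one layer. The others a practitioner would pair with it: store uploads outside the document root (or in a directory where the web server is configured not to execute scripts), rename files to server-generated names, and serve user content with X-Content-Type-Options: nosniff and, for anything not in the image allow-list, Content-Disposition: attachment. If SVG must be accepted, it needs an XML sanitizer that strips script, event-handler attributes and foreignObject, not an extension check.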