CVE-2025-31927 – WordPress Acerola <= 1.6.5 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-31927
22 May 2025 — Deserialization of Untrusted Data vulnerability in themeton Acerola allows Object Injection. This issue affects Acerola: from n/a through 1.6.5. The Acerola theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.6.5 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. • https://patchstack.com/database/wordpress/theme/acerola/vulnerability/wordpress-acerola-1-6-5-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-48140 – MetalpriceAPI <= 1.1.4 - Authenticated (Contributor+) Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-48140
22 May 2025 — The MetalpriceAPI plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.1.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-36535 – AutomationDirect MB-Gateway Missing Authentication for Critical Function
https://notcve.org/view.php?id=CVE-2025-36535
21 May 2025 — This could lead to configuration changes, operational disruption, or arbitrary code execution depending on the environment and exposed functionality. • https://www.automationdirect.com/adc/shopping/catalog/communications/protocol_gateways/modbus_gateways/eki-1221-ce • CWE-306: Missing Authentication for Critical Function •

CVE-2025-5013 – HkCms Search index.html cross site scripting
https://notcve.org/view.php?id=CVE-2025-5013
21 May 2025 — A vulnerability, which was classified as problematic, was found in HkCms up to 2.3.2.240702. This affects an unknown part of the file /index.php/search/index.html of the component Search. The manipulation of the argument keyword leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://vuldb.com/?id.309729 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-5011 – moonlightL hexo-boot Dynamic List Page index.html cross site scripting
https://notcve.org/view.php?id=CVE-2025-5011
21 May 2025 — A vulnerability classified as problematic was found in moonlightL hexo-boot 4.3.0. This vulnerability affects unknown code of the file /admin/home/index.html of the component Dynamic List Page. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/trengh222/hexo-boot-xss2.0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-45752
https://notcve.org/view.php?id=CVE-2025-45752
21 May 2025 — A vulnerability in SeedDMS 6.0.32 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the zip import functionality in the Extension Manager. • https://www.simonjuguna.com/cve-2025-45752-authenticated-remote-code-execution-vulnerability-in-seeddms-v6-0-32 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-45753
https://notcve.org/view.php?id=CVE-2025-45753
21 May 2025 — A vulnerability in Vtiger CRM Open Source Edition v8.3.0 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the ZIP import functionality in the Module Import feature. • https://www.simonjuguna.com/cve-2025-45753-authenticated-remote-code-execution-vulnerability-in-vtiger-open-source-edition-v8-3-0 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-27998
https://notcve.org/view.php?id=CVE-2025-27998
21 May 2025 — An issue in Valvesoftware Steam Client 1738026274 allows attackers to escalate privileges via a crafted executable or DLL. • https://gist.github.com/sornram9254/e8d10efcf246cc50ff3d4f837b261616 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-48123 – Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light <= 2.4.37 - Unauthenticated Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-48123
21 May 2025 — The Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.37. This makes it possible for unauthenticated attackers to execute code on the server. • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-5010 – moonlightL hexo-boot Blog Backend index.html cross site scripting
https://notcve.org/view.php?id=CVE-2025-5010
20 May 2025 — A vulnerability classified as problematic has been found in moonlightL hexo-boot 4.3.0. This affects an unknown part of the file /admin/home/index.html of the component Blog Backend. The manipulation of the argument Description leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/trengh222/hexo-boot-xss1.0/blob/yhtt/README.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •