• Cybersecurity Vulnerabilities

    Critical Command Injection Flaw Discovered in AVTECH DGM1104 (CVE-2025-57200)

    Overview
    CVE-2025-57200 details a critical command injection vulnerability in AVTECH SECURITY Corporation’s DGM1104 series. The flaw resides in the test_mail function. An authenticated attacker can exploit it to execute arbitrary commands on the underlying operating system, which puts the confidentiality, integrity, and availability of the device, and potentially of the network it sits on, at risk.
    Technical Details
    The vulnerability stems from improper input sanitization in the test_mail function. By supplying a crafted input, an authenticated user can inject operating system commands through the function’s parameters. The DGM1104 device, failing to adequately validate…
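The pattern behind a flaw like this is a handler that splices a user-supplied value into a shell command line. The following Go program is an added example, not AVTECH firmware code (the device's actual implementation is not public here): it builds a "send test mail" command the unsafe way and the safe way, using a constructed recipient that carries a shell payload. The `mail` invocation, the 254-byte limit and the address pattern are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// Added example, not AVTECH firmware code. It contrasts two ways a
// "send a test mail" handler can build the command it runs, with a
// constructed recipient that carries a shell payload.

// buildTestMailUnsafe mirrors the vulnerable pattern: the recipient is
// spliced into a shell command line, so ';', '|', '$(...)' and friends in
// the address become shell syntax when sh -c parses the string.
func buildTestMailUnsafe(recipient string) []string {
	cmdline := fmt.Sprintf("echo test | mail -s 'SMTP test' %s", recipient)
	return []string{"sh", "-c", cmdline}
}

// recipientRe is a deliberately strict allowlist for one address: no
// whitespace, quotes, or shell metacharacters can match it.
var recipientRe = regexp.MustCompile(`^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$`)

// buildTestMailSafe validates the recipient and returns an argv vector.
// Passing argv to the kernel directly never involves a shell, so the
// address reaches mail as one literal argument. The leading '-' check
// closes the remaining gap: argv separation stops shell injection but not
// option injection into the mail client itself.
func buildTestMailSafe(recipient string) ([]string, error) {
	if len(recipient) > 254 || !recipientRe.MatchString(recipient) {
		return nil, fmt.Errorf("invalid recipient %q", recipient)
	}
	if strings.HasPrefix(recipient, "-") {
		return nil, errors.New("recipient must not look like an option")
	}
	return []string{"mail", "-s", "SMTP test", recipient}, nil
}

// runTestMail executes the validated argv. exec.Command with separate
// arguments calls execve with that vector; nothing re-parses the address.
func runTestMail(recipient string) error {
	argv, err := buildTestMailSafe(recipient)
	if err != nil {
		return err
	}
	cmd := exec.Command(argv[0], argv[1:]...)
	cmd.Stdin = strings.NewReader("test\n")
	return cmd.Run()
}

func main() {
	// Constructed payload: a valid-looking address followed by a command.
	payload := "ops@example.com; id > /tmp/pwned"
	fmt.Printf("unsafe argv: %q\n", buildTestMailUnsafe(payload))
	if _, err := buildTestMailSafe(payload); err != nil {
		fmt.Println("safe handler rejected it:", err)
	}
}
```

The allowlist does the real work; the argv form only guarantees that whatever passes it is delivered as data. Checking for a leading dash is the part most hardened rewrites forget, since a recipient beginning with `-` is parsed as an option by the mail client even when no shell is involved.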

  • Cybersecurity Vulnerabilities

    Critical Privilege Escalation Vulnerability Identified in Akamai Guardicore Agent (CVE-2025-53841)

    Overview
    A high-severity privilege escalation vulnerability, CVE-2025-53841, has been discovered in the Akamai Guardicore Platform Agent. It allows an unprivileged local user to elevate to SYSTEM, which amounts to complete compromise of the host. Affected are versions before 50.15.0, 51.12.0, and 52.1.1; update Guardicore agents immediately to mitigate the risk.
    Technical Details
    CVE-2025-53841 stems from an unspecified flaw in how the Akamai Guardicore Platform Agent handles user privileges. It allows a local, unprivileged user to execute arbitrary code with SYSTEM-level permissions. While the specific exploitation method isn’t publicly detailed (likely to prevent…

  • Cybersecurity Vulnerabilities

    GoFilm 1.0.0/1.0.1: Critical Unrestricted File Upload Vulnerability (CVE-2025-13949) Exposes Systems

    Overview
    CVE-2025-13949 describes an unrestricted file upload vulnerability in ProudMuBai GoFilm versions 1.0.0 and 1.0.1. It resides in the SingleUpload function of /server/controller/FileController.go. Successful exploitation lets remote attackers upload arbitrary files to the server, potentially leading to code execution, data exfiltration, or denial of service. The vulnerability is rated MEDIUM severity with a CVSS score of 6.3. The vendor was contacted about the issue but has not responded.
    Technical Details
    The vulnerability stems from insufficient validation of the File argument passed to SingleUpload. Specifically, the application fails to adequately check…
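What "adequate checks" on an uploaded file look like in Go, as an added example that is not GoFilm's SingleUpload (its actual code is not reproduced here): the extension is matched against an allowlist, the bytes are sniffed with the standard library's magic-number detector and must agree with the extension, and the on-disk name is chosen by the server rather than the client. The extension list, the 5 MiB limit and the sample inputs are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"path"
	"strings"
)

// Added example; this is not GoFilm's SingleUpload. It shows the checks an
// upload handler needs before a client-supplied file touches the disk.

// allowed maps permitted extensions to the MIME type the bytes must sniff as.
var allowed = map[string]string{
	".png":  "image/png",
	".jpg":  "image/jpeg",
	".jpeg": "image/jpeg",
	".gif":  "image/gif",
}

const maxUpload = 5 << 20 // 5 MiB, an assumed limit

// validateUpload returns the extension the file may be stored under. It
// rejects empty or oversized data, extensions outside the allowlist, and
// content whose magic bytes disagree with the extension (for example PHP
// source named .png). Only the extension of the client name is consulted;
// directory components in it are ignored.
func validateUpload(clientName string, data []byte) (string, error) {
	if len(data) == 0 || len(data) > maxUpload {
		return "", errors.New("empty or oversized upload")
	}
	ext := strings.ToLower(path.Ext(clientName))
	want, ok := allowed[ext]
	if !ok {
		return "", fmt.Errorf("extension %q not allowed", ext)
	}
	// DetectContentType inspects at most the first 512 bytes (magic numbers).
	if got := http.DetectContentType(data); got != want {
		return "", fmt.Errorf("content sniffed as %s, expected %s", got, want)
	}
	return ext, nil
}

// storedName chooses the on-disk name: 128 random bits plus the validated
// extension. The client name never becomes part of a path, which removes
// traversal and overwrite tricks entirely.
func storedName(ext string) (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	return hex.EncodeToString(b[:]) + ext, nil
}

// Constructed sample inputs: a PNG file header and a PHP web shell stub.
var (
	pngHeader = []byte("\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")
	phpSource = []byte("<?php system($_GET['c']); ?>")
)

func main() {
	for _, c := range []struct {
		name string
		data []byte
	}{
		{"avatar.png", pngHeader},
		{"../../uploads/avatar.png", pngHeader},
		{"shell.php", phpSource},
		{"shell.png", phpSource}, // extension lies, content does not
	} {
		ext, err := validateUpload(c.name, c.data)
		if err != nil {
			fmt.Printf("%-28s rejected: %v\n", c.name, err)
			continue
		}
		n, _ := storedName(ext)
		fmt.Printf("%-28s stored as %s\n", c.name, n)
	}
}
```

Store the result under a directory the web server does not execute from; the random name and the content check are defence in depth, not a substitute for that.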

  • Cybersecurity Vulnerabilities

    CVE-2025-13948: Critical Look at Hardcoded Key Vulnerability in go-ldap-admin

    Overview
    CVE-2025-13948 identifies a medium-severity vulnerability in the opsre go-ldap-admin project, affecting versions up to 20251011. The issue is the use of a hardcoded cryptographic key for JWT handling; the affected parameter is the secret key. Because the key is hardcoded, anyone who learns it can act against the JWT handler, leading to unauthorized access or data manipulation. The vulnerability is remotely exploitable but considered difficult to exploit.
    Technical Details
    The vulnerability resides in the JWT Handler component of go-ldap-admin, specifically in the docs/docker-compose/docker-compose.yaml file. By manipulating the secret key argument used during JWT creation, an attacker can potentially force the…
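A signing secret that is hardcoded in a shipped compose file is, for every deployment that keeps it, public. The program below is an added example written for this listing, not go-ldap-admin's code, and it does not reproduce the project's real value: a standard-library HS256 signer and verifier shows that a token minted with the known secret is indistinguishable from a legitimate one, and a start-up check shows the guard a deployment should apply. The placeholder value `changeme` and the 32-byte minimum are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Added example; not go-ldap-admin code. A minimal HS256 JWT signer and
// verifier in the standard library, used to show what a published signing
// secret buys an attacker, plus the start-up check that should refuse it.

const headerJSON = `{"alg":"HS256","typ":"JWT"}`

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signHS256 produces header.payload.signature, the MAC covering the first
// two segments exactly as the verifier will recompute it.
func signHS256(claimsJSON string, secret []byte) string {
	signingInput := b64([]byte(headerJSON)) + "." + b64([]byte(claimsJSON))
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// verifyHS256 pins the header (so "alg":"none" or a swapped algorithm is
// rejected), recomputes the MAC and compares it in constant time. It
// returns the claims JSON only when the signature is valid.
func verifyHS256(token string, secret []byte) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	if parts[0] != b64([]byte(headerJSON)) {
		return "", errors.New("unexpected header")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return "", errors.New("malformed signature")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("bad signature")
	}
	claims, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", errors.New("malformed claims")
	}
	return string(claims), nil
}

// placeholderSecret is an assumed stand-in for a value that ships in a
// compose file; it is not the project's actual value.
const placeholderSecret = "changeme"

// checkJWTSecret is the guard a deployment should run before serving: no
// empty secret, no shipped placeholder, nothing shorter than 32 bytes.
func checkJWTSecret(secret string) error {
	switch {
	case secret == "":
		return errors.New("JWT secret is not set")
	case secret == placeholderSecret:
		return errors.New("JWT secret is still the shipped placeholder")
	case len(secret) < 32:
		return errors.New("JWT secret is shorter than 32 bytes")
	}
	return nil
}

func main() {
	// Anyone who has read the compose file can mint a token the server trusts.
	forged := signHS256(`{"sub":"admin","role":"admin"}`, []byte(placeholderSecret))
	claims, err := verifyHS256(forged, []byte(placeholderSecret))
	fmt.Println("forged token accepted:", err == nil, claims)
	fmt.Println("start-up check:", checkJWTSecret(placeholderSecret))
}
```

Rotating the secret invalidates every outstanding token, which is the intended effect after a disclosure like this one; the check belongs at process start so a forgotten environment variable fails loudly instead of silently falling back to the documented value.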

  • Cybersecurity Vulnerabilities

    CVE-2025-13401: Critical Stored XSS Vulnerability in Autoptimize WordPress Plugin

    Overview
    A stored cross-site scripting (XSS) vulnerability, CVE-2025-13401, has been discovered in the Autoptimize plugin for WordPress, affecting all versions up to and including 3.1.13. It allows authenticated attackers with Contributor-level access or higher to inject malicious JavaScript into website pages. The script executes whenever a user visits an affected page, potentially leading to account compromise, data theft, or other malicious actions.
    Technical Details
    The vulnerability resides in the create_img_preload_tag function used by the LCP (Largest Contentful Paint) image preloading metabox. Insufficient input sanitization and output escaping of user-supplied image attributes…

  • Cybersecurity Vulnerabilities

    Urgent: Critical Vulnerability in WP Directory Kit Plugin (CVE-2025-13390) – Complete Site Takeover Possible!

    Overview
    A critical security vulnerability, CVE-2025-13390, has been discovered in the WP Directory Kit plugin for WordPress, affecting all versions up to and including 1.4.4. Because of a flaw in the authentication algorithm, unauthenticated attackers can bypass authentication, gain administrative access, and potentially take over the site completely. This issue requires immediate attention.
    Technical Details
    The vulnerability lies in the wdk_generate_auto_login_link function of the WP Directory Kit plugin. This function generates auto-login links that let users access the site without entering their credentials. However, the implementation uses a cryptographically…
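An auto-login link is a bearer credential, so the token inside it has to meet the same bar as a password reset token: unguessable, bound to one user, short-lived, and consumed on first use. The Go program below is an added example for this listing and is not the plugin's code; the weak construction it starts with (a hash of user id and date) is an assumed illustration of a recomputable token, not a description of what wdk_generate_auto_login_link does. The 15-minute lifetime and the in-memory store are assumptions too.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Added example; not WP Directory Kit code. It contrasts a recomputable
// auto-login token with one that is unguessable, bound to a user, time
// limited and usable exactly once.

// weakToken is an assumed weak construction, not the plugin's: a
// deterministic function of values an attacker can know (user id, date).
// Anyone can recompute any user's link for today without touching the site.
func weakToken(userID int, day string) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d:%s", userID, day)))
	return hex.EncodeToString(sum[:8])
}

type loginTicket struct {
	userID  int
	expires time.Time
}

// ticketStore keeps only the SHA-256 of each issued token, so a leaked
// table does not yield usable links.
type ticketStore struct {
	byHash map[[32]byte]loginTicket
}

func newTicketStore() *ticketStore {
	return &ticketStore{byHash: map[[32]byte]loginTicket{}}
}

// issue draws 256 random bits from the OS CSPRNG, records the hash with the
// owning user and an expiry, and returns the plaintext for the link only.
func (s *ticketStore) issue(userID int, ttl time.Duration, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	s.byHash[sha256.Sum256(raw)] = loginTicket{userID: userID, expires: now.Add(ttl)}
	return hex.EncodeToString(raw), nil
}

// redeem hashes the presented token, looks it up, deletes it (one use
// regardless of outcome) and enforces the expiry. The user id comes from
// the stored record, never from the request.
func (s *ticketStore) redeem(token string, now time.Time) (int, error) {
	raw, err := hex.DecodeString(token)
	if err != nil || len(raw) != 32 {
		return 0, errors.New("malformed token")
	}
	h := sha256.Sum256(raw)
	t, ok := s.byHash[h]
	if !ok {
		return 0, errors.New("unknown token")
	}
	delete(s.byHash, h)
	if now.After(t.expires) {
		return 0, errors.New("token expired")
	}
	return t.userID, nil
}

func main() {
	fmt.Println("weak token for user 1 today:", weakToken(1, "2025-11-30"))
	s := newTicketStore()
	now := time.Now()
	tok, _ := s.issue(1, 15*time.Minute, now)
	uid, err := s.redeem(tok, now)
	fmt.Println("first redeem:", uid, err)
	_, err = s.redeem(tok, now)
	fmt.Println("second redeem:", err)
}
```

Looking tokens up by their hash sidesteps string comparison timing entirely, and because the secret never sits in the store, a database read does not hand out working links.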

  • Cybersecurity Vulnerabilities

    CVE-2025-13359: Critical Time-Based SQL Injection Vulnerability Plagues TaxoPress WordPress Plugin

    Overview
    CVE-2025-13359 identifies a significant vulnerability in the “Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI” (TaxoPress) plugin for WordPress, in versions up to and including 3.40.1. It allows authenticated attackers with Contributor-level access or higher to perform time-based blind SQL injection.
    Technical Details
    The vulnerability resides in the getTermsForAjax function. Insufficient validation and escaping of user-supplied parameters, combined with a query that is not properly prepared, let attackers inject SQL. Specifically, an attacker can manipulate parameters passed to this function to append arbitrary SQL to the existing query.…

  • Cybersecurity Vulnerabilities

    CVE-2025-13354: Critical Authorization Bypass in TaxoPress WordPress Plugin

    Overview
    CVE-2025-13354 describes an authorization bypass in the Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI (TaxoPress) plugin for WordPress, affecting all versions up to and including 3.40.1. Because of improper authorization checks in the taxopress_merge_terms_batch function, authenticated attackers with Subscriber-level access or higher can merge or delete arbitrary taxonomy terms, which can corrupt data, destroy site structure, and open the way to further exploitation.
    Technical Details
    The vulnerability lies in the taxopress_merge_terms_batch function of the TaxoPress plugin. The plugin fails to adequately verify that a user has the necessary permissions to perform…

  • Cybersecurity Vulnerabilities

    Urgent: Critical Vulnerability in Frontend Admin WordPress Plugin (CVE-2025-13342)

    Overview
    A critical security vulnerability, CVE-2025-13342, has been discovered in the Frontend Admin plugin by DynamiApps for WordPress, affecting all versions up to and including 3.28.20. It allows unauthenticated attackers to remotely modify sensitive WordPress options. If you use this plugin, update to the latest version immediately.
    Technical Details
    The vulnerability stems from insufficient capability checks and missing input validation in the ActionOptions::run() save handler. This function, which saves frontend form data, neither verifies user permissions nor sanitizes its input. As a result, an unauthenticated attacker can…

  • Cybersecurity Vulnerabilities

    CVE-2025-13109: HUSKY Plugin Vulnerability Exposes WooCommerce Users to Search Query Manipulation

    Overview
    CVE-2025-13109 is a medium-severity vulnerability in the HUSKY – Products Filter Professional for WooCommerce plugin for WordPress, in versions up to and including 1.3.7.2. This insecure direct object reference (IDOR) flaw allows authenticated attackers, even with Subscriber-level access, to manipulate saved search queries belonging to other users, including administrators.
    Technical Details
    The vulnerability stems from missing validation on a user-controlled key in the woof_add_query and woof_remove_query functions. The plugin does not verify that the user making the request is allowed to modify the saved search queries of the targeted user’s profile. This…
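The HUSKY entry above, the TaxoPress merge-terms entry and the Frontend Admin options entry share one root cause: the handler trusts the request to say whose object is being edited or whether the caller is allowed to edit it. The Go program below is an added example written for this listing, not code from any of those plugins (they are PHP, and their real handlers are not reproduced here). It keeps a saved-query list per user, shows the IDOR where the owner id comes from the request, the fix where it comes from the session, and a capability-plus-allowlist gate on option writes. The role names, the option allowlist and the sample data are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example; not TaxoPress, Frontend Admin or HUSKY code. It shows the
// two checks the three WordPress entries above lack: take the owner of an
// object from the authenticated session rather than from the request, and
// gate privileged writes on a capability plus an allowlist.

type role int

const (
	roleSubscriber role = iota
	roleContributor
	roleAdmin
)

// session is what authentication established; nothing in it is client-chosen.
type session struct {
	userID int
	role   role
}

// queryStore holds saved search queries per user.
type queryStore struct {
	byUser map[int][]string
}

// removeQueryUnsafe mirrors the IDOR: the owner is whatever id the request
// carries, so any logged-in caller can edit any other user's list.
func (q *queryStore) removeQueryUnsafe(requestedUserID int, query string) {
	q.byUser[requestedUserID] = without(q.byUser[requestedUserID], query)
}

// removeQuery ignores any user id in the request and uses the session's.
func (q *queryStore) removeQuery(s session, query string) {
	q.byUser[s.userID] = without(q.byUser[s.userID], query)
}

func without(list []string, item string) []string {
	out := make([]string, 0, len(list))
	for _, x := range list {
		if x != item {
			out = append(out, x)
		}
	}
	return out
}

// writableOptions is an assumed allowlist: settings a front-end form may
// touch. Sensitive ones (who may register, default role, admin email) are
// absent, so even an admin request cannot reach them through this path.
var writableOptions = map[string]bool{"site_tagline": true, "posts_per_page": true}

// saveOption requires a capability and an allowlisted key before writing.
func saveOption(s session, key, value string, opts map[string]string) error {
	if s.role < roleAdmin {
		return errors.New("insufficient capability")
	}
	if !writableOptions[key] {
		return fmt.Errorf("option %q is not writable from this form", key)
	}
	opts[key] = value
	return nil
}

func main() {
	q := &queryStore{byUser: map[int][]string{1: {"admin-report"}, 2: {"my-search"}}}
	attacker := session{userID: 2, role: roleSubscriber}
	q.removeQueryUnsafe(1, "admin-report") // attacker names the admin's id
	fmt.Println("after IDOR, admin's queries:", q.byUser[1])
	q.byUser[1] = []string{"admin-report"}
	q.removeQuery(attacker, "admin-report") // only the attacker's own list is touched
	fmt.Println("after fix, admin's queries:", q.byUser[1])
	opts := map[string]string{}
	fmt.Println(saveOption(attacker, "users_can_register", "1", opts))
}
```

In WordPress terms the session is `get_current_user_id()` and the capability check is `current_user_can()`; the allowlist is the part that is most often missing, because a generic "save these options" handler that accepts any key is a privilege escalation waiting for a caller.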