Urgent Security Alert: CVE-2025-13922 Exposes WordPress Sites to Blind SQL Injection

This article details a medium-severity security vulnerability, CVE-2025-13922, affecting the “Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI” plugin for WordPress. If you use this plugin, it is crucial to understand the risk and take immediate action to protect your website. Overview CVE-2025-13922 is a time-based blind SQL Injection vulnerability found in the …

Apigee-X Under Scrutiny: CVE-2025-13292 Exposes Analytics Data!

Overview A significant security vulnerability, identified as CVE-2025-13292, was recently discovered in Apigee-X. This flaw allowed a malicious actor to potentially gain unauthorized read and write access to Apigee Analytics (AX) data and access logs belonging to other Apigee customer organizations. This could have severe implications for data privacy and security. Technical Details CVE-2025-13292 stemmed …

Critical Alert: weDocs WordPress Plugin Vulnerable to Unauthorized Settings Changes (CVE-2025-12505)

Overview CVE-2025-12505 is a medium-severity vulnerability affecting the weDocs plugin for WordPress, specifically versions up to and including 2.1.14. This vulnerability allows authenticated attackers with Subscriber-level access or higher to modify global plugin settings without proper authorization. The flaw resides in the inadequate permission checks within the create_item_permissions_check function, enabling unauthorized access and potential misuse …

Urgent: Security Alert – Stored XSS Vulnerability in Widgets for Google Reviews Plugin (CVE-2025-12510)

Overview A critical security vulnerability, identified as CVE-2025-12510, has been discovered in the “Widgets for Google Reviews” WordPress plugin. This vulnerability is a Stored Cross-Site Scripting (XSS) flaw affecting all versions up to and including 13.2.4. This allows unauthenticated attackers to inject malicious JavaScript code into the admin panel and potentially the frontend of affected …

CVE-2025-11263: Critical XSS Vulnerability Patched in Link Whisper Free Plugin

Overview CVE-2025-11263 identifies a reflected Cross-Site Scripting (XSS) vulnerability found in the Link Whisper Free plugin for WordPress. This vulnerability affects all versions up to and including version 0.8.8. It allows unauthenticated attackers to inject arbitrary web scripts into pages if they can successfully trick a user into clicking a specially crafted link. The vulnerability …

CVE-2025-66629: Unprotected OAuth2 Endpoints in HedgeDoc Expose Users to CSRF Attacks

Overview CVE-2025-66629 identifies a Cross-Site Request Forgery (CSRF) vulnerability affecting HedgeDoc, an open-source, real-time collaborative markdown notes application. Specifically, certain OAuth2 endpoints responsible for social login via providers like Google, GitHub, GitLab, Facebook, and Dropbox lacked proper CSRF protection. This flaw existed in versions prior to 1.10.4. By not implementing a “state” parameter and verifying …

Critical Langflow Vulnerability: Account Takeover and Remote Code Execution (CVE-2025-34291)

Overview A critical vulnerability, identified as CVE-2025-34291, has been discovered in Langflow, an AI agent workflow platform. This chained vulnerability affects versions up to and including 1.6.9, potentially allowing attackers to gain full control of affected systems through account takeover and remote code execution (RCE). Technical Details The vulnerability stems from a combination of two …

CVE-2025-14116: Critical SSRF Vulnerability Plagues Yuxi-Know

Overview A Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2025-14116, has been discovered in Yuxi-Know up to version 0.4.0. This vulnerability allows a remote attacker to potentially manipulate the server into making unintended requests, potentially exposing sensitive internal resources or interacting with external systems on the attacker’s behalf. The vulnerability resides within the OtherEmbedding.aencode function …

CVE-2025-14111: Path Traversal Vulnerability in RAR for Android (Urgent Update Required)

Published: 2025-12-05T23:15:46.643 Overview A security vulnerability, identified as CVE-2025-14111, has been discovered in RAR for Android, specifically affecting versions up to 7.11 Build 127. This vulnerability allows for path traversal, potentially enabling attackers to access or manipulate files outside of the intended application directory. It’s crucial to update your RAR for Android application to version …

CVE-2025-14108: Critical Command Injection Vulnerability Plagues ZSPACE Q2C NAS Devices

Overview CVE-2025-14108 describes a critical command injection vulnerability found in ZSPACE Q2C NAS devices up to version 1.1.0210050. This flaw allows a remote attacker to execute arbitrary commands on the affected system. The vendor was notified but has not responded to the disclosure, making prompt mitigation crucial for users of these devices. Technical Details The …