Overview CVE-2025-59026 is a medium-severity vulnerability affecting Open-Xchange (OX) AppSuite. This vulnerability allows an attacker to upload malicious content as a file. When a user follows an attacker-controlled link, this malicious content can be executed as script code within the user’s browser. This can lead to unintended actions being performed in the context of the user’s account, including the potential exfiltration of sensitive information. Technical Details The vulnerability stems from insufficient sanitization and validation of uploaded files. An attacker can craft a file containing malicious script code (e.g., JavaScript) and upload it to the Open-Xchange AppSuite. By then enticing a…
-
-
Overview CVE-2025-59025 describes a medium-severity security vulnerability affecting the Open-Xchange App Suite. This vulnerability allows attackers to execute arbitrary script code by crafting malicious email content. Successfully exploiting this flaw can lead to unintended actions being performed within the context of the user’s account, including the exfiltration of sensitive information. Technical Details The vulnerability stems from insufficient sanitization of email content within the Open-Xchange App Suite. Specifically, the App Suite fails to properly neutralize potentially malicious scripts embedded within the HTML body of an email. By crafting a specially designed email, an attacker can bypass existing security measures and inject…
-
Overview CVE-2025-30190 is a medium severity vulnerability affecting office documents. This flaw allows malicious actors to inject script code when a user edits a document. Successfully exploiting this vulnerability can lead to the execution of unintended actions within the context of the user’s account, potentially including the exfiltration of sensitive information. This advisory outlines the technical details, potential impact, and necessary mitigation steps to secure your systems. Technical Details The vulnerability stems from insufficient sanitization of input when handling specific elements within office documents. By crafting a malicious document with specially designed content, an attacker can inject script code that…
-
Overview CVE-2025-30186 is a medium severity vulnerability affecting Open-Xchange AppSuite. This vulnerability allows attackers to upload malicious content as a file, which can then be used to execute script code when a user follows an attacker-controlled link. This can lead to unintended actions being executed within the context of the user’s account, potentially including the exfiltration of sensitive information. Technical Details The vulnerability stems from insufficient sanitization and validation of uploaded file content within the Open-Xchange AppSuite. An attacker can craft a file containing malicious script code and upload it to the system. By then crafting a link that, when…
-
Overview CVE-2025-13381 is a medium severity vulnerability affecting the “AI ChatBot with ChatGPT and Content Generator by AYS” WordPress plugin. This vulnerability allows unauthenticated attackers to upload media files to the WordPress server, potentially leading to various security risks. All versions up to and including 2.7.0 are affected. A patch has been released in version 2.7.1 to address this issue. It is crucial to update the plugin immediately if you are running a vulnerable version. Technical Details The vulnerability stems from a missing capability check on the ays_chatgpt_save_wp_media function within the plugin. This function, responsible for handling media uploads triggered…
-
Overview A Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2025-13378, has been discovered in the AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress. This vulnerability affects all versions up to and including 2.7.0. The flaw resides within the ays_chatgpt_pinecone_upsert function, potentially allowing unauthenticated attackers to make arbitrary web requests from the vulnerable server. This can be exploited to query or modify internal services, potentially leading to data breaches and other severe consequences. Technical Details The vulnerability exists within the ays_chatgpt_pinecone_upsert function. Due to insufficient input validation, an attacker can manipulate the parameters passed to this function…
-
Overview CVE-2025-12584 is a medium-severity vulnerability affecting the Quick View for WooCommerce plugin for WordPress. This vulnerability allows unauthenticated attackers to potentially access and extract data from private products that they should not have access to. This is due to insufficient access control checks on the wqv_popup_content AJAX endpoint. This vulnerability affects all versions of the plugin up to and including version 2.2.17. Website owners using this plugin are strongly advised to update to the latest version as soon as possible. Technical Details The vulnerability resides in the way the wqv_popup_content AJAX endpoint handles requests for product data. Prior to…
-
Overview A high-severity vulnerability, identified as CVE-2025-13536, has been discovered in the Blubrry PowerPress plugin for WordPress. This flaw allows authenticated attackers with Contributor-level access or higher to upload arbitrary files to the server, potentially leading to remote code execution. This vulnerability affects all versions up to and including 11.15.2. Technical Details The vulnerability stems from insufficient file type validation within the ‘powerpress_edit_post’ function. While the plugin attempts to validate file extensions, it fails to halt execution when validation fails. This allows attackers to bypass security checks and upload malicious files. Specifically, the issue lies within the file upload handling…
-
Overview CVE-2025-13441 is a medium severity vulnerability affecting the “Hide Category by User Role for WooCommerce” plugin for WordPress. This vulnerability allows unauthenticated attackers to flush the site’s object cache, potentially leading to performance degradation or other unintended consequences. The vulnerability exists in all versions up to and including 2.3.1. Technical Details The vulnerability stems from a missing authorization check on the admin_init hook within the plugin. Specifically, the wp_cache_flush() function is executed without verifying if the user has the necessary capabilities. This means that an unauthenticated attacker can craft a malicious request to trigger the admin_init hook, leading to…
-
Published: 2025-11-27T07:15:54.943 Overview CVE-2025-13157 is a medium severity vulnerability affecting the QODE Wishlist for WooCommerce plugin for WordPress. This plugin, in versions up to and including 1.2.7, is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability. This flaw allows unauthenticated attackers to modify the publicly displayed information of arbitrary wishlists on a vulnerable WooCommerce store. Technical Details The vulnerability lies within the qode_wishlist_for_woocommerce_wishlist_table_item_callback function in the inc/wishlist/shortcodes/wishlist-table/helper-ajax.php file. The plugin fails to properly validate user-supplied input, specifically a user-controlled key, when updating wishlist items. This lack of validation enables attackers to directly reference and modify wishlist data without proper…