Overview A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the YouTube Subscribe WordPress plugin, tracked as CVE-2025-12025. This vulnerability affects versions up to and including 3.0.0. Attackers with administrator-level permissions can inject malicious JavaScript code into the plugin’s settings, which will then execute in the browsers of other users accessing the affected pages. This can lead to account compromise, data theft, or other malicious activities. The vulnerability is only exploitable on multi-site installations or when the unfiltered_html capability has been disabled. Technical Details The vulnerability stems from insufficient input sanitization and output escaping within the plugin’s admin settings.…
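The pattern behind a stored XSS in plugin settings, as an added example that is not the YouTube Subscribe plugin's code: a hypothetical settings field that stores a channel name, shown once with the raw option echoed into an attribute and once with sanitization on save plus context-specific escaping on output. The option name, function names and settings group are assumptions for illustration.

```php
<?php
// Added example, not the plugin's own code. Option/function names are assumed.

// VULNERABLE: the stored value is echoed straight into an attribute. An
// administrator who lacks unfiltered_html (e.g. on multisite) can still save
//   " autofocus onfocus="alert(document.cookie)
// and the handler runs for every user who loads the settings page.
function hypothetical_render_channel_field_vulnerable() {
    $channel = get_option('hypothetical_yt_channel', '');
    echo '<input type="text" name="hypothetical_yt_channel" value="' . $channel . '">';
}

// FIXED, part 1: sanitize when the option is saved. Note that
// sanitize_text_field() strips tags but leaves double quotes alone, so the
// attribute-breakout payload above survives it; this step alone is not enough.
function hypothetical_sanitize_channel($value) {
    return sanitize_text_field($value);
}
add_action('admin_init', function () {
    register_setting('hypothetical_yt_settings', 'hypothetical_yt_channel', [
        'type'              => 'string',
        'sanitize_callback' => 'hypothetical_sanitize_channel',
        'default'           => '',
    ]);
});

// FIXED, part 2: escape for the exact output context. esc_attr() turns the
// quote in the payload into &quot;, so the value cannot leave the attribute.
function hypothetical_render_channel_field_fixed() {
    $channel = get_option('hypothetical_yt_channel', '');
    printf(
        '<input type="text" name="%s" value="%s">',
        esc_attr('hypothetical_yt_channel'),
        esc_attr($channel)
    );
}
```

The check a reviewer applies to a settings page is simple: every `echo` of an option value must pass through the escaping function for its context (`esc_attr` in attributes, `esc_html` in text, `esc_url` in `href`/`src`), independently of whatever sanitization happened on save.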
-
-
Overview A path traversal vulnerability, identified as CVE-2025-12003, has been discovered in the WebDAV implementation of certain ASUS router firmware. This vulnerability could allow unauthenticated remote attackers to compromise the integrity of affected devices. This advisory provides details on the vulnerability and recommends mitigation steps. Technical Details CVE-2025-12003 stems from insufficient input validation when handling file paths through the WebDAV interface. By crafting specific HTTP requests, an attacker may be able to traverse directories and access or modify files outside the intended WebDAV root directory. This could lead to unauthorized access to sensitive system files or the modification of…
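The containment check a WebDAV handler needs, as an added example that is not ASUS firmware code: a purely lexical resolver that percent-decodes the client path once, normalises separators, walks the segments, and refuses any request that would climb above the share root. The share root and the request paths are constructed for illustration.

```php
<?php
// Added example, not vendor code. Root path and requests below are constructed.

/**
 * Resolve a client-supplied WebDAV path against $root lexically and return
 * the absolute path, or null if it would leave $root. Decoding happens once,
 * before the check, so "%2e%2e" cannot slip past it; a server that decodes
 * again after checking reopens the hole.
 */
function resolve_webdav_path(string $root, string $requested): ?string
{
    $decoded = rawurldecode($requested);
    $decoded = str_replace('\\', '/', $decoded);   // some stacks treat "\" as a separator
    $parts = [];
    foreach (explode('/', $decoded) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if (empty($parts)) {
                return null;                        // attempt to climb above the root
            }
            array_pop($parts);
            continue;
        }
        if (strpos($seg, "\0") !== false) {
            return null;                            // NUL-byte truncation attempt
        }
        $parts[] = $seg;
    }
    return rtrim($root, '/') . '/' . implode('/', $parts);
}

// Constructed requests: the first two are legitimate, the rest are traversal attempts.
$cases = [
    '/docs/readme.txt',
    '/docs/../music/song.mp3',
    '/../../etc/passwd',
    '/docs/%2e%2e/%2e%2e/etc/shadow',
    '/docs/..\\..\\etc\\passwd',
    "/docs/passwd\0.txt",
];
foreach ($cases as $req) {
    $resolved = resolve_webdav_path('/mnt/usb/share', $req);
    printf("%-40s => %s\n", addcslashes($req, "\0"), $resolved ?? 'REJECTED');
}
```

Running this prints `/mnt/usb/share/docs/readme.txt` and `/mnt/usb/share/music/song.mp3` for the first two cases and `REJECTED` for the remaining four. On a real device the resolved path should additionally be compared against `realpath()` of the root after symlink resolution, since a symlink inside the share can escape a purely lexical check.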
-
Overview CVE-2025-13644 is a medium-severity vulnerability affecting MongoDB Server. This flaw can cause an invariant failure during batched delete operations, potentially leading to unexpected behavior and data inconsistencies. The vulnerability stems from an incorrect assumption about the number of documents in a batch, inferred from a document's size exceeding the `BSONObjMaxSize` setting. Technical Details The issue arises during batched delete operations within MongoDB Server. The server, when handling documents for deletion, incorrectly infers the presence of multiple documents in a batch solely because a document's size surpasses the configured `BSONObjMaxSize`. This flawed logic can trigger an invariant failure, interrupting…
-
Overview This article provides information about a critical security vulnerability identified as CVE-2025-12742 affecting both Looker-hosted and self-hosted instances of Looker. This vulnerability allows a Looker user with a Developer role to potentially execute malicious commands due to insecure processing of Teradata driver parameters. While Looker-hosted instances have already been mitigated, it is imperative that users with self-hosted instances take immediate action to upgrade to a patched version. Technical Details CVE-2025-12742 arises from the insufficient validation and sanitization of input parameters used when Looker connects to Teradata databases. A malicious actor with Developer privileges can craft specific Teradata driver parameters…
-
Important: This article provides information on a security vulnerability. Please apply the recommended mitigation steps as soon as possible to protect your systems. Overview CVE-2025-64730 describes a cross-site scripting (XSS) vulnerability affecting all versions of the Sony SNC-CX600W IP camera. Successful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript code within the web browser of a user who accesses a compromised camera’s web interface. This could lead to session hijacking, defacement of the camera’s web interface, or the execution of malicious actions on behalf of the user. Technical Details The vulnerability stems from insufficient sanitization of user-supplied…
-
Overview CVE-2025-64304 describes a security vulnerability discovered in the FOD (Fuji On Demand) application. This vulnerability stems from the use of hard-coded cryptographic keys within the application. An unauthenticated attacker with local access to the application can potentially retrieve these cryptographic keys, leading to further exploitation. Technical Details The FOD application, developed by Fujitv, utilizes cryptographic keys for security purposes. However, instead of employing a secure key management system, these keys are embedded directly within the application’s code. This hardcoding makes them accessible to anyone with the ability to analyze the application’s binaries or memory. A local attacker without authentication…
-
Overview This article provides a detailed analysis of CVE-2025-62497, a cross-site request forgery (CSRF) vulnerability affecting Sony SNC-CX600W IP cameras. This vulnerability allows an attacker to perform unauthorized actions on the camera if a logged-in user visits a malicious website. It is crucial for users of the SNC-CX600W to understand the potential impact and take immediate steps to mitigate the risk. Technical Details CVE-2025-62497 is a Cross-Site Request Forgery (CSRF) vulnerability. This means that if a user with administrative privileges on the SNC-CX600W is tricked into visiting a specially crafted webpage while logged into the camera’s web interface, an attacker…
-
Overview A critical security vulnerability, identified as CVE-2025-13559, has been discovered in the EduKart Pro plugin for WordPress. This vulnerability allows unauthenticated attackers to escalate their privileges to administrator level, potentially leading to complete website takeover. All versions of the plugin up to and including 1.0.3 are affected. Technical Details The vulnerability lies within the edukart_pro_register_user_front_end function. This function fails to properly validate the user role specified during registration. An attacker can exploit this by submitting a registration request with the ‘administrator’ role. Because the function doesn’t restrict allowed roles, the attacker is granted administrator privileges upon successful registration. CVSS…
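The role-validation flaw described above in a hypothetical front-end registration handler, as an added example that is not EduKart Pro's code: the vulnerable form passes the client-supplied role straight to `wp_insert_user`, the fixed form ties the request to a nonce and maps the role onto a server-side allowlist. Function names, the nonce action and the `student` role are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Names and the custom role are assumed.

// VULNERABLE: the role comes from the request and is used as-is, so posting
// role=administrator yields an administrator account with no authentication.
function hypothetical_register_user_vulnerable() {
    $userdata = [
        'user_login' => sanitize_user($_POST['username'] ?? ''),
        'user_email' => sanitize_email($_POST['email'] ?? ''),
        'user_pass'  => $_POST['password'] ?? '',
        'role'       => sanitize_text_field($_POST['role'] ?? 'subscriber'),
    ];
    return wp_insert_user($userdata);   // int user ID or WP_Error
}

// FIXED: accept only roles explicitly allowed for self-registration, and
// verify a nonce so the request cannot be forged from another site.
function hypothetical_register_user_fixed() {
    if (!isset($_POST['_wpnonce']) || !wp_verify_nonce($_POST['_wpnonce'], 'hypothetical_register')) {
        return new WP_Error('bad_nonce', 'Invalid request.');
    }

    $allowed_roles  = ['subscriber', 'student'];        // 'student' is an assumed custom role
    $requested_role = sanitize_key($_POST['role'] ?? 'subscriber');
    if (!in_array($requested_role, $allowed_roles, true)) {
        $requested_role = 'subscriber';                 // never honour a privileged role from the client
    }

    $userdata = [
        'user_login' => sanitize_user($_POST['username'] ?? ''),
        'user_email' => sanitize_email($_POST['email'] ?? ''),
        'user_pass'  => $_POST['password'] ?? '',
        'role'       => $requested_role,
    ];
    return wp_insert_user($userdata);
}
```

The allowlist is the essential line: a denylist that only blocks `administrator` still leaves `editor` and any custom role with elevated capabilities reachable. Sites that want no client choice at all should drop the `role` field entirely and hard-code `subscriber`.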
-
Overview A security vulnerability, identified as CVE-2025-13558, has been discovered in the Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress. This medium-severity vulnerability allows authenticated attackers with Subscriber-level access (and higher roles) to delete arbitrary posts by changing their status to ‘trash’. This is due to a missing capability check on the deleteUserCcDraftPost function within the plugin. All versions up to and including 8.7.0 are affected. This vulnerability can lead to significant disruption and data loss on affected WordPress sites. Technical Details The vulnerability stems from the absence of proper authorization checks within the deleteUserCcDraftPost function. This function,…
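A hypothetical admin-ajax handler that trashes a post, shown without and with the authorization checks whose absence is described above, as an added example that is not Blog2Social's code. The same nonce verification is the server-side defence missing in the CSRF item for the Sony SNC-CX600W earlier on this page. Action names, function names and the nonce action are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Action/function names are assumed.

// VULNERABLE: being logged in is all it takes to reach a wp_ajax_* handler,
// so any Subscriber can trash any post id they choose, and there is no nonce,
// so the request can also be forged cross-site against a logged-in editor.
function hypothetical_delete_draft_vulnerable() {
    $post_id = (int) ($_POST['post_id'] ?? 0);
    wp_trash_post($post_id);
    wp_send_json_success(['post_id' => $post_id]);
}
add_action('wp_ajax_hypothetical_delete_draft_vulnerable', 'hypothetical_delete_draft_vulnerable');

// FIXED: verify the nonce first (anti-CSRF), then check the capability for
// this specific post rather than merely that a user is logged in.
function hypothetical_delete_draft_fixed() {
    check_ajax_referer('hypothetical_delete_draft', 'nonce');   // dies with 403 on failure

    $post_id = (int) ($_POST['post_id'] ?? 0);
    if ($post_id <= 0 || !get_post($post_id)) {
        wp_send_json_error(['message' => 'Unknown post.'], 404);
    }
    // delete_post is a meta capability mapped per post: authors may trash their
    // own posts, editors and administrators others'; Subscribers hold it for none.
    if (!current_user_can('delete_post', $post_id)) {
        wp_send_json_error(['message' => 'Insufficient permissions.'], 403);
    }
    if (!wp_trash_post($post_id)) {
        wp_send_json_error(['message' => 'Could not trash post.'], 500);
    }
    wp_send_json_success(['post_id' => $post_id]);
}
add_action('wp_ajax_hypothetical_delete_draft_fixed', 'hypothetical_delete_draft_fixed');
```

Both `check_ajax_referer` and `wp_send_json_error` end the request, so the fixed handler never reaches `wp_trash_post` on a failed check. Checking a blanket capability such as `edit_posts` instead of the per-post `delete_post` would still let one Contributor trash another's drafts, which is why the meta capability with the post ID is used.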
-
Overview This blog post details CVE-2025-13507, a vulnerability affecting MongoDB’s time series processing functionality. This medium-severity issue can lead to process termination due to inconsistent object size validation. The vulnerability impacts MongoDB Server versions 7.0 prior to 7.0.26, 8.0 prior to 8.0.16, and 8.2 prior to 8.2.1. It is highly recommended that affected users upgrade to a patched version as soon as possible. Technical Details CVE-2025-13507 arises from inconsistent validation of object sizes during time series data processing within MongoDB. Specifically, an oversized BSON document may bypass initial size checks. This leads to the document being processed further down…