Overview

CVE-2025-12482 describes a critical SQL Injection vulnerability found in the Booking for Appointments and Events Calendar – Amelia plugin for WordPress. This vulnerability affects all versions up to, and including, 1.2.35. Unauthenticated attackers can exploit this flaw to inject malicious SQL queries, potentially leading to sensitive data extraction from the WordPress database. This vulnerability has been publicly disclosed and a patch is available.

Technical Details

The vulnerability resides within the handling of the ‘search’ parameter. Specifically, insufficient escaping of user-supplied input and inadequate preparation of the existing SQL query allow an attacker to append arbitrary SQL code. By crafting…
Overview

CVE-2025-13236 identifies a medium severity SQL Injection vulnerability present in itsourcecode Inventory Management System version 1.0. This vulnerability allows a remote attacker to execute arbitrary SQL commands by manipulating the `ID` argument in the `index.php?view=edit` file. Successful exploitation can lead to unauthorized data access, modification, or even complete system compromise.

Technical Details

The vulnerability resides in the `/admin/products/index.php?view=edit` file. Specifically, the application fails to properly sanitize user-supplied input for the `ID` parameter. By injecting malicious SQL code into this parameter, an attacker can bypass authentication and authorization mechanisms, potentially gaining full access to the underlying database. The attack is…
Overview

A high-severity SQL injection vulnerability, identified as CVE-2025-13235, has been discovered in itsourcecode Inventory Management System version 1.0. This vulnerability affects the /admin/login.php file and allows remote attackers to execute arbitrary SQL commands by manipulating the user_email parameter. The exploit has been publicly disclosed, making immediate mitigation crucial.

Technical Details

The vulnerability resides within the login functionality of the application. Specifically, the /admin/login.php script fails to properly sanitize user-supplied input for the user_email parameter. An attacker can craft a malicious SQL query embedded within the user_email field, which is then directly executed against the database. This allows the attacker…
Overview

CVE-2025-13234 is a medium-severity SQL injection vulnerability discovered in itsourcecode Inventory Management System version 1.0. This vulnerability allows remote attackers to execute arbitrary SQL commands on the system’s database, potentially leading to data breaches, system compromise, and other malicious activities. The vulnerability exists within the `/index.php?q=product` file, specifically affecting how the `PROID` argument is processed.

Technical Details

The vulnerability stems from insufficient input sanitization of the `PROID` parameter passed to the `/index.php?q=product` endpoint. An attacker can manipulate this parameter by injecting malicious SQL code. Because the application fails to properly validate and escape user-supplied input, the injected SQL commands…
Overview

A high-severity SQL injection vulnerability, identified as CVE-2025-13233, has been discovered in itsourcecode Inventory Management System version 1.0. This vulnerability allows a remote attacker to inject arbitrary SQL code via a specific parameter in the /index.php?q=single-item endpoint. Successful exploitation of this vulnerability could lead to unauthorized access to sensitive data, modification of data, or even complete compromise of the database. The vulnerability was publicly disclosed on November 16, 2025, and proof-of-concept exploit code is readily available, increasing the risk of exploitation.

Technical Details

The vulnerability resides within the /index.php?q=single-item file of the itsourcecode Inventory Management System 1.0. The application…
Overview

CVE-2025-13232 describes a Cross-Site Scripting (XSS) vulnerability discovered in ProjectSend, a popular self-hosted file sharing application. This vulnerability affects versions up to and including r1720. Exploitation of this flaw allows attackers to inject malicious scripts into the application, potentially leading to session hijacking, defacement, or the execution of arbitrary code in the context of the user’s browser. A patch is available and upgrading is strongly recommended.

Technical Details

The vulnerability resides within the File Editor/Custom Download Aliases component of ProjectSend. Specifically, an unknown function within this component is susceptible to manipulation that allows for XSS attacks. The attack can…
Overview

CVE-2025-13221 is a medium severity vulnerability affecting Intelbras UnniTI version 24.07.11. This vulnerability allows for the unprotected storage of user credentials in plaintext, specifically within the /xml/sistema/usuarios.xml file. An attacker can remotely exploit this flaw by manipulating the Usuario/Senha argument.

Technical Details

The vulnerability resides in an unknown function within the /xml/sistema/usuarios.xml file. By manipulating the Usuario/Senha argument, an attacker can cause the system to store credentials in plaintext within the XML file. The exposed data contains sensitive user authentication information, potentially granting unauthorized access to the affected system.

CVSS Analysis

The vulnerability has been assigned a CVSS score…
Overview

CVE-2025-13210 identifies a medium severity SQL injection vulnerability found in itsourcecode Inventory Management System version 1.0. This vulnerability allows a remote attacker to inject malicious SQL code through the PROMODEL parameter in the /admin/products/index.php?view=add file. The exploit has been publicly disclosed and may be actively exploited.

Technical Details

The vulnerability resides within the /admin/products/index.php?view=add file of the itsourcecode Inventory Management System 1.0. Specifically, the application fails to properly sanitize user-supplied input provided via the PROMODEL parameter. This lack of sanitization allows an attacker to inject arbitrary SQL commands, potentially leading to unauthorized data access, modification, or deletion. The attack…
Overview

CVE-2025-13209 is a medium severity vulnerability identified in bestfeng oa_git_free up to version 9.5. This vulnerability is classified as an XML External Entity (XXE) injection flaw and resides within the updateWriteBack function of the WorkflowPredefineController.java file. A remote attacker can exploit this weakness by manipulating the writeProp argument, potentially leading to information disclosure or other malicious activities. The vulnerability has been publicly disclosed and an exploit is available, making it critical to address this issue promptly.

Technical Details

The vulnerability is located in yimioa-oa9.5\server\c-flow\src\main\java\com\cloudweb\oa\controller\WorkflowPredefineController.java, specifically within the updateWriteBack function. This function appears to process XML data without proper sanitization…
Overview

CVE-2025-13208 describes a SQL Injection vulnerability found in FantasticLBP Hotels Server up to commit 67b44df162fab26df209bd5d5d542875fcbec1d0. This flaw allows a remote attacker to inject malicious SQL code through the subjectId or cityName arguments of the controller/api/hotelList.php file. Exploitation of this vulnerability could lead to unauthorized data access, modification, or deletion. A public exploit is available, increasing the risk of exploitation. Notably, the vendor was contacted but has not responded to the disclosure.

Technical Details

The vulnerability resides within the controller/api/hotelList.php file of FantasticLBP Hotels Server. Specifically, it’s within an unknown function that processes user-supplied input from the subjectId and cityName…