Overview A critical Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Broken Link Manager WordPress plugin, affecting versions up to and including 0.6.5. This vulnerability, tracked as CVE-2025-12629, could allow attackers to inject malicious scripts into websites using the plugin, potentially compromising sensitive user data or gaining administrative control. Technical Details The vulnerability stems from the plugin’s failure to properly sanitize and escape a specific parameter before outputting it back into the web page. This lack of proper input validation allows an attacker to craft a malicious URL containing JavaScript code. When a user, particularly one with high…
-
-
Overview CVE-2025-12569 is an Open Redirect vulnerability affecting the “Guest posting / Frontend Posting / Front Editor” WordPress plugin in versions prior to 5.0.0. This vulnerability allows attackers to redirect users to arbitrary websites by exploiting a lack of input validation in a redirect parameter. This can be used in phishing attacks or to trick users into visiting malicious websites that appear legitimate. Technical Details The vulnerability stems from the plugin’s failure to properly validate a parameter before redirecting the user to its value. Specifically, the plugin uses a user-supplied input (likely through a GET or POST request) without sanitizing…
-
Overview CVE-2025-12394 is a critical vulnerability affecting versions of the Backup Migration WordPress plugin prior to 2.0.0. This vulnerability allows unauthenticated attackers to download sensitive backup files due to improper backup path generation in specific server configurations. The plugin’s flawed logic exposes a log file containing the backup filename, which can then be used to directly access the backup archive without requiring any authentication. Technical Details The root cause of this vulnerability lies in how the Backup Migration plugin generates and manages backup file paths. Under certain server configurations (likely those with predictable or insufficiently randomized temporary directory structures), the…
-
Overview CVE-2024-14015 identifies a reflected Cross-Site Scripting (XSS) vulnerability found in the WordPress eCommerce Plugin, affecting versions up to and including 2.9.0. This flaw allows attackers to inject malicious scripts into the plugin’s pages, potentially impacting high-privilege users like administrators. Technical Details The vulnerability stems from the plugin’s failure to properly sanitize and escape a specific parameter before rendering it within the page’s HTML. An attacker can craft a malicious URL containing a JavaScript payload within this unsanitized parameter. When a user, particularly an administrator, clicks on this link, the injected script will execute in their browser, operating within the…
-
Overview CVE-2025-7402 identifies a high-severity time-based SQL Injection vulnerability affecting the Ads Pro Plugin – Multi-Purpose WordPress Advertising Manager plugin for WordPress. This vulnerability exists in all versions up to, and including, 4.95. An unauthenticated attacker can exploit this flaw to inject malicious SQL code via the ‘site_id’ parameter, potentially leading to sensitive data extraction from the WordPress database. Technical Details The vulnerability lies in the insufficient input sanitization of the ‘site_id’ parameter. Specifically, the Ads Pro plugin lacks proper escaping of user-supplied input within the vulnerable versions. Furthermore, the existing SQL query does not sufficiently prepare the query, creating…
-
Overview A security vulnerability identified as CVE-2025-13584 has been discovered in Eigenfocus versions up to 1.4.0. This flaw exposes the application to a stored Cross-Site Scripting (XSS) attack through manipulation of the entry.description or time_entry.description arguments within the Description Handler component. Successfully exploiting this vulnerability allows attackers to inject malicious scripts into the application, potentially compromising user data and system integrity. An upgrade to version 1.4.1 is crucial to remediate this issue. Technical Details The vulnerability stems from insufficient sanitization of user-supplied input in the Description Handler. An attacker can craft a malicious payload containing JavaScript code and inject it…
-
Overview CVE-2025-13583 identifies a high-severity SQL injection vulnerability present in version 1.0 of code-projects Question Paper Generator. This vulnerability allows a remote attacker to potentially execute arbitrary SQL commands by manipulating the ‘Fname’ parameter within the /signupscript.php file. This exploit has been publicly disclosed, increasing the risk of active exploitation. Technical Details The vulnerability resides within the /signupscript.php file, specifically within the handling of POST parameters. The application fails to properly sanitize or validate user-supplied input passed via the ‘Fname’ parameter. This lack of input validation allows an attacker to inject malicious SQL code into the query, potentially leading to:…
-
Overview CVE-2025-13589 details a Reflected Cross-site Scripting (XSS) vulnerability affecting FMS, a product developed by Otsuka Information Technology. This vulnerability allows unauthenticated remote attackers to inject and execute arbitrary JavaScript code within a user’s browser. This is typically achieved through carefully crafted URLs, making it a prime candidate for phishing attacks. Technical Details The reflected XSS vulnerability arises due to insufficient input sanitization and output encoding within the FMS application. Specifically, user-supplied data within a request is reflected back in the response without proper filtering. This allows an attacker to inject malicious JavaScript code into a parameter of a URL.…
-
Overview A critical security vulnerability, identified as CVE-2025-13582, has been discovered in Jonny’s Liquor 1.0. This flaw allows for SQL injection attacks, potentially enabling malicious actors to access, modify, or delete sensitive data. The vulnerability exists within the /detail.php file, specifically in how the application handles the Product GET parameter. Due to the public availability of exploit code, immediate action is crucial to mitigate the risk. Technical Details The vulnerability resides in the /detail.php script of Jonny’s Liquor 1.0. The application fails to properly sanitize the Product GET parameter before using it in a SQL query. By manipulating this parameter,…
-
Overview CVE-2025-13581 is a medium severity SQL injection vulnerability identified in the itsourcecode Student Information System version 1.0. This flaw allows a remote attacker to execute arbitrary SQL commands by manipulating the schedule_id parameter in the /schedule_edit1.php file. The vulnerability is publicly known and actively exploitable, posing a significant risk to systems running the affected version. Technical Details The vulnerability exists due to insufficient sanitization of user-supplied input within the /schedule_edit1.php file. Specifically, the schedule_id parameter, intended to identify a specific schedule record, is directly incorporated into an SQL query without proper escaping or validation. An attacker can inject malicious…