
29 new CVEs published on 2025-04-19 (CVSS: 7.1 - 9.8)
This content is an AI-generated summary. If you encounter any misinformation or problematic content, please report it to cyb.hub@proton.me.
CVE ID | CVSS | Description |
---|---|---|
CVE-2025-1093 | 9.8 | The AIHub theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the generate_image function in all versions. |
CVE-2021-4455 | 9.8 | The Smart Product Review plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions. |
CVE-2025-3404 | 8.8 | The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the savePackage function. |
CVE-2025-29625 | 7.8 | A buffer overflow vulnerability in Astrolog v7.70 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via an overly long environment variable. |
CVE-2025-24914 | 7.8 | When installing Nessus to a non-default location on a Windows host, Nessus versions prior to 10.8.4 did not enforce secure permissions for sub-directories. |
CVE-2025-3278 | 9.8 | The UrbanGo Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.4. |
CVE-2025-2111 | 7.5 | The Insert Headers And Footers plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.1. |
CVE-2025-30357 | 7.3 | NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, if a malicious user is leaving spam comments, it can lead to privilege escalation. |
CVE-2025-32442 | 7.5 | Fastify is a fast and low overhead web framework for Node.js. In versions 5.0.0 to 5.3.0, applications that specify different validation strategies for different routes may be vulnerable to authentication bypass. |
CVE-2025-29784 | 7.5 | NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, the s parameter in GET requests for forum posts is vulnerable to Denial of Service attacks. |
CVE-2025-30158 | 7.1 | NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, the forum allows users to post iframe tags, leading to potential Denial of Service attacks. |
CVE-2025-2010 | 7.5 | The JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin plugin for WordPress is vulnerable to SQL Injection via the 'jobwp_upload_resume' parameter. |
CVE-2025-3799 | 7.3 | A vulnerability, which was classified as critical, was found in WCMS 11. Affected is an unknown function of the file app/controllers/AnonymousController.php. |
CVE-2025-3800 | 7.3 | A vulnerability has been found in WCMS 11 and classified as critical. Affected by this vulnerability is an unknown functionality of the file app/controllers/AnonymousController.php. |
CVE-2025-3809 | 7.2 | The Debug Log Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the auto-refresh debug log in all versions up to, and including, 1.0. |
CVE-2025-32953 | 8.7 | z80pack is a mature emulator of multiple platforms with 8080 and Z80 CPU. In version 1.38 and prior, the |