Security Vulnerabilities - CVEs Published In January 2025
The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to SQL Injection via the 'key' attribute of the 'mdf_value' shortcode in all versions up to, and including, 1.3.3.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Score
6.5
EPSS Score
0.004
Published
2025-01-08
The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the TF E Slider Widget in all versions up to, and including, 2.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Score
6.4
EPSS Score
0.002
Published
2025-01-08
The WordPress Webinar Plugin – WebinarPress plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check on the 'sync-import-imgs' function and missing file type validation in all versions up to, and including, 1.33.24. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary files that can lead to remote code execution.
CVSS Score
8.8
EPSS Score
0.093
Published
2025-01-08
Vulnerability of input parameters not being verified during glTF model loading in the 3D engine module
Impact: Successful exploitation of this vulnerability may affect availability.
CVSS Score
5.5
EPSS Score
0.0
Published
2025-01-08
Vulnerability of input parameters not being verified during glTF model loading in the 3D engine module
Impact: Successful exploitation of this vulnerability may affect availability.
CVSS Score
5.5
EPSS Score
0.0
Published
2025-01-08
Vulnerability of input parameters not being verified during glTF model loading in the 3D engine module
Impact: Successful exploitation of this vulnerability may affect availability.
CVSS Score
6.8
EPSS Score
0.0
Published
2025-01-08
Startup control vulnerability in the ability module
Impact: Successful exploitation of this vulnerability may cause features to perform abnormally.
CVSS Score
6.2
EPSS Score
0.001
Published
2025-01-08
Vulnerability of improper access control in the home screen widget module
Impact: Successful exploitation of this vulnerability may affect availability.
CVSS Score
6.7
EPSS Score
0.001
Published
2025-01-08
Privilege escalation vulnerability in the Account module
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVSS Score
6.6
EPSS Score
0.001
Published
2025-01-08
Buffer overflow vulnerability in the component driver module
Impact: Successful exploitation of this vulnerability may affect availability.
CVSS Score
6.3
EPSS Score
0.0
Published
2025-01-08