Security Vulnerabilities - CVEs Published In January 2025
The ThemeREX Addons plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'trx_addons_uploads_save_data' function in all versions up to, and including, 2.32.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS Score
9.8
EPSS Score
0.007
Published
2025-01-28
The Infility Global WordPress plugin through 2.9.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-01-28
The Social Share Buttons for WordPress plugin through 2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVSS Score
4.8
EPSS Score
0.0
Published
2025-01-28
The Eventer plugin for WordPress is vulnerable to SQL Injection via the 'event' parameter in the 'eventer_get_attendees' function in all versions up to, and including, 3.9.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-01-28
IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.1
is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Score
6.3
EPSS Score
0.001
Published
2025-01-28
IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 through 6.2.0.1 could allow an authenticated user to obtain sensitive information from the dashboard UI using man in the middle techniques.
CVSS Score
5.3
EPSS Score
0.0
Published
2025-01-28
Insecure Permissions vulnerability in CMSimple v.5.16 allows a remote attacker to obtain sensitive information via a crafted script to the Functionality of downloading php backup files.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-01-27
CMSimple 5.16 allows the user to edit log.php file via print page.
CVSS Score
9.1
EPSS Score
0.001
Published
2025-01-27
CMSimple 5.16 allows the user to read cms source code through manipulation of the file name in the file parameter of a GET request.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-01-27
An issue was discovered in Couchbase Server 7.6.x through 7.6.3. A user with the security_admin_local role can create a new user in a group that has the admin role.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-01-27