Security Vulnerabilities - CVEs Published In January 2025
The Variation Swatches for WooCommerce plugin, in all versions starting at 1.0.8 up until 1.3.2, contains a vulnerability due to improper nonce verification in its settings reset functionality. The issue exists in the settings_init() function, which processes a reset action based on specific query parameters in the URL. The related delete_settings() function performs a faulty nonce validation check, making the reset operation insecure and susceptible to unauthorized access.
CVSS Score
4.3
EPSS Score
0.0
Published
2025-01-23
The BMLT Meeting Map plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.6.0 via the 'bmlt_meeting_map' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-01-23
The request handling in the core in Apache Wicket 7.0.0 on any platform allows an attacker to create a DOS via multiple requests to server resources.
Users are recommended to upgrade to versions 9.19.0 or 10.3.0, which fixes this issue.
CVSS Score
6.5
EPSS Score
0.003
Published
2025-01-23
IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Score
4.6
EPSS Score
0.0
Published
2025-01-23
IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.5 and 6.2.0.0 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Score
6.4
EPSS Score
0.0
Published
2025-01-23
lunasvg v3.0.0 was discovered to contain a allocation-size-too-big bug via the component plutovg_surface_create.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-01-23
lunasvg v3.0.0 was discovered to contain a segmentation violation via the component composition_source_over.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-01-23
lunasvg v3.0.0 was discovered to contain a segmentation violation via the component gray_record_cell.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-01-23
lunasvg v3.0.0 was discovered to contain a segmentation violation via the component blend_transformed_tiled_argb.isra.0.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-01-23
lunasvg v3.0.0 was discovered to contain a segmentation violation via the component plutovg_blend.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-01-23