Security Vulnerabilities - CVEs Published In March 2025
The XV Random Quotes WordPress plugin through 1.40 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin reset them via a CSRF attack
CVSS Score
4.3
EPSS Score
0.0
Published
2025-03-11
The Social Share Buttons, Social Sharing Icons, Click to Tweet — Social Media Plugin by Social Snap WordPress plugin through 1.3.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVSS Score
3.5
EPSS Score
0.001
Published
2025-03-11
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.6.5 via the 'template' parameter of the woof_text_search AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
CVSS Score
9.8
EPSS Score
0.914
Published
2025-03-11
A post-authentication command injection vulnerability in the "DNSServer” parameter of the diagnostic function in the Zyxel VMG8825-T50K firmware version V5.50(ABOM.8.5)C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.
CVSS Score
7.2
EPSS Score
0.003
Published
2025-03-11
A post-authentication command injection vulnerability in the "ZyEE" function of the Zyxel EX5601-T1 firmware version V5.70(ACDZ.3.6)C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.
CVSS Score
7.2
EPSS Score
0.003
Published
2025-03-11
A post-authentication command injection vulnerability in the ”zyUtilMailSend” function of the Zyxel AX7501-B1 firmware version V5.17(ABPC.5.3)C0 and earlier could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.
CVSS Score
7.2
EPSS Score
0.003
Published
2025-03-11
SAP BusinessObjects Business Intelligence Platform (Web Intelligence) contains a deprecated web application endpoint that is not properly secured. An attacker could take advantage of this by injecting a malicious url in the data returned to the user. On successful exploitation, there could be a limited impact on confidentiality and integrity within the scope of victim�s browser. There is no impact on availability.
CVSS Score
5.4
EPSS Score
0.001
Published
2025-03-11
IBM Common Cryptographic Architecture 7.0.0 through 7.5.51
could allow a remote attacker to obtain sensitive information during the creation of ECDSA signatures to perform a timing-based attack.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-03-11
IBM Common Cryptographic Architecture 7.0.0 through 7.5.51
could allow an attacker to obtain sensitive information due to a timing attack during certain RSA operations.
CVSS Score
3.7
EPSS Score
0.001
Published
2025-03-11
IBM Common Cryptographic Architecture 7.0.0 through 7.5.51 could allow an authenticated user to cause a denial of service in the Hardware Security Module (HSM) using a specially crafted sequence of valid requests.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-03-11