Security Vulnerabilities - CVEs Published In May 2025
vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025.
CVSS Score
10.0
EPSS Score
0.738
Published
2025-05-27
The installer in SIGB PMB before 8.0.1.2 (fixed in v.8.0.1.2) allows remote code execution.
CVSS Score
5.4
EPSS Score
0.002
Published
2025-05-27
Gibbon before 29.0.00 allows CSRF.
CVSS Score
3.7
EPSS Score
0.0
Published
2025-05-27
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_blog function in all versions up to, and including, 4.17.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new posts.
CVSS Score
4.3
EPSS Score
0.0
Published
2025-05-27
A vulnerability was found in FreeFloat FTP Server 1.0.0. It has been classified as critical. This affects an unknown part of the component QUOTE Command Handler. The manipulation leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
7.3
EPSS Score
0.001
Published
2025-05-27
A vulnerability classified as critical has been found in Campcodes Online Hospital Management System 1.0. Affected is an unknown function of the file /admin/add-doctor.php. The manipulation of the argument Doctorspecialization leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
7.3
EPSS Score
0.0
Published
2025-05-27
A vulnerability, which was classified as critical, was found in Campcodes Advanced Online Voting System 1.0. This affects an unknown part of the file /index.php. The manipulation of the argument voter leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
7.3
EPSS Score
0.0
Published
2025-05-27
A vulnerability has been found in PHPGurukul Small CRM 3.0 and classified as critical. This vulnerability affects unknown code of the file /admin/change-password.php. The manipulation of the argument oldpass leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
CVSS Score
7.3
EPSS Score
0.0
Published
2025-05-27
SIGB PMB before 8.0.1.2 allows SQL injection.
CVSS Score
5.3
EPSS Score
0.0
Published
2025-05-27
In SIGB PMB before 8.0.1.2, attackers can achieve Local File Inclusion and remote code execution.
CVSS Score
6.4
EPSS Score
0.002
Published
2025-05-27

