Security Vulnerabilities - CVEs Published In May 2025
In the Linux kernel, the following vulnerability has been resolved:
mtd: inftlcore: Add error check for inftl_read_oob()
In INFTL_findwriteunit(), the return value of inftl_read_oob()
need to be checked. A proper implementation can be
found in INFTL_deleteblock(). The status will be set as
SECTOR_IGNORE to break from the while-loop correctly
if the inftl_read_oob() fails.
CVSS Score
7.8
EPSS Score
0.0
Published
2025-05-20
Editions of Rapid7 AppSpider Pro before versionĀ 7.5.018 is vulnerable to a stored cross-site scripting vulnerability in the "ScanName" field.
Despite the application preventing the inclusion of special characters within the "ScanName" field, this could be bypassed by modifying the configuration file directly.
This is fixed as of versionĀ 7.5.018
CVSS Score
4.6
EPSS Score
0.0
Published
2025-05-20
The Order Delivery Date WordPress plugin before 12.4.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
CVSS Score
7.1
EPSS Score
0.0
Published
2025-05-20
samlify is a Node.js library for SAML single sign-on. A Signature Wrapping attack has been found in samlify prior to version 2.10.0, allowing an attacker to forge a SAML Response to authenticate as any user. An attacker would need a signed XML document by the identity provider. Version 2.10.0 fixes the issue.
CVSS Score
7.5
EPSS Score
0.0
Published
2025-05-19
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FantasticPlugins SUMO Reward Points allows PHP Local File Inclusion.This issue affects SUMO Reward Points: from n/a through 30.7.0.
CVSS Score
8.3
EPSS Score
0.001
Published
2025-05-19
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThemeGoods Grand Restaurant WordPress allows Path Traversal.This issue affects Grand Restaurant WordPress: from n/a through 7.0.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-05-19
Deserialization of Untrusted Data vulnerability in Chimpstudio FoodBakery allows Object Injection.This issue affects FoodBakery: from n/a through 3.3.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-05-19
Deserialization of Untrusted Data vulnerability in ThemeGoods Altair allows Object Injection.This issue affects Altair: from n/a through 5.2.2.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-05-19
Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant WordPress allows Object Injection.This issue affects Grand Restaurant WordPress: from n/a through 7.0.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-05-19
Deserialization of Untrusted Data vulnerability in Potenzaglobalsolutions CiyaShop allows Object Injection.This issue affects CiyaShop: from n/a through 4.18.0.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-05-19