Security Vulnerabilities - CVEs Published In May 2025
The Order Delivery Date WordPress plugin before 12.4.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
CVSS Score
7.1
EPSS Score
0.002
Published
2025-05-20
samlify is a Node.js library for SAML single sign-on. A Signature Wrapping attack has been found in samlify prior to version 2.10.0, allowing an attacker to forge a SAML Response to authenticate as any user. An attacker would need a signed XML document by the identity provider. Version 2.10.0 fixes the issue.
CVSS Score
9.9
EPSS Score
0.002
Published
2025-05-19
Missing Authorization vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Grand Restaurant: from n/a through <= 7.0.
EPSS Score
0.001
Published
2025-05-19
Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Conference grandconference allows Object Injection.This issue affects Grand Conference: from n/a through <= 5.3.
EPSS Score
0.003
Published
2025-05-19
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FantasticPlugins SUMO Reward Points rewardsystem allows PHP Local File Inclusion.This issue affects SUMO Reward Points: from n/a through <= 30.7.0.
CVSS Score
9.8
EPSS Score
0.007
Published
2025-05-19
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Path Traversal.This issue affects Grand Restaurant: from n/a through <= 7.0.
EPSS Score
0.002
Published
2025-05-19
Deserialization of Untrusted Data vulnerability in Chimpstudio FoodBakery wp-foodbakery allows Object Injection.This issue affects FoodBakery: from n/a through <= 3.3.
CVSS Score
9.8
EPSS Score
0.004
Published
2025-05-19
Deserialization of Untrusted Data vulnerability in ThemeGoods Altair altair allows Object Injection.This issue affects Altair: from n/a through <= 5.2.2.
CVSS Score
9.8
EPSS Score
0.004
Published
2025-05-19
Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Object Injection.This issue affects Grand Restaurant: from n/a through <= 7.0.
CVSS Score
9.8
EPSS Score
0.004
Published
2025-05-19
Deserialization of Untrusted Data vulnerability in Potenzaglobalsolutions CiyaShop ciyashop allows Object Injection.This issue affects CiyaShop: from n/a through <= 4.18.0.
CVSS Score
9.8
EPSS Score
0.004
Published
2025-05-19