2025-07-22 Daily Vulns

NEW:

Each entry lists: CVE ID, vendor - product, CVSS 3.1 score and severity, Exploitation / Automatable / Technical Impact ratings, advisory title (where one is given), and the description.

CVE-2025-30746 - Oracle Corporation - Oracle iStore
  CVSS 3.1: 6.1 (MEDIUM)
  Exploitation: none; Automatable: no; Technical Impact: partial
  Description: Vulnerability in the Oracle iStore product of Oracle E-Business Suite (component: Shopping Cart). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle iStore. Successful attacks require human interaction from a person other than the attacker, and while the vulnerability is in Oracle iStore, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle iStore accessible data, as well as unauthorized read access to a subset of Oracle iStore accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

CVE-2025-36603 - Dell - AppSync
  CVSS 3.1: 4.2 (MEDIUM)
  Exploitation: none; Automatable: no; Technical Impact: partial
  Description: Dell AppSync, version(s) 4.6.0.0, contains an Improper Restriction of XML External Entity Reference vulnerability. A low-privileged attacker with local access could potentially exploit this vulnerability, leading to information disclosure and information tampering.

CVE-2015-10134 - mywebsiteadvisor - Simple Backup
  CVSS 3.1: 7.5 (HIGH)
  Exploitation: none; Automatable: yes; Technical Impact: partial
  Title: Simple Backup <= 2.7.10 - Arbitrary File Download via Path Traversal
  Description: The Simple Backup plugin for WordPress is vulnerable to Arbitrary File Download in versions up to, and including, 2.7.10 via the download_backup_file function. This is due to a lack of capability checks and file type validation. This makes it possible for attackers to download sensitive files, such as the wp-config.php file, from the affected site.

CVE-2012-10019 - scribu - Front-end Editor
  CVSS 3.1: 9.8 (CRITICAL)
  Exploitation: none; Automatable: yes; Technical Impact: total
  Title: Front-end Editor < 2.3 - Arbitrary File Upload
  Description: The Front End Editor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the upload.php file in versions before 2.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible.

CVE-2015-10138 - lynton_reed - Work The Flow File Upload
  CVSS 3.1: 9.8 (CRITICAL)
  Exploitation: none; Automatable: no; Technical Impact: partial
  Title: Work The Flow File Upload <= 2.5.2 - Arbitrary File Upload
  Description: The Work The Flow File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jQuery-File-Upload-9.5.0 server and test files in versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible.

CVE-2024-13973 - Sophos - Sophos Firewall
  CVSS 3.1: 6.8 (MEDIUM)
  Exploitation: none; Automatable: no; Technical Impact: total
  Description: A post-auth SQL injection vulnerability in WebAdmin of Sophos Firewall versions older than 21.0 MR1 (21.0.1) can potentially lead to administrators achieving arbitrary code execution.

CVE-2025-7354 - gn_themes - WP Shortcodes Plugin — Shortcodes Ultimate
  CVSS 3.1: 6.4 (MEDIUM)
  Exploitation: none; Automatable: no; Technical Impact: partial
  Title: WP Shortcodes Plugin — Shortcodes Ultimate <= 7.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin Shortcodes
  Description: The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 7.4.2, due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
This post is licensed under CC BY 4.0 by the author.