2025-11-11 Daily Vulns
NEW:
| CVE | vendor-product | description | metric | reference URLs | SSVC | title | GitHub URL |
|---|---|---|---|---|---|---|---|
| CVE-2025-10966 | curl - curl | curl’s code for managing SSH connections when SFTP was done using the wolfSSH powered backend was flawed and missed host verification mechanisms. This prevents curl from detecting MITM attackers and more. | CNA n/a; CVSS3.1: 4.3 - MEDIUM | 0 1 2 | Exploitation: none; Automatable: no; Technical Impact: partial | missing SFTP host verification with wolfSSH | github |
| CVE-2025-12064 | f1logic - WP2Social Auto Publish | The WP2Social Auto Publish plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PostMessage in all versions up to, and including, 2.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | CVSS3.1: 6.1 - MEDIUM | 0 1 | Exploitation: none; Automatable: no; Technical Impact: partial | WP2Social Auto Publish <= 2.4.7 - Reflected Cross-Site Scripting via PostMessage | github |
| CVE-2025-11448 | smub - Gallery Plugin for WordPress – Envira Photo Gallery | The Gallery Plugin for WordPress – Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘/envira-convert/v1/bulk-convert’ REST API endpoint in all versions up to, and including, 1.11.0. This makes it possible for authenticated attackers, with contributor-level access and above, to convert galleries to Envira galleries. | CVSS3.1: 4.3 - MEDIUM | 0 1 | Exploitation: none; Automatable: no; Technical Impact: partial | Gallery Plugin for WordPress – Envira Photo Gallery <= 1.11.0 - Missing Authorization to Authenticated (Contributor+) Gallery Conversion | github |
This post is licensed under CC BY 4.0 by the author.