2026-02-24 Daily Vulns
NEW:
| CVE | vendor-product | description | metric | Reference URL | Exploitation / Automatable / Technical Impact | title | GitHub URL |
|---|---|---|---|---|---|---|---|
| CVE-2025-13563 | BuddhaThemes - Lizza LMS Pro | The Lizza LMS Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the ‘lizza_lms_pro_register_user_front_end’ function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the ‘administrator’ role during registration and gain administrator access to the site. | CVSS3.1: 9.8 - CRITICAL | 0 1 | Exploitation: none; Automatable: yes; Technical Impact: total | Lizza LMS Pro <= 1.0.3 - Unauthenticated Privilege Escalation | github |
| CVE-2019-25458 | Web-ofisi - Firma Rehberi | Web Ofisi Firma Rehberi v1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. Attackers can send requests to with malicious payloads in the ‘il’, ‘kat’, or ‘kelime’ parameters to extract sensitive database information or perform time-based blind SQL injection attacks. | CVSS4.0: 8.8 - HIGH; CVSS3.1: 8.2 - HIGH | 0 1 2 | Exploitation: poc; Automatable: yes; Technical Impact: partial | Web Ofisi Firma Rehberi v1 SQL Injection via firmalar.html | github |
| CVE-2019-25448 | Orientdb - OrientDB | OrientDB 3.0.17 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating users with script payloads in the name parameter. Attackers can send POST requests to the document endpoint with JavaScript code in the name field to execute arbitrary scripts when users view the application. | CVSS4.0: 5.1 - MEDIUM; CVSS3.1: 6.4 - MEDIUM | 0 1 2 | Exploitation: poc; Automatable: no; Technical Impact: partial | OrientDB 3.0.17 Stored Cross-Site Scripting via User Creation | github |
| CVE-2025-40701 | SOTE - SOTESHOP | Reflected Cross-Site Scripting vulnerability in SOTESHOP, version 8.3.4. This vulnerability allows an attacker to execute JavaScript code in the victim’s browser when a malicious URL with the ‘id’ parameter in ‘/adsTracker/checkAds’ is sent to the victim. The vulnerability can be exploited to steal sensitive user information such as session cookies, or to perform actions on their behalf. | CVSS4.0: 5.1 - MEDIUM | 0 | Exploitation: none; Automatable: no; Technical Impact: partial | Reflected Cross-Site Scripting (XSS) in SOTE’s SOTESHOP | github |
This post is licensed under CC BY 4.0 by the author.