CVE-2025-22225

Title (es)
CVE-2025-22225

Tue, 04/03/2025 – 12:15

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2025-22225

Description (en)
VMware ESXi contains an arbitrary write vulnerability. A malicious actor with privileges within the VMX process may trigger an arbitrary kernel write leading to an escape of the sandbox.

04/03/2025

04/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Severity 3.1 (CVSS 3.1 Base Score)
8.20

Severity 3.1 (text)
HIGH

References


  • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

CVE-2025-22224

Title (es)
CVE-2025-22224

Tue, 04/03/2025 – 12:15

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2025-22224

Description (en)
VMware ESXi, and Workstation contain a TOCTOU (Time-of-Check Time-of-Use) vulnerability that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

04/03/2025

04/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Severity 3.1 (CVSS 3.1 Base Score)
9.30

Severity 3.1 (text)
CRITICAL

References


  • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

CVE-2024-13682

Title (es)
CVE-2024-13682

Tue, 04/03/2025 – 09:15

Type
CWE-352

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2024-13682

Description (en)
The Wallet System for WooCommerce – Wallet, Wallet Cashback, Refunds, Partial Payment, Wallet Restriction plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.2. This is due to missing or incorrect nonce validation in class-wallet-user-table.php. This makes it possible for unauthenticated attackers to modify wallet balances via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

04/03/2025

04/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
4.30

Severity 3.1 (text)
MEDIUM

References


  • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3244479%40wallet-system-for-woocommerce/trunk&old=3231275%40wallet-system-for-woocommerce/trunk

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/779a9f7a-4582-4d5e-bd9a-9ff7f14b452a?source=cve

CVE-2025-26849

Title (es)
CVE-2025-26849

Tue, 04/03/2025 – 09:15

Type
CWE-1394

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2025-26849

Description (en)
There is a Hard-coded Cryptographic Key in Docusnap 13.0.1440.24261, and earlier and later versions.

04/03/2025

04/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Severity 3.1 (CVSS 3.1 Base Score)
4.30

Severity 3.1 (text)
MEDIUM

References


  • https://docs.docusnap.com/en/release-notes/changelog/

  • https://www.redteam-pentesting.de/en/advisories/rt-sa-2024-012/

CVE-2025-0512

Title (es)
CVE-2025-0512

Tue, 04/03/2025 – 09:15

Type
CWE-79

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2025-0512

Description (en)
The Structured Content (JSON-LD) #wpsc plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sc_fs_local_business shortcode in all versions up to, and including, 6.4.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

04/03/2025

04/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
6.40

Severity 3.1 (text)
MEDIUM

References


  • https://plugins.trac.wordpress.org/browser/structured-content/trunk/templates/shortcodes/local-business.php#L10

  • https://plugins.trac.wordpress.org/changeset/3248930/
  • Structured Content (JSON-LD) #wpsc



  • https://www.wordfence.com/threat-intel/vulnerabilities/id/8ac5fe69-7885-4fb7-8107-079216d6955e?source=cve

CVE-2025-0433

Title (es)
CVE-2025-0433

Tue, 04/03/2025 – 09:15

Type
CWE-79

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2025-0433

Description (en)
The Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 2.0.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

04/03/2025

04/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
6.40

Severity 3.1 (text)
MEDIUM

References


  • https://plugins.trac.wordpress.org/browser/master-addons/trunk/addons/ma-image-hover-effects/ma-image-hover-effects.php#L1117

  • https://plugins.trac.wordpress.org/browser/master-addons/trunk/addons/ma-tabs/ma-tabs.php#L568

  • https://plugins.trac.wordpress.org/changeset/3243199/
  • Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations



  • https://www.wordfence.com/threat-intel/vulnerabilities/id/c693831f-fe60-4548-83aa-4ebd03d134ec?source=cve

CVE-2024-9618

Title (es)
CVE-2024-9618

Tue, 04/03/2025 – 09:15

Type
CWE-79

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2024-9618

Description (en)
The Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 2.0.7.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

04/03/2025

04/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
6.40

Severity 3.1 (text)
MEDIUM

References


  • https://master-addons.com/changelogs/

  • https://plugins.trac.wordpress.org/browser/master-addons/trunk/assets/js/master-addons-scripts.js#L1030

  • https://plugins.trac.wordpress.org/browser/master-addons/trunk/assets/js/master-addons-scripts.js#L1993

  • https://plugins.trac.wordpress.org/browser/master-addons/trunk/assets/js/master-addons-scripts.js#L510

  • https://plugins.trac.wordpress.org/browser/master-addons/trunk/assets/js/master-addons-scripts.js#L535

  • https://plugins.trac.wordpress.org/changeset/3243199/

  • https://plugins.trac.wordpress.org/changeset/3249130/
  • Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations



  • https://www.wordfence.com/threat-intel/vulnerabilities/id/b8d399f3-5517-4c5d-b792-94eb8b0cc0f4?source=cve

CVE-2024-13724

Title (es)
CVE-2024-13724

Tue, 04/03/2025 – 09:15

Type
CWE-285

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2024-13724

Description (en)
The Wallet System for WooCommerce – Wallet, Wallet Cashback, Refunds, Partial Payment, Wallet Restriction plugin for WordPress is vulnerable to unauthorized access to functionality in all versions up to, and including, 2.6.2. This makes it possible for unauthenticated attackers to increase their own wallet balance, transfer balances between arbitrary users and initiate transfer requests from other users' wallets.

04/03/2025

04/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
4.30

Severity 3.1 (text)
MEDIUM

References


  • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3244479%40wallet-system-for-woocommerce/trunk&old=3231275%40wallet-system-for-woocommerce/trunk

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/bda326b0-9049-496a-a600-fa65151ce98f?source=cve

CVE-2025-0958

Title (es)
CVE-2025-0958

Tue, 04/03/2025 – 10:15

Type
CWE-20

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2025-0958

Description (en)
The Ultimate WordPress Auction Plugin plugin for WordPress is vulnerable to unauthorized access to functionality in all versions up to, and including, 4.2.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary auctions, posts as well as pages and allows them to execute other actions related to auction handling.

04/03/2025

04/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
5.40

Severity 3.1 (text)
MEDIUM

References


  • https://plugins.trac.wordpress.org/browser/ultimate-auction/trunk/ajax-actions/send-private-msg.php#L35

  • https://plugins.trac.wordpress.org/browser/ultimate-auction/trunk/ultimate-auction.php#L219

  • https://plugins.trac.wordpress.org/browser/ultimate-auction/trunk/ultimate-auction.php#L274

  • https://plugins.trac.wordpress.org/changeset/3242416/ultimate-auction/trunk/ultimate-auction.php

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/af3675c9-3a6b-4139-85e8-2fc57f290e82?source=cve

CVE-2025-0370

Title (es)
CVE-2025-0370

Tue, 04/03/2025 – 10:15

Type
CWE-79

Severity 2.0 (text)
Pending analysis

Title (en)
CVE-2025-0370

Description (en)
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘src’ parameter in all versions up to, and including, 7.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

04/03/2025

04/03/2025

CVSS:3.1 vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Severity 3.1 (CVSS 3.1 Base Score)
6.40

Severity 3.1 (text)
MEDIUM

References


  • https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/trunk/includes/shortcodes/lightbox.php#L75

  • https://plugins.trac.wordpress.org/changeset/3229060/
  • WP Shortcodes Plugin — Shortcodes Ultimate



  • https://www.wordfence.com/threat-intel/vulnerabilities/id/f0869c35-9ea8-46a5-8bba-23d7ef47355a?source=cve