CVE-2025-2205

CVE-2025-2205

Título es
CVE-2025-2205

Mié, 12/03/2025 – 04:15

Tipo
CWE-79

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2025-2205

Descripción en
The GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice – CCPA, DSGVO, RGPD plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.15.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

12/03/2025

12/03/2025

Vector CVSS:3.1
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)
4.40

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias

  • CVE-2025-1622 – GDPR Cookie Compliance – Stored XSS to JS Backdoor Creation – POC



  • https://wpscan.com/vulnerability/7a903d61-2792-4fe0-a26b-f400f4a3124b/

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/37da32e4-48a1-4830-a47c-c454d60c9811?source=cve

    • Enviar en el boletín
    Off

    CVE-2025-2078

    CVE-2025-2078

    Título es
    CVE-2025-2078

    Mié, 12/03/2025 – 04:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-2078

    Descripción en
    The BlogBuzzTime for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

    12/03/2025

    12/03/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    4.40

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias


  • https://wordpress.org/plugins/blogbuzztime-for-wp/

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/746e47f2-3fe3-439c-bd54-a9bba9c86271?source=cve

    • Enviar en el boletín
    Off

    CVE-2025-2077

    CVE-2025-2077

    Título es
    CVE-2025-2077

    Mié, 12/03/2025 – 04:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2025-2077

    Descripción en
    The Simple Amazon Affiliate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'msg' parameter in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

    12/03/2025

    12/03/2025

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.10

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias


  • https://wordpress.org/plugins/simple-amazon-affiliate/

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/ecd48e2c-343f-4bae-9d9e-260d003ef87c?source=cve

    • Enviar en el boletín
    Off

    CVE-2025-2214

    CVE-2025-2214

    Título es
    CVE-2025-2214

    Mié, 12/03/2025 – 00:15

    Tipo
    CWE-79

    Gravedad v2.0
    4.00

    Gravedad 2.0 Txt
    MEDIUM

    Título en

    CVE-2025-2214

    Descripción en
    A vulnerability was found in Microweber 2.0.19. It has been rated as problematic. This issue affects some unknown processing of the file userfiles/modules/settings/group/website_group/index.php of the component Settings Handler. The manipulation of the argument group leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

    12/03/2025

    12/03/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

    Vector CVSS:2.0
    AV:N/AC:L/Au:S/C:N/I:P/A:N

    Gravedad 4.0
    5.10

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 (CVSS 3.1 Base Score)
    3.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    LOW

    Referencias


  • https://github.com/Fewword/Poc/blob/main/microweber/mwb-poc1.md

  • https://vuldb.com/?ctiid_299285=

  • https://vuldb.com/?id_299285=

  • https://vuldb.com/?submit_512032=

    • Enviar en el boletín
    Off

    CVE-2025-2216

    CVE-2025-2216

    Título es
    CVE-2025-2216

    Mié, 12/03/2025 – 00:15

    Tipo
    CWE-284

    Gravedad v2.0
    6.50

    Gravedad 2.0 Txt
    MEDIUM

    Título en

    CVE-2025-2216

    Descripción en
    A vulnerability, which was classified as critical, has been found in zzskzy Warehouse Refinement Management System 1.3. Affected by this issue is the function UploadCrash of the file /crash/log/SaveCrash.ashx. The manipulation of the argument file leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

    12/03/2025

    12/03/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

    Vector CVSS:2.0
    AV:N/AC:L/Au:S/C:P/I:P/A:P

    Gravedad 4.0
    5.30

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias


  • https://github.com/f14g-orz/tmp/blob/main/3_.md

  • https://vuldb.com/?ctiid_299288=

  • https://vuldb.com/?id_299288=

  • https://vuldb.com/?submit_512330=

    • Enviar en el boletín
    Off

    CVE-2025-2215

    CVE-2025-2215

    Título es
    CVE-2025-2215

    Mié, 12/03/2025 – 00:15

    Tipo
    CWE-22

    Gravedad v2.0
    5.80

    Gravedad 2.0 Txt
    MEDIUM

    Título en

    CVE-2025-2215

    Descripción en
    A vulnerability classified as critical was found in Doufox up to 0.2.0. Affected by this vulnerability is an unknown functionality of the file /?s=doudou&c=file&a=list. The manipulation of the argument dir leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

    12/03/2025

    12/03/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

    Vector CVSS:2.0
    AV:N/AC:L/Au:M/C:P/I:P/A:P

    Gravedad 4.0
    5.10

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 (CVSS 3.1 Base Score)
    4.70

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias


  • https://github.com/sate10/11/issues/1

  • https://vuldb.com/?ctiid_299287=

  • https://vuldb.com/?id_299287=

  • https://vuldb.com/?submit_512316=

    • Enviar en el boletín
    Off

    CVE-2025-2217

    CVE-2025-2217

    Título es
    CVE-2025-2217

    Mié, 12/03/2025 – 00:15

    Tipo
    CWE-74

    Gravedad v2.0
    6.50

    Gravedad 2.0 Txt
    MEDIUM

    Título en

    CVE-2025-2217

    Descripción en
    A vulnerability, which was classified as critical, was found in zzskzy Warehouse Refinement Management System 1.3. This affects the function ProcessRequest of the file /getAdyData.ashx. The manipulation of the argument showid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

    12/03/2025

    12/03/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

    Vector CVSS:2.0
    AV:N/AC:L/Au:S/C:P/I:P/A:P

    Gravedad 4.0
    5.30

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias


  • https://github.com/Rain1er/report/blob/main/skWMX/5.md

  • https://vuldb.com/?ctiid_299289=

  • https://vuldb.com/?id_299289=

  • https://vuldb.com/?submit_512333=

    • Enviar en el boletín
    Off

    CVE-2025-2219

    CVE-2025-2219

    Título es
    CVE-2025-2219

    Mié, 12/03/2025 – 01:15

    Tipo
    CWE-284

    Gravedad v2.0
    7.50

    Gravedad 2.0 Txt
    HIGH

    Título en

    CVE-2025-2219

    Descripción en
    A vulnerability was found in LoveCards LoveCardsV2 up to 2.3.2 and classified as critical. This issue affects some unknown processing of the file /api/upload/image. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

    12/03/2025

    12/03/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

    Vector CVSS:2.0
    AV:N/AC:L/Au:N/C:P/I:P/A:P

    Gravedad 4.0
    6.90

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias


  • https://ctf-n0el4kls.notion.site/LoveCardsV2-Unauthentication-to-RCE-Vulnerability-19841990f44780de8263c1f77a007a83

  • https://vuldb.com/?ctiid_299291=

  • https://vuldb.com/?id_299291=

    • Enviar en el boletín
    Off

    CVE-2025-2218

    CVE-2025-2218

    Título es
    CVE-2025-2218

    Mié, 12/03/2025 – 01:15

    Tipo
    CWE-266

    Gravedad v2.0
    5.00

    Gravedad 2.0 Txt
    MEDIUM

    Título en

    CVE-2025-2218

    Descripción en
    A vulnerability has been found in LoveCards LoveCardsV2 up to 2.3.2 and classified as critical. This vulnerability affects unknown code of the file /api/system/other of the component Setting Handler. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

    12/03/2025

    12/03/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

    Vector CVSS:2.0
    AV:N/AC:L/Au:N/C:N/I:P/A:N

    Gravedad 4.0
    6.90

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 (CVSS 3.1 Base Score)
    5.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias


  • https://ctf-n0el4kls.notion.site/LoveCardsV2-Unauthentication-to-RCE-Vulnerability-19841990f44780de8263c1f77a007a83?pvs=4

  • https://vuldb.com/?ctiid_299290=

  • https://vuldb.com/?id_299290=

  • https://vuldb.com/?submit_512351=

    • Enviar en el boletín
    Off

    CVE-2025-2220

    CVE-2025-2220

    Título es
    CVE-2025-2220

    Mié, 12/03/2025 – 02:15

    Tipo
    CWE-320

    Gravedad v2.0
    1.70

    Gravedad 2.0 Txt
    LOW

    Título en

    CVE-2025-2220

    Descripción en
    A vulnerability was found in Odyssey CMS up to 10.34. It has been classified as problematic. Affected is an unknown function of the file /modules/odyssey_contact_form/odyssey_contact_form.php of the component reCAPTCHA Handler. The manipulation of the argument g-recaptcha-response leads to key management error. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

    12/03/2025

    12/03/2025

    Vector CVSS:4.0
    CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

    Vector CVSS:2.0
    AV:L/AC:L/Au:S/C:P/I:N/A:N

    Gravedad 4.0
    4.80

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 (CVSS 3.1 Base Score)
    3.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    LOW

    Referencias


  • https://github.com/secuserx/CVE/blob/main/%5BHardcoded%20reCAPTCHA%20secret%20key%5D%20found%20in%20Odyssey%20CMS%2010.35%20-%20(odyssey_contact_form.php).md

  • https://vuldb.com/?ctiid_299292=

  • https://vuldb.com/?id_299292=

  • https://vuldb.com/?submit_512367=

    • Enviar en el boletín
    Off