Security Vulnerabilities - CVEs Published In February 2025
Trendnet TEW-929DRU 1.0.0.10 contains a Stored Cross-site Scripting (XSS) vulnerability via the The ssid key of wifi_data parameter on the /captive_portal.htm page.
CVSS Score
4.8
EPSS Score
0.0
Published
2025-02-28
wuzhicms v4.1.0 has a Cross Site Scripting (XSS) vulnerability in del function in \coreframe\app\member\admin\group.php.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-02-28
HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/login.
CVSS Score
4.7
EPSS Score
0.001
Published
2025-02-28
HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/register.
CVSS Score
4.7
EPSS Score
0.001
Published
2025-02-28
HTML injection vulnerabilities in OpenCart versions prior to 4.1.0. These vulnerabilities could allow an attacker to modify the HTML of the victim's browser by sending a malicious URL and modifying the parameter name in /account/voucher.
CVSS Score
4.7
EPSS Score
0.001
Published
2025-02-28
Cross-Site Scripting vulnerability in OpenCart versions prior to 4.1.0. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the search in the /product/search endpoint. This vulnerability could be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
CVSS Score
6.1
EPSS Score
0.001
Published
2025-02-28
The Site Mailer – SMTP Replacement, Email API Deliverability & Email Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Score
6.4
EPSS Score
0.0
Published
2025-02-28
The NextMove Lite – Thank You Page for WooCommerce plugin for WordPress is vulnerable to unauthorized submission of data due to a missing capability check on the _submit_uninstall_reason_action() function in all versions up to, and including, 2.19.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit a deactivation reason on behalf of a site.
CVSS Score
4.3
EPSS Score
0.0
Published
2025-02-28
The WOW Entrance Effects (WEE!) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wee' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Score
6.4
EPSS Score
0.0
Published
2025-02-28
The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 8.1. This is due to the directorist_generate_password_reset_pin_code() and reset_user_password() functions not having enough controls to prevent a successful brute force attack of the OTP to change a password, or verify that a password reset request came from an authorized user. This makes it possible for unauthenticated attackers to generate and brute force an OTP that makes it possible to change any users passwords, including an administrator.
CVSS Score
8.1
EPSS Score
0.001
Published
2025-02-28