CVE-2025-1289
published 2025-05-15CVE-2025-1289: The Plugin Oficial WordPress plugin through 1.7.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to…
PriorityP418medium4.8CVSS 3.1
AVNACLPRHUIRSCCLILAN
EPSS
0.22%
12.2th percentile
The Plugin Oficial WordPress plugin through 1.7.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| coffee-code | plugin_oficial | < 1.8.1 | 1.8.1 |
| linux | linux_kernel | >= 2.6.19 < 5.10.248 | 5.10.248 |
| linux | linux_kernel | >= 5.11.0 < 5.15.198 | 5.15.198 |
| linux | linux_kernel | >= 5.16.0 < 6.1.160 | 6.1.160 |
| linux | linux_kernel | >= 6.13.0 < 6.17.12 | 6.17.12 |
| linux | linux_kernel | >= 6.18.0 < 6.18.1 | 6.18.1 |
| linux | linux_kernel | >= 6.2.0 < 6.6.120 | 6.6.120 |
| linux | linux_kernel | >= 6.7.0 < 6.12.62 | 6.12.62 |
CVSS provenance
nvdv3.14.8MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
vendor_redhat9.3CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted
osv·2025-12-22
CVE-2025-68337 jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted
jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted
In the Linux kernel, the following vulnerability has been resolved:
jbd2: avoid bug_on in jbd2_journal_get_create_access() when file system corrupted
There's issue when file system corrupted:
------------[ cut here ]------------
kernel BUG at fs/jbd2/transaction.c:1289!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 5 UID: 0 PID: 2031 Comm: mkdir Not tainted 6.18.0-rc1-next
RIP: 0010:jbd2_journal_get_create_access+0x3b6/0x4d0
RSP: 0018:ffff888117aafa30 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff88811a86b000 RCX: ffffffff89a63534
RDX: 1ffff110200ec602 RSI: 0000000000000004 RDI: ffff888100763010
RBP: ffff888100763000 R08: 0000000000000001 R09: ffff888100763028
R10: 0000000000000003 R11: 000000000000
GHSA
GHSA-f87f-4wg8-gxhp: The Plugin Oficial WordPress plugin through 1
ghsa_unreviewed·2025-05-15
CVE-2025-1289 [MEDIUM] CWE-79 GHSA-f87f-4wg8-gxhp: The Plugin Oficial WordPress plugin through 1
The Plugin Oficial WordPress plugin through 1.7.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Red Hat
axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization
vendor_redhat·2026-04-09·CVSS 9.3
CVE-2025-62718 [CRITICAL] CWE-1289 axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization
axios: Axios: Server-Side Request Forgery and proxy bypass due to improper hostname normalization
A flaw was found in Axios, a promise-based HTTP client. This vulnerability occurs because Axios does not correctly handle hostname normalization when evaluating NO_PROXY rules. An attacker can exploit this by crafting requests to loopback addresses (e.g., localhost. or [::1]) which bypass the NO_PROXY configuration and are routed through the configured proxy. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, enabling attackers to access sensitive internal or loopback services that should otherwise be protected.
Statement: This flaw has limited impact due to combination of non-default conditions to exploit: the attacker must be able to control or influence URLs passed to ax
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-05-15
Published