CVE-2025-1325
Published 2025-03-08
Priority P3 · 38 · medium · 6.3 · CVSS 3.1
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS: 0.31% (22.7th percentile)
The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to arbitrary shortcode execution due to a missing capability check on the 'rcl_preview_post' AJAX endpoint in all versions up to, and including, 16.26.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
Affected (20 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | azl3_cloud-hypervisor-cvm_38.0.72-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_cloud-hypervisor-cvm_38.0.72.2-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_edk2_20240524git3e722403cd16-8_on_azure_linux_3.0 | — | — |
| msrc | azl3_nodejs_20.10.0-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_nodejs_20.14.0-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_openssl_3.1.4-9_on_azure_linux_3.0 | — | — |
| msrc | azl3_openssl_3.3.0-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_qemu_8.2.0-16_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_cloud-hypervisor-cvm_38.0.72-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_cloud-hypervisor-cvm_38.0.72.2-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_hvloader_1.0.1-5_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_hvloader_1.0.1-6_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_nodejs18_18.18.2-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_openssl_1.1.1k-30_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_openssl_1.1.1k-36_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| plechevandrey | wp-recall | < 16.26.12 | 16.26.12 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| vendor_redhat | 7.5 | HIGH | — |
| vendor_msrc | 5.9 | MEDIUM | — |
GHSA
SmallRye Fault Tolerance out-of-memory (OOM) issue
ghsa · 2025-03-12
CVE-2025-2240 [HIGH] CWE-1325 SmallRye Fault Tolerance out-of-memory (OOM) issue
A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.
GHSA
GHSA-8h62-g744-gg7g
ghsa_unreviewed · 2025-03-08
CVE-2025-1325 [MEDIUM] CWE-862 GHSA-8h62-g744-gg7g
The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to arbitrary shortcode execution due to a missing capability check on the 'rcl_preview_post' AJAX endpoint in all versions up to, and including, 16.26.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
GitLab
Improperly Controlled Sequential Memory Allocation in Wireshark
vendor_gitlab · 2025-12-03 · CVSS 5.5
CVE-2025-13945 [MEDIUM] CWE-1325 Improperly Controlled Sequential Memory Allocation in Wireshark
HTTP3 dissector crash in Wireshark 4.6.0 and 4.6.1 allows denial of service
Affected products: Wireshark
Affected versions: >=4.6.0, <4.6.1 (affected)
Solution: Upgrade to version 4.6.2 or above
Credit: Sébastien Féry
Red Hat
smallrye-fault-tolerance: SmallRye Fault Tolerance
vendor_redhat · 2025-03-12 · CVSS 7.5
CVE-2025-2240 [HIGH] CWE-1325 smallrye-fault-tolerance: SmallRye Fault Tolerance
A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.
Statement: This vulnerability allows a remote attacker to cause an out-of-memory issue when calling the metrics URI, resulting in a denial of service. As this flaw can be triggered via the n
Microsoft
Unbounded memory growth with session handling in TLSv1.3
vendor_msrc · 2024-04-09 · CVSS 5.9
CVE-2024-2511 [MEDIUM] CWE-1325 Unbounded memory growth with session handling in TLSv1.3
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
openssl: openssl
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.