CVE-2025-2008
Published: 2025-04-01
Priority: P2 (59)
CVSS 3.1 base score: 8.8 (high)
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.06% (60.2th percentile)
The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note this vulnerability was reintroduced in 7.20, and subsequently patched again in 7.20.1.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_10_version_21h2 | — | — |
| msrc | windows_10_version_22h2 | — | — |
| msrc | windows_11_version_22h2 | — | — |
| msrc | windows_11_version_23h2 | — | — |
| msrc | windows_11_version_24h2 | — | — |
| msrc | windows_11_version_25h2 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_for_32-bit_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_for_x64-based_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2008_r2_for_x64-based_systems_service_pack_1 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_server_2019 | — | — |
| msrc | windows_server_2022 | — | — |
| msrc | windows_server_2022_23h2_edition | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| vendor_msrc | 8.8 | HIGH | — |
| vendor_redhat | 5.5 | MEDIUM | — |
GHSA
CVE-2025-2008 [HIGH] CWE-434 GHSA-rvhm-r43q-vxvx
ghsa_unreviewed · 2025-04-01
The Import Export Suite for CSV and XML Datafeed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import_single_post_as_csv() function in all versions up to, and including, 7.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Red Hat
CVE-2025-22071 [MEDIUM] kernel: spufs: fix a leak in spufs_create_context()
vendor_redhat · 2025-04-16 · CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
spufs: fix a leak in spufs_create_context()
Leak fixes back in 2008 missed one case - if we are trying to set affinity
and spufs_mkdir() fails, we need to drop the reference to neighbor.
Package: kernel (Red Hat Enterprise Linux 10) - Not affected
Package: kernel (Red Hat Enterprise Linux 6) - Not affected
Package: kernel (Red Hat Enterprise Linux 7) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 7) - Not affected
Package: kernel (Red Hat Enterprise Linux 8) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 8) - Not affected
Package: kernel (Red Hat Enterprise Linux 9) - Not affected
Package: kernel-rt (Red Hat Enterprise Linux 9) - Not affected
Microsoft
CVE-2025-21332 [MEDIUM] CWE-41 MapUrlToZone Security Feature Bypass Vulnerability
vendor_msrc · 2025-01-14 · CVSS 4.3
FAQ: The Security Updates table indicates that this vulnerability affects all supported versions of Microsoft Windows. Why are IE Cumulative updates listed for Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2?
While Microsoft has announced retirement of the Internet Explorer 11 application on certain platforms and the Microsoft Edge Legacy application is deprecated, the underlying MSHTML, EdgeHTML, and scripting platforms are still supported. The MSHTML platform is used by Internet Explorer mode in Microsoft Edge as well as other applications through WebBrowser control. The EdgeHTML platform is used by WebView and some UWP applications. The scripting platforms are used by MSHTML and EdgeHTML but
Citrix
CVE-2008-2528 [CRITICAL] Citrix Security Bulletin CTX116930
vendor_citrix · CVSS 10.0
CVE References: CVE-2008-2528, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
Citrix
CVE-2008-4676 [MEDIUM] Citrix Security Bulletin CTX116310
vendor_citrix · CVSS 6.8
CVE References: CVE-2008-4676, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
Citrix
CVE-2008-6561 [LOW] Citrix Security Bulletin CTX116227
vendor_citrix · CVSS 1.9
CVE References: CVE-2008-6561, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
Citrix
CVE-2008-0356 [CRITICAL] Citrix Security Bulletin CTX114487
vendor_citrix · CVSS 10.0
CVE References: CVE-2008-0356, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
Citrix
CVE-2008-5121 [HIGH] Citrix Security Bulletin CTX117751
vendor_citrix · CVSS 7.2
CVE References: CVE-2008-5121, CVE-2025-12101, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-22071 [MEDIUM] kernel: spufs: fix a leak in spufs_create_context()
bugzilla · 2025-04-16 · CVSS 5.5
In the Linux kernel, the following vulnerability has been resolved:
spufs: fix a leak in spufs_create_context()
Leak fixes back in 2008 missed one case - if we are trying to set affinity
and spufs_mkdir() fails, we need to drop the reference to neighbor.
Discussion (upstream advisory): https://lore.kernel.org/linux-cve-announce/2025041610-CVE-2025-22071-ca32@gregkh/T
Tenable
[MEDIUM] Tenable updates plugin subscription model for Nessus Vulnerability Scanner
blogs_tenable · 2008-05-14 · CVSS 5.3
# Tenable updates plugin subscription model for Nessus Vulnerability Scanner
Ron Gula, May 14, 2008
Tenable Network Security Inc. today announced an update to its Nessus subscription model that will benefit home users and qualifying charities around the world. We've posted a letter and a FAQ about the changes at nessus.org.
I was also recently interviewed about the license change for the Network Security Podcast by Rich Mogull and Martin Mckeay. The direct URL for the interview is:
- http://netsecpodcast.com/?p=41