CVE-2025-2025
Published: 2025-03-15
Priority: P344 · Severity: high · CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.58% (43.5th percentile)
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the give_reports_earnings() function in all versions up to, and including, 3.22.0. This makes it possible for unauthenticated attackers to disclose sensitive information included within earnings reports.
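How a CWE-862 bug of this shape arises in a WordPress plugin, and what the missing check looks like once added, as an added example. This is illustrative PHP written for this page, not GiveWP's code; the AJAX action name `give_example_earnings`, the capability `view_give_reports`, the nonce action `give_example_reports`, the REST namespace `give-example/v1` and the report figures are assumptions for the demonstration.

```php
<?php
/**
 * Added example (not GiveWP's code): an earnings-report AJAX endpoint in the
 * vulnerable shape that CWE-862 describes, and the hardened shape.
 * Assumed names: AJAX action 'give_example_earnings', capability
 * 'view_give_reports', nonce action 'give_example_reports', REST namespace
 * 'give-example/v1'. The report figures are constructed.
 */

// Stand-in for the real report query. Figures are constructed.
function give_example_build_earnings_report(): array {
    return [
        'total_earnings' => 12345.67,
        'donation_count' => 210,
        'by_form'        => [
            'Annual Appeal' => 9876.54,
            'Scholarship'   => 2469.13,
        ],
    ];
}

/*
 * BEFORE: the vulnerable shape. Hooking the handler to 'wp_ajax_nopriv_*'
 * makes WordPress run it for callers who are not logged in at all, and the
 * body never checks who is asking, so anyone who knows the action name can
 * fetch the report with one request to /wp-admin/admin-ajax.php.
 */
function give_example_reports_earnings_vulnerable(): void {
    wp_send_json_success( give_example_build_earnings_report() );
}

/*
 * AFTER: the hardened shape.
 *  1. Not registered on 'wp_ajax_nopriv_*', so anonymous requests never reach it.
 *  2. current_user_can() inside the function: hook registration is not an
 *     authorization decision. Every logged-in account (a Subscriber included)
 *     can call any 'wp_ajax_*' action, so the handler must check a capability.
 *  3. A nonce check, so an administrator's browser cannot be made to call it
 *     cross-site. The third argument `false` lets us answer with JSON instead
 *     of the default wp_die().
 */
function give_example_reports_earnings_fixed(): void {
    if ( ! current_user_can( 'view_give_reports' ) ) {
        wp_send_json_error( [ 'message' => 'Insufficient permissions.' ], 403 );
    }
    if ( ! check_ajax_referer( 'give_example_reports', 'nonce', false ) ) {
        wp_send_json_error( [ 'message' => 'Invalid or expired nonce.' ], 403 );
    }
    wp_send_json_success( give_example_build_earnings_report() );
}

// Wire up one of the two. The vulnerable wiring is kept only to show the
// registration pattern to look for in an audit.
if ( defined( 'GIVE_EXAMPLE_SHOW_VULNERABLE' ) && GIVE_EXAMPLE_SHOW_VULNERABLE ) {
    add_action( 'wp_ajax_give_example_earnings', 'give_example_reports_earnings_vulnerable' );
    add_action( 'wp_ajax_nopriv_give_example_earnings', 'give_example_reports_earnings_vulnerable' );
} else {
    add_action( 'wp_ajax_give_example_earnings', 'give_example_reports_earnings_fixed' );
}

// The same bug in REST form: a route whose permission_callback is
// '__return_true' is reachable anonymously. Here the capability is the gate
// for the route, independent of the handler body.
add_action( 'rest_api_init', function (): void {
    register_rest_route( 'give-example/v1', '/reports/earnings', [
        'methods'             => 'GET',
        'callback'            => function () {
            return rest_ensure_response( give_example_build_earnings_report() );
        },
        'permission_callback' => function (): bool {
            return current_user_can( 'view_give_reports' );
        },
    ] );
} );
```

Against a test site the anonymous read in the vulnerable wiring is a cookieless `GET /wp-admin/admin-ajax.php?action=give_example_earnings`; with the hardened wiring WordPress core answers that request with `0` and HTTP 400 before any plugin code runs, and a logged-in Subscriber gets the 403 from the capability check. A quick audit of any plugin: every function on a `wp_ajax_nopriv_*` hook or a route with `permission_callback => '__return_true'` must be intended for anonymous callers, and every `wp_ajax_*` handler still needs its own `current_user_can()` because Subscriber-level accounts reach it.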
Affected
11 ranges as indexed. Only the givewp and stellarwp rows describe CVE-2025-2025 (GiveWP <= 3.22.0, fixed in 3.22.1). The contao, linux, magento and msrc rows are version ranges from the other advisories aggregated further down this page (Contao CVE-2025-65961, the Linux kernel OSV notice, Magento CVE-2025-43585, Emacs CVE-2023-27985) and do not belong to this CVE.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| contao | core-bundle | >= 4.0.0 < 4.13.57 | 4.13.57 |
| contao | core-bundle | >= 5.0.0-RC1 < 5.3.42 | 5.3.42 |
| contao | core-bundle | >= 5.4.0-RC1 < 5.6.5 | 5.6.5 |
| givewp | givewp | < 3.22.1 | 3.22.1 |
| linux | linux_kernel | >= 0 < 4.15.0-246.258 | 4.15.0-246.258 |
| magento | community-edition | >= 0 < 2.4.5-p13 | 2.4.5-p13 |
| magento | community-edition | >= 2.4.6-p1 < 2.4.6-p11 | 2.4.6-p11 |
| magento | community-edition | >= 2.4.7-beta1 < 2.4.7-p6 | 2.4.7-p6 |
| magento | project-community-edition | 0 – 2.0.2 | — |
| msrc | cbl2_emacs_28.2-4_on_cbl_mariner_2.0 | — | — |
| stellarwp | givewp_donation_plugin_and_fundraising_platform | <= 3.22.0 | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| osv | 5.5 | MEDIUM | |
| cisa | 7.8 | HIGH | |
| vendor_msrc | 7.8 | HIGH | |
| vendor_redhat | 7.5 | HIGH | |
Only the NVD row scores CVE-2025-2025 itself: an unauthenticated, network-reachable information disclosure (C:H, I:N, A:N). The osv, cisa and vendor_msrc rows reproduce the scores of other entries aggregated below (the Linux kernel OSV notice at 5.5, the CISA KEV entry for CVE-2025-24990 at 7.8 and the MSRC entry for CVE-2023-27985 at 7.8); the vendor_redhat row is listed as indexed.
OSV
osv · 2026-01-29 · CVSS 5.5
CVE-2022-48986: linux, linux-aws, linux-aws-hwe, linux-hwe, linux-kvm, linux-oracle vulnerabilities
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
- Media drivers;
- NVME drivers;
- File systems infrastructure;
- Timer subsystem;
- Memory management;
- Packet sockets;
(CVE-2022-48986, CVE-2024-27078, CVE-2024-49959, CVE-2024-50195,
CVE-2024-56606, CVE-2024-56756, CVE-2025-39993)
GHSA
ghsa · 2025-11-25
CVE-2025-65961 [LOW] CWE-79: Contao is vulnerable to cross-site scripting in templates
### Impact
It is possible to inject code into the template output that will be executed in the browser in the front end and back end.
### Patches
Update to Contao 4.13.57, 5.3.42 or 5.6.5.
### Workarounds
Do not use the affected templates or patch them manually.
### References
https://contao.org/en/security-advisories/cross-site-scripting-in-templates
GHSA
ghsa · 2025-06-10
CVE-2025-43585 [HIGH] CWE-285: Magento Improper Authorization leading to security feature bypass
Magento versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access leading to a limited impact to confidentiality and a high impact to integrity. Exploitation of this issue does not require user interaction.
GHSA
ghsa_unreviewed · 2025-03-15
CVE-2025-2025 [MEDIUM] CWE-862 · GHSA-2xfx-2vr5-pf8q: GiveWP missing capability check on give_reports_earnings()
The advisory text is the same as the description at the top of this page: a missing capability check on give_reports_earnings() in all versions up to and including 3.22.0, letting unauthenticated attackers read the data in earnings reports. Note the severity disagreement between sources: this unreviewed GHSA record rates the issue MEDIUM, while NVD scores it 7.5 HIGH.
Fortinet
vendor_fortinet · 2025-11-26
CVE-2025-66232: Rejected (reason: Not used)
CISA
cisa · 2025-10-14 · CVSS 7.8
CVE-2025-24990 [HIGH] CWE-822: Microsoft Windows Untrusted Pointer Dereference Vulnerability
Affected: Microsoft Windows
Microsoft Windows Agere Modem Driver contains an untrusted pointer dereference vulnerability that allows for privilege escalation. An attacker who successfully exploited this vulnerability could gain administrator privileges.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-24990 ; https://nvd.nist.gov/vuln/detail/CVE-2025-24990
Remediation Due Date: 2025-11-04
Microsoft
vendor_msrc · 2023-03-14 · CVSS 7.8
CVE-2023-27985 [HIGH] CWE-78: emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to shell command injection through a crafted mailto: URI. This is related to lack of compliance with the Desktop Entry Specification. It is fixed in 29.0.90.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identif
No detection rules found.
No public exploits indexed.
Bugzilla
bugzilla · 2025-10-02 · CVSS 2.9
CVE-2025-43718 [LOW]: poppler: Poppler stack overflow [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that ar
Wiz
blogs_wiz · CVSS 6.7
CVE-2025-20805 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-20805: NixOS vulnerability analysis and mitigation
In dpe, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10114696; Issue ID: MSV-4480.
Source: NVD
Score: 6.7 (CNA score 6.7), severity MEDIUM; published January 6, 2026
Affected technologies: NixOS; affected packages and libraries: android
Has public exploit: No; in CISA KEV: No (KEV release date N/A, due date N/A)
EPSS percentile: 0.4; EPSS probability: N/A
Sources: NVD; Nix: severity MEDIUM, no fix, added Jan 12, 2026
Huntress
blogs_huntress · CVSS 10.0
CVE-2021-45046: Vulnerability Analysis, Impact, Mitigation | Huntress
Published: 2/20/2025
Written by: Lizzie Danielson
## What is CVE-2021-45046 vulnerability?
CVE-2021-45046 is a vulnerability in the widely used Apache Log4j 2 logging library: the fix for CVE-2021-44228 that shipped in Log4j 2.15.0 was incomplete, and in certain non-default configurations (a Pattern Layout using a Context Lookup such as $${ctx:loginId}, or a Thread Context Map pattern) attacker-controlled input could still reach a JNDI lookup. It was initially rated as a denial-of-service risk (CVSS 3.7), then reassessed as permitting information leakage and, in some environments, remote code execution, and its score was raised to 9.0; the 10.0 in this index's metadata is the score of CVE-2021-44228 itself. It was fixed in Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7).
## When was it discovered?
CVE-2021-45046 was disclosed on December 14, 2021, following the initial CVE-2021-44228 ("Log4Shell") vulnerability. The flaw was identified during the response to the first issue, with contributions from Apache maintainers and security researchers.
## Affected products & versions
Product
Wiz
blogs_wiz · CVSS 6.5
CVE-2025-13652 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13652: WordPress vulnerability analysis and mitigation
The CBX Bookmark & Favorite plugin for WordPress is vulnerable to generic SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 2.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source: NVD
Score: 6.5 (CNA score 6.5), severity MEDIUM; published January 6, 2026
Affected technologies: WordPress
Has public exploit: No; in CISA KEV: No (KEV release date N/A, due date N/A)
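Why an `orderby` parameter ends up in the query verbatim even in code that calls `$wpdb->prepare()`, and the allow-list that closes it, as an added example. This is illustrative PHP for this page, not the CBX Bookmark & Favorite plugin's code; the table name `example_bookmarks`, the column names and the request shape are assumptions.

```php
<?php
/**
 * Added example (not the CBX Bookmark plugin's code): an ORDER BY clause
 * built from a request parameter, first in the vulnerable shape, then with
 * an identifier allow-list. Table name 'example_bookmarks' and its columns
 * are assumptions. Both functions return the SQL they would run so the
 * difference can be inspected without a database.
 */

// VULNERABLE: $wpdb->prepare() only escapes values bound through
// placeholders (%s, %d, %f). An identifier spliced in by string
// interpolation is handed to MySQL exactly as the Subscriber sent it, so
// orderby=(SELECT ...) or a time-based expression runs inside ORDER BY.
function example_bookmarks_sql_vulnerable( array $request ): string {
    global $wpdb;
    $orderby = isset( $request['orderby'] ) ? $request['orderby'] : 'id';
    $order   = isset( $request['order'] ) ? $request['order'] : 'DESC';

    return $wpdb->prepare(
        "SELECT id, user_id, object_id, created
           FROM {$wpdb->prefix}example_bookmarks
          WHERE user_id = %d
       ORDER BY {$orderby} {$order}",
        get_current_user_id()
    );
}

// HARDENED: the parameter selects from a fixed set of column names; the raw
// string never reaches the query. Direction is reduced to two literals.
const EXAMPLE_BOOKMARK_SORT_COLUMNS = [ 'id', 'user_id', 'object_id', 'created' ];

function example_bookmarks_sql_fixed( array $request ): string {
    global $wpdb;

    // sanitize_key() lowercases and strips everything but [a-z0-9_-];
    // the in_array() check with strict comparison is the actual gate.
    $orderby = isset( $request['orderby'] ) ? sanitize_key( $request['orderby'] ) : 'id';
    if ( ! in_array( $orderby, EXAMPLE_BOOKMARK_SORT_COLUMNS, true ) ) {
        $orderby = 'id';
    }
    $order = ( isset( $request['order'] ) && strtoupper( $request['order'] ) === 'ASC' ) ? 'ASC' : 'DESC';

    // Since WordPress 6.2, %i is an identifier placeholder (backtick-quoted
    // and escaped). On older cores the allow-list above is the whole defence,
    // and the column name would be interpolated after the check instead.
    return $wpdb->prepare(
        "SELECT id, user_id, object_id, created
           FROM {$wpdb->prefix}example_bookmarks
          WHERE user_id = %d
       ORDER BY %i {$order}",
        get_current_user_id(),
        $orderby
    );
}
```

The hardening is an allow-list rather than escaping because identifiers cannot be parameterised the way values can: `esc_sql()` protects a quoted string literal, but nothing in ORDER BY is quoted, so a "sanitised" expression such as a subquery is still an expression. Anything the request supplies that is not one of the four known column names falls back to `id`, which is the behaviour to assert in a unit test for this kind of fix.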
Wiz
blogs_wiz · CVSS 6.9
CVE-2025-52564 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-52564: Chamilo vulnerability analysis and mitigation
Chamilo is a learning management system. Prior to version 1.11.30, the `open` parameter of help.php fails to properly sanitize user input. This allows an attacker to inject arbitrary HTML, such as underlined text, via a crafted URL. This issue has been patched in version 1.11.30.
Source: NVD
Score: 6.9 (CNA score 6.9), severity MEDIUM; published March 2, 2026
Affected technologies: Chamilo; affected packages and libraries: cpe:2.3:a:chamilo:chamilo_lms
Has public exploit: No; in CISA KEV: No (KEV release date N/A, due date N/A)
EPSS percentile: 11.1; EPSS probability: N/A
Sources:
Linux: severity MEDIUM, has fix, added Mar 04, 2026
Windows Severity MEDI