CVE-2025-9113
Published 2025-09-08
CVE-2025-9113: The Doccure Core plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'doccure_temp_upload_to_media'…
Priority: P2 | 71 | critical | 9.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.57% (43.0th percentile)
The Doccure Core plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'doccure_temp_upload_to_media' function in all versions up to, and including, 1.5.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected: 1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dreamstechnologies | doccure_core | <= 1.5.3 | — |
GHSA
GHSA-2p85-7vwf-q4fq
ghsa_unreviewed · 2025-09-08
CVE-2025-9113 [CRITICAL] CWE-434
The Doccure theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'doccure_temp_upload_to_media' function in all versions up to, and including, 1.4.8. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
GHSA
Eclipse Jetty affected by MadeYouReset HTTP/2 vulnerability
ghsa · 2025-08-20
CVE-2025-5115 [HIGH] CWE-400
## Technical Details
Below is a technical explanation of a newly discovered vulnerability in HTTP/2, which we refer to as “MadeYouReset.”
### MadeYouReset Vulnerability Summary
The MadeYouReset DDoS vulnerability is a logical vulnerability in the HTTP/2 protocol that uses malformed HTTP/2 control frames to break the max concurrent streams limit, which results in resource exhaustion and distributed denial of service.
### Mechanism
The vulnerability uses malformed HTTP/2 control frames, or malformed flow, in order to make the server reset streams created by the client (using the RST_STREAM frame).
The vulnerability can be triggered by several primitives defined by the HTTP/2 RFC (RFC 9113). The primitives are:
1.
GHSA
Netty affected by MadeYouReset HTTP/2 DDoS vulnerability
ghsa · 2025-08-13
CVE-2025-55163 [HIGH] CWE-770
Below is a technical explanation of a newly discovered vulnerability in HTTP/2, which we refer to as “MadeYouReset.”
### MadeYouReset Vulnerability Summary
The MadeYouReset DDoS vulnerability is a logical vulnerability in the HTTP/2 protocol that uses malformed HTTP/2 control frames to break the max concurrent streams limit, which results in resource exhaustion and distributed denial of service.
### Mechanism
The vulnerability uses malformed HTTP/2 control frames, or malformed flow, in order to make the server reset streams created by the client (using the RST_STREAM frame).
The vulnerability can be triggered by several primitives defined by the HTTP/2 RFC (RFC 9113). The primitives are:
1. WINDOW_UPDATE frame wit
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.