Latest Vulnerabilities

Over the past week, several noteworthy vulnerabilities have come to light, highlighting ongoing security challenges across a range of platforms. Coolify has been identified with multiple vulnerabilities, including command injection issues and an OAuth secret leak. Meanwhile, several WordPress themes and plugins, such as Jobify and the WooCommerce Product Size Charts plugin, revealed serious weaknesses in access controls. Additionally, a series of installers for USBXpress and other tools have been found susceptible to DLL hijacking due to uncontrolled search paths. These findings underscore the importance of vigilance and prompt patching to address security flaws across diverse applications and devices.

IBM-7180036: IBM PowerHA SystemMirror for IBM i

IBM-7179994: IBM WebSphere Automation

CVE-2025-22607: Coolify Vulnerable to GitHub / GitLab OAuth Secrets Leak

CVE-2025-22606: Coolify Command Injection Vulnerability in Project Name

theDotstore Product Size Charts Plugin for WooCommerce: WordPress Product Size Charts Plugin for WooCommerce plugin <= 2.4.5 - Broken Access Control vulnerability
Severity: medium (4.3)

JoeyBling bootplus: JoeyBling bootplus list sql injection
Severity: medium (6.5)


CVE-2024-13698: Jobify - Job Board WordPress Theme <= 4.2.7 - Missing Authorization to Unauthenticated Server-Side Request Forgery, Arbitrary Image Upload, and Image Generation
Severity: medium (6.5)

Telstra Smart Modem Gen 2: Telstra Smart Modem Gen 2 HTTP Header injection
Severity: medium (5.3)

CVE-2025-22605: Coolify OS Command Injection Vulnerability in SSH Command Generation

CVE-2024-9499: Uncontrolled search path can lead to DLL hijacking in USBXpress Win 98SE Dev Kit installer
Severity: high (8.6)

CVE-2024-9498: Uncontrolled search path can lead to DLL hijacking in USBXpress SDK installer
Severity: high (8.6)

CVE-2024-9497: Uncontrolled search path can lead to DLL hijacking in USBXpress 4 SDK installer
Severity: high (8.6)

CVE-2024-9496: Uncontrolled search path can lead to DLL hijacking in USBXpress Dev Kit installer
Severity: high (8.6)

CVE-2024-9495: Uncontrolled search path can lead to DLL hijacking in CP210x VCP Windows installer
Severity: high (8.6)

CVE-2024-9494: Uncontrolled search path can lead to DLL hijacking in CP210 VCP Win 2k installer
Severity: high (8.6)

CVE-2024-9493: Uncontrolled search path can lead to DLL hijacking in ToolStick installer
Severity: high (8.6)

CVE-2024-9492: Uncontrolled search path can lead to DLL hijacking in Flash Programming Utility installer
Severity: high (8.6)

CVE-2024-9491: Uncontrolled search path can lead to DLL hijacking in Configuration Wizard 2 installer
Severity: high (8.6)

CVE-2024-9490: Uncontrolled search path can lead to DLL hijacking in Silicon Labs IDE installer
Severity: high (8.6)

Rometheme RomethemeKit For Elementor: RomethemeKit For Elementor <= 1.5.2 - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
Severity: medium (4.3)

CVE-2024-11913: Activity Plus Reloaded for BuddyPress <= 1.1.1 - Authenticated (Subscriber+) Blind Server-Side Request Forgery
Severity: medium (5.4)

IBM Cognos Dashboards: IBM Cognos Dashboards on Cloud Pak for Data privilege escalation
Severity: high (8.8)

CVE-2024-13408: Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget <= 1.6.10 - Authenticated (Contributor+) Local File Inclusion
Severity: high (7.5)

CVE-2024-13354: Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates <= 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Severity: medium (6.4)

CVE-2024-13542: WP Google Street View (with 360° virtual tour) & Google maps + Local SEO <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Severity: medium (6.4)

CVE-2024-13335: Sastra Essential Addons for Elementor – Free Elementor Addons, Widgets and Templates <= 1.0.14 - Missing Authorization to Spexo Theme Install
Severity: medium (4.3)

CVE-2024-13572: Precious Metals Charts and Widgets for WordPress <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
Severity: medium (6.4)

CVE-2024-13594: Simple Downloads List <= 1.4.2 - Authenticated (Contributor+) SQL Injection
Severity: medium (6.5)

CVE-2024-13409: Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget <= 1.6.10 - Authenticated (Contributor+) Local File Inclusion via post_type_ajax_handler()
Severity: high (7.5)

CVE-2025-23889: WordPress FooGallery Captions Plugin <= 1.0.2 - Reflected Cross Site Scripting (XSS) vulnerability
Severity: high (7.1)

CVE-2025-23885: WordPress MJ Contact us Plugin <= 5.2.3 - Reflected Cross Site Scripting (XSS) vulnerability
Severity: high (7.1)

MDJM Event Management: WordPress MDJM Event Management Plugin <= 1.7.5.5 - Reflected Cross Site Scripting (XSS) vulnerability
Severity: high (7.1)

CVE-2025-23888: WordPress Custom Page Extensions Plugin <= 0.6 - Cross Site Scripting (XSS) vulnerability
Severity: high (7.1)

NotFound Sticky Button: WordPress Sticky Button plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability
Severity: high (7.1)

NotFound Bauernregeln: WordPress Bauernregeln Plugin <= 1.0.1 - Reflected Cross Site Scripting (XSS) vulnerability
Severity: high (7.1)

NotFound Quote me: WordPress Quote me plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability
Severity: high (7.1)

NotFound Network-Favorites: WordPress Network-Favorites plugin <= 1.1 - Reflected Cross Site Scripting (XSS) vulnerability
Severity: high (7.1)

Gigaom Sphinx: WordPress Gigaom Sphinx plugin <= 0.1 - Reflected Cross Site Scripting (XSS) vulnerability
Severity: high (7.1)

NotFound One Backend Language: WordPress One Backend Language Plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability
Severity: high (7.1)

CVE-2025-23522: WordPress HM Portfolio plugin <= 1.1.1 - Reflected Cross Site Scripting (XSS) vulnerability
Severity: high (7.1)

CVE-2025-23621: WordPress Causes – Donation plugin <= 1.0.01 - Reflected Cross Site Scripting (XSS) vulnerability
Severity: high (7.1)

CBX Accounting & Bookkeeping: WordPress CBX Accounting & Bookkeeping plugin <= 1.3.14 - Reflected Cross Site Scripting (XSS) vulnerability
Severity: high (7.1)

Dovy Paukstys Redux Converter: WordPress Redux Converter plugin <= 1.1.3.1 - Reflected Cross Site Scripting (XSS) vulnerability
Severity: high (7.1)

NotFound Store Locator: WordPress Store Locator plugin <= 3.98.10 - Local File Inclusion vulnerability
Severity: high (7.5)

CVE-2024-13583: Simple Gallery with Filter <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Severity: medium (6.4)

BMLT Meeting Map: BMLT Meeting Map <= 2.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Severity: medium (6.4)

Bootstrap Ultimate: Bootstrap Ultimate <= 1.4.9 - Unauthenticated Limited Local File Inclusion
Severity: critical (9.8)

CVE-2024-13683: Automate Hub Free by Sperse.IO <= 1.7.0 - Cross-Site Request Forgery to Activation Status Update
Severity: medium (4.3)

CVE-2024-13680: Form Builder CP <= 1.2.41 - Authenticated (Contributor+) SQL Injection
Severity: medium (6.5)

© 2025 SecAlerts Pty Ltd.