Latest Vulnerabilities

Over the past week, several noteworthy vulnerabilities have come to light, highlighting ongoing security challenges across a range of platforms. Coolify has been identified with multiple vulnerabilities, including command injection issues and OAuth secret leaks. Several WordPress themes and plugins, such as Jobify and the Product Size Charts Plugin for WooCommerce, revealed serious weaknesses in access controls. Additionally, the installers for USBXpress and several other tools have been found susceptible to DLL hijacking due to uncontrolled search paths. These findings underscore the importance of vigilance and prompt action to address security flaws across diverse applications and devices.
IBM-7180036: IBM PowerHA SystemMirror for IBM i
IBM-7179994: IBM WebSphere Automation
CVE-2025-22607: Coolify Vulnerable to GitHub / GitLab OAuth Secrets Leak
CVE-2025-22606: Coolify Command Injection Vulnerability in Project Name
theDotstore Product Size Charts Plugin for WooCommerce: WordPress Product Size Charts Plugin for WooCommerce plugin <= 2.4.5 - Broken Access Control vulnerability
JoeyBling bootplus: JoeyBling bootplus list SQL injection
CVE-2024-13698: Jobify - Job Board WordPress Theme <= 4.2.7 - Missing Authorization to Unauthenticated Server-Side Request Forgery, Arbitrary Image Upload, and Image Generation
Telstra Smart Modem Gen 2: Telstra Smart Modem Gen 2 HTTP Header injection
CVE-2025-22605: Coolify OS Command Injection Vulnerability in SSH Command Generation
CVE-2024-9499: Uncontrolled search path can lead to DLL hijacking in USBXpress Win 98SE Dev Kit installer
CVE-2024-9498: Uncontrolled search path can lead to DLL hijacking in USBXpress SDK installer
CVE-2024-9497: Uncontrolled search path can lead to DLL hijacking in USBXpress 4 SDK installer
CVE-2024-9496: Uncontrolled search path can lead to DLL hijacking in USBXpress Dev Kit installer
CVE-2024-9495: Uncontrolled search path can lead to DLL hijacking in CP210x VCP Windows installer
CVE-2024-9494: Uncontrolled search path can lead to DLL hijacking in CP210 VCP Win 2k installer
CVE-2024-9493: Uncontrolled search path can lead to DLL hijacking in ToolStick installer
CVE-2024-9492: Uncontrolled search path can lead to DLL hijacking in Flash Programming Utility installer
CVE-2024-9491: Uncontrolled search path can lead to DLL hijacking in Configuration Wizard 2 installer
CVE-2024-9490: Uncontrolled search path can lead to DLL hijacking in Silicon Labs IDE installer
Rometheme RomethemeKit For Elementor: RomethemeKit For Elementor <= 1.5.2 - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
CVE-2024-11913: Activity Plus Reloaded for BuddyPress <= 1.1.1 - Authenticated (Subscriber+) Blind Server-Side Request Forgery
IBM Cognos Dashboards: IBM Cognos Dashboards on Cloud Pak for Data privilege escalation
CVE-2024-13408: Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget <= 1.6.10 - Authenticated (Contributor+) Local File Inclusion
CVE-2024-13354: Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates <= 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13542: WP Google Street View (with 360° virtual tour) & Google maps + Local SEO <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13335: Sastra Essential Addons for Elementor – Free Elementor Addons, Widgets and Templates <= 1.0.14 - Missing Authorization to Spexo Theme Install
CVE-2024-13572: Precious Metals Charts and Widgets for WordPress <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting
CVE-2024-13594: Simple Downloads List <= 1.4.2 - Authenticated (Contributor+) SQL Injection
CVE-2024-13409: Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget <= 1.6.10 - Authenticated (Contributor+) Local File Inclusion via post_type_ajax_handler()
CVE-2025-23889: WordPress FooGallery Captions Plugin <= 1.0.2 - Reflected Cross Site Scripting (XSS) vulnerability
CVE-2025-23885: WordPress MJ Contact us Plugin <= 5.2.3 - Reflected Cross Site Scripting (XSS) vulnerability
MDJM Event Management: WordPress MDJM Event Management Plugin <= 1.7.5.5 - Reflected Cross Site Scripting (XSS) vulnerability
CVE-2025-23888: WordPress Custom Page Extensions Plugin <= 0.6 - Cross Site Scripting (XSS) vulnerability
NotFound Sticky Button: WordPress Sticky Button plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability
NotFound Bauernregeln: WordPress Bauernregeln Plugin <= 1.0.1 - Reflected Cross Site Scripting (XSS) vulnerability
NotFound Quote me: WordPress Quote me plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability
NotFound Network-Favorites: WordPress Network-Favorites plugin <= 1.1 - Reflected Cross Site Scripting (XSS) vulnerability
Gigaom Sphinx: WordPress Gigaom Sphinx plugin <= 0.1 - Reflected Cross Site Scripting (XSS) vulnerability
NotFound One Backend Language: WordPress One Backend Language Plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability
CVE-2025-23522: WordPress HM Portfolio plugin <= 1.1.1 - Reflected Cross Site Scripting (XSS) vulnerability
CVE-2025-23621: WordPress Causes – Donation plugin <= 1.0.01 - Reflected Cross Site Scripting (XSS) vulnerability
CBX Accounting & Bookkeeping: WordPress CBX Accounting & Bookkeeping plugin <= 1.3.14 - Reflected Cross Site Scripting (XSS) vulnerability
Dovy Paukstys Redux Converter: WordPress Redux Converter plugin <= 1.1.3.1 - Reflected Cross Site Scripting (XSS) vulnerability
NotFound Store Locator: WordPress Store Locator plugin <= 3.98.10 - Local File Inclusion vulnerability
CVE-2024-13583: Simple Gallery with Filter <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
BMLT Meeting Map: BMLT Meeting Map <= 2.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Bootstrap Ultimate: Bootstrap Ultimate <= 1.4.9 - Unauthenticated Limited Local File Inclusion
CVE-2024-13683: Automate Hub Free by Sperse.IO <= 1.7.0 - Cross-Site Request Forgery to Activation Status Update
CVE-2024-13680: Form Builder CP <= 1.2.41 - Authenticated (Contributor+) SQL Injection
© 2025 SecAlerts Pty Ltd. ABN: 70 645 966 203, ACN: 645 966 203