CVE Brief - July 6, 2025

Sunday, July 6, 2025

Today's Security Snapshot

Critical vulnerabilities, curated daily for security professionals

🎯 SSCV Profile

See how vulnerabilities affect your specific environment

CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework

Select your system profile:

Risk scores will be adjusted based on your selected environment

Today's Security Brief

Today's brief includes 3 actively exploited vulnerabilities and 0 additional critical issues requiring immediate attention.

🚨 High threat activity: 3 vulnerabilities under active exploitation
184 total vulnerabilities disclosed in last 24 hours
3 actively exploited in the wild (CISA KEV)
WordPress ecosystem significantly impacted: 15 plugin/theme vulnerabilities

Immediate action: Review and patch all CISA KEV vulnerabilities per federal deadlines

💡 Tip: Swipe CVE cards left to ⭐ star, right to ❌ remove

CISA Known Exploited Vulnerabilities

⚠️ CISA KEV

CVE-2025-6543

9.5

Citrix NetScaler ADC and Gateway June 29, 2025

⏰ Federal Deadline: July 20, 2025 (15 days remaining)

Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability - Recently added to CISA KEV.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-48928

9.5

TeleMessage TM SGNL June 30, 2025

⏰ Federal Deadline: July 21, 2025 (16 days remaining)

TeleMessage TM SGNL Exposure of Core Dump File to an Unauthorized Control Sphere Vulnerability - Recently added to CISA KEV.

CVSS Base 9.5

→

CRS Select profile

⚠️ CISA KEV

CVE-2025-48927

9.5

TeleMessage TM SGNL June 30, 2025

⏰ Federal Deadline: July 21, 2025 (16 days remaining)

TeleMessage TM SGNL Initialization of a Resource with an Insecure Default Vulnerability - Recently added to CISA KEV.

CVSS Base 9.5

→

CRS Select profile

High Priority Updates

⚠️ CISA KEV

CVE-2025-6554

8.1

Google Multiple Products July 6, 2025

⏰ Federal Deadline: July 22, 2025 (17 days remaining)

Type confusion in V8 in Google Chrome prior to 138

CVSS Base 8.1

→

CRS Select profile

CVE-2025-5692

8.8

WordPress Multiple Products July 6, 2025

The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the doFieldAjaxAction() function in all versions up to, and including, 3

CVSS Base 8.8

→

CRS Select profile

CVE-2025-3848

8.8

WordPress Multiple Products July 6, 2025

The Download Manager and Payment Form WordPress Plugin – WP SmartPay plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 1

CVSS Base 8.8

→

CRS Select profile

CVE-2025-5953

8.8

WordPress Multiple Products July 6, 2025

The WP Human Resource Management plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the ajax_insert_employee() and update_empoyee() functions in versions 2

CVSS Base 8.8

→

CRS Select profile

CVE-2025-5014

8.8

WordPress Multiple Products July 6, 2025

The Home Villas | Real Estate WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wp_rem_cs_widget_file_delete' function in all versions up to, and including, 2

CVSS Base 8.8

→

CRS Select profile

CVE-2025-6459

8.8

WordPress Multiple Products July 6, 2025

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4

CVSS Base 8.8

→

CRS Select profile

CVE-2025-6463

8.8

WordPress Multiple Products July 6, 2025

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1

CVSS Base 8.8

→

CRS Select profile

CVE-2025-49713

8.8

Microsoft Multiple Products July 6, 2025

Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network

CVSS Base 8.8

→

CRS Select profile

CVE-2025-2932

8.8

WordPress Multiple Products July 6, 2025

The JKDEVKIT plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'font_upload_handler' function in all versions up to, and including, 1

CVSS Base 8.8

→

CRS Select profile

CVE-2025-4381

7.5

WordPress Multiple Products July 6, 2025

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to SQL Injection via the ‘$id’ variable of the getSpace() function in all versions up to, and including, 4

CVSS Base 7.5

→

CRS Select profile

CVE-2025-5339

7.5

WordPress Multiple Products July 6, 2025

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘bsa_pro_id’ parameter in all versions up to, and including, 4

CVSS Base 7.5

→

CRS Select profile

CVE-2025-6437

7.5

WordPress Multiple Products July 6, 2025

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to SQL Injection via the ‘oid’ parameter in all versions up to, and including, 4

CVSS Base 7.5

→

CRS Select profile

CVE-2025-6782

7.5

WordPress Multiple Products July 6, 2025

The GoZen Forms plugin for WordPress is vulnerable to SQL Injection via the 'forms-id' parameter of the dirGZActiveForm() function in all versions up to, and including, 1

CVSS Base 7.5

→

CRS Select profile

CVE-2025-6783

7.5

WordPress Multiple Products July 6, 2025

The GoZen Forms plugin for WordPress is vulnerable to SQL Injection via the 'forms-id' parameter of the emdedSc() function in all versions up to, and including, 1

CVSS Base 7.5

→

CRS Select profile

CVE-2025-1708

8.6

application Multiple Products July 6, 2025

The application is vulnerable to SQL injection attacks

CVSS Base 8.6

→

CRS Select profile

CVE-2025-4380

8.1

WordPress Multiple Products July 6, 2025

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4

CVSS Base 8.1

→

CRS Select profile

CVE-2025-4946

8.1

WordPress Multiple Products July 6, 2025

The Vikinger theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the vikinger_delete_activity_media_ajax() function in all versions up to, and including, 1

CVSS Base 8.1

→

CRS Select profile

CVE-2025-52807

8.1

WordPress Multiple Products July 6, 2025

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusWP Kossy - Minimalist eCommerce WordPress Theme allows PHP Local File Inclusion

CVSS Base 8.1

→

CRS Select profile

CVE-2025-24748

8.5

LambertGroup All In Multiple Products July 6, 2025

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup All In One Slider Responsive allows SQL Injection

CVSS Base 8.5

→

CRS Select profile

CVE-2025-28967

8.5

Steve Truman Contact Multiple Products July 6, 2025

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Steve Truman Contact Us page - Contact people LITE allows SQL Injection

CVSS Base 8.5

→

CRS Select profile

CVE Brief Security Intelligence

Today's Security Snapshot

🎯 SSCV Profile

Today's Security Brief

CISA Known Exploited Vulnerabilities

CVE-2025-6543

CVE-2025-48928

CVE-2025-48927

Critical Vulnerabilities

High Priority Updates

CVE-2025-6554

CVE-2025-5692

CVE-2025-3848

CVE-2025-5953

CVE-2025-5014

CVE-2025-6459

CVE-2025-6463

CVE-2025-49713

CVE-2025-2932

CVE-2025-4381

CVE-2025-5339

CVE-2025-6437

CVE-2025-6782

CVE-2025-6783

CVE-2025-1708

CVE-2025-4380

CVE-2025-4946

CVE-2025-52807

CVE-2025-24748

CVE-2025-28967

Today's Security Snapshot

🎯 SSCV Profile

📊 Today's Security Brief

Section Navigation

⚠️ CISA Known Exploited Vulnerabilities

🚨 Critical Vulnerabilities

⚠️ High Priority Updates

Today's Security Brief

CISA Known Exploited Vulnerabilities

Critical Vulnerabilities

High Priority Updates