The WoodMart plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.2.3 via the 'layout' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php files can be uploaded and included.

CVE Database V5

Detailed information about CVE-2025-6746: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in xTem

CVE-2025-6746: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in xTemos Woodmart - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-6746: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in xTemos Woodmart

The Woodmart theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'multiple_markers' attribute in all versions up to, and including, 8.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Detailed information about CVE-2025-6743: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in xTemos Woodmart affecti

CVE-2025-6743: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in xTemos Woodmart - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-6743: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in xTemos Woodmart

A vulnerability was found in PHPGurukul/Campcodes Cyber Cafe Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /forgot-password.php. The manipulation of the argument email leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-7165 is a SQL Injection vulnerability identified in version 1.0 of the PHPGurukul/Campcodes Cyber Cafe Management System, specifically in the /forgot-password.php script. The vulnerability arises from improper sanitization or validation of the 'email' parameter, which is directly used in SQL queries. An attacker can manipulate this parameter to inject malicious SQL code, potentially allowing unauthorized access to the underlying database. This can lead to unauthorized data disclosure, modification, or deletion. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its risk profile. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low complexity, no privileges or user interaction required, but limited impact on confidentiality, integrity, and availability. Although no known exploits are currently observed in the wild, the public disclosure of the exploit code increases the likelihood of exploitation. The vulnerability affects only version 1.0 of the product, which is a niche cyber cafe management system used to manage customer sessions, billing, and related services in cyber cafes.

Detailed information about CVE-2025-7165: SQL Injection in PHPGurukul Cyber Cafe Management System affecting PHPGurukul Cyber Cafe Management System. Get real-t

CVE-2025-7165: SQL Injection in PHPGurukul Cyber Cafe Management System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7165: SQL Injection in PHPGurukul Cyber Cafe Management System

The Widget for Google Reviews plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.15 via the layout parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. This is limited to just PHP files.

CVE-2025-7327 is a high-severity vulnerability affecting the 'Widget for Google Reviews' WordPress plugin developed by techlabpro1. This vulnerability is classified under CWE-98, which pertains to improper control of filenames used in include or require statements in PHP programs, commonly known as a Remote File Inclusion (RFI) or Local File Inclusion (LFI) vulnerability. Specifically, the flaw exists in all versions up to and including 1.0.15 of the plugin and is triggered via the 'layout' parameter. An authenticated attacker with Subscriber-level privileges or higher can exploit this vulnerability to perform directory traversal, allowing them to include and execute arbitrary PHP files on the server. This means that even users with minimal access rights can escalate their privileges by injecting PHP code through files that the plugin includes. The vulnerability enables attackers to bypass access controls, access sensitive data, and execute arbitrary code, potentially leading to full server compromise. The attack vector is remote network-based (AV:N), requires low attack complexity (AC:L), and only requires privileges equivalent to a Subscriber role (PR:L) without any user interaction (UI:N). The scope remains unchanged (S:U), but the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). No patches have been published yet, and no known exploits are currently observed in the wild, but the high CVSS score of 8.8 indicates a critical need for remediation. This vulnerability is particularly dangerous because WordPress plugins are widely used, and the ability to execute arbitrary PHP code can lead to complete takeover of the affected web server.

Detailed information about CVE-2025-7327: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in tech

CVE-2025-7327: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in techlabpro1 Widget for Google Reviews - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7327: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in techlabpro1 Widget for Google Reviews

A vulnerability was found in code-projects Responsive Blog Site 1.0. It has been classified as critical. This affects an unknown part of the file /single.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Detailed information about CVE-2025-7166: SQL Injection in code-projects Responsive Blog Site affecting code-projects Responsive Blog Site. Get real-time update

CVE-2025-7166: SQL Injection in code-projects Responsive Blog Site

CVE-2025-7166: SQL Injection in code-projects Responsive Blog Site

Description

Technical Details

Related Threats

CVE-2025-6746: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in xTemos Woodmart

CVE-2025-6743: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in xTemos Woodmart

CVE-2025-7165: SQL Injection in PHPGurukul Cyber Cafe Management System

CVE-2025-7327: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in techlabpro1 Widget for Google Reviews

CVE-2025-7164: SQL Injection in PHPGurukul Cyber Cafe Management System

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility