| CVE-2025-48422 | Rejected reason: Not used | No Score |
| CVE-2025-48421 | Rejected reason: Not used | No Score |
| CVE-2025-48420 | Rejected reason: Not used | No Score |
| CVE-2025-48419 | Rejected reason: Not used | No Score |
| CVE-2025-48417 | The certificate and private key used for providing transport layer security for connections to the web interface (TCP port 443) is hard-coded in the firmware and are shipped with the update files. An attacker can use the private key to perform man-in-the-middle attacks against users of the admin interface. The files are located in /etc/ssl (e.g. salia.local.crt, salia.local.key and salia.local.pem). There is no option to upload/configure custom TLS certificates. | medium |
| CVE-2025-48415 | A USB backdoor feature can be triggered by attaching a USB drive that contains specially crafted "salia.ini" files. The .ini file can contain several "commands" that could be exploited by an attacker to export or modify the device configuration, enable an SSH backdoor or perform other administrative actions. Ultimately, this backdoor also allows arbitrary execution of OS commands. | medium |
| CVE-2025-48414 | There are several scripts in the web interface that are accessible via undocumented hard-coded credentials. The scripts provide access to additional administrative/debug functionality and are likely intended for debugging during development and provides an additional attack surface. | medium |
| CVE-2025-48413 | The `/etc/passwd` and `/etc/shadow` files reveal hard-coded password hashes for the operating system "root" user. The credentials are shipped with the update files. There is no option for deleting or changing their passwords for an enduser. An attacker can use the credentials to log into the device. Authentication can be performed via SSH backdoor or likely via physical access (UART shell). | high |
| CVE-2025-48391 | In JetBrains YouTrack before 2025.1.76253 deletion of issues was possible due to missing permission checks in API | high |
| CVE-2025-48346 | Missing Authorization vulnerability in Etsy360 Embed and Integrate Etsy Shop allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Embed and Integrate Etsy Shop: from n/a through 1.0.4. | medium |
| CVE-2025-48344 | Cross-Site Request Forgery (CSRF) vulnerability in ed4becky Rootspersona allows Cross Site Request Forgery. This issue affects Rootspersona: from n/a through 3.7.5. | medium |
| CVE-2025-48342 | Cross-Site Request Forgery (CSRF) vulnerability in RedefiningTheWeb Dynamic Pricing & Discounts Lite for WooCommerce allows Cross Site Request Forgery. This issue affects Dynamic Pricing & Discounts Lite for WooCommerce: from n/a through 2.0.3. | medium |
| CVE-2025-48341 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Form Maker by 10Web allows Stored XSS. This issue affects Form Maker by 10Web: from n/a through 1.15.33. | medium |
| CVE-2025-48340 | Cross-Site Request Forgery (CSRF) vulnerability in Danny Vink User Profile Meta Manager allows Privilege Escalation.This issue affects User Profile Meta Manager: from n/a through 1.02. | critical |
| CVE-2025-48288 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Element Invader ElementInvader Addons for Elementor allows Stored XSS. This issue affects ElementInvader Addons for Elementor: from n/a through 1.3.5. | medium |
| CVE-2025-48285 | Cross-Site Request Forgery (CSRF) vulnerability in sbouey Falang multilanguage allows Cross Site Request Forgery. This issue affects Falang multilanguage: from n/a through 1.3.61. | medium |
| CVE-2025-48284 | Cross-Site Request Forgery (CSRF) vulnerability in shohei.tanaka Japanized For WooCommerce allows Cross Site Request Forgery. This issue affects Japanized For WooCommerce: from n/a through 2.6.40. | medium |
| CVE-2025-48282 | Missing Authorization vulnerability in Majestic Support Majestic Support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Majestic Support: from n/a through 1.1.0. | medium |
| CVE-2025-48280 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ruben Garcia AutomatorWP allows Blind SQL Injection. This issue affects AutomatorWP: from n/a through 5.2.1.3. | high |
| CVE-2025-48278 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in davidfcarr RSVPMarker allows SQL Injection. This issue affects RSVPMarker : from n/a through 11.5.6. | high |
| CVE-2025-48277 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stylemix Cost Calculator Builder allows Stored XSS. This issue affects Cost Calculator Builder: from n/a through 3.2.74. | medium |
| CVE-2025-48276 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Visual Composer Visual Composer Website Builder allows Stored XSS. This issue affects Visual Composer Website Builder: from n/a through 45.11.0. | medium |
| CVE-2025-48270 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks allows DOM-Based XSS. This issue affects SKT Blocks: from n/a through 2.2. | medium |
| CVE-2025-48269 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Greg Winiarski WPAdverts allows DOM-Based XSS. This issue affects WPAdverts: from n/a through 2.2.3. | medium |
| CVE-2025-48268 | Missing Authorization vulnerability in Guru Team Bot for Telegram on WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bot for Telegram on WooCommerce: from n/a through 1.2.6. | medium |
| CVE-2025-48266 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 Active Products Tables for WooCommerce allows Stored XSS. This issue affects Active Products Tables for WooCommerce: from n/a through 1.0.6.8. | medium |
| CVE-2025-48265 | Cross-Site Request Forgery (CSRF) vulnerability in Pektsekye Year Make Model Search for WooCommerce allows Cross Site Request Forgery. This issue affects Year Make Model Search for WooCommerce: from n/a through 1.0.11. | medium |
| CVE-2025-48264 | Cross-Site Request Forgery (CSRF) vulnerability in artiosmedia Product Code for WooCommerce allows Cross Site Request Forgery. This issue affects Product Code for WooCommerce: from n/a through 1.5.0. | medium |
| CVE-2025-48263 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MultiVendorX MultiVendorX allows Stored XSS. This issue affects MultiVendorX: from n/a through 4.2.22. | medium |
| CVE-2025-48262 | Missing Authorization vulnerability in Michael Revellin-Clerc Url Rewrite Analyzer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Url Rewrite Analyzer: from n/a through 1.3.3. | medium |
| CVE-2025-48260 | Missing Authorization vulnerability in Ninja Team GDPR CCPA Compliance Support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GDPR CCPA Compliance Support: from n/a through 2.7.3. | medium |
| CVE-2025-48259 | Cross-Site Request Forgery (CSRF) vulnerability in Juan Carlos WP Mapa Politico España allows Cross Site Request Forgery. This issue affects WP Mapa Politico España: from n/a through 3.8.0. | medium |
| CVE-2025-48258 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jetmonsters Mega Menu Block allows Stored XSS. This issue affects Mega Menu Block: from n/a through 1.0.6. | medium |
| CVE-2025-48257 | Missing Authorization vulnerability in Projectopia Projectopia allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Projectopia: from n/a through 5.1.17. | medium |
| CVE-2025-48251 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Emails & Recipients for WooCommerce allows Stored XSS. This issue affects Additional Custom Emails & Recipients for WooCommerce: from n/a through 3.5.1. | medium |
| CVE-2025-48250 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Coupons & Add to Cart by URL Links for WooCommerce allows Stored XSS. This issue affects Coupons & Add to Cart by URL Links for WooCommerce: from n/a through 1.7.7. | medium |
| CVE-2025-48249 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory EAN for WooCommerce allows Stored XSS. This issue affects EAN for WooCommerce: from n/a through 5.4.6. | medium |
| CVE-2025-48248 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Sitewide Discount for WooCommerce: Apply Discount to All Products allows Stored XSS. This issue affects Sitewide Discount for WooCommerce: Apply Discount to All Products: from n/a through 2.2.1. | medium |
| CVE-2025-48247 | Missing Authorization vulnerability in Blair Williams Shortlinks by Pretty Links allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Shortlinks by Pretty Links: from n/a through 3.6.15. | medium |
| CVE-2025-48246 | Missing Authorization vulnerability in The Events Calendar The Events Calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Events Calendar: from n/a through 6.11.2.1. | medium |
| CVE-2025-48244 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tim Strifler Exclusive Addons Elementor allows Stored XSS. This issue affects Exclusive Addons Elementor: from n/a through 2.7.9. | medium |
| CVE-2025-48243 | Cross-Site Request Forgery (CSRF) vulnerability in Bill Minozzi reCAPTCHA for all allows Cross Site Request Forgery. This issue affects reCAPTCHA for all: from n/a through 2.26. | medium |
| CVE-2025-48242 | Missing Authorization vulnerability in wpWax Legal Pages allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Legal Pages: from n/a through 1.4.5. | medium |
| CVE-2025-48240 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Cost of Goods for WooCommerce allows Stored XSS. This issue affects Cost of Goods for WooCommerce: from n/a through 3.7.0. | medium |
| CVE-2025-48239 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Product Notes Tab & Private Admin Notes for WooCommerce allows Stored XSS. This issue affects Product Notes Tab & Private Admin Notes for WooCommerce: from n/a through 3.1.0. | medium |
| CVE-2025-48238 | Cross-Site Request Forgery (CSRF) vulnerability in awcode AWcode Toolkit allows Stored XSS. This issue affects AWcode Toolkit: from n/a through 1.0.18. | high |
| CVE-2025-48237 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Wishlist for WooCommerce allows Stored XSS. This issue affects Wishlist for WooCommerce: from n/a through 3.2.2. | medium |
| CVE-2025-48236 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bunny.net bunny.net allows Stored XSS. This issue affects bunny.net: from n/a through 2.3.0. | high |
| CVE-2025-48235 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bogdan Bendziukov WP Image Mask allows DOM-Based XSS. This issue affects WP Image Mask: from n/a through 3.1.2. | medium |
| CVE-2025-48234 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ultimate Blocks Ultimate Blocks allows DOM-Based XSS. This issue affects Ultimate Blocks: from n/a through 3.3.0. | medium |
