Posts
All the articles we've posted.
- [CVE-2025-12197] The Events Calendar WordPress Plugin Blind SQL Injection Exposes Site Databases
  Unauthenticated SQL injection in a widely installed WordPress events plugin lets attackers exfiltrate data through crafted search requests. Updating to version 6.15.10 closes the hole.
- [CVE-2025-12642] lighttpd Trailer Handling Bug Enables HTTP Header Smuggling
  lighttpd 1.4.80 merges disallowed HTTP trailer fields into the request header block. Attackers can abuse the flaw for header smuggling that bypasses access controls or poisons backend requests.
- [CVE-2025-62792] Wazuh Buffer Over-Read Lets Compromised Agents Sneak a Peek at Manager Memory
  A flaw in Wazuh’s expression-matching routine lets a rogue or already-compromised agent read past the end of a heap buffer on the manager. While the bug stops short of code execution, it can leak log data or configuration secrets that help attackers move laterally.
- [CVE-2025-11372] Unauthenticated REST call in LearnPress lets anyone reshape your WordPress database
  All LearnPress versions up to 4.2.9.3 register an admin-only REST endpoint with a permissive permission callback. Any Internet user can drop or create indexes on arbitrary database tables, including wp_options, and grind a site to a halt.