Vulnerabilities

The URLYar URL Shortner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'urlyar_shortlink' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The WP ViewSTL plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'viewstl' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The WP BookWidgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bw_link' shortcode in all versions up to, and including, 0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Binary MLM Plan plugin for WordPress is vulnerable to limited Privilege Escalation in all versions up to, and including, 3.0. This is due to bmp_user role granting all users with the manage_bmp capability by default upon registration through the plugin's form. This makes it possible for unauthenticated attackers to register and manage the plugin's settings.

The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in thesave_qr_code_to_db() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

The onOffice for WP-Websites plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 5.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

The Demo Import Kit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.1.0 via the import functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> scsi: target: target_core_configfs: Add length check to avoid buffer overflow<br /> <br /> A buffer overflow arises from the usage of snprintf to write into the<br /> buffer "buf" in target_lu_gp_members_show function located in<br /> /drivers/target/target_core_configfs.c. This buffer is allocated with<br /> size LU_GROUP_NAME_BUF (256 bytes).<br /> <br /> snprintf(...) formats multiple strings into buf with the HBA name<br /> (hba-&gt;hba_group.cg_item), a slash character, a devicename (dev-&gt;<br /> dev_group.cg_item) and a newline character, the total formatted string<br /> length may exceed the buffer size of 256 bytes.<br /> <br /> Since snprintf() returns the total number of bytes that would have been<br /> written (the length of %s/%sn ), this value may exceed the buffer length<br /> (256 bytes) passed to memcpy(), this will ultimately cause function<br /> memcpy reporting a buffer overflow error.<br /> <br /> An additional check of the return value of snprintf() can avoid this<br /> buffer overflow.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> blk-mq: fix blk_mq_tags double free while nr_requests grown<br /> <br /> In the case user trigger tags grow by queue sysfs attribute nr_requests,<br /> hctx-&gt;sched_tags will be freed directly and replaced with a new<br /> allocated tags, see blk_mq_tag_update_depth().<br /> <br /> The problem is that hctx-&gt;sched_tags is from elevator-&gt;et-&gt;tags, while<br /> et-&gt;tags is still the freed tags, hence later elevator exit will try to<br /> free the tags again, causing kernel panic.<br /> <br /> Fix this problem by replacing et-&gt;tags with new allocated tags as well.<br /> <br /> Noted there are still some long term problems that will require some<br /> refactor to be fixed thoroughly[1].<br /> <br /> [1] https://lore.kernel.org/all/20250815080216.410665-1-yukuai1@huaweicloud.com/

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> wifi: rtw89: fix use-after-free in rtw89_core_tx_kick_off_and_wait()<br /> <br /> There is a bug observed when rtw89_core_tx_kick_off_and_wait() tries to<br /> access already freed skb_data:<br /> <br /> BUG: KFENCE: use-after-free write in rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110<br /> <br /> CPU: 6 UID: 0 PID: 41377 Comm: kworker/u64:24 Not tainted 6.17.0-rc1+ #1 PREEMPT(lazy)<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS edk2-20250523-14.fc42 05/23/2025<br /> Workqueue: events_unbound cfg80211_wiphy_work [cfg80211]<br /> <br /> Use-after-free write at 0x0000000020309d9d (in kfence-#251):<br /> rtw89_core_tx_kick_off_and_wait drivers/net/wireless/realtek/rtw89/core.c:1110<br /> rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338<br /> rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979<br /> rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165<br /> rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.h:141<br /> rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012<br /> rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059<br /> rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758<br /> process_one_work kernel/workqueue.c:3241<br /> worker_thread kernel/workqueue.c:3400<br /> kthread kernel/kthread.c:463<br /> ret_from_fork arch/x86/kernel/process.c:154<br /> ret_from_fork_asm arch/x86/entry/entry_64.S:258<br /> <br /> kfence-#251: 0x0000000056e2393d-0x000000009943cb62, size=232, cache=skbuff_head_cache<br /> <br /> allocated by task 41377 on cpu 6 at 77869.159548s (0.009551s ago):<br /> __alloc_skb net/core/skbuff.c:659<br /> __netdev_alloc_skb net/core/skbuff.c:734<br /> ieee80211_nullfunc_get net/mac80211/tx.c:5844<br /> rtw89_core_send_nullfunc drivers/net/wireless/realtek/rtw89/core.c:3431<br /> rtw89_core_scan_complete drivers/net/wireless/realtek/rtw89/core.c:5338<br /> rtw89_hw_scan_complete_cb drivers/net/wireless/realtek/rtw89/fw.c:7979<br /> rtw89_chanctx_proceed_cb drivers/net/wireless/realtek/rtw89/chan.c:3165<br /> rtw89_chanctx_proceed drivers/net/wireless/realtek/rtw89/chan.c:3194<br /> rtw89_hw_scan_complete drivers/net/wireless/realtek/rtw89/fw.c:8012<br /> rtw89_mac_c2h_scanofld_rsp drivers/net/wireless/realtek/rtw89/mac.c:5059<br /> rtw89_fw_c2h_work drivers/net/wireless/realtek/rtw89/fw.c:6758<br /> process_one_work kernel/workqueue.c:3241<br /> worker_thread kernel/workqueue.c:3400<br /> kthread kernel/kthread.c:463<br /> ret_from_fork arch/x86/kernel/process.c:154<br /> ret_from_fork_asm arch/x86/entry/entry_64.S:258<br /> <br /> freed by task 1045 on cpu 9 at 77869.168393s (0.001557s ago):<br /> ieee80211_tx_status_skb net/mac80211/status.c:1117<br /> rtw89_pci_release_txwd_skb drivers/net/wireless/realtek/rtw89/pci.c:564<br /> rtw89_pci_release_tx_skbs.isra.0 drivers/net/wireless/realtek/rtw89/pci.c:651<br /> rtw89_pci_release_tx drivers/net/wireless/realtek/rtw89/pci.c:676<br /> rtw89_pci_napi_poll drivers/net/wireless/realtek/rtw89/pci.c:4238<br /> __napi_poll net/core/dev.c:7495<br /> net_rx_action net/core/dev.c:7557 net/core/dev.c:7684<br /> handle_softirqs kernel/softirq.c:580<br /> do_softirq.part.0 kernel/softirq.c:480<br /> __local_bh_enable_ip kernel/softirq.c:407<br /> rtw89_pci_interrupt_threadfn drivers/net/wireless/realtek/rtw89/pci.c:927<br /> irq_thread_fn kernel/irq/manage.c:1133<br /> irq_thread kernel/irq/manage.c:1257<br /> kthread kernel/kthread.c:463<br /> ret_from_fork arch/x86/kernel/process.c:154<br /> ret_from_fork_asm arch/x86/entry/entry_64.S:258<br /> <br /> It is a consequence of a race between the waiting and the signaling side<br /> of the completion:<br /> <br /> Waiting thread Completing thread<br /> <br /> rtw89_core_tx_kick_off_and_wait()<br /> rcu_assign_pointer(skb_data-&gt;wait, wait)<br /> /* start waiting */<br /> wait_for_completion_timeout()<br /> rtw89_pci_tx_status()<br /> rtw89_core_tx_wait_complete()<br /> rcu_read_lock()<br /> /* signals completion and<br /> <br /> ---truncated---

This issue affects Apache Spark versions before 3.4.4, 3.5.2 and 4.0.0.<br /> <br /> <br /> <br /> Apache Spark versions before 4.0.0, 3.5.2 and 3.4.4 use an insecure default network encryption cipher for RPC communication between nodes.<br /> <br /> When spark.network.crypto.enabled is set to true (it is set to false by default), but spark.network.crypto.cipher is not explicitly configured, Spark defaults to AES in CTR mode (AES/CTR/NoPadding), which provides encryption without authentication.<br /> <br /> This vulnerability allows a man-in-the-middle attacker to modify encrypted RPC traffic undetected by flipping bits in ciphertext, potentially compromising heartbeat messages or application data and affecting the integrity of Spark workflows.<br /> <br /> <br /> To mitigate this issue, users should either configure spark.network.crypto.cipher to AES/GCM/NoPadding to enable authenticated encryption or<br /> <br /> enable SSL encryption by setting spark.ssl.enabled to true, which provides stronger transport security.

A path traversal issue exists in WXR9300BE6P series firmware versions prior to Ver.1.10. Arbitrary file may be altered by an administrative user who logs in to the affected product. Moreover, arbitrary OS command may be executed via some file alteration.