Vulnerability Summary for the Week of January 20, 2025

High Vulnerabilities

| Primary Vendor — Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| aEnrich Technology — a+HRD | The a+HRD from aEnrich Technology has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. | 2025-01-20 | 9.8 | CVE-2025-0585 |
| aEnrich Technology — a+HRD | The a+HRD from aEnrich Technology has an Insecure Deserialization vulnerability, allowing remote attackers with database modification privileges and regular system privileges to perform arbitrary code execution. | 2025-01-20 | 7.2 | CVE-2025-0586 |
| aipower — aipower | The "AI Power: Complete AI Pack" plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.8.96 via deserialization of untrusted input from the `$form['post_content']` variable through the `wpaicg_export_prompts` function. This allows authenticated attackers, with administrative privileges, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | 2025-01-22 | | |
