Web Application Detections Published in March 2025
In March, Qualys Web Application Scanning released QIDs targeting vulnerabilities in several widely used software products and frameworks, including Next.js, Axios, MITRE Caldera, WordPress (plugins and themes), Wazuh Server, JSONPath Plus, GraphQL Mesh, NAKIVO Backup and Replication, Adobe ColdFusion, SeaCMS, Joomla! Core, the Joomla! Sourcerer and Convert Forms extensions, Kibana, Apache Pinot, Apache Tomcat, Apache Ranger, Apache CloudStack, Apache Camel, Apache NiFi, IBM Aspera Shares, ServiceNow, Flowise, GitLab CE/EE, Wiki.js, Pandora FMS, GLPI, Gradio, Spring Framework, Zimbra, ClassCMS, Liferay Portal, JetBrains YouTrack, JetBrains TeamCity, the Jenkins AnchorChain plugin, RabbitMQ, Drupal Core, Synapse, LiteLLM, Splunk Enterprise, Vite, PublicCMS, and Gunicorn.
The QIDs released to detect these vulnerabilities are listed below; details for each QID can be found in our knowledge base. Review the scan reports for your applications for these detections and, where any are identified, follow the remediation steps in the knowledge base to protect the affected applications. Resolving these vulnerabilities as soon as they are detected should be a priority: a number of the entries below are remote code execution, authentication or authorization bypass, deserialization, and SQL injection flaws in internet-facing components, and leaving them unaddressed exposes the application to breaches, unauthorized access, and other malicious activity.
QID | Title |
--- | --- |
151052 | Next.js Middleware Authorization Bypass Vulnerability (CVE-2025-29927) |
151053 | Axios Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-27152) |
152786 | MITRE Caldera Remote Code Execution (RCE) Vulnerability (CVE-2025-27364) |
152789 | WordPress WP Multi Store Locator Plugin: Blind SQL Injection Vulnerability (CVE-2025-26974) |
152794 | WordPress Reset Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-13684) |
152795 | WordPress Ultimate Classified Listings Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-13753) |
152796 | Wazuh Server Remote Code Execution (RCE) Vulnerability (CVE-2025-24016) |
152797 | JSONPath Plus Remote Code Execution (RCE) Vulnerability (CVE-2025-1302) |
152798 | GraphQL Mesh Path Traversal Vulnerability (CVE-2025-27098) |
152799 | WordPress Easy Quotes Plugin: Blind SQL Injection Vulnerability (CVE-2025-26943) |
152800 | WordPress WP Video Posts Plugin: Cross-Site Request Forgery Vulnerability (CVE-2025-27298) |
152801 | NAKIVO Backup and Replication Arbitrary File Read Vulnerability (CVE-2024-48248) |
152802 | WordPress WP Sitemap Plugin: SQL Injection Vulnerability (CVE-2025-27312) |
152803 | Adobe ColdFusion AMF Deserialization Vulnerability (CVE-2017-3066) |
152804 | SeaCMS SQL Injection Vulnerability (CVE-2025-22974) |
152805 | Joomla! SQL Injection Vulnerability (CVE-2025-22207) |
152806 | Joomla! Extension Sourcerer Remote Code Execution Vulnerability (CVE-2025-22204) |
152807 | WordPress Residential Address Detection Plugin: Privilege Escalation Vulnerability (CVE-2025-27270) |
152808 | WordPress GiveWP Plugin: PHP Object Injection Vulnerability (CVE-2025-0912) |
152809 | WordPress Newscrunch Theme: Arbitrary File Upload Vulnerability (CVE-2025-1307) |
152810 | Joomla ConvertForms Extension SQL Injection Vulnerability (CVE-2025-22212) |
152811 | Kibana Arbitrary Code Execution Vulnerability (CVE-2025-25015) |
152812 | Joomla! Extension Convert Forms Arbitrary File Upload Vulnerability (CVE-2024-40744) |
152813 | WordPress Small Package Quotes – Worldwide Express Edition Plugin: SQL Injection Vulnerability (CVE-2025-27268) |
152814 | WordPress Small Package Quotes – Worldwide Express Edition Plugin: SQL Injection Vulnerability (CVE-2025-24667) |
152815 | WordPress FULL Customer Plugin: Local File Inclusion Vulnerability (CVE-2025-26757) |
152816 | WordPress Bitcoin / AltCoin Payment Gateway for WooCommerce Plugin: Blind SQL Injection Vulnerability (CVE-2025-26535) |
152817 | IBM Aspera Shares XML External Entity Injection (XXE) Vulnerability (CVE-2025-0162) |
152818 | Apache Pinot Authentication Bypass Vulnerability (CVE-2024-56325) |
152819 | WordPress uListing Plugin: SQL Injection Vulnerabilities (CVE-2025-25150, CVE-2025-25151) |
152820 | WordPress WPCOM Member Plugin: Authentication Bypass Vulnerability (CVE-2025-1475) |
152821 | Apache Tomcat Remote Code Execution (RCE) Vulnerability (CVE-2025-24813) |
152822 | ServiceNow Authorization Bypass Vulnerability (CVE-2025-0337) |
152823 | WordPress SMS Alert Order Notifications Plugin: SQL Injection Vulnerability (CVE-2025-26988) |
152824 | WordPress Events Calendar for GeoDirectory Plugin: Object Injection Vulnerability (CVE-2025-26967) |
152825 | WordPress WizShop Plugin: Local File Inclusion Vulnerability (CVE-2025-25122) |
152827 | WordPress WPGet API Plugin: Server-Side Request Forgery Vulnerability (CVE-2024-13857) |
152829 | Wiki.js Client Side Template Injection Vulnerability (CVE-2024-34710) |
152830 | WordPress ProfileGrid Plugin: Object Injection Vulnerability (CVE-2025-26999) |
152832 | WordPress UiPress lite Plugin: Unauthorized Modification of Data Vulnerability (CVE-2025-1309) |
152833 | WordPress Newscrunch Theme: Cross-Site Request Forgery Vulnerability (CVE-2025-1306) |
152834 | WordPress HUSKY – Products Filter Professional for WooCommerce Plugin: Local File Inclusion Vulnerability (CVE-2025-1661) |
152835 | Apache Ranger CSV Injection Vulnerability (CVE-2024-55532) |
152836 | Flowise Pre-Auth Arbitrary File Upload Vulnerability (CVE-2025-26319) |
152837 | WordPress WPSchoolPress Plugin: Privilege Escalation Vulnerability (CVE-2025-1667) |
152838 | WordPress uListing Plugin: Missing Authorization Vulnerability (CVE-2025-1657) |
152839 | Apache Camel Header Injection Vulnerability (CVE-2025-27636, CVE-2025-29891) |
152840 | WordPress InstaWP Connect Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-13913) |
152841 | GitLab CE/EE Cross-Site Scripting Vulnerability (CVE-2025-0475) |
152842 | Pandora FMS Command Injection Vulnerabilities (CVE-2024-12971, CVE-2024-12992) |
152843 | GitLab EE Cross-Site Scripting Vulnerability (CVE-2025-0555) |
152844 | WordPress uListing Plugin: Privilege Escalation Vulnerability (CVE-2025-1653) |
152845 | WordPress Helloprint Plugin: Path Traversal Vulnerability (CVE-2025-26534) |
152846 | Apache NiFi Sensitive Information Disclosure Vulnerability (CVE-2025-27017) |
152847 | Kibana Prototype Pollution Vulnerability (CVE-2024-37287) |
152848 | WordPress CiyaShop Theme: PHP Object Injection Vulnerability (CVE-2024-13824) |
152849 | WordPress Ultimate Member Plugin: SQL Injection Vulnerability (CVE-2025-1702) |
152850 | WordPress WPBookit Plugin: Cross-Site Request Forgery Vulnerability (CVE-2025-26910) |
152851 | GLPI SQL Injection Vulnerability (CVE-2025-24799) |
152852 | WordPress Multiple Shipping And Billing Address For Woocommerce Plugin: SQL Injection Vulnerability (CVE-2025-26875) |
152853 | Gradio Denial of Service Vulnerability (CVE-2024-8966) |
152854 | Trace.axd Information Leak |
152855 | GLPI Remote Code Execution Vulnerability (CVE-2025-24801) |
152856 | WordPress Age Gate Plugin: Local File Inclusion Vulnerability (CVE-2025-2505) |
152857 | JetBrains YouTrack Arbitrary JavaScript Execution Vulnerability (CVE-2024-49579) |
152858 | Jenkins AnchorChain Plugin Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2025-30196) |
152859 | GitLab CE/EE Account Takeover Vulnerability (CVE-2023-7028) |
152860 | WordPress VikRentCar Car Rental Management System Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-11640) |
152861 | Apache CloudStack KVM Template Upload Vulnerability (CVE-2024-50386) |
152862 | WordPress SMTP by BestWebSoft Plugin: Arbitrary File Upload Vulnerability (CVE-2024-13908) |
152863 | Spring Framework Path Traversal Vulnerability (CVE-2024-38819) |
152864 | WordPress Gallery Plugin: PHP Object Injection Vulnerability (CVE-2024-13906) |
152865 | Kibana Uncontrolled Resource Consumption Vulnerability (CVE-2024-52972) |
152866 | Zimbra Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2025-27915) |
152867 | ClassCMS File Inclusion Vulnerability (CVE-2024-48180) |
152868 | Liferay Portal Cross-Site Scripting (XSS) Vulnerability (CVE-2025-2536) |
152869 | Kibana Arbitrary Code Execution Vulnerability (CVE-2023-31414) |
152870 | JetBrains YouTrack Permanent Token Exposure Vulnerability (CVE-2025-24457) |
152871 | JetBrains YouTrack Account Takeover Vulnerability (CVE-2025-24458) |
152872 | WordPress PublishPress Authors Plugin: SQL Injection Vulnerability (CVE-2025-26886) |
152873 | WordPress WPCS – WordPress Currency Switcher Professional Plugin: Arbitrary Shortcode Execution Vulnerability (CVE-2025-2169) |
152874 | WordPress Traveler Theme: Local File Inclusion Vulnerability (CVE-2025-1771) |
152875 | WordPress Logo Slider Plugin: Arbitrary Shortcode Execution Vulnerability (CVE-2025-2262) |
152876 | WordPress Product Input Fields for WooCommerce Plugin: Arbitrary File Upload Vulnerability (CVE-2024-13359) |
152877 | RabbitMQ Cross-Site Scripting (XSS) Vulnerability (CVE-2025-30219) |
152878 | WordPress WP Ghost Plugin: Local File Inclusion Vulnerability (CVE-2025-26909) |
152879 | GLPI Inventory Plugin: Improper Access Control Vulnerability (CVE-2025-27147) |
152880 | WordPress WP e-Commerce Style Email Plugin: Cross-Site Request Forgery Vulnerability (CVE-2025-30615) |
152881 | WordPress WP Featured Entries Plugin: SQL Injection Vulnerability (CVE-2025-30569) |
152882 | WordPress Site Reviews Plugin: Cross-Site Scripting Vulnerability (CVE-2025-1232) |
152883 | WordPress Awesome Logos Plugin: Cross-Site Request Forgery Vulnerability (CVE-2025-30528) |
152884 | WordPress AppPresser Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2025-1561) |
152885 | Synapse Improper Input Validation Vulnerability (CVE-2025-30355) |
152886 | LiteLLM API Key Leakage Vulnerability (CVE-2024-9606) |
152887 | WordPress Web Directory Free Plugin: SQL Injection Vulnerability (CVE-2025-28904) |
152888 | JetBrains TeamCity Password Exposure in Logs Vulnerability (CVE-2025-31139) |
152889 | JetBrains TeamCity Stored Cross-Site Scripting Vulnerability (CVE-2025-31140) |
152890 | JetBrains TeamCity Credential Leakage Vulnerability (CVE-2025-31141) |
152891 | Splunk Enterprise Sensitive Information Disclosure Vulnerability (CVE-2025-20231) |
152892 | Splunk Enterprise Remote Code Execution Vulnerability (CVE-2025-20229) |
152893 | WordPress WP Ultimate Exporter Plugin: PHP Object Injection Vulnerability (CVE-2025-2332) |
152894 | Vite Arbitrary File Read Vulnerability (CVE-2025-30208) |
152895 | WordPress WP Subscription Forms Plugin: SQL Injection Vulnerability (CVE-2025-30784) |
154175 | Joomla! Core File Upload Vulnerability (CVE-2025-22213) |
154176 | Drupal Reflected Cross-Site Scripting Vulnerability (SA-CORE-2025-001) |
154177 | Drupal Access Bypass Vulnerability (SA-CORE-2025-002) |
154178 | Drupal PHP Object Injection Vulnerability (SA-CORE-2025-003) |
520044 | PublicCMS Arbitrary File Upload Vulnerability (CVE-2025-25361) |
520045 | Liferay Portal Data Exposure Vulnerability (CVE-2025-2565) |
520046 | Gunicorn HTTP Request Smuggling (HRS) Vulnerability (CVE-2024-1135) |
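The table above is easier to act on once it is machine-readable: a row carries one QID, a product/title, and zero or more identifiers (one CVE, several CVEs, a Drupal SA-CORE advisory, or none at all for configuration checks such as Trace.axd). The script below is an added example, not Qualys code: it parses rows in the table's own "QID | Title |" shape, then cross-references a scan export against this month's QIDs and orders the hits by a simple title-keyword heuristic so the remote-code-execution and bypass findings surface first. The scan-export shape (a list of records with `qid` and `url` fields), the sample rows and findings, and the keyword ordering are all constructed assumptions for illustration; the keyword ranking is not a CVSS score.

```python
"""Parse the monthly QID table and triage a scan export against it.

Added example, not Qualys tooling. The export format (dicts with 'qid'
and 'url'), the sample data, and PRIORITY_KEYWORDS are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: four rows copied in the table's "QID | Title |" shape,
# chosen to cover one CVE, two CVEs, a SA-CORE advisory, and no identifier.
SAMPLE_ROWS = """\
QID | Title |
151052 | Next.js Middleware Authorization Bypass Vulnerability (CVE-2025-29927) |
152819 | WordPress uListing Plugin: SQL Injection Vulnerabilities (CVE-2025-25150,CVE-2025-25151) |
152854 | Trace.axd Information Leak |
154176 | Drupal Reflected Cross Site Scripting vulnerability (SA-CORE-2025-001) |
"""

# "<qid> | <title> |" with the trailing pipe optional; the header row has no
# numeric QID and therefore does not match.
ROW_RE = re.compile(r"^\s*(\d+)\s*\|\s*(.*?)\s*\|?\s*$")
# A trailing parenthesised list of CVE or Drupal SA-CORE identifiers.
_ID = r"(?:CVE-\d{4}-\d{4,}|SA-CORE-\d{4}-\d{3})"
IDENT_RE = re.compile(r"\((" + _ID + r"(?:\s*,\s*" + _ID + r")*)\)\s*$")

# Assumed triage order (earlier = more urgent); anything unmatched sorts last.
PRIORITY_KEYWORDS = (
    "Remote Code Execution", "Arbitrary Code Execution", "Authorization Bypass",
    "Authentication Bypass", "Account Takeover", "Object Injection",
    "SQL Injection", "Arbitrary File Upload", "Local File Inclusion",
    "Path Traversal", "Arbitrary File Read", "Server-Side Request Forgery",
)


@dataclass
class Detection:
    qid: int
    title: str
    identifiers: list  # CVE / SA-CORE ids; empty for config checks like Trace.axd


def parse_rows(text):
    """Return {qid: Detection} for every data row in the table text."""
    out = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        qid, title = int(m.group(1)), m.group(2)
        ids = []
        im = IDENT_RE.search(title)
        if im:
            ids = [i.strip() for i in im.group(1).split(",")]
            title = title[:im.start()].rstrip()
        out[qid] = Detection(qid, title, ids)
    return out


def priority(det):
    """Rank by the first matching keyword in the title (lower = more urgent)."""
    t = det.title.lower()
    for rank, kw in enumerate(PRIORITY_KEYWORDS):
        if kw.lower() in t:
            return rank
    return len(PRIORITY_KEYWORDS)


def triage(detections, findings):
    """Match scan findings against the table; ignore QIDs not in it.

    Returns (url, qid, title, identifiers) tuples, most urgent first.
    """
    hits = []
    for f in findings:
        det = detections.get(int(f["qid"]))
        if det is None:
            continue
        hits.append((priority(det), f["url"], det.qid, det.title, det.identifiers))
    hits.sort(key=lambda h: (h[0], h[1], h[2]))
    return [h[1:] for h in hits]


SAMPLE_FINDINGS = [  # constructed scan export
    {"qid": 152854, "url": "https://app.example.test/"},
    {"qid": 151052, "url": "https://app.example.test/"},
    {"qid": 999999, "url": "https://app.example.test/"},  # not in this month's table
    {"qid": 152819, "url": "https://blog.example.test/"},
]

if __name__ == "__main__":
    dets = parse_rows(SAMPLE_ROWS)
    for url, qid, title, ids in triage(dets, SAMPLE_FINDINGS):
        print(f"{url}  QID {qid}  {title}  "
              f"[{', '.join(ids) or 'no CVE: configuration check'}]")
```

To use it against the full table, paste the rows above into `SAMPLE_ROWS` (or read them from a file) and replace `SAMPLE_FINDINGS` with the QID/URL pairs from your own report; QIDs outside the table are silently skipped, so the same script can be rerun each month with that month's rows.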