Web Application Detections Published in April 2025

Hitesh Kadu

In April, Qualys Web Application Scanning released QIDs targeting vulnerabilities in several widely used software products and frameworks, including:

BentoML, jQuery, Fortinet, FoxCMS, SemCMS, Gradio, CrushFTP, WordPress, Apache, Jenkins, Drupal, YesWiki, Zabbix, Zimbra, Hashicorp, pgAdmin, Open WebUI, Adobe, Langflow, Kibana, Apache Seata, Apache ActiveMQ Artemis, Joomla!, Shopware, Mattermost, Oracle, Flowise, Vite, PHP, OpenCMS, ELMAH, Citrix, InstaWP, Apache Roller, Flynax, Craft CMS, Ivanti, phpMyAdmin, Dify and Commvault.

The QIDs released to detect the vulnerabilities in the products and frameworks above are listed below; details about each QID can be found in our knowledge base. Please review the reports of the scanned applications for these detections and, if any are identified, follow the steps provided in the knowledge base to ensure the applications are protected against the reported vulnerabilities. Remediating these vulnerabilities as soon as they are detected should be a priority for all organizations: left unaddressed, they can lead to breaches, unauthorized access, and other malicious activity.

QID     Title
150931  BentoML Remote Code Execution (RCE) Vulnerability (CVE-2025-32375)
151054  jQuery Validation Plugin Cross-site Scripting (XSS) Vulnerability (CVE-2025-3573)
152896  Fortinet FortiPortal Path Equivalence Information Disclosure Vulnerability (CVE-2025-24470)
152897  FoxCMS Remote Code Execution Vulnerability (CVE-2025-29306)
152898  SemCMS SQL Injection Vulnerability (CVE-2025-25686)
152899  Gradio Denial of Service Vulnerability (CVE-2024-10569)
152900  CrushFTP Authentication Bypass Vulnerability (CVE-2025-2825)
152901  Gradio Server-Side Request Forgery (SSRF) Vulnerability (CVE-2024-47167)
152902  WordPress Kubio AI Page Builder Plugin: Local File Inclusion Vulnerability (CVE-2025-2294)
152903  WordPress Shuffle Plugin: SQL Injection Vulnerability (CVE-2025-28873)
152904  WordPress SoJ Soundslides Plugin: Arbitrary File Upload Vulnerability (CVE-2025-2249)
152905  FortiADC Cross-site Scripting (XSS) Vulnerability (CVE-2023-37933)
152906  Apache OFBiz Cross Site Scripting Vulnerability (CVE-2025-30676)
152907  Jenkins Missing Authorization Vulnerability (CVE-2025-31720)
152908  Drupal Admin LTE Theme Improper Authentication Vulnerability (CVE-2025-3062)
152909  YesWiki Path Traversal Vulnerability (CVE-2025-31131)
152910  Zabbix API SQL Injection Vulnerability (CVE-2024-36465)
152911  Zimbra Cross-Site Scripting (XSS) Vulnerability (CVE-2023-34192)
152912  Hashicorp Consul Remote Code Execution (RCE) Vulnerability
152913  Jenkins Templating Engine Plugin Sandbox Bypass Vulnerability (CVE-2025-31722)
152914  Apache Airflow MySQL Provider SQL Injection Vulnerability (CVE-2025-27018)
152915  SeaCMS SQL Injection Vulnerability (CVE-2025-29647)
152916  Apache Oozie Cross-site Scripting Vulnerability (CVE-2025-26796)
152917  Ivanti Connect Secure (ICS) Stack-based Buffer Overflow Vulnerability (CVE-2025-22457)
152918  Ivanti Policy Secure (IPS) Stack-based Buffer Overflow Vulnerability (CVE-2025-22457)
152919  MinIO Incomplete Signature Validation Vulnerability (CVE-2025-31489)
152920  WordPress RomethemeKit For Elementor Plugin: Code Injection Vulnerability (CVE-2025-30911)
152921  WordPress PostMash Plugin: SQL Injection Vulnerability (CVE-2025-30622)
152922  WordPress BookingPress Plugin: SQL Injection Vulnerability (CVE-2025-31910)
152923  pgAdmin Remote Code Execution (RCE) Vulnerability (CVE-2025-2945)
152925  WordPress Uncanny Automator Plugin: Privilege Escalation Vulnerability (CVE-2025-2075)
152926  WordPress Ark Core Plugin: Remote Code Execution Vulnerability (CVE-2025-26970)
152927  Next.js Middleware Authorization Bypass Vulnerability (CVE-2025-29927)
152929  pgAdmin Cross-Site Scripting (XSS) Vulnerability (CVE-2025-2946)
152930  WordPress Shopper Approved Reviews Plugin: Missing Authorization Vulnerability (CVE-2025-3063)
152931  Open WebUI Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2024-7806)
152932  Apache Airflow Common SQL Provider SQL Injection Vulnerability (CVE-2025-30473)
152933  WordPress Checkout Mestres do Plugin: Missing Authorization Vulnerability (CVE-2025-2266)
152934  Adobe ColdFusion Arbitrary Code Execution Vulnerabilities (CVE-2025-30286, CVE-2025-30289, CVE-2025-30292)
152935  Adobe ColdFusion Arbitrary Code Execution Vulnerabilities (CVE-2025-24447, CVE-2025-30284, CVE-2025-30285)
152936  Adobe ColdFusion Arbitrary File Read Vulnerability (CVE-2025-30281)
152937  Adobe ColdFusion Arbitrary Code Execution Vulnerabilities (CVE-2025-30282, CVE-2025-30287)
152938  Adobe ColdFusion Security Feature Bypass Vulnerabilities (CVE-2025-30288, CVE-2025-30290, CVE-2025-30291)
152939  Adobe ColdFusion Arbitrary Code Execution Vulnerability (CVE-2025-24446)
152940  Langflow Remote Code Execution Vulnerability (CVE-2025-3248)
152941  Kibana Uncontrolled Resource Consumption Vulnerability (CVE-2024-52974)
152942  Kibana Prototype Pollution Vulnerability (CVE-2024-12556)
152943  WordPress Inline Image Upload for BBPress Plugin: Arbitrary File Upload Vulnerability (CVE-2025-2006)
152944  WordPress Awesome Support – WordPress HelpDesk and Support Plugin: Sensitive Information Exposure Vulnerability (CVE-2024-13567)
152945  WordPress WP Google Calendar Manager Plugin: SQL Injection Vulnerability (CVE-2025-28939)
152946  Apache Seata Insecure Deserialization Vulnerability (CVE-2024-47552)
152947  Apache Seata Data Amplification Vulnerability (CVE-2024-54016)
152948  WordPress SureTriggers Plugin: Authentication Bypass Vulnerability (CVE-2025-3102)
152949  Apache ActiveMQ Artemis Insertion of Sensitive Information into Log File Vulnerability (CVE-2025-27391)
152950  WordPress All Push Notification for WP Plugin: Cross-Site Scripting (XSS) Vulnerability (CVE-2025-25092)
152951  Adobe ColdFusion Security Feature Bypass Vulnerabilities (CVE-2025-30293, CVE-2025-30294)
152952  Apache ActiveMQ Artemis Default Credentials
152953  WordPress Drag and Drop Multiple File Upload for Contact Form 7 Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-2328)
152954  Joomla! Core MFA Authentication Bypass Vulnerability (CVE-2025-25227)
152955  Fortinet FortiOS Out-of-bound Write Vulnerability (CVE-2024-21762)
152956  Fortinet FortiOS Heap Buffer Overflow Vulnerability (CVE-2023-27997)
152957  Fortinet FortiOS Heap Buffer Overflow Vulnerability (CVE-2022-42475)
152958  WordPress Checkout Mestres do Plugin: Privilege Escalation Vulnerability (CVE-2025-32695)
152959  Shopware SQL Injection Vulnerability (CVE-2025-27892)
152960  WordPress WPC Admin Columns Plugin: Privilege Escalation Vulnerability (CVE-2025-3418)
152961  Mattermost Incorrect Authorization Vulnerability (CVE-2025-24866)
152962  WordPress Civi Theme: Authentication Bypass Vulnerability (CVE-2024-13771)
152963  Oracle WebLogic Server: Apache Velocity Engine Vulnerability (CPU-APR2025)
152964  Mattermost Authentication Bypass via Bot Conversion Caching Issue (CVE-2025-2475)
152965  WordPress AnalyticsWP Plugin: SQL Injection Vulnerability (CVE-2024-13321)
152966  WordPress Embedder Plugin: Missing Authorization Vulnerability (CVE-2025-3417)
152967  WordPress CardGate Payments for WooCommerce Plugin: SQL Injection Vulnerability (CVE-2025-32119)
152968  Apache HertzBeat Server-Side Request Forgery (SSRF) Vulnerability (CVE-2024-56736)
152969  Flowise SQL Injection Vulnerability (CVE-2025-29189)
152970  WordPress WPSolr Free Plugin: Cross-Site Request Forgery Vulnerability (CVE-2025-31036)
152971  Vite Arbitrary File Read Vulnerability (CVE-2025-31125)
152972  Open WebUI Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2024-7035)
152973  WordPress WP User Profiles Plugin: Privilege Escalation Vulnerability (CVE-2025-31524)
152974  WordPress Golo Theme: Privilege Escalation Vulnerability (CVE-2024-12876)
152975  WordPress WP Ghost Plugin: Path Traversal Vulnerability (CVE-2025-2056)
152976  WordPress MinimogWP Theme: Local File Inclusion Vulnerability (CVE-2024-13790)
152977  Open WebUI Server-Side Request Forgery (SSRF) Vulnerability (CVE-2024-7959)
152978  Mattermost File Information Disclosure Vulnerability (CVE-2025-2424)
152980  Mattermost Privilege Escalation Vulnerability (CVE-2025-32093)
152981  Mattermost Incorrect Authorization Vulnerability (CVE-2025-2564)
152982  WordPress User Registration and Membership Plugin: Privilege Escalation Vulnerability (CVE-2025-2563)
152983  WordPress HelpGent Plugin: PHP Object Injection Vulnerability (CVE-2025-32658)
152984  WordPress Projectopia Plugin: Privilege Escalation Vulnerability (CVE-2025-32648)
152985  Mattermost Unauthenticated Access to Archived Channel Metadata Vulnerability (CVE-2025-27571)
152986  Mattermost MFA Enforcement Bypass Vulnerability (CVE-2025-27538)
152987  Mattermost Domain Exfiltration Vulnerability (CVE-2025-31363)
152988  Mattermost AI Bot Triggering Vulnerability (CVE-2025-24839)
152989  Open WebUI Denial of Service Vulnerability (CVE-2024-7983)
152990  Vite Arbitrary File Read Vulnerability (CVE-2025-31486)
152991  Open WebUI Stored Cross Site Scripting Vulnerability (CVE-2024-7990)
152992  WordPress Insert Headers And Footers Plugin: Cross-Site Request Forgery Vulnerability (CVE-2025-2111)
152994  WordPress WP Editor Plugin: Arbitrary File Update Vulnerability (CVE-2025-3294)
152995  Jenkins Missing Authorization Vulnerability (CVE-2025-31721)
152996  WordPress Greenshift – Animation and Page Builder Blocks Plugin: Arbitrary File Upload Vulnerability (CVE-2025-3616)
152997  BentoML Remote Code Execution (RCE) Vulnerability (CVE-2025-27520)
152998  WordPress User Registration and Membership Plugin: Authentication Bypass Vulnerability (CVE-2025-2594)
152999  WordPress Appointment Booking Calendar Plugin: Cross-Site Request Forgery Vulnerability (CVE-2025-46241)
154179  Drupal Cross Site Scripting (XSS) Vulnerability (CVE-2025-31675)
520047  PHP Validation Bypass Vulnerability (CVE-2025-1219)
520048  PHP Improper Input Validation Vulnerability (CVE-2025-1736)
530000  OpenCMS Cross Site Scripting (XSS) Vulnerabilities (CVE-2024-41446, CVE-2024-41447, CVE-2024-42699)
530001  Open WebUI Improper Privilege Management Vulnerability (CVE-2024-7039)
530002  Apache Druid Multiple Vulnerabilities (CVE-2025-27888)
530003  WordPress Eventer Plugin: SQL Injection Vulnerability (CVE-2025-0959)
530004  ELMAH Sensitive Information Disclosure
530005  WordPress WP Click Info Plugin: Reflected Cross-Site Scripting Vulnerability (CVE-2025-1401)
530006  Citrix NetScaler Console Sensitive Information Disclosure Vulnerability (CVE-2024-6235)
530007  WordPress InstaWP Connect Plugin: Local File Inclusion Vulnerability (CVE-2025-2636)
530008  Apache Roller Session Management Authentication Bypass Vulnerability (CVE-2025-24859)
530009  WordPress Flynax Bridge Plugin: Privilege Escalation Vulnerability (CVE-2025-3604)
530011  WordPress Frontend Login and Registration Blocks Plugin: Privilege Escalation Vulnerability (CVE-2025-3607)
530012  phpMyAdmin Detected
530013  Craft CMS Remote Code Execution (RCE) Vulnerability (CVE-2025-32432)
530014  Dify Improper Access Control Vulnerability (CVE-2025-32795)
530015  WordPress Xelion Webchat Plugin: Missing Authorization Vulnerability (CVE-2025-3058)
530016  Ivanti Endpoint Manager (EPM) DLL Hijacking Vulnerability (CVE-2025-22458)
530017  Ivanti Endpoint Manager (EPM) Improper Certificate Validation Vulnerability (CVE-2025-22459)
530018  Ivanti Endpoint Manager (EPM) SQL Injection Vulnerability (CVE-2025-22461)
530019  Ivanti Endpoint Manager (EPM) Untrusted Pointer Dereference Vulnerability (CVE-2025-22464)
530020  Ivanti Endpoint Manager (EPM) Reflected XSS Vulnerabilities (CVE-2025-22465, CVE-2025-22466)
530021  WordPress PowerPress Podcasting Plugin: Arbitrary File Upload Vulnerability (CVE-2025-46264)
530022  Mattermost Denial-of-Service (DoS) Vulnerability (CVE-2025-35965)
530024  Apache Tomcat Denial-of-Service (DoS) Vulnerability (CVE-2025-31650)
530026  Apache Tomcat Rewrite Rule Bypass Vulnerability (CVE-2025-31651)
530027  Dify Clickjacking Vulnerability (CVE-2025-43854)
530029  Commvault Command Center Remote Code Execution (RCE) Vulnerability (CVE-2025-34028)