chimdi2700

2 exploits Active since Aug 2025

CVE-2025-8570 NOMISEC CRITICAL

BeyondCart Connector <2.1.0 - Privilege Escalation

The BeyondCart Connector plugin for WordPress is vulnerable to Privilege Escalation due to improper JWT secret management and authorization within the determine_current_user filter in versions 1.4.2 through 3.0.1. This makes it possible for unauthenticated attackers to craft valid tokens and assume any user’s identity.

CVSS 9.8

View Code

CVE-2025-8571 NOMISEC MEDIUM WORKING POC

Concrete CMS < 8.5.21 and 9.0.0-9.4.2 - Reflected Cross-Site Scripting in Conversation Messages Dashboard Page

Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if victim is an admin), the execution of unauthorized actions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Fortbridge https://fortbridge.co.uk/ for performing a penetration test and vulnerability assessment on Concrete CMS and reporting this issue.

CVSS 4.8

View Code