Web Application Detections — April 2025
In April, Qualys Web Application Scanning released QIDs targeting vulnerabilities in several widely used software products and frameworks, including, BentoML, jQuery, Fortinet, FoxCMS, SemCMS, Gradio, CrushFTP, WordPress, Apache, Jenkins, Drupal, YesWiki, Zabbix, Zimbra, Hashicorp, pgAdmin, Open WebUI, Adobe, Langflow, Kibana, Apache Seata, Apache ActiveMQ Artemis, Joomla!, Shopware, Mattermost, Oracle, Flowise, Vite, PHP, OpenCMS, ELMAH, Citrix, InstaWP, Apache Roller, Flynax, Craft CMS, ify, Ivanti, phpMyAdmin, Dify and Commvault.
The following table lists the QIDs released in April 2025.
| QID | Title |
|---|---|
| 150931 | BentoML Remote Code Execution (RCE) Vulnerability (CVE-2025-32375) |
| 151054 | jQuery Validation Plugin Cross-site Scripting (XSS) Vulnerability (CVE-2025-3573) |
| 152896 | Fortinet FortiPortal Path Equivalence Information Disclosure Vulnerability (CVE-2025-24470) |
| 152897 | FoxCMS Remote Code Execution Vulnerability (CVE-2025-29306) |
| 152898 | SemCMS SQL Injection Vulnerability (CVE-2025-25686) |
| 152899 | Gradio Denial of Service Vulnerability (CVE-2024-10569) |
| 152900 | CrushFTP Authentication Bypass Vulnerability (CVE-2025-2825) |
| 152901 | Gradio Server-Side Request Forgery (SSRF) Vulnerability (CVE-2024-47167) |
| 152902 | WordPress Kubio AI Page Builder Plugin: Local File Inclusion Vulnerability (CVE-2025-2294) |
| 152903 | WordPress Shuffle Plugin: SQL Injection Vulnerability (CVE-2025-28873) |
| 152904 | WordPress SoJ Soundslides Plugin: Arbitrary File Upload Vulnerability (CVE-2025-2249) |
| 152905 | FortiADC Cross-site Scripting (XSS) Vulnerability (CVE-2023-37933) |
| 152906 | Apache OFBiz Cross Site Scripting Vulnerability (CVE-2025-30676) |
| 152907 | Jenkins Missing Authorization Vulnerability (CVE-2025-31720) |
| 152908 | Drupal Admin LTE Theme Improper Authentication Vulnerability (CVE-2025-3062) |
| 152909 | YesWiki Path Traversal Vulnerability (CVE-2025-31131) |
| 152910 | Zabbix API SQL Injection Vulnerability (CVE-2024-36465) |
| 152911 | Zimbra Cross-Site Scripting (XSS) Vulnerability (CVE-2023-34192) |
| 152912 | Hashicorp Consul Remote Code Execution (RCE) Vulnerability |
| 152913 | Jenkins Templating Engine Plugin Sandbox Bypass Vulnerability (CVE-2025-31722) |
| 152914 | Apache Airflow MySQL Provider SQL Injection Vulnerability (CVE-2025-27018) |
| 152915 | SeaCMS SQL Injection Vulnerability (CVE-2025-29647) |
| 152916 | Apache Oozie Cross-site Scripting Vulnerability (CVE-2025-26796) |
| 152917 | Ivanti Connect Secure (ICS) Stack-based Buffer Overflow Vulnerability (CVE-2025-22457) |
| 152918 | Ivanti Policy Secure (IPS) Stack-based Buffer Overflow Vulnerability (CVE-2025-22457) |
| 152919 | MinIO Incomplete Signature Validation Vulnerability (CVE-2025-31489) |
| 152920 | WordPress RomethemeKit For Elementor Plugin: Code Injection Vulnerability (CVE-2025-30911) |
| 152921 | WordPress PostMash Plugin: SQL Injection Vulnerability (CVE-2025-30622) |
| 152922 | WordPress BookingPress Plugin: SQL Injection Vulnerability (CVE-2025-31910) |
| 152923 | pgAdmin Remote Code Execution (RCE) Vulnerability (CVE-2025-2945) |
| 152925 | WordPress Uncanny Automator Plugin: Privilege Escalation Vulnerability (CVE-2025-2075) |
| 152926 | WordPress Ark Core Plugin: Remote Code Execution Vulnerability (CVE-2025-26970) |
| 152927 | Next.js Middleware Authorization Bypass Vulnerability (CVE-2025-29927) |
| 152929 | pgAdmin Cross-Site Scripting (XSS) Vulnerability (CVE-2025-2946) |
| 152930 | WordPress Shopper Approved Reviews Plugin: Missing Authorization Vulnerability (CVE-2025-3063) |
| 152931 | Open WebUI Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2024-7806) |
| 152932 | Apache Airflow Common SQL Provider SQL Injection Vulnerability (CVE-2025-30473) |
| 152933 | WordPress Checkout Mestres do Plugin: Missing Authorization Vulnerability (CVE-2025-2266) |
| 152934 | Adobe ColdFusion Arbitrary Code Execution Vulnerabilities (CVE-2025-30286,CVE-2025-30289,CVE-2025-30292) |
| 152935 | Adobe ColdFusion Arbitrary Code Execution Vulnerabilities (CVE-2025-24447,CVE-2025-30284,CVE-2025-30285) |
| 152936 | Adobe ColdFusion Arbitrary File Read Vulnerability (CVE-2025-30281) |
| 152937 | Adobe ColdFusion Arbitrary Code Execution Vulnerabilities (CVE-2025-30282,CVE-2025-30287) |
| 152938 | Adobe ColdFusion Security Feature Bypass Vulnerabilities (CVE-2025-30288,CVE-2025-30290,CVE-2025-30291) |
| 152939 | Adobe ColdFusion Arbitrary Code Execution Vulnerability (CVE-2025-24446) |
| 152940 | Langflow Remote Code Execution Vulnerability (CVE-2025-3248) |
| 152941 | Kibana Uncontrolled Resource Consumption Vulnerability (CVE-2024-52974) |
| 152942 | Kibana Prototype Pollution Vulnerability (CVE-2024-12556) |
| 152943 | WordPress Inline Image Upload for BBPress Plugin: Arbitrary File Upload Vulnerability (CVE-2025-2006) |
| 152944 | WordPress Awesome Support – WordPress HelpDesk and Support Plugin: Sensitive Information Exposure Vulnerability (CVE-2024-13567) |
| 152945 | WordPress WP Google Calendar Manager Plugin: SQL Injection Vulnerability (CVE-2025-28939) |
| 152946 | Apache Seata Insecure Deserialization Vulnerability (CVE-2024-47552) |
| 152947 | Apache Seata Data Amplification Vulnerability (CVE-2024-54016) |
| 152948 | WordPress SureTriggers Plugin: Authentication Bypass Vulnerability (CVE-2025-3102) |
| 152949 | Apache ActiveMQ Artemis Insertion of Sensitive Information into Log File Vulnerability (CVE-2025-27391) |
| 152950 | WordPress All Push Notification for WP Plugin: Cross-Site Scripting (XSS) Vulnerability (CVE-2025-25092) |
| 152951 | Adobe ColdFusion Security Feature Bypass Vulnerabilities (CVE-2025-30293,CVE-2025-30294) |
| 152952 | Apache ActiveMQ Artemis Default Credentials |
| 152953 | WordPress Drag and Drop Multiple File Upload for Contact Form 7 Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-2328) |
| 152954 | Joomla! Core MFA Authentication Bypass Vulnerability (CVE-2025-25227) |
| 152955 | Fortinet FortiOS Out-of-bound Write Vulnerability (CVE-2024-21762) |
| 152956 | Fortinet FortiOS Heap Buffer Overflow Vulnerability (CVE-2023-27997) |
| 152957 | Fortinet FortiOS Heap Buffer Overflow Vulnerability (CVE-2022-42475) |
| 152958 | WordPress Checkout Mestres do Plugin: Privilege Escalation Vulnerability (CVE-2025-32695) |
| 152959 | Shopware SQL Injection Vulnerability (CVE-2025-27892) |
| 152960 | WordPress WPC Admin Columns Plugin: Privilege Escalation Vulnerability (CVE-2025-3418) |
| 152961 | Mattermost Incorrect Authorization Vulnerability (CVE-2025-24866) |
| 152962 | WordPress Civi Theme: Authentication Bypass Vulnerability (CVE-2024-13771) |
| 152963 | Oracle WebLogic Server: Apache Velocity Engine Vulnerability (CPU-APR2025) |
| 152964 | Mattermost Authentication Bypass via Bot Conversion Caching Issue (CVE-2025-2475) |
| 152965 | WordPress AnalyticsWP Plugin: SQL Injection Vulnerability (CVE-2024-13321) |
| 152966 | WordPress Embedder Plugin: Missing Authorization Vulnerability (CVE-2025-3417) |
| 152967 | WordPress CardGate Payments for WooCommerce Plugin: SQL Injection Vulnerability (CVE-2025-32119) |
| 152968 | Apache HertzBeat Server-Side Request Forgery (SSRF) Vulnerability (CVE-2024-56736) |
| 152969 | Flowise SQL Injection Vulnerability (CVE-2025-29189) |
| 152970 | WordPress WPSolr Free Plugin: Cross-Site Request Forgery Vulnerability (CVE-2025-31036) |
| 152971 | Vite Arbitrary File Read Vulnerability (CVE-2025-31125) |
| 152972 | Open WebUI Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2024-7035) |
| 152973 | WordPress WP User Profiles Plugin: Privilege Escalation Vulnerability (CVE-2025-31524) |
| 152974 | WordPress Golo Theme: Privilege Escalation Vulnerability (CVE-2024-12876) |
| 152975 | WordPress WP Ghost Plugin: Path Traversal Vulnerability (CVE-2025-2056) |
| 152976 | WordPress MinimogWP Theme: Local File Inclusion Vulnerability (CVE-2024-13790) |
| 152977 | Open WebUI Server-Side Request Forgery (SSRF) Vulnerability (CVE-2024-7959) |
| 152978 | Mattermost File Information Disclosure Vulnerability (CVE-2025-2424) |
| 152980 | Mattermost Privilege Escalation Vulnerability (CVE-2025-32093) |
| 152981 | Mattermost Incorrect Authorization Vulnerability (CVE-2025-2564) |
| 152982 | WordPress User Registration and Membership Plugin: Privilege Escalation Vulnerability (CVE-2025-2563) |
| 152983 | WordPress HelpGent Plugin: PHP Object Injection Vulnerability (CVE-2025-32658) |
| 152984 | WordPress Projectopia Plugin: Privilege Escalation Vulnerability (CVE-2025-32648) |
| 152985 | Mattermost Unauthenticated Access to Archived Channel Metadata Vulnerability (CVE-2025-27571) |
| 152986 | Mattermost MFA Enforcement Bypass Vulnerability (CVE-2025-27538) |
| 152987 | Mattermost Domain Exfiltration Vulnerability (CVE-2025-31363) |
| 152988 | Mattermost AI Bot Triggering Vulnerability (CVE-2025-24839) |
| 152989 | Open WebUI Denial of Service Vulnerability (CVE-2024-7983) |
| 152990 | Vite Arbitrary File Read Vulnerability (CVE-2025-31486) |
| 152991 | Open WebUI Stored Cross Site Scripting Vulnerability (CVE-2024-7990) |
| 152992 | WordPress Insert Headers And Footers Plugin: Cross-Site Request Forgery Vulnerability (CVE-2025-2111) |
| 152994 | WordPress WP Editor Plugin: Arbitrary File Update Vulnerability (CVE-2025-3294) |
| 152995 | Jenkins Missing Authorization Vulnerability (CVE-2025-31721) |
| 152996 | WordPress Greenshift – Animation and Page Builder Blocks Plugin: Arbitrary File Upload Vulnerability (CVE-2025-3616) |
| 152997 | BentoML Remote Code Execution (RCE) Vulnerability (CVE-2025-27520) |
| 152998 | WordPress User Registration and Membership Plugin: Authentication Bypass Vulnerability (CVE-2025-2594) |
| 152999 | WordPress Appointment Booking Calendar Plugin: Cross-Site Request Forgery Vulnerability (CVE-2025-46241) |
| 154179 | Drupal Cross Site Scripting (XSS) vulnerability (CVE-2025-31675) |
| 520047 | PHP Validation Bypass Vulnerability (CVE-2025-1219) |
| 520048 | PHP Improper Input Validation Vulnerability (CVE-2025-1736) |
| 530000 | OpenCMS Cross Site Scripting (XSS) Vulnerabilities (CVE-2024-41446,CVE-2024-41447,CVE-2024-42699) |
| 530001 | Open WebUI Improper Privilege Management Vulnerability (CVE-2024-7039) |
| 530002 | Apache Druid Multiple Vulnerabilities (CVE-2025-27888) |
| 530003 | WordPress Eventer Plugin: SQL Injection Vulnerability (CVE-2025-0959) |
| 530004 | ELMAH Sensitive Information Disclosure |
| 530005 | WordPress WP Click Info Plugin: Reflected Cross-Site Scripting Vulnerability (CVE-2025-1401) |
| 530006 | Citrix NetScaler Console Sensitive Information Disclosure Vulnerability (CVE-2024-6235) |
| 530007 | WordPress InstaWP Connect Plugin: Local File Inclusion Vulnerability (CVE-2025-2636) |
| 530008 | Apache Roller Session Management Authentication Bypass Vulnerability (CVE-2025-24859) |
| 530009 | WordPress Flynax Bridge Plugin: Privilege Escalation Vulnerability (CVE-2025-3604) |
| 530011 | WordPress Frontend Login and Registration Blocks Plugin: Privilege Escalation Vulnerability (CVE-2025-3607) |
| 530012 | phpMyAdmin Detected |
| 530013 | Craft CMS Remote Code Execution (RCE) Vulnerability (CVE-2025-32432) |
| 530014 | ify Improper Access Control Vulnerability (CVE-2025-32795) |
| 530015 | WordPress Xelion Webchat Plugin: Missing Authorization Vulnerability (CVE-2025-3058) |
| 530016 | Ivanti Endpoint Manager (EPM) DLL hijacking Vulnerability (CVE-2025-22458) |
| 530017 | Ivanti Endpoint Manager (EPM) Improper Certificate Validation Vulnerability (CVE-2025-22459) |
| 530018 | Ivanti Endpoint Manager (EPM) SQL Injection Vulnerability (CVE-2025-22461) |
| 530019 | Ivanti Endpoint Manager (EPM) Untrusted Pointer Dereference Vulnerability (CVE-2025-22464) |
| 530020 | Ivanti Endpoint Manager (EPM) Reflected XSS Vulnerabilities (CVE-2025-22465,CVE-2025-22466) |
| 530021 | WordPress PowerPress Podcasting Plugin: Arbitrary File Upload Vulnerability (CVE-2025-46264) |
| 530022 | Mattermost Denial-of-Service (DoS) Vulnerability (CVE-2025-35965) |
| 530024 | Apache Tomcat Denial-of-Service (DoS) Vulnerability (CVE-2025-31650) |
| 530026 | Apache Tomcat Rewrite Rule Bypass Vulnerability (CVE-2025-31651) |
| 530027 | Dify Clickjacking Vulnerability (CVE-2025-43854) |
| 530029 | Commvault Command Center Remote Code Execution (RCE) Vulnerability (CVE-2025-34028) |
Qualys Notification Link: Web Application Detections Published in April 2025