Web Application Detections — March 2025
In March, Qualys Web Application Scanning released QIDs targeting vulnerabilities in several widely used software products and frameworks, including Next.js, MITRE – Caldera, WordPress, Wazuh Server, JSONPath Plus, GraphQL Mesh, NAKIVO – Backup and Replication, Adobe – ColdFusion, SeaCMS, Joomla! – Core, Joomla! – Sourcerer Extension, Joomla! – ConvertForms Extension, Kibana, Apache – Pinot, Apache – Tomcat, Apache – Ranger, Apache – CloudStack, Apache – Camel, Apache – Nifi, IBM – Aspera Shares, ServiceNow, GitLab – GitLab CE/EE, Wiki.js, Pandora FMS, Zimbra, ClassCMS, Liferay Portal, JetBrains – YouTrack, JetBrains – TeamCity, Jenkins – AnchorChain Plugin, Drupal – Core, Synapse, LiteLLM, Splunk, Vite, PublicCMS, and Gunicorn.
The following table lists the QIDs released in March 2025.
QID | Title |
---|---|
151052 | Next.js Middleware Authorization Bypass Vulnerability (CVE-2025-29927) |
151053 | Axios Server-Side Request Forgery (SSRF) Vulnerability (CVE-2025-27152) |
152786 | MITRE Caldera Remote Code Execution (RCE) Vulnerability (CVE-2025-27364) |
152789 | WordPress WP Multi Store Locator Plugin: Blind SQL Injection Vulnerability (CVE-2025-26974) |
152794 | WordPress Reset Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-13684) |
152795 | WordPress Ultimate Classified Listings Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-13753) |
152796 | Wazuh Server Remote Code Execution (RCE) Vulnerability (CVE-2025-24016) |
152797 | JSONPath Plus Remote Code Execution (RCE) Vulnerability (CVE-2025-1302) |
152798 | GraphQL Mesh Path Traversal Vulnerability (CVE-2025-27098) |
152799 | WordPress Easy Quotes Plugin: Blind SQL Injection Vulnerability (CVE-2025-26943) |
152800 | WordPress WP Video Posts Plugin: Cross-Site Request Forgery Vulnerability (CVE-2025-27298) |
152801 | NAKIVO Backup and Replication Arbitrary File Read Vulnerability (CVE-2024-48248) |
152802 | WordPress WP Sitemap Plugin: SQL Injection Vulnerability (CVE-2025-27312) |
152803 | Adobe ColdFusion AMF Deserialization Vulnerability (CVE-2017-3066) |
152804 | SeaCMS SQL Injection Vulnerability (CVE-2025-22974) |
152805 | Joomla! SQL Injection Vulnerability (CVE-2025-22207) |
152806 | Joomla! Extension Sourcerer Remote Code Execution Vulnerability (CVE-2025-22204) |
152807 | WordPress Residential Address Detection Plugin: Privilege Escalation Vulnerability (CVE-2025-27270) |
152808 | WordPress GiveWP Plugin: PHP Object Injection Vulnerability (CVE-2025-0912) |
152809 | WordPress Newscrunch Theme: Arbitrary File Upload Vulnerability (CVE-2025-1307) |
152810 | Joomla ConvertForms Extension SQL Injection Vulnerability (CVE-2025-22212) |
152811 | Kibana Arbitrary Code Execution Vulnerability (CVE-2025-25015) |
152812 | Joomla! Extension Convert Forms Arbitrary File Upload Vulnerability (CVE-2024-40744) |
152813 | WordPress Small Package Quotes – Worldwide Express Edition Plugin: SQL Injection Vulnerability (CVE-2025-27268) |
152814 | WordPress Small Package Quotes – Worldwide Express Edition Plugin: SQL Injection Vulnerability (CVE-2025-24667) |
152815 | WordPress FULL Customer Plugin: Local File Inclusion Vulnerability (CVE-2025-26757) |
152816 | WordPress Bitcoin / AltCoin Payment Gateway for WooCommerce Plugin: Blind SQL Injection Vulnerability (CVE-2025-26535) |
152817 | IBM Aspera Shares XML External Entity Injection (XXE) Vulnerability (CVE-2025-0162) |
152818 | Apache Pinot Authentication Bypass Vulnerability (CVE-2024-56325) |
152819 | WordPress uListing Plugin: SQL Injection Vulnerabilities (CVE-2025-25150,CVE-2025-25151) |
152820 | WordPress WPCOM Member Plugin: Authentication Bypass Vulnerability (CVE-2025-1475) |
152821 | Apache Tomcat Remote Code Execution (RCE) Vulnerability (CVE-2025-24813) |
152822 | ServiceNow Authorization Bypass Vulnerability (CVE-2025-0337) |
152823 | WordPress SMS Alert Order Notifications Plugin: SQL Injection Vulnerability (CVE-2025-26988) |
152824 | WordPress Events Calendar for GeoDirectory Plugin: Object Injection Vulnerability (CVE-2025-26967) |
152825 | WordPress WizShop Plugin: Local File Inclusion Vulnerability (CVE-2025-25122) |
152827 | WordPress WPGet API Plugin: Server-Side Request Forgery Vulnerability (CVE-2024-13857) |
152829 | Wiki.js Client Side Template Injection Vulnerability (CVE-2024-34710) |
152830 | WordPress ProfileGrid Plugin: Object Injection Vulnerability (CVE-2025-26999) |
152832 | WordPress UiPress lite Plugin: Unauthorized Modification of Data Vulnerability (CVE-2025-1309) |
152833 | WordPress Newscrunch Theme: Cross-Site Request Forgery Vulnerability (CVE-2025-1306) |
152834 | WordPress HUSKY – Products Filter Professional for WooCommerce Plugin: Local File Inclusion Vulnerability (CVE-2025-1661) |
152835 | Apache Ranger CSV Injection Vulnerability (CVE-2024-55532) |
152836 | Flowise Pre-Auth Arbitrary File Upload Vulnerability (CVE-2025-26319) |
152837 | WordPress WPSchoolPress Plugin: Privilege Escalation Vulnerability (CVE-2025-1667) |
152838 | WordPress uListing Plugin: Missing Authorization Vulnerability (CVE-2025-1657) |
152839 | Apache Camel Header Injection Vulnerability (CVE-2025-27636,CVE-2025-29891) |
152840 | WordPress InstaWP Connect Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-13913) |
152841 | GitLab CE/EE Cross Site Scripting Vulnerability (CVE-2025-0475) |
152842 | Pandora FMS Command Injection Vulnerabilities (CVE-2024-12971,CVE-2024-12992) |
152843 | GitLab EE Cross Site Scripting Vulnerability (CVE-2025-0555) |
152844 | WordPress uListing Plugin: Privilege Escalation Vulnerability (CVE-2025-1653) |
152845 | WordPress Helloprint Plugin: Path Traversal Vulnerability (CVE-2025-26534) |
152846 | Apache Nifi Sensitive Information Disclosure Vulnerability (CVE-2025-27017) |
152847 | Kibana Prototype Pollution Vulnerability (CVE-2024-37287) |
152848 | WordPress CiyaShop Theme: PHP Object Injection Vulnerability (CVE-2024-13824) |
152849 | WordPress Ultimate Member Plugin: SQL Injection Vulnerability (CVE-2025-1702) |
152850 | WordPress WPBookit Plugin: Cross-Site Request Forgery Vulnerability (CVE-2025-26910) |
152851 | GLPI SQL Injection Vulnerability (CVE-2025-24799) |
152852 | WordPress Multiple Shipping And Billing Address For Woocommerce Plugin: SQL Injection Vulnerability (CVE-2025-26875) |
152853 | Gradio Denial of Service Vulnerability (CVE-2024-8966) |
152854 | Trace.axd Information Leak |
152855 | GLPI Remote Code Execution Vulnerability (CVE-2025-24801) |
152856 | WordPress Age Gate Plugin: Local File Inclusion Vulnerability (CVE-2025-2505) |
152857 | JetBrains YouTrack Arbitrary JavaScript Execution Vulnerability (CVE-2024-49579) |
152858 | Jenkins AnchorChain Plugin Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2025-30196) |
152859 | GitLab CE/EE Account Takeover Vulnerability (CVE-2023-7028) |
152860 | WordPress VikRentCar Car Rental Management System Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-11640) |
152861 | Apache CloudStack KVM Template Upload Vulnerability (CVE-2024-50386) |
152862 | WordPress SMTP by BestWebSoft Plugin: Arbitrary File Upload Vulnerability (CVE-2024-13908) |
152863 | Spring Framework Path Traversal Vulnerability (CVE-2024-38819) |
152864 | WordPress Gallery Plugin: PHP Object Injection Vulnerability (CVE-2024-13906) |
152865 | Kibana Uncontrolled Resource Consumption Vulnerability (CVE-2024-52972) |
152866 | Zimbra Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2025-27915) |
152867 | ClassCMS File Inclusion Vulnerability (CVE-2024-48180) |
152868 | Liferay Portal Cross-site scripting (XSS) Vulnerability (CVE-2025-2536) |
152869 | Kibana Arbitrary Code Execution Vulnerability (CVE-2023-31414) |
152870 | JetBrains YouTrack Permanent Token Exposure Vulnerability (CVE-2025-24457) |
152871 | JetBrains YouTrack Account takeover Vulnerability (CVE-2025-24458) |
152872 | WordPress PublishPress Authors Plugin: SQL Injection Vulnerability (CVE-2025-26886) |
152873 | WordPress WPCS – WordPress Currency Switcher Professional Plugin: Arbitrary Shortcode Execution Vulnerability (CVE-2025-2169) |
152874 | WordPress Traveler Theme: Local File Inclusion Vulnerability (CVE-2025-1771) |
152875 | WordPress Logo Slider Plugin: Arbitrary Shortcode Execution Vulnerability (CVE-2025-2262) |
152876 | WordPress Product Input Fields for WooCommerce Plugin: Arbitrary File Upload Vulnerability (CVE-2024-13359) |
152877 | RabbitMQ Cross-Site Scripting (XSS) Vulnerability (CVE-2025-30219) |
152878 | WordPress WP Ghost Plugin: Local File Inclusion Vulnerability (CVE-2025-26909) |
152879 | GLPI Inventory Plugin: Improper Access Control Vulnerability (CVE-2025-27147) |
152880 | WordPress WP e-Commerce Style Email Plugin: Cross-Site Request Forgery Vulnerability (CVE-2025-30615) |
152881 | WordPress WP Featured Entries Plugin: SQL Injection Vulnerability (CVE-2025-30569) |
152882 | WordPress Site Reviews Plugin: Cross-Site Scripting Vulnerability (CVE-2025-1232) |
152883 | WordPress Awesome Logos Plugin: Cross-Site Request Forgery Vulnerability (CVE-2025-30528) |
152884 | WordPress AppPresser Plugin: Stored Cross-Site Scripting Vulnerability (CVE-2025-1561) |
152885 | Synapse Improper Input Validation Vulnerability (CVE-2025-30355) |
152886 | LiteLLM API Key Leakage Vulnerability (CVE-2024-9606) |
152887 | WordPress Web Directory Free Plugin: SQL Injection Vulnerability (CVE-2025-28904) |
152888 | JetBrains TeamCity Password Exposure in Logs Vulnerability (CVE-2025-31139) |
152889 | JetBrains TeamCity Stored Cross-Site Scripting Vulnerability (CVE-2025-31140) |
152890 | JetBrains TeamCity Credential Leakage Vulnerability (CVE-2025-31141) |
152891 | Splunk Enterprise Sensitive Information Disclosure Vulnerability (CVE-2025-20231) |
152892 | Splunk Enterprise Remote Code Execution Vulnerability (CVE-2025-20229) |
152893 | WordPress WP Ultimate Exporter Plugin: PHP Object Injection Vulnerability (CVE-2025-2332) |
152894 | Vite Arbitrary File Read Vulnerability (CVE-2025-30208) |
152895 | WordPress WP Subscription Forms Plugin: SQL Injection Vulnerability (CVE-2025-30784) |
154175 | Joomla! Core File Upload Vulnerability (CVE-2025-22213) |
154176 | Drupal Reflected Cross Site Scripting vulnerability (SA-CORE-2025-001) |
154177 | Drupal Access Bypass vulnerability (SA-CORE-2025-002) |
154178 | Drupal PHP Object Injection vulnerability (SA-CORE-2025-003) |
520044 | PublicCMS Arbitrary File Upload Vulnerability (CVE-2025-25361) |
520045 | Liferay Portal Data Exposure Vulnerability (CVE-2025-2565) |
520046 | Gunicorn HTTP Request Smuggling (HRS) Vulnerability (CVE-2024-1135) |
Qualys Notification Link: Web Application Detections Published in March 2025