Web Application Detections Published in May 2025

In May, Qualys Web Application Scanning released QIDs targeting vulnerabilities in several widely used software products and frameworks, including Vue, React Router, WordPress, Tornado, OpenSSL, SAP, Apache, SeaCMS, XWiki, Ivanti, Python, Traefik, YesWiki, Kibana, GitLab, Zimbra, JetBrains, Ollama, Jenkins, Adobe, Fortinet, Microsoft, DeepJavaLibrary, Atlassian, ZenML, Versa, Grafana, Moodle, vBulletin, Invision Community, WSO2, and Gradio.

The following table lists the QIDs released in May 2025.

QID Title
151055 Vue Cross-site Scripting Vulnerability (CVE-2024-6783)
151056 React Router URL Spoofing Vulnerability (CVE-2025-31137)
151057 React Router Cache Poisoning Vulnerability (CVE-2025-43864)
151058 React Router Pre-rendered Data Spoofing Vulnerability (CVE-2025-43865)
152993 WordPress Download Manager Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-3404)
520049 Tornado Denial of Service Vulnerability (CVE-2025-47287)
520050 Open Secure Sockets Layer (OpenSSL) Improper Certificate Validation Vulnerability (CVE-2025-4575)
530031 SAP NetWeaver Visual Composer Development Server Missing Authorization Vulnerability (CVE-2025-31324)
530032 WordPress NewsBlogger Theme: Arbitrary File Upload Vulnerability (CVE-2025-1304)
530033 Apache Solr Misconfigured Authentication
530034 WordPress SureTriggers Plugin: Privilege Escalation Vulnerability (CVE-2025-27007)
530035 WordPress Job Listings Plugin: Privilege Escalation Vulnerability (CVE-2025-3918)
530036 SeaCMS SQL Injection Vulnerability (CVE-2025-44072)
530037 SeaCMS SQL Injection Vulnerability (CVE-2025-44074)
530038 WordPress External Image Replace Plugin: Arbitrary File Upload Vulnerability (CVE-2025-4279)
530039 WordPress Depicter Plugin: SQL Injection Vulnerability (CVE-2025-2011)
530040 WordPress Page View Count Plugin: Missing Authorization Vulnerability (CVE-2025-2816)
530041 WordPress Projectopia Plugin: Missing Authorization Vulnerability (CVE-2025-3952)
530042 SeaCMS Remote Code Execution (RCE) Vulnerability (CVE-2025-44071)
530043 WordPress Frontend Login and Registration Blocks Plugin: Privilege Escalation Vulnerability (CVE-2025-3605)
530044 WordPress Drag and Drop Multiple File Upload for WooCommerce Plugin: Arbitrary File Upload Vulnerability (CVE-2025-4403)
530045 WordPress WPBookit Plugin: Privilege Escalation Vulnerabilities (CVE-2025-3810, CVE-2025-3811)
530046 Apache ActiveMQ Denial of Service (DoS) Vulnerability (CVE-2025-27533)
530047 FoxCMS File Deletion Vulnerability (CVE-2025-45238)
530048 XWiki Cross-Site Scripting (XSS) and Privilege Escalation Vulnerability (CVE-2025-32974)
530049 Ivanti Cloud Services Application (CSA) Default Credentials Privilege Escalation Vulnerability (CVE-2025-22460)
530051 Python h11 HTTP Request Smuggling Vulnerability (CVE-2025-43859)
530052 Traefik Path Traversal Vulnerability (CVE-2025-32431)
530053 YesWiki Unauthenticated Archive Creation and Download Vulnerability (CVE-2025-46348)
530054 Kibana Prototype Pollution Vulnerability (CVE-2025-25014)
530055 GitLab CE/EE Information Disclosure and Session Hijacking Vulnerability (CVE-2025-1908)
530056 Zimbra Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2025-32354)
530057 JetBrains TeamCity Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2025-46618)
530058 JetBrains TeamCity Path Traversal Vulnerability (CVE-2025-46433)
530061 Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution (RCE) Vulnerability (CVE-2025-4427, CVE-2025-4428)
530062 Apache Superset Improper Authorization Vulnerability (CVE-2025-27696)
530063 WordPress TicketBAI Facturas para WooCommerce Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-4564)
530064 Ollama Denial of Service Vulnerability (CVE-2025-1975)
530065 JetBrains TeamCity Base64 Credentials Exposure Vulnerability (CVE-2025-46432)
530066 Jenkins WSO2 Oauth Plugin Authentication Bypass Vulnerability (CVE-2025-47889)
530067 Adobe ColdFusion Arbitrary Code Execution Vulnerabilities (CVE-2025-43559, CVE-2025-43560, CVE-2025-43562)
530068 Adobe ColdFusion Arbitrary Code Execution Vulnerabilities (CVE-2025-43561, CVE-2025-43565)
530069 Adobe ColdFusion Arbitrary File Read Vulnerabilities (CVE-2025-43563, CVE-2025-43564)
530070 Adobe ColdFusion Path Traversal Vulnerability (CVE-2025-43566)
530071 Fortinet FortiOS Authentication Bypass Vulnerability (CVE-2025-22252)
530073 Jenkins OpenID Connect Provider Plugin Token Impersonation Vulnerability (CVE-2025-47884)
530074 Jenkins Health Advisor by CloudBees Plugin Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2025-47885)
530075 Adobe Connect Multiple Cross-site Scripting Vulnerabilities (APSB25-36)
530076 WordPress BEAF Plugin: Arbitrary File Upload Vulnerability (CVE-2025-47549)
530077 WordPress TI WooCommerce Wishlist Plugin: Arbitrary File Upload Vulnerability (CVE-2025-47577)
530078 Microsoft Partner Center Detected
530079 Microsoft Copilot Studio Detected
530080 DeepJavaLibrary Path Traversal Vulnerability (CVE-2025-0851)
530081 DeepJavaLibrary Path Traversal Vulnerability (CVE-2024-37902)
530082 DJL Serving Unauthorized Access to Application Configuration
530083 WordPress OTP-less One Tap Sign In Plugin: Privilege Escalation Vulnerability (CVE-2025-3746)
530084 WordPress Frontend Dashboard Plugin: Privilege Escalation Vulnerability (CVE-2025-4104)
530085 Atlassian Jira Privilege Escalation Vulnerability (CVE-2025-22157)
530086 DJL Serving Log Exposure
530087 JetBrains TeamCity Stored Cross-Site Scripting Vulnerability (CVE-2025-47853)
530088 JetBrains TeamCity Stored Cross-Site Scripting Vulnerability (CVE-2025-47852)
530089 JetBrains TeamCity Stored Cross-Site Scripting Vulnerability (CVE-2025-47851)
530090 ZenML Denial of Service Vulnerability (CVE-2024-9340)
530091 Zimbra Cross-Site Scripting (XSS) Vulnerability (CVE-2024-27443)
530092 Microsoft Azure Portal Detected
530093 JetBrains TeamCity Open Redirect Vulnerability (CVE-2025-47854)
530094 JetBrains YouTrack Attachment Visibility Bypass Vulnerability (CVE-2025-47850)
530095 JetBrains YouTrack Unauthenticated Issue Deletion Vulnerability (CVE-2025-48391)
530097 Versa Concerto Authentication Bypass Vulnerability (CVE-2025-34027)
530098 WordPress The Events Calendar Plugin: Sensitive Information Disclosure Vulnerability (CVE-2024-5333)
530099 WordPress The Events Calendar Plugin: Cross-Site Scripting Vulnerability (CVE-2024-12118)
530101 FortiClientEMS Path Traversal Vulnerability (CVE-2025-22859)
530102 Grafana Improper Access Control Vulnerability (CVE-2025-3580)
530103 Moodle Self Enrollment Bypass Vulnerability (CVE-2025-3634)
530104 WordPress StoreKeeper for WooCommerce Plugin: Arbitrary File Upload Vulnerability (CVE-2025-47687)
530105 Moodle Anonymous Submission De-anonymization Vulnerability (CVE-2025-3628)
530106 Moodle Authentication Bypass Vulnerability (CVE-2025-3625)
530107 Atlassian Confluence Data Center and Server DoS (Denial of Service) Vulnerability (CVE-2025-31650)
530108 WordPress Store Manager Connector Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-4603)
530109 vBulletin Remote Code Execution (RCE) Vulnerability (CVE-2025-48827)
530110 WordPress Elementor Plugin: Cross-Site Scripting Vulnerability (CVE-2024-10453)
530111 WordPress Elementor Plugin: Cross-Site Scripting Vulnerability (CVE-2024-13445)
530112 WordPress Elementor Plugin: Cross-Site Scripting Vulnerability (CVE-2024-54444)
530113 Moodle Remote Code Execution Vulnerability (CVE-2025-3642)
530114 Invision Community Remote Code Execution (RCE) Vulnerability (CVE-2025-47916)
530115 WordPress Property Plugin: Privilege Escalation Vulnerability (CVE-2025-5117)
530116 WordPress Store Manager Connector Plugin: Arbitrary File Upload Vulnerability (CVE-2025-4336)
530117 WordPress ELEX WordPress HelpDesk and Customer Ticketing System Plugin: Arbitrary File Upload Vulnerability (CVE-2025-47658)
530118 Moodle User Data Exposure Before MFA Vulnerability (CVE-2025-3627)
530119 Moodle CSRF Token Exposure Vulnerability (CVE-2025-3637)
530120 WordPress Essential Real Estate Plugin: Local File Inclusion Vulnerability (CVE-2025-30849)
530121 Moodle Reflected Cross-Site Scripting Vulnerability (CVE-2025-3643)
530122 WordPress Likes and Dislikes Plugin: SQL Injection Vulnerability (CVE-2025-5287)
530123 Moodle Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2025-3636)
530124 WordPress NewsBlogger Theme: Cross-Site Request Forgery Vulnerability (CVE-2025-1305)
530125 Moodle Brickfield Tool Cross-site Request Forgery (CSRF) Vulnerability (CVE-2025-3638)
530126 Moodle Messaging Web Service Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2025-3645)
530127 WSO2 API Manager XML External Entity (XXE) Vulnerability (CVE-2025-2905)
530128 WSO2 API Manager Default Credentials
530129 WordPress Review Plugin: Local File Inclusion Vulnerability (CVE-2025-2158)
530130 Gradio CORS Origin Validation Bypass Vulnerability (CVE-2025-5320)
530131 WordPress WP Tabs Plugin: PHP Object Injection Vulnerability (CVE-2025-48134)
530132 Moodle Cohorts Report Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2025-3647)