Web Application Detections Published in May 2025
In May, Qualys Web Application Scanning released QIDs targeting vulnerabilities in several widely used software products and frameworks; including, Vue, React Router, WordPress, Tornado, OpenSSL, SAP, Apache, SeaCMS, XWiki, Ivanti, Python, Traefik, YesWiki, Kibana, GitLab, Zimbra, JetBrains, Ollama, Jenkins, Adobe, Fortinet, Microsoft, DeepJavaLibrary, Atlassian, ZenML, Versa, Grafana, Moodle, vBulletin, Invision Community, WSO2, and Gradio.
The following table lists the QIDs released in May 2025.
| QID | Title |
|---|---|
| 151055 | Vue Cross-site Scripting Vulnerability (CVE-2024-6783) |
| 151056 | React Router URL Spoofing Vulnerability (CVE-2025-31137) |
| 151057 | React Router Cache Poisoning Vulnerability (CVE-2025-43864) |
| 151058 | React Router Pre-rendered Data Spoofing Vulnerability (CVE-2025-43865) |
| 152993 | WordPress Download Manager Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-3404) |
| 520049 | Tornado Denial of Service Vulnerability (CVE-2025-47287) |
| 520050 | Open Secure Sockets Layer (OpenSSL) Improper Certificate Validation Vulnerability (CVE-2025-4575) |
| 530031 | SAP NetWeaver Visual Composer Development Server Missing Authorization Vulnerability (CVE-2025-31324) |
| 530032 | WordPress NewsBlogger Theme: Arbitrary File Upload Vulnerability (CVE-2025-1304) |
| 530033 | Apache Solr Misconfigured Authentication |
| 530034 | WordPress SureTriggers Plugin: Privilege Escalation Vulnerability (CVE-2025-27007) |
| 530035 | WordPress Job Listings Plugin: Privilege Escalation Vulnerability (CVE-2025-3918) |
| 530036 | SeaCMS SQL Injection Vulnerability (CVE-2025-44072) |
| 530037 | SeaCMS SQL Injection Vulnerability (CVE-2025-44074) |
| 530038 | WordPress External Image Replace Plugin: Arbitrary File Upload Vulnerability (CVE-2025-4279) |
| 530039 | WordPress Depicter Plugin: SQL Injection Vulnerability (CVE-2025-2011) |
| 530040 | WordPress Page View Count Plugin: Missing Authorization Vulnerability (CVE-2025-2816) |
| 530041 | WordPress Projectopia Plugin: Missing Authorization Vulnerability (CVE-2025-3952) |
| 530042 | SeaCMS Remote Code Execution (RCE) Vulnerability (CVE-2025-44071) |
| 530043 | WordPress Frontend Login and Registration Blocks Plugin: Privilege Escalation Vulnerability (CVE-2025-3605) |
| 530044 | WordPress Drag and Drop Multiple File Upload for WooCommerce Plugin: Arbitrary File Upload Vulnerability (CVE-2025-4403) |
| 530045 | WordPress WPBookit Plugin: Privilege Escalation Vulnerabilities (CVE-2025-3810,CVE-2025-3811) |
| 530046 | Apache ActiveMQ Denial of Service (DoS) Vulnerability (CVE-2025-27533) |
| 530047 | FoxCMS File Deletion Vulnerability (CVE-2025-45238) |
| 530048 | XWiki Cross-Site Scripting (XSS) and Privilege Escalation Vulnerability (CVE-2025-32974) |
| 530049 | Ivanti Cloud Services Application (CSA) Default Credentials Privilege Escalation Vulnerability (CVE-2025-22460) |
| 530051 | Python h11 HTTP Request Smuggling Vulnerability (CVE-2025-43859) |
| 530052 | Traefik Path Traversal Vulnerability (CVE-2025-32431) |
| 530053 | YesWiki Unauthenticated Archive Creation and Download Vulnerability (CVE-2025-46348) |
| 530054 | Kibana Prototype Pollution Vulnerability (CVE-2025-25014) |
| 530055 | GitLab CE/EE Information Disclosure and Session Hijacking Vulnerability (CVE-2025-1908) |
| 530056 | Zimbra Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2025-32354) |
| 530057 | JetBrains TeamCity Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2025-46618) |
| 530058 | JetBrains TeamCity Path Traversal Vulnerability (CVE-2025-46433) |
| 530061 | Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution (RCE) Vulnerability (CVE-2025-4427,CVE-2025-4428) |
| 530062 | Apache Superset Improper Authorization Vulnerability (CVE-2025-27696) |
| 530063 | WordPress TicketBAI Facturas para WooCommerce Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-4564) |
| 530064 | Ollama Denial of Service Vulnerability (CVE-2025-1975) |
| 530065 | JetBrains TeamCity Base64 Credentials Exposure Vulnerability (CVE-2025-46432) |
| 530066 | Jenkins WSO2 Oauth Plugin Authentication Bypass Vulnerability (CVE-2025-47889) |
| 530067 | Adobe ColdFusion Arbitrary Code Execution Vulnerabilities (CVE-2025-43559,CVE-2025-43560,CVE-2025-43562) |
| 530068 | Adobe ColdFusion Arbitrary Code Execution Vulnerabilities (CVE-2025-43561,CVE-2025-43565) |
| 530069 | Adobe ColdFusion Arbitrary File Read Vulnerabilities (CVE-2025-43563,CVE-2025-43564) |
| 530070 | Adobe ColdFusion Path Traversal Vulnerability (CVE-2025-43566) |
| 530071 | Fortinet FortiOS Authentication Bypass Vulnerability (CVE-2025-22252) |
| 530073 | Jenkins OpenID Connect Provider Plugin Token Impersonation Vulnerability (CVE-2025-47884) |
| 530074 | Jenkins Health Advisor by CloudBees Plugin Stored Cross-Site Scripting (XSS) Vulnerability (CVE-2025-47885) |
| 530075 | Adobe Connect Multiple Cross-site Scripting Vulnerabilities (APSB25-36) |
| 530076 | WordPress BEAF Plugin: Arbitrary File Upload Vulnerability (CVE-2025-47549) |
| 530077 | WordPress TI WooCommerce Wishlist Plugin: Arbitrary File Upload Vulnerability (CVE-2025-47577) |
| 530078 | Microsoft Partner Center Detected |
| 530079 | Microsoft Copilot Studio Detected |
| 530080 | DeepJavaLibrary Path Traversal Vulnerability (CVE-2025-0851) |
| 530081 | DeepJavaLibrary Path Traversal Vulnerability (CVE-2024-37902) |
| 530082 | DJL Serving Unauthorized Access to Application Configuration |
| 530083 | WordPress OTP-less One Tap Sign In Plugin: Privilege Escalation Vulnerability (CVE-2025-3746) |
| 530084 | WordPress Frontend Dashboard Plugin: Privilege Escalation Vulnerability (CVE-2025-4104) |
| 530085 | Atlassian Jira Privilege Escalation Vulnerability (CVE-2025-22157) |
| 530086 | DJL Serving Log Exposure |
| 530087 | JetBrains TeamCity Stored Cross-Site Scripting Vulnerability (CVE-2025-47853) |
| 530088 | JetBrains TeamCity Stored Cross-Site Scripting Vulnerability (CVE-2025-47852) |
| 530089 | JetBrains TeamCity Stored Cross-Site Scripting Vulnerability (CVE-2025-47851) |
| 530090 | ZenML Denial of Service Vulnerability (CVE-2024-9340) |
| 530091 | Zimbra Cross-Site Scripting (XSS) Vulnerability (CVE-2024-27443) |
| 530092 | Microsoft Azure Portal Detected |
| 530093 | JetBrains TeamCity Open Redirect Vulnerability (CVE-2025-47854) |
| 530094 | JetBrains YouTrack Attachment Visibility Bypass Vulnerability (CVE-2025-47850) |
| 530095 | JetBrains YouTrack Unauthenticated Issue Deletion Vulnerability (CVE-2025-48391) |
| 530097 | Versa Concerto Authentication Bypass Vulnerability (CVE-2025-34027) |
| 530098 | WordPress The Events Calendar Plugin: Sensitive Information Disclosure Vulnerability (CVE-2024-5333) |
| 530099 | WordPress The Events Calendar Plugin: Cross-Site Scripting Vulnerability (CVE-2024-12118) |
| 530101 | FortiClientEMS Path Traversal Vulnerability (CVE-2025-22859) |
| 530102 | Grafana Improper Access Control Vulnerability (CVE-2025-3580) |
| 530103 | Moodle Self Enrollment Bypass Vulnerability (CVE-2025-3634) |
| 530104 | WordPress StoreKeeper for WooCommerce Plugin: Arbitrary File Upload Vulnerability (CVE-2025-47687) |
| 530105 | Moodle Anonymous Submission De-anonymization Vulnerability (CVE-2025-3628) |
| 530106 | Moodle Authentication Bypass Vulnerability (CVE-2025-3625) |
| 530107 | Atlassian Confluence Data Center and Server DoS (Denial of Service) Vulnerability (CVE-2025-31650) |
| 530108 | WordPress Store Manager Connector Plugin: Arbitrary File Deletion Vulnerability (CVE-2025-4603) |
| 530109 | vBulletin Remote Code Execution (RCE) Vulnerability (CVE-2025-48827) |
| 530110 | WordPress Elementor Plugin: Cross-Site Scripting Vulnerability (CVE-2024-10453) |
| 530111 | WordPress Elementor Plugin: Cross-Site Scripting Vulnerability (CVE-2024-13445) |
| 530112 | WordPress Elementor Plugin: Cross-Site Scripting Vulnerability (CVE-2024-54444) |
| 530113 | Moodle Remote Code Execution Vulnerability (CVE-2025-3642) |
| 530114 | Invision Community Remote Code Execution (RCE) Vulnerability (CVE-2025-47916) |
| 530115 | WordPress Property Plugin: Privilege Escalation Vulnerability (CVE-2025-5117) |
| 530116 | WordPress Store Manager Connector Plugin: Arbitrary File Upload Vulnerability (CVE-2025-4336) |
| 530117 | WordPress ELEX WordPress HelpDesk and Customer Ticketing System Plugin: Arbitrary File Upload Vulnerability (CVE-2025-47658) |
| 530118 | Moodle User Data Exposure Before MFA Vulnerability (CVE-2025-3627) |
| 530119 | Moodle CSRF Token Exposure Vulnerability (CVE-2025-3637) |
| 530120 | WordPress Essential Real Estate Plugin: Local File Inclusion Vulnerability (CVE-2025-30849) |
| 530121 | Moodle Reflected Cross-Site Scripting Vulnerability (CVE-2025-3643) |
| 530122 | WordPress Likes and Dislikes Plugin: SQL Injection Vulnerability (CVE-2025-5287) |
| 530123 | Moodle Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2025-3636) |
| 530124 | WordPress NewsBlogger Theme: Cross-Site Request Forgery Vulnerability (CVE-2025-1305) |
| 530125 | Moodle Brickfield Tool Cross-site Request Forgery (CSRF) Vulnerability (CVE-2025-3638) |
| 530126 | Moodle Messaging Web Service Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2025-3645) |
| 530127 | WSO2 API Manager XML External Entity (XXE) Vulnerability (CVE-2025-2905) |
| 530128 | WSO2 API Manager Default Credentials |
| 530129 | WordPress Review Plugin: Local File Inclusion Vulnerability (CVE-2025-2158) |
| 530130 | Gradio CORS Origin Validation Bypass Vulnerability (CVE-2025-5320) |
| 530131 | WordPress WP Tabs Plugin: PHP Object Injection Vulnerability (CVE-2025-48134) |
| 530132 | Moodle Cohorts Report Insecure Direct Object Reference (IDOR) Vulnerability (CVE-2025-3647) |