Threat and Vulnerability Intelligence Database

CVE-2025-4302

Description: The Stop User Enumeration WordPress plugin before version 1.7.3 blocks REST API /wp-json/wp/v2/users/ requests for non-authorized users. However, this can be bypassed by URL-encoding the API path.
Source: CVE
July 17th, 2025 (about 9 hours ago)

Description: The popular WordPress plugin Gravity Forms has been compromised in what seems a supply-chain attack where manual installers from the official website were infected with a backdoor. [...]

Source: BleepingComputer
July 11th, 2025 (6 days ago)

CVE-2025-2942

Description: The Order Delivery Date WordPress plugin before 12.6.0 discloses arbitrary post titles (such as those of draft and private posts) via an unauthenticated AJAX action, allowing attackers to retrieve such information.

EPSS Score: 0.02%

Source: CVE
July 11th, 2025 (6 days ago)

CVE-2025-6236

Description: The Hostel WordPress plugin before 1.1.5.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

EPSS Score: 0.03%

Source: CVE
July 10th, 2025 (7 days ago)

CVE-2025-6234

Description: The Hostel WordPress plugin before 1.1.5.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

EPSS Score: 0.03%

Source: CVE
July 10th, 2025 (7 days ago)

Description: The Forminator plugin for WordPress is vulnerable to an unauthenticated arbitrary file deletion flaw that could enable full site takeover attacks. [...]

Source: BleepingComputer
July 2nd, 2025 (15 days ago)

CVE-2025-5730

Description: The Contact Form Plugin WordPress plugin before 1.1.29 does not sanitise and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks.

EPSS Score: 0.03%

Source: CVE
June 30th, 2025 (17 days ago)

CVE-2025-3745

Description: The WP Lightbox 2 WordPress plugin before 3.0.6.8 does not correctly sanitize the value of the title attribute of links before using them, which may allow malicious users to conduct XSS attacks.

EPSS Score: 0.03%

Source: CVE
June 30th, 2025 (17 days ago)

CVE-2025-5526

Description: The BuddyPress Docs WordPress plugin before 2.2.5 lacks proper access controls and allows a logged-in user to view and download files belonging to another user.

EPSS Score: 0.03%

Source: CVE
June 27th, 2025 (20 days ago)

CVE-2025-5194

Description: The WP Map Block WordPress plugin before 2.0.3 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

EPSS Score: 0.03%

Source: CVE
June 27th, 2025 (20 days ago)