Threat and Vulnerability Intelligence Database

CVE-2025-3951

Description: The WP-Optimize WordPress plugin before 4.2.0 does not properly escape user input when checking image compression statuses, which could allow users with the administrator role to conduct SQL Injection attacks in the context of Multi-Site WordPress configurations.
Source: CVE
June 2nd, 2025 (about 6 hours ago)

CVE-2025-1485

Description: The Real Cookie Banner: GDPR & ePrivacy Cookie Consent WordPress plugin before 5.1.6, real-cookie-banner-pro WordPress plugin before 5.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Source: CVE
June 2nd, 2025 (about 6 hours ago)

CVE-2025-4429

Description: The Gearside Developer Dashboard WordPress plugin through 1.0.72 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

EPSS Score: 0.03%

Source: CVE
May 30th, 2025 (3 days ago)

Description: WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing
Source: ExploitDB
May 29th, 2025 (4 days ago)

Description: Cybersecurity researchers have disclosed a critical unpatched security flaw impacting TI WooCommerce Wishlist plugin for WordPress that could be exploited by unauthenticated attackers to upload arbitrary files. TI WooCommerce Wishlist, which has over 100,000 active installations, is a tool to allow e-commerce site customers to save their favorite products for later and share the lists on social
Source: TheHackerNews
May 29th, 2025 (4 days ago)

CVE-2024-0187

Description: The Community by PeepSo WordPress plugin before 6.3.1.2 does not sanitise and escape various parameters and generated URLs before outputting them back in attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

EPSS Score: 0.33%

SSVC Exploitation: poc

Source: CVE
May 22nd, 2025 (11 days ago)

CVE-2025-4133

Description: The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 8.4.0 does not escape the title of posts when outputting them in a dashboard, which could allow users with the contributor role to perform Cross-Site Scripting attacks.

EPSS Score: 0.03%

Source: CVE
May 22nd, 2025 (11 days ago)

Description: Alleged Sale of Unauthorized Admin Access to an Unidentified WordPress E-Commerce Platform in Israel
Source: DarkWebInformer
May 21st, 2025 (12 days ago)

Description: A critical privilege escalation vulnerability has been discovered in the premium WordPress theme Motors, which allows unauthenticated attackers to hijack administrator accounts and take complete control of websites. [...]
Source: BleepingComputer
May 20th, 2025 (13 days ago)

Description: Alleged Sale of WordPress Shop to an Unidentified Company in North Macedonia
Source: DarkWebInformer
May 20th, 2025 (13 days ago)