Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-2083
Logo Carousel Gutenberg Block <= 2.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via sliderId Parameter
Description: The Logo Carousel Gutenberg Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘sliderId’ parameter in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

Source: CVE
April 15th, 2025 (about 1 hour ago)

CVE-2025-2225
Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates <= 1.6.9 - Authenticated (Contributor+) Stored Cross-Site Sc...
Description: The Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘rael_title_tag' parameter in all versions up to, and including, 1.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 1.6.9.

CVSS: MEDIUM (6.4)

Source: CVE
April 15th, 2025 (about 5 hours ago)

CVE-2024-13610
Simple Social Media Share Buttons < 6.0.0 - Admin+ Stored XSS
Description: The Simple Social Media Share Buttons WordPress plugin before 6.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Source: CVE
April 15th, 2025 (about 5 hours ago)

CVE-2024-13207
Widget for Social Page Feeds < 6.4.2 - Admin+ Stored XSS
Description: The Widget for Social Page Feeds WordPress plugin before 6.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Source: CVE
April 15th, 2025 (about 5 hours ago)

CVE-2025-3470
TS Poll – Survey, Versus Poll, Image Poll, Video Poll <= 2.4.6 - Authenticated (Administrator+) SQL Injection via 's' Parameter
Description: The TS Poll – Survey, Versus Poll, Image Poll, Video Poll plugin for WordPress is vulnerable to SQL Injection via the s parameter in all versions up to, and including, 2.4.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS: MEDIUM (4.9)

SSVC Exploitation: none

Source: CVE
April 15th, 2025 (about 8 hours ago)

CVE-2024-11447
Community by PeepSo – Social Network, Membership, Registration, User Profiles, Premium – Mobile App <=7.0.3.0 - Reflected Cross-Site Scripting
Description: The Community by PeepSo – Download from PeepSo.com plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘filter’ parameter in all versions up to, and including, 7.0.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS: MEDIUM (6.1)

EPSS Score: 0.13%

SSVC Exploitation: none

Source: CVE
April 14th, 2025 (about 15 hours ago)

CVE-2025-27009
WordPress My auctions allegro plugin <= 3.6.20 - Cross Site Request Forgery (CSRF) vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in wphocus My auctions allegro allows Stored XSS.This issue affects My auctions allegro: from n/a through 3.6.20.

CVSS: HIGH (7.1)

EPSS Score: 0.03%

SSVC Exploitation: none

Source: CVE
April 14th, 2025 (about 23 hours ago)

CVE-2025-2563
User Registration & Membership < 4.1.2- Unauthenticated Privilege Escalation
Description: The User Registration & Membership WordPress plugin before 4.1.2 does not prevent users to set their account role when the Membership Addon is enabled, leading to a privilege escalation issue and allowing unauthenticated users to gain admin privileges

EPSS Score: 1.68%

Source: CVE
April 14th, 2025 (1 day ago)

CVE-2024-9230
PowerPress Podcasting < 11.9.18 - Author+ XSS via Podcast URL
Description: The PowerPress Podcasting plugin by Blubrry WordPress plugin before 11.9.18 does not sanitise and escape some of its settings when adding a podcast, which could allow author and above users to perform Stored Cross-Site Scripting attacks

EPSS Score: 0.02%

Source: CVE
April 14th, 2025 (1 day ago)

CVE-2025-1456
Royal Elementor Addons and Templates <= 1.7.1012 - Authenticated DOM-Based (Contributor+) Stored Cross-Site Scripting
Description: The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `widgetGrid`, `widgetCountDown`, and `widgetInstagramFeed` methods in all versions up to, and including, 1.7.1012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
April 12th, 2025 (3 days ago)