Threat and Vulnerability Intelligence Database


CVE-2025-27007

🚨 Marked as known exploited on May 7th, 2025 (about 1 month ago).
Description: Incorrect Privilege Assignment vulnerability in Brainstorm Force SureTriggers allows Privilege Escalation. This issue affects SureTriggers: from n/a through 1.0.82.

CVSS: CRITICAL (9.8)

EPSS Score: 17.88%

SSVC Exploitation: none

Source: CVE
May 1st, 2025 (about 1 month ago)

CVE-2025-2907

Description: The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore, it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to modify the default_user_role to administrator and users_can_register, allowing them to register as an administrator of the site for complete site takeover.

CVSS: CRITICAL (9.8)

EPSS Score: 3.36%

Source: CVE
April 26th, 2025 (about 1 month ago)

CVE-2025-2470

Description: The Service Finder Bookings plugin for WordPress, used by the Service Finder - Directory and Job Board WordPress Theme, is vulnerable to privilege escalation in all versions up to, and including, 5.1. This is due to a lack of restriction on user role in the 'nsl_registration_store_extra_input' function. This makes it possible for unauthenticated attackers to register an account on the site with an arbitrary role, including Administrator, when registering via a social login. The Nextend Social Login plugin must be installed and configured to exploit the vulnerability.

CVSS: CRITICAL (9.8)

EPSS Score: 0.1%

SSVC Exploitation: none

Source: CVE
April 25th, 2025 (about 1 month ago)

CVE-2025-46264

Description: Unrestricted Upload of File with Dangerous Type vulnerability in Angelo Mandato PowerPress Podcasting allows Upload a Web Shell to a Web Server. This issue affects PowerPress Podcasting: from n/a through 11.12.5.

CVSS: CRITICAL (9.9)

EPSS Score: 0.05%

Source: CVE
April 24th, 2025 (about 1 month ago)

CVE-2025-46248

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in M A Vinoth Kumar Frontend Dashboard allows SQL Injection. This issue affects Frontend Dashboard: from n/a through 2.2.5.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
April 24th, 2025 (about 1 month ago)

CVE-2024-0610

Description: The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'MerchantReference' parameter in all versions up to, and including, 1.6.5.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS: CRITICAL (9.8)

EPSS Score: 0.46%

SSVC Exploitation: none

Source: CVE
April 24th, 2025 (about 1 month ago)

CVE-2025-3604

Description: The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details, such as their email address. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account.

CVSS: CRITICAL (9.8)

EPSS Score: 0.1%

Source: CVE
April 24th, 2025 (about 1 month ago)

CVE-2025-3603

Description: The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. This is due to the plugin not properly validating a user's identity prior to updating their details, such as their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their account.

CVSS: CRITICAL (9.8)

EPSS Score: 0.1%

Source: CVE
April 24th, 2025 (about 1 month ago)

CVE-2025-1093

Description: The AIHub theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the generate_image function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS: CRITICAL (9.8)

EPSS Score: 0.2%

Source: CVE
April 19th, 2025 (about 2 months ago)

CVE-2025-3278

Description: The UrbanGo Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.4. This is due to the plugin allowing users who are registering new accounts to set their own role by supplying the 'user_register_role' field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.

CVSS: CRITICAL (9.8)

EPSS Score: 0.1%

Source: CVE
April 19th, 2025 (about 2 months ago)