CVE-2025-1661 |
Description: The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.6.5 via the 'template' parameter of the woof_text_search AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
CVSS: CRITICAL (9.8) EPSS Score: 76.3%
March 11th, 2025 (about 1 month ago)
|
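The HUSKY entry above describes the classic shape of a WordPress local file inclusion: a request parameter reaches `include` unchanged through an AJAX action that is also registered for unauthenticated callers. The example below is added here to illustrate that pattern and its fix; it is not the HUSKY plugin's own code, and the handler names (`demo_search_vulnerable`, `demo_search_safe`), the `templates/` layout and the allowed template names are assumptions.

```php
<?php
// Added illustrative code, not the HUSKY plugin's source. Handler names,
// directory layout and the allowlist are assumptions.

// VULNERABLE PATTERN: a request-controlled value is concatenated into include().
// An unauthenticated POST to admin-ajax.php with
//   action=demo_search_vulnerable&template=../../../uploads/2025/03/avatar.png
// walks from wp-content/plugins/<plugin>/templates/ up to wp-content/uploads/
// and includes the "image"; any <?php ... ?> inside it is executed.
function demo_search_vulnerable() {
    $template = isset( $_REQUEST['template'] ) ? $_REQUEST['template'] : 'default.php';
    include plugin_dir_path( __FILE__ ) . 'templates/' . $template;
    wp_die();
}
// The nopriv hook is what makes the bug reachable without a login; dropping it
// alone is not a fix, because any subscriber could still traverse.
add_action( 'wp_ajax_nopriv_demo_search_vulnerable', 'demo_search_vulnerable' );
add_action( 'wp_ajax_demo_search_vulnerable', 'demo_search_vulnerable' );

// HARDENED: map the request value onto a fixed set of template names, then
// confirm the resolved path still lives under the plugin's templates directory.
function demo_resolve_template( $requested ) {
    $allowed = array( 'default', 'compact', 'grid' );   // assumption: the shipped templates
    $name    = sanitize_key( $requested );              // lowercase [a-z0-9_-] only
    if ( ! in_array( $name, $allowed, true ) ) {
        $name = 'default';
    }
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $path = realpath( $base . '/' . $name . '.php' );
    // realpath() returns false for a missing file; the prefix check defeats
    // traversal even if someone later relaxes the allowlist.
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $path;
}

function demo_search_safe() {
    $requested = isset( $_REQUEST['template'] ) ? wp_unslash( $_REQUEST['template'] ) : 'default';
    $path      = demo_resolve_template( $requested );
    if ( false === $path ) {
        wp_send_json_error( 'unknown template', 400 );   // exits
    }
    include $path;
    wp_die();
}
add_action( 'wp_ajax_nopriv_demo_search_safe', 'demo_search_safe' );
add_action( 'wp_ajax_demo_search_safe', 'demo_search_safe' );
```

Two layers matter in the hardened version: the allowlist decides what may be included at all, and the `realpath` prefix check guarantees that even a bad allowlist entry cannot escape the templates directory. Appending a fixed `.php` suffix on its own is not sufficient, since traversal to an attacker-uploaded or existing `.php` file still works.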
CVE-2025-26936 |
Description: CVE-2025-26936: WordPress Fresh Framework Plugin <= 1.70.0 is vulnerable to Remote Code Execution (RCE). Improper Control of Generation of Code ('Code Injection') vulnerability in NotFound Fresh Framework allows Code Injection. This issue affects Fresh Framework: from n/a through 1.70.0.
CVSS: CRITICAL (10.0) EPSS Score: 0.07%
March 10th, 2025 (about 1 month ago)
|
CVE-2025-26916 |
Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in EPC Massive Dynamic. This issue affects Massive Dynamic: from n/a through 8.2.
CVSS: CRITICAL (9.0) EPSS Score: 0.14% SSVC Exploitation: none
March 10th, 2025 (about 1 month ago)
|
CVE-2025-0177 |
Description: The Javo Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.0.0.080. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.
CVSS: CRITICAL (9.8) EPSS Score: 0.06%
March 8th, 2025 (about 1 month ago)
|
CVE-2025-1315 |
Description: The InWave Jobs plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 3.5.1. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
CVSS: CRITICAL (9.8) EPSS Score: 0.06%
March 7th, 2025 (about 1 month ago)
|
CVE-2024-12876 |
Description: The Golo - City Travel Guide WordPress Theme is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.10. This is due to the theme not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.
CVSS: CRITICAL (9.8) EPSS Score: 0.06%
March 7th, 2025 (about 1 month ago)
|
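The InWave Jobs and Golo entries above share one root cause: a password-update handler that trusts the submitted username instead of the reset key that was e-mailed to the account owner. The example below is added to show that bug beside the core-API fix; it is not the code of either product, and the handler names and POST parameter names are assumptions.

```php
<?php
// Added illustrative code, not the InWave Jobs or Golo source. Handler and
// parameter names are assumptions.

// VULNERABLE PATTERN: the caller names the account and supplies a new password;
// nothing proves the caller ever received the reset link for that account.
function demo_reset_vulnerable() {
    $login    = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $new_pass = (string) ( $_POST['new_password'] ?? '' );
    $user     = get_user_by( 'login', $login );
    if ( $user ) {
        reset_password( $user, $new_pass );   // user_login=admin => admin takeover
        wp_send_json_success( 'password changed' );
    }
    wp_send_json_error( 'no such user', 404 );
}
add_action( 'wp_ajax_nopriv_demo_reset_vulnerable', 'demo_reset_vulnerable' );

// HARDENED: the request must carry the key WordPress generated for this login.
// check_password_reset_key() compares it against the stored hash and enforces
// the expiry, so the handler never selects the user from the login alone.
function demo_reset_safe() {
    $login    = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $key      = sanitize_text_field( wp_unslash( $_POST['key'] ?? '' ) );
    $new_pass = (string) ( $_POST['new_password'] ?? '' );

    if ( '' === $login || '' === $key || strlen( $new_pass ) < 12 ) {
        wp_send_json_error( 'bad request', 400 );
    }
    $user = check_password_reset_key( $key, $login );   // WP_User or WP_Error
    if ( is_wp_error( $user ) ) {
        // Same response for invalid, expired and mismatched keys: no user enumeration.
        wp_send_json_error( 'invalid or expired key', 403 );
    }
    // reset_password() -> wp_set_password() stores the new hash and clears the
    // activation key, so the same key cannot be replayed.
    reset_password( $user, $new_pass );
    wp_send_json_success( 'password changed' );
}
add_action( 'wp_ajax_nopriv_demo_reset_safe', 'demo_reset_safe' );
```

When auditing a plugin or theme for this class, grep for `reset_password(`, `wp_set_password(` and `wp_update_user(` with `user_pass` and check whether the user object on that line was obtained from `check_password_reset_key()` or from a request parameter.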
CVE-2025-1475 |
Description: The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the 'user_phone' parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if SMS login is enabled.
CVSS: CRITICAL (9.8) EPSS Score: 0.16%
March 7th, 2025 (about 1 month ago)
|
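The WPCOM Member entry above is the SMS-login variant of the same identity problem: the phone number selects the account, but nothing proves the caller controls that phone. The example below is added to show the bug beside a one-time-code flow with single use and attempt limiting; it is not WPCOM Member's code, and the `user_phone` meta key, the transient names and the handler names are assumptions.

```php
<?php
// Added illustrative code, not the WPCOM Member source. The meta key,
// transient names and handler names are assumptions.

// VULNERABLE PATTERN: a phone number on record is enough to become that user.
function demo_sms_login_vulnerable() {
    $phone = sanitize_text_field( wp_unslash( $_POST['user_phone'] ?? '' ) );
    $users = get_users( array( 'meta_key' => 'user_phone', 'meta_value' => $phone, 'number' => 1 ) );
    if ( $users ) {
        wp_set_auth_cookie( $users[0]->ID, true );   // user_phone=<admin's number> => admin session
        wp_send_json_success( 'logged in' );
    }
    wp_send_json_error( 'unknown phone', 403 );
}
add_action( 'wp_ajax_nopriv_demo_sms_login_vulnerable', 'demo_sms_login_vulnerable' );

// HARDENED, step 1: issue a short-lived code bound to the phone. Sending the
// SMS is out of scope; the code is stored hashed so a database read alone
// does not disclose it.
function demo_sms_issue_code( $phone ) {
    $code = (string) random_int( 100000, 999999 );
    set_transient( 'demo_sms_' . md5( $phone ), wp_hash_password( $code ), 5 * MINUTE_IN_SECONDS );
    return $code;   // hand this to the SMS gateway, never to the HTTP response
}

// HARDENED, step 2: the phone selects the account only after the code proves
// possession, the code is single-use, and guesses are capped.
function demo_sms_login_safe() {
    $phone     = sanitize_text_field( wp_unslash( $_POST['user_phone'] ?? '' ) );
    $code      = sanitize_text_field( wp_unslash( $_POST['code'] ?? '' ) );
    $code_key  = 'demo_sms_' . md5( $phone );
    $tries_key = 'demo_sms_tries_' . md5( $phone );

    $tries = (int) get_transient( $tries_key );
    if ( $tries >= 5 ) {   // a 6-digit code is trivially brute-forced without this
        wp_send_json_error( 'too many attempts', 429 );
    }
    $hash = get_transient( $code_key );
    if ( false === $hash || '' === $code || ! wp_check_password( $code, $hash ) ) {
        set_transient( $tries_key, $tries + 1, 5 * MINUTE_IN_SECONDS );
        wp_send_json_error( 'invalid code', 403 );
    }
    delete_transient( $code_key );    // single use: an intercepted code cannot be replayed
    delete_transient( $tries_key );

    $users = get_users( array( 'meta_key' => 'user_phone', 'meta_value' => $phone, 'number' => 2 ) );
    if ( 1 !== count( $users ) ) {    // refuse a missing or ambiguous phone->user mapping
        wp_send_json_error( 'no unique account for this phone', 403 );
    }
    wp_set_auth_cookie( $users[0]->ID, false );
    wp_send_json_success( 'logged in' );
}
add_action( 'wp_ajax_nopriv_demo_sms_login_safe', 'demo_sms_login_safe' );
```

The `number => 2` query with a strict count check is deliberate: if two accounts ever share a phone value (an attacker registering with the victim's number, for instance), the login must fail closed rather than pick the first row.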
CVE-2024-12281 |
Description: The Homey theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.2. This is due to the theme allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the Editor or Shop Manager role.
CVSS: CRITICAL (9.8) EPSS Score: 0.06%
March 5th, 2025 (about 2 months ago)
|
CVE-2024-11951 |
Description: The Homey Login Register plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.0. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.
CVSS: CRITICAL (9.8) EPSS Score: 0.06%
March 5th, 2025 (about 2 months ago)
|
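The Javo Core, Homey and Homey Login Register entries above are all the same bug: a registration form whose `role` field is passed to `wp_insert_user()` as submitted. The example below is added to show that pattern beside a handler that only ever assigns roles the form is meant to offer; it is not the code of any of those products, and the handler names, form field names and the offered-role list are assumptions.

```php
<?php
// Added illustrative code, not the Javo Core / Homey source. Handler names,
// field names and the offered-role list are assumptions.

// VULNERABLE PATTERN: whatever the client sends as "role" becomes the account's
// role, so role=administrator (or editor, shop_manager) creates a privileged user.
function demo_register_vulnerable() {
    $id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => sanitize_text_field( wp_unslash( $_POST['role'] ?? 'subscriber' ) ),
    ) );
    if ( is_wp_error( $id ) ) {
        wp_send_json_error( $id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'id' => $id ) );
}
add_action( 'wp_ajax_nopriv_demo_register_vulnerable', 'demo_register_vulnerable' );

// HARDENED: the client may only pick among the roles this form offers. The
// check is against that short list, never against "every role that exists",
// and anything else silently falls back to the site's default role.
function demo_pick_registration_role( $requested ) {
    $offered   = array( 'subscriber', 'customer' );   // assumption: what the form offers
    $requested = sanitize_key( $requested );
    if ( in_array( $requested, $offered, true ) && get_role( $requested ) ) {
        return $requested;
    }
    return get_option( 'default_role', 'subscriber' );
}

function demo_register_safe() {
    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'registration disabled', 403 );
    }
    check_ajax_referer( 'demo_register', 'nonce' );   // assumption: the form carries this nonce
    $id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => demo_pick_registration_role( wp_unslash( $_POST['role'] ?? '' ) ),
    ) );
    if ( is_wp_error( $id ) ) {
        wp_send_json_error( $id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'id' => $id ) );
}
add_action( 'wp_ajax_nopriv_demo_register_safe', 'demo_register_safe' );
```

The same rule applies to profile-update handlers that accept `role` or `capabilities` in `$_POST`, and to `wp_update_user()` calls fed from a request: the role must come from a server-side decision, not from the client. Reviewing a site after one of these CVEs means listing users created during the exposure window and checking for unexpected `administrator`, `editor` or `shop_manager` entries.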