CVE-2025-1671
Description: The Academist Membership plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.6. This is due to the academist_membership_check_facebook_user() function not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to log in as any user, including site administrators.
CVSS: CRITICAL (9.8) EPSS Score: 0.06%
March 1st, 2025 (about 2 months ago)

CVE-2025-1638
Description: The Alloggio Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user's identity through the alloggio_membership_init_rest_api_facebook_login and alloggio_membership_init_rest_api_google_login functions. This makes it possible for unauthenticated attackers to log in as any user, including administrators, without knowing a password.
CVSS: CRITICAL (9.8) EPSS Score: 0.15%
March 1st, 2025 (about 2 months ago)

CVE-2025-1564
Description: The SetSail Membership plugin for WordPress is vulnerable to in all versions up to, and including, 1.0.3. This is due to the plugin not properly verifying a user's identity through the social login. This makes it possible for unauthenticated attackers to log in as any user, including administrators, and take over access to their account.
CVSS: CRITICAL (9.8) EPSS Score: 0.06%
March 1st, 2025 (about 2 months ago)

CVE-2024-12824
Description: The Nokri – Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. This is due to the plugin not properly checking for an empty token value prior to updating their details like password. This makes it possible for unauthenticated attackers to change an arbitrary user's password, including administrators, and leverage that to gain access to their account.
CVSS: CRITICAL (9.8) EPSS Score: 42.85%
March 1st, 2025 (about 2 months ago)

CVE-2024-9193
Description: The WHMpress - WHMCS WordPress Integration Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.3-revision-0 via the whmpress_domain_search_ajax_extended_results() function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. Utilizing the /admin/services.php file, this can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
CVSS: CRITICAL (9.8) EPSS Score: 17.43%
February 28th, 2025 (about 2 months ago)

CVE-2024-8425
Description: The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' functions in all versions up to, and including, 2.6.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS: CRITICAL (9.8) EPSS Score: 0.13%
February 28th, 2025 (about 2 months ago)

CVE-2024-8420
Description: The DHVC Form plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.7. This is due to the plugin allowing a user to supply the 'role' field when registering. This makes it possible for unauthenticated attackers to register as an administrator on sites.
CVSS: CRITICAL (9.8) EPSS Score: 0.05%
February 28th, 2025 (about 2 months ago)

CVE-2024-31345
Description: Unrestricted Upload of File with Dangerous Type vulnerability in Sukhchain Singh Auto Poster. This issue affects Auto Poster: from n/a through 1.2.
CVSS: CRITICAL (9.1) EPSS Score: 0.91% SSVC Exploitation: none
February 26th, 2025 (about 2 months ago)

CVE-2025-26974
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPExperts.io WP Multi Store Locator allows Blind SQL Injection. This issue affects WP Multi Store Locator: from n/a through 2.5.1.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
February 25th, 2025 (about 2 months ago)

CVE-2025-26966
Description: Authentication Bypass Using an Alternate Path or Channel vulnerability in Aldo Latino PrivateContent. This issue affects PrivateContent: from n/a through 8.11.5.
CVSS: CRITICAL (9.8) EPSS Score: 0.08% SSVC Exploitation: none
February 25th, 2025 (about 2 months ago)