CVE-2025-26943
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jürgen Müller Easy Quotes allows Blind SQL Injection. This issue affects Easy Quotes: from n/a through 1.2.2.
CVSS: CRITICAL (9.3) EPSS Score: 0.04% SSVC Exploitation: none
February 25th, 2025

CVE-2025-26900
Description: Deserialization of Untrusted Data vulnerability in flexmls Flexmls® IDX allows Object Injection. This issue affects Flexmls® IDX: from n/a through 3.14.27.
CVSS: CRITICAL (9.8) EPSS Score: 0.06%
February 25th, 2025

CVE-2025-1128
Description: The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the 'format' method of the EVF_Form_Fields_Upload class in all versions up to, and including, 3.0.9.4. This makes it possible for unauthenticated attackers to upload, read, and delete arbitrary files on the affected site's server, which may make remote code execution, sensitive information disclosure, or a site takeover possible.
CVSS: CRITICAL (9.8) EPSS Score: 0.7%
February 25th, 2025

CVE-2025-26776
Description: Unrestricted Upload of File with Dangerous Type vulnerability in NotFound Chaty Pro allows Upload a Web Shell to a Web Server. This issue affects Chaty Pro: from n/a through 3.3.3.
CVSS: CRITICAL (10.0) EPSS Score: 0.05%
February 22nd, 2025

CVE-2025-26763
Description: Deserialization of Untrusted Data vulnerability in MetaSlider Responsive Slider by MetaSlider allows Object Injection. This issue affects Responsive Slider by MetaSlider: from n/a through 3.94.0.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
February 22nd, 2025

CVE-2024-13789
Description: The ravpage plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.31 via deserialization of untrusted input from the 'paramsv2' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present.
CVSS: CRITICAL (9.8) EPSS Score: 0.4%
February 21st, 2025

CVE-2024-9893
Description: The Nextend Social Login Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.1.14. This is due to insufficient verification of the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
CVSS: CRITICAL (9.8) EPSS Score: 0.46%
February 20th, 2025

CVE-2024-9501
Description: The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.0.7. This is due to insufficient verification of the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
CVSS: CRITICAL (9.8) EPSS Score: 0.72%
February 20th, 2025

CVE-2024-9488
Description: The Comments – wpDiscuz plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.6.24. This is due to insufficient verification of the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.
CVSS: CRITICAL (9.8) EPSS Score: 0.76%
February 20th, 2025

CVE-2025-22654
Description: Unrestricted Upload of File with Dangerous Type vulnerability in kodeshpa Simplified allows Using Malicious Files. This issue affects Simplified: from n/a through 1.0.6.
CVSS: CRITICAL (10.0) EPSS Score: 1.24%
February 19th, 2025