Threat and Vulnerability Intelligence Database

CVE-2024-56000

Description: Incorrect Privilege Assignment vulnerability in NotFound K Elements allows Privilege Escalation. This issue affects K Elements: from n/a through n/a.

CVSS: CRITICAL (9.8)

EPSS Score: 0.11%

Source: CVE
February 19th, 2025 (about 2 months ago)

CVE-2024-13725

Description: The Keap Official Opt-in Forms plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.1 via the service parameter. This makes it possible for unauthenticated attackers to include PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included. If register_argc_argv is enabled on the server and pearcmd.php is installed, this issue might lead to Remote Code Execution.

CVSS: CRITICAL (9.8)

EPSS Score: 0.32%

Source: CVE
February 19th, 2025 (about 2 months ago)

CVE-2024-12860

Description: The CarSpot – Dealership Wordpress Classified Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.4.3. This is due to the plugin not properly validating a token prior to updating a user's password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
February 19th, 2025 (about 2 months ago)

CVE-2025-22290

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology LTL Freight Quotes – FreightQuote Edition allows SQL Injection. This issue affects LTL Freight Quotes – FreightQuote Edition: from n/a through 2.3.11.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
February 17th, 2025 (2 months ago)

CVE-2024-13513

Description: The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.2.3 via the logging functionality. This makes it possible for unauthenticated attackers to extract sensitive data including the plugin's clientToken, which in turn can be used to change user account information including emails and account type. This allows attackers to then change account passwords resulting in a complete site takeover. Version 2.4.2.3 disabled logging but left sites with existing log files vulnerable.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
February 16th, 2025 (2 months ago)

CVE-2024-12562

Description: The s2Member Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 241216 via deserialization of untrusted input from the 's2member_pro_remote_op' vulnerable parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CVSS: CRITICAL (9.8)

EPSS Score: 0.07%

Source: CVE
February 16th, 2025 (2 months ago)

CVE-2025-22630

Description: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in MarketingFire Widget Options allows OS Command Injection. This issue affects Widget Options: from n/a through 4.1.0.

CVSS: CRITICAL (9.9)

EPSS Score: 0.04%

Source: CVE
February 15th, 2025 (2 months ago)

CVE-2024-13182

Description: The WP Directorybox Manager plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.5. This is due to incorrect authentication in the 'wp_dp_parse_request' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator.

CVSS: CRITICAL (9.8)

EPSS Score: 0.09%

Source: CVE
February 14th, 2025 (2 months ago)

CVE-2024-10763

Description: The Campress theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.35 via the 'campress_woocommerce_get_ajax_products' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.

CVSS: CRITICAL (9.8)

EPSS Score: 0.09%

Source: CVE
February 14th, 2025 (2 months ago)

CVE-2024-13421

Description: The Real Estate 7 WordPress theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.1. This is due to the plugin not properly restricting the roles allowed to be selected during registration. This makes it possible for unauthenticated attackers to register a new administrative user account.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
February 13th, 2025 (2 months ago)