Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-1061
Nextend Social Login Pro <= 3.1.16 - Authentication Bypass via Apple OAuth provider
Description: The Nextend Social Login Pro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.1.16. This is due to insufficient verification on the user being supplied during the Apple OAuth authenticate request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
February 8th, 2025 (2 months ago)

CVE-2025-24677
WordPress Post/Page Copying Tool to Export and Import post/page for Cross site Migration Plugin <= 2.0.3 - Remote Code Execution (RCE) vulnerability
Description: Improper Control of Generation of Code ('Code Injection') vulnerability in WPSpins Post/Page Copying Tool allows Remote Code Inclusion. This issue affects Post/Page Copying Tool: from n/a through 2.0.3.

CVSS: CRITICAL (9.9)

EPSS Score: 0.04%

Source: CVE
February 5th, 2025 (2 months ago)

CVE-2025-22699
WordPress Traveler Code plugin <= 3.1.0 - Unauthenticated Arbitrary SQL Execution vulnerability
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Traveler Code. This issue affects Traveler Code: from n/a through 3.1.0.

CVSS: CRITICAL (9.0)

EPSS Score: 0.04%

Source: CVE
February 5th, 2025 (2 months ago)

CVE-2025-24661
WordPress Taxi Booking Manager for WooCommerce plugin <= 1.1.8 - PHP Object Injection vulnerability
Description: Deserialization of Untrusted Data vulnerability in MagePeople Team Taxi Booking Manager for WooCommerce allows Object Injection. This issue affects Taxi Booking Manager for WooCommerce: from n/a through 1.1.8.

CVSS: CRITICAL (9.8)

EPSS Score: 0.04%

Source: CVE
February 4th, 2025 (3 months ago)

CVE-2025-0493
MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.14 - Unauthenticated Limited Local File Inclusion
Description: The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Limited Local File Inclusion in all versions up to, and including, 4.2.14 via the tabname parameter. This makes it possible for unauthenticated attackers to include PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
February 1st, 2025 (3 months ago)

CVE-2024-13742
iControlWP – Multiple WordPress Site Manager <= 4.4.5 - Unauthenticated PHP Object Injection
Description: The iControlWP – Multiple WordPress Site Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.5 via deserialization of untrusted input from the reqpars parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
January 31st, 2025 (3 months ago)

CVE-2024-12822
Media Manager for UserPro <= 3.12.0 - Missing Authorization to Unauthenticated Arbitrary Options Update
Description: The Media Manager for UserPro plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the add_capto_img() function in all versions up to, and including, 3.11.0. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

CVSS: CRITICAL (9.8)

EPSS Score: 0.09%

Source: CVE
January 31st, 2025 (3 months ago)

CVE-2024-13448
ThemeREX Addons <= 2.32.3 - Unauthenticated Arbitrary File Upload in trx_addons_uploads_save_data
Description: The ThemeREX Addons plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'trx_addons_uploads_save_data' function in all versions up to, and including, 2.32.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS: CRITICAL (9.8)

EPSS Score: 0.09%

Source: CVE
January 29th, 2025 (3 months ago)

CVE-2025-24671
WordPress Save as PDF Plugin by Pdfcrowd Plugin <= 4.4.0 - PHP Object Injection vulnerability
Description: Deserialization of Untrusted Data vulnerability in Pdfcrowd Save as PDF plugin by Pdfcrowd allows Object Injection. This issue affects Save as PDF plugin by Pdfcrowd: from n/a through 4.4.0.

CVSS: CRITICAL (9.8)

EPSS Score: 0.04%

Source: CVE
January 28th, 2025 (3 months ago)

CVE-2025-24667
WordPress Small Package Quotes Plugin <= 5.2.17 - SQL Injection vulnerability
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eniture Technology Small Package Quotes – Worldwide Express Edition allows SQL Injection. This issue affects Small Package Quotes – Worldwide Express Edition: from n/a through 5.2.17.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
January 28th, 2025 (3 months ago)