Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-26936
CVE-2025-26936: WordPress Fresh Framework Plugin <= 1.70.0 is vulnerable to Remote Code Execution (RCE)
Description: CVE-2025-26936: WordPress Fresh Framework Plugin <= 1.70.0 is vulnerable to Remote Code Execution (RCE)

CVSS: CRITICAL (10.0)

EPSS Score: 0.07%

Source: DarkWebInformer
March 10th, 2025 (3 months ago)

CVE-2025-26936
WordPress Fresh Framework plugin <= 1.70.0 - Unauthenticated Remote Code Execution (RCE) vulnerability
Description: Improper Control of Generation of Code ('Code Injection') vulnerability in NotFound Fresh Framework allows Code Injection. This issue affects Fresh Framework: from n/a through 1.70.0.

CVSS: CRITICAL (10.0)

EPSS Score: 0.07%

Source: CVE
March 10th, 2025 (3 months ago)

CVE-2025-26916
WordPress Massive Dynamic theme <= 8.2 - Unauthenticated Local File Inclusion vulnerability
Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in EPC Massive Dynamic. This issue affects Massive Dynamic: from n/a through 8.2.

CVSS: CRITICAL (9.0)

EPSS Score: 0.14%

SSVC Exploitation: none

Source: CVE
March 10th, 2025 (3 months ago)

CVE-2025-0177
Javo Core <= 3.0.0.080 - Unauthenticated Privilege Escalation in ajax_signup
Description: The Javo Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.0.0.080. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
March 8th, 2025 (3 months ago)

CVE-2025-1315
InWave Jobs <= 3.5.1 - Unauthenticated Privilege Escalation via Password Reset
Description: The InWave Jobs plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 3.5.1. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
March 7th, 2025 (3 months ago)

CVE-2024-12876
Golo - Directory & Listing, Travel WordPress Theme <= 1.6.10 - Missing Authorization to Privilege Escalation via Unauthenticated Arbitrary User Pas...
Description: The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.10. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
March 7th, 2025 (3 months ago)

CVE-2025-1475
WPCOM Member <= 1.7.5 - Authentication Bypass via 'user_phone'
Description: The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the 'user_phone' parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if SMS login is enabled.

CVSS: CRITICAL (9.8)

EPSS Score: 0.16%

Source: CVE
March 7th, 2025 (3 months ago)

CVE-2024-12281
Homey <= 2.4.2 - Unauthenticated Privilege Escalation in homey_save_profile
Description: The Homey theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.2. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the Editor or Shop Manager role.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
March 5th, 2025 (3 months ago)

CVE-2024-11951
Homey Login Register <= 2.4.0 - Unauthenticated Privilege Escalation in homey_register
Description: The Homey Login Register plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.0. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
March 5th, 2025 (3 months ago)

CVE-2025-1515
WP Real Estate Manager <= 2.8 - Authentication Bypass via Account Takeover
Description: The WP Real Estate Manager plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.8. This is due to insufficient identity verification on the LinkedIn login request process. This makes it possible for unauthenticated attackers to bypass official authentication and log in as any user on the site, including administrators.

CVSS: CRITICAL (9.8)

EPSS Score: 0.15%

Source: CVE
March 5th, 2025 (3 months ago)