Threat and Vulnerability Intelligence Database

CVE-2025-26936

Description: CVE-2025-26936: WordPress Fresh Framework Plugin <= 1.70.0 is vulnerable to Remote Code Execution (RCE)

CVSS: CRITICAL (10.0)

EPSS Score: 0.07%

Source: DarkWebInformer
March 10th, 2025 (3 months ago)

CVE-2025-26936

Description: Improper Control of Generation of Code ('Code Injection') vulnerability in NotFound Fresh Framework allows Code Injection. This issue affects Fresh Framework: from n/a through 1.70.0.

CVSS: CRITICAL (10.0)

EPSS Score: 0.07%

Source: CVE
March 10th, 2025 (3 months ago)

CVE-2025-26916

Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in EPC Massive Dynamic. This issue affects Massive Dynamic: from n/a through 8.2.

CVSS: CRITICAL (9.0)

EPSS Score: 0.14%

SSVC Exploitation: none

Source: CVE
March 10th, 2025 (3 months ago)

CVE-2025-0177

Description: The Javo Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.0.0.080. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
March 8th, 2025 (3 months ago)

CVE-2025-1315

Description: The InWave Jobs plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 3.5.1. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
March 7th, 2025 (3 months ago)

CVE-2024-12876

Description: The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.10. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
March 7th, 2025 (3 months ago)

CVE-2025-1475

Description: The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. This is due to insufficient verification on the 'user_phone' parameter when logging in. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if SMS login is enabled.

CVSS: CRITICAL (9.8)

EPSS Score: 0.16%

Source: CVE
March 7th, 2025 (3 months ago)

CVE-2024-12281

Description: The Homey theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.2. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the Editor or Shop Manager role.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
March 5th, 2025 (3 months ago)

CVE-2024-11951

Description: The Homey Login Register plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.0. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
March 5th, 2025 (3 months ago)

CVE-2025-1515

Description: The WP Real Estate Manager plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.8. This is due to insufficient identity verification on the LinkedIn login request process. This makes it possible for unauthenticated attackers to bypass official authentication and log in as any user on the site, including administrators.

CVSS: CRITICAL (9.8)

EPSS Score: 0.15%

Source: CVE
March 5th, 2025 (3 months ago)