Threat and Vulnerability Intelligence Database

CVE-2024-13787

Description: The VEDA - MultiPurpose WordPress Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.2 via deserialization of untrusted input in the 'veda_backup_and_restore_action' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present.

CVSS: CRITICAL (9.8)

EPSS Score: 0.12%

Source: CVE
March 5th, 2025 (3 months ago)

CVE-2025-1307

Description: The Newscrunch theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the newscrunch_install_and_activate_plugin() function in all versions up to, and including, 1.8.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS: CRITICAL (9.8)

EPSS Score: 3.57%

Source: CVE
March 4th, 2025 (3 months ago)

CVE-2025-0912

Description: The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.

CVSS: CRITICAL (9.8)

EPSS Score: 1.62%

Source: CVE
March 4th, 2025 (3 months ago)

CVE-2025-27270

Description: Missing Authorization vulnerability in NotFound Residential Address Detection allows Privilege Escalation. This issue affects Residential Address Detection: from n/a through 2.5.4.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
March 3rd, 2025 (3 months ago)

CVE-2025-27268

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology Small Package Quotes – Worldwide Express Edition allows SQL Injection. This issue affects Small Package Quotes – Worldwide Express Edition: from n/a through 5.2.18.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
March 3rd, 2025 (3 months ago)

CVE-2025-26988

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozy Vision SMS Alert Order Notifications – WooCommerce allows SQL Injection. This issue affects SMS Alert Order Notifications – WooCommerce: from n/a through 3.7.8.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
March 3rd, 2025 (3 months ago)

CVE-2025-26970

Description: Improper Control of Generation of Code ('Code Injection') vulnerability in NotFound Ark Theme Core allows Code Injection. This issue affects Ark Theme Core: from n/a through 1.70.0.

CVSS: CRITICAL (10.0)

EPSS Score: 0.07%

Source: CVE
March 3rd, 2025 (3 months ago)

CVE-2025-26535

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Bitcoin / AltCoin Payment Gateway for WooCommerce allows Blind SQL Injection. This issue affects Bitcoin / AltCoin Payment Gateway for WooCommerce: from n/a through 1.7.6.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
March 3rd, 2025 (3 months ago)

CVE-2025-25150

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix uListing allows Blind SQL Injection. This issue affects uListing: from n/a through 2.1.6.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
March 3rd, 2025 (3 months ago)

CVE-2025-1671

Description: The Academist Membership plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.6. This is due to the academist_membership_check_facebook_user() function not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to log in as any user, including site administrators.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
March 1st, 2025 (3 months ago)