Threat and Vulnerability Intelligence Database

CVE-2025-5392

Description: The GB Forms DB plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.2 via the gbfdb_talk_to_front() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server, which can be leveraged to inject backdoors or create new administrative user accounts, to name a few things.

CVSS: CRITICAL (9.8)

EPSS Score: 0.24%

Source: CVE
July 11th, 2025

CVE-2025-7401

Description: The Premium Age Verification / Restriction for WordPress plugin for WordPress is vulnerable to arbitrary file read and write due to the existence of an insufficiently protected remote support functionality in remote_tunnel.php in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to read from or write to arbitrary files on the affected site's server which may make the exposure of sensitive information or remote code execution possible.

CVSS: CRITICAL (9.8)

EPSS Score: 0.19%

Source: CVE
July 11th, 2025

CVE-2025-4606

Description: The Sala - Startup & SaaS WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. This is due to the theme not properly validating a user's identity prior to updating their details, such as the password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.

CVSS: CRITICAL (9.8)

EPSS Score: 0.1%

Source: CVE
July 9th, 2025

CVE-2025-34077

Description: An authentication bypass vulnerability exists in the WordPress Pie Register plugin ≤ 3.7.1.4 that allows unauthenticated attackers to impersonate arbitrary users by submitting a crafted POST request to the login endpoint. By setting social_site=true and manipulating the user_id_social_site parameter, an attacker can generate a valid WordPress session cookie for any user ID, including administrators. Once authenticated, the attacker may exploit plugin upload functionality to install a malicious plugin containing arbitrary PHP code, resulting in remote code execution on the underlying server.

CVSS: CRITICAL (10.0)

EPSS Score: 0.47%

Source: CVE
July 9th, 2025

CVE-2025-4855

Description: The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default secrets in the sb_encryption() function in all versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to bypass authorization and execute arbitrary AJAX actions defined in the sb_ajax_execute() function. An attacker can use this vulnerability to exploit CVE-2025-4828 and various other functions unauthenticated.

CVSS: CRITICAL (9.8)

EPSS Score: 0.1%

Source: CVE
July 9th, 2025

CVE-2025-4828

Description: The Support Board plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the sb_file_delete function in all versions up to, and including, 3.8.0. This makes it possible for attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). An attacker can leverage the CVE-2025-4855 vulnerability to exploit this vulnerability unauthenticated.

CVSS: CRITICAL (9.8)

EPSS Score: 1.05%

Source: CVE
July 9th, 2025

CVE-2025-52833

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in designthemes LMS allows SQL Injection. This issue affects LMS: from n/a through 9.1.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
July 4th, 2025

CVE-2025-52832

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpo-HR NGG Smart Image Search allows SQL Injection. This issue affects NGG Smart Image Search: from n/a through 3.4.1.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
July 4th, 2025

CVE-2025-52831

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in thanhtungtnt Video List Manager allows SQL Injection. This issue affects Video List Manager: from n/a through 1.7.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
July 4th, 2025

CVE-2025-52830

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bsecuretech bSecure – Your Universal Checkout allows Blind SQL Injection. This issue affects bSecure – Your Universal Checkout: from n/a through 1.7.9.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
July 4th, 2025