CyberAlerts

CVE-2024-12213

WP Job Board Pro <= 1.2.76 - Unauthenticated Privilege Escalation via process_register

Description: The WP Job Board Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.76. This is due to the plugin allowing a user to supply the 'role' field when registering. This makes it possible for unauthenticated attackers to register as an administrator on vulnerable sites.

CVSS: CRITICAL (9.8)

EPSS Score: 0.09%

Source: CVE

February 13th, 2025 (4 months ago)

CVE-2024-10960

Brizy – Page Builder <= 2.6.4 - Authenticated (Contributor+) Arbitrary File Upload via storeUploads

Description: The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'storeUploads' function in all versions up to, and including, 2.6.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS: CRITICAL (9.9)

EPSS Score: 0.05%

Source: CVE

February 13th, 2025 (4 months ago)

CVE-2025-0181

WP Foodbakery <= 4.7 - Authentication Bypass in foodbakery_parse_request

Description: The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.7. This is due to the plugin not properly validating a user's identity prior to setting the current user and their authentication cookie. This makes it possible for unauthenticated attackers to gain access to a target user's (e.g. administrators) account.

CVSS: CRITICAL (9.8)

EPSS Score: 0.09%

Source: CVE

February 12th, 2025 (4 months ago)

CVE-2025-0180

WP Foodbakery <= 4.7 - Unauthenticated Privilege Escalation in foodbakery_registration_validation

Description: The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3. This is due to the plugin not properly restricting what user meta can be updated during profile registration. This makes it possible for unauthenticated attackers to register on the site as an administrator.

CVSS: CRITICAL (9.8)

EPSS Score: 0.09%

Source: CVE

February 12th, 2025 (4 months ago)

CVE-2024-13011

WP Foodbakery <= 4.7 - Unauthenticated Arbitrary File Upload

Description: The WP Foodbakery plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'upload_publisher_profile_image' function in versions up to, and including, 4.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS: CRITICAL (9.8)

EPSS Score: 0.09%

Source: CVE

February 11th, 2025 (4 months ago)

CVE-2025-0316

WP Directorybox Manager <= 2.5 - Authentication Bypass

Description: The WP Directorybox Manager plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.5. This is due to incorrect authentication in the 'wp_dp_enquiry_agent_contact_form_submit_callback' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

CVSS: CRITICAL (9.8)

EPSS Score: 0.09%

Source: CVE

February 9th, 2025 (4 months ago)

CVE-2025-25107

WordPress OneStore Sites plugin <= 0.1.1 - CSRF to Arbitrary Plugin Installation vulnerability

Description: Cross-Site Request Forgery (CSRF) vulnerability in sainwp OneStore Sites allows Cross Site Request Forgery. This issue affects OneStore Sites: from n/a through 0.1.1.

CVSS: CRITICAL (9.6)

EPSS Score: 0.04%

Source: CVE

February 8th, 2025 (4 months ago)

CVE-2025-25106

WordPress Starter Templates by FancyWP plugin <= 2.0.0 - CSRF to Arbitrary Plugin Installation vulnerability

Description: Cross-Site Request Forgery (CSRF) vulnerability in FancyWP Starter Templates by FancyWP allows Cross Site Request Forgery. This issue affects Starter Templates by FancyWP: from n/a through 2.0.0.

CVSS: CRITICAL (9.6)

EPSS Score: 0.04%

Source: CVE

February 8th, 2025 (4 months ago)

CVE-2025-25101

WordPress Munk Sites plugin <= 1.0.7 - CSRF to Arbitrary Plugin Installation vulnerability

Description: Cross-Site Request Forgery (CSRF) vulnerability in MetricThemes Munk Sites allows Cross Site Request Forgery. This issue affects Munk Sites: from n/a through 1.0.7.

CVSS: CRITICAL (9.6)

EPSS Score: 0.04%

Source: CVE

February 8th, 2025 (4 months ago)

CVE-2025-1061

Nextend Social Login Pro <= 3.1.16 - Authentication Bypass via Apple OAuth provider

Description: The Nextend Social Login Pro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.1.16. This is due to insufficient verification on the user being supplied during the Apple OAuth authenticate request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE

February 8th, 2025 (4 months ago)

Threat and Vulnerability Intelligence Database

Example Searches: