CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2024-51615 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Owen Cutajar & Hyder Jaffari WordPress Auction Plugin allows SQL Injection.This issue affects WordPress Auction Plugin: from n/a through 3.7.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
December 7th, 2024 (7 months ago)
|
|
CVE-2024-12155 |
Description: The SV100 Companion plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the settings_import() function in all versions up to, and including, 2.0.02. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
CVSS: CRITICAL (9.8) EPSS Score: 0.09%
December 7th, 2024 (7 months ago)
|
|
CVE-2024-54221 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Roninwp FAT Services Booking.This issue affects FAT Services Booking: from n/a through 5.6.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
December 5th, 2024 (7 months ago)
|
|
CVE-2023-3249 |
Description: The Web3 – Crypto wallet Login & NFT token gating plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.6.0. This is due to incorrect authentication checking in the 'hidden_form_data' function. This makes it possible for authenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
December 4th, 2024 (7 months ago)
|
|
CVE-2023-2278 |
Description: The WP Directory Kit plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.1.9 via the 'wdk_public_action' function. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
CVSS: CRITICAL (9.8) EPSS Score: 0.34%
December 4th, 2024 (7 months ago)
|
|
CVE-2024-52476 |
Description: Unrestricted Upload of File with Dangerous Type vulnerability in stefanbohacek Fediverse Embeds allows Upload a Web Shell to a Web Server.This issue affects Fediverse Embeds: from n/a through 1.5.3.
CVSS: CRITICAL (10.0) EPSS Score: 0.04%
December 3rd, 2024 (7 months ago)
|
|
CVE-2024-11925 |
Description: The JobSearch WP Job Board plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.6.7. This is due to the plugin not properly verifying a users identity when verifying an email address through the user_account_activation function. This makes it possible for unauthenticated attackers to log in as any user, including site administrators if the users email is known.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
November 29th, 2024 (7 months ago)
|
|
CVE-2024-11082 |
Description: The Tumult Hype Animations plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the hypeanimations_panel() function in all versions up to, and including, 1.9.15. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS: CRITICAL (9.9) EPSS Score: 0.05%
November 29th, 2024 (7 months ago)
|
|
CVE-2024-8672 |
Description: The Widget Options – The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.0.7 via the display logic functionality that extends several page builders. This is due to the plugin allowing users to supply input that will be passed through eval() without any filtering or capability checks. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server. Special note: We suggested the vendor implement an allowlist of functions and limit the ability to execute commands to just administrators, however, they did not take our advice. We are considering this patched, however, we believe it could still be further hardened and there may be residual risk with how the issue is currently patched.
CVSS: CRITICAL (9.9) EPSS Score: 0.05%
November 29th, 2024 (7 months ago)
|
|
CVE-2024-52490 |
Description: Unrestricted Upload of File with Dangerous Type vulnerability in Pathomation allows Upload a Web Shell to a Web Server.This issue affects Pathomation: from n/a through 2.5.1.
CVSS: CRITICAL (10.0) EPSS Score: 0.04%
November 29th, 2024 (7 months ago)
|