CVE-2025-1307 |
Description: The Newscrunch theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the newscrunch_install_and_activate_plugin() function in all versions up to, and including, 1.8.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS: CRITICAL (9.8) EPSS Score: 3.57%
March 4th, 2025 (about 2 months ago)
|
CVE-2025-0912 |
Description: The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.
CVSS: CRITICAL (9.8) EPSS Score: 1.62%
March 4th, 2025 (about 2 months ago)
|
CVE-2025-22273 |
Description: CVE-2025-22273: Allocation of Resources Without Limits or Throttling
CVSS: CRITICAL (9.3) EPSS Score: 0.05%
March 4th, 2025 (about 2 months ago)
|
CVE-2025-27590 |
Description: In oxidized-web (aka Oxidized Web) before 0.15.0, the RANCID migration page allows an unauthenticated user to gain control over the Linux user account that is running oxidized-web.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-27590
https://github.com/ytti/oxidized-web/commit/a5220a0ddc57b85cd122bffee228d3ed4901668e
https://github.com/ytti/oxidized-web/releases/tag/0.15.0
https://github.com/advisories/GHSA-jx6p-9c26-g373
CVSS: CRITICAL (9.0) EPSS Score: 0.13%
March 3rd, 2025 (about 2 months ago)
|
CVE-2024-0012 |
CVSS: CRITICAL (9.3)
March 3rd, 2025 (about 2 months ago)
|
CVE-2025-26206 |
Description: Cross Site Request Forgery vulnerability in sell done storefront v.1.0 allows a remote attacker to escalate privileges via the index.html component
CVSS: CRITICAL (9.0) EPSS Score: 0.05%
March 3rd, 2025 (about 2 months ago)
|
CVE-2025-27419 |
Description: WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Denial of Service (DoS) vulnerability exists in WeGIA. This vulnerability allows any unauthenticated user to cause the server to become unresponsive by performing aggressive spidering. The vulnerability is caused by recursive crawling of dynamically generated URLs and insufficient handling of large volumes of requests. This vulnerability is fixed in 3.2.16.
CVSS: CRITICAL (9.2) EPSS Score: 0.13%
March 3rd, 2025 (about 2 months ago)
|
CVE-2024-4885 |
🚨 Marked as known exploited on March 3rd, 2025 (about 2 months ago).
Description: WhatsUp Gold versions released before 2023.1.3 contain an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold. The WhatsUp.ExportUtilities.Export.GetFileWithoutZip method allows execution of commands with iisapppool\nmconsole privileges.
CVSS: CRITICAL (9.8) EPSS Score: 93.68% SSVC Exploitation: active
March 3rd, 2025 (about 2 months ago)
|
CVE-2024-4885 |
Description: Progress WhatsUp Gold contains a path traversal vulnerability that allows an unauthenticated attacker to achieve remote code execution.
CVSS: CRITICAL (9.8) EPSS Score: 93.68%
March 3rd, 2025 (about 2 months ago)
|
CVE-2025-27270 |
Description: Missing Authorization vulnerability in NotFound Residential Address Detection allows Privilege Escalation. This issue affects Residential Address Detection: from n/a through 2.5.4.
CVSS: CRITICAL (9.8) EPSS Score: 0.06%
March 3rd, 2025 (about 2 months ago)
|