CVE-2025-0316
Description: The WP Directorybox Manager plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.5. This is due to incorrect authentication in the 'wp_dp_enquiry_agent_contact_form_submit_callback' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
CVSS: CRITICAL (9.8) EPSS Score: 0.09%
February 9th, 2025 (2 months ago)
CVE-2025-25107
Description: Cross-Site Request Forgery (CSRF) vulnerability in sainwp OneStore Sites allows Cross Site Request Forgery. This issue affects OneStore Sites: from n/a through 0.1.1.
CVSS: CRITICAL (9.6) EPSS Score: 0.04%
February 8th, 2025 (2 months ago)
CVE-2025-25106
Description: Cross-Site Request Forgery (CSRF) vulnerability in FancyWP Starter Templates by FancyWP allows Cross Site Request Forgery. This issue affects Starter Templates by FancyWP: from n/a through 2.0.0.
CVSS: CRITICAL (9.6) EPSS Score: 0.04%
February 8th, 2025 (2 months ago)
CVE-2025-25101
Description: Cross-Site Request Forgery (CSRF) vulnerability in MetricThemes Munk Sites allows Cross Site Request Forgery. This issue affects Munk Sites: from n/a through 1.0.7.
CVSS: CRITICAL (9.6) EPSS Score: 0.04%
February 8th, 2025 (2 months ago)
CVE-2025-1107
Description: Unverified password change vulnerability in Janto, versions prior to r12. This could allow an unauthenticated attacker to change another user's password without knowing their current password. To exploit the vulnerability, the attacker must create a specific POST request and send it to the endpoint ‘/public/cgi/Gateway.php’.
CVSS: CRITICAL (9.9) EPSS Score: 0.04%
February 8th, 2025 (2 months ago)
CVE-2025-1077
Description: A security vulnerability has been identified in the IBL Software Engineering Visual Weather and derived products (NAMIS, Aero Weather, Satellite Weather). The vulnerability is present in the Product Delivery Service (PDS) component in specific server configurations where the PDS pipeline utilizes the IPDS pipeline with Message Editor Output Filters enabled. A remote unauthenticated attacker can exploit this vulnerability to send unauthenticated requests to execute the IPDS pipeline with specially crafted Form Properties, enabling remote execution of arbitrary Python code. This vulnerability could lead to a full system compromise of the affected server, particularly if Visual Weather services are run under a privileged user account—contrary to the documented installation best practices.
Upgrade to the patched versions 7.3.10 (or higher) or 8.6.0 (or higher).
CVSS: CRITICAL (9.5) EPSS Score: 0.04%
February 8th, 2025 (2 months ago)
CVE-2025-1061
Description: The Nextend Social Login Pro plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.1.16. This is due to insufficient verification on the user being supplied during the Apple OAuth authenticate request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
CVSS: CRITICAL (9.8) EPSS Score: 0.06%
February 8th, 2025 (2 months ago)
CVE-2025-0282
Description: Check out recommendations from CISA and others on how to protect network edge devices. Plus, OWASP has published the 10 risks associated with non-human identities. In addition, find out why ransomware payments plunged in 2024. And a new U.K. non-profit will categorize cyber incidents’ severity. And much more!

Dive into six things that are top of mind for the week ending Feb. 7.

1 - New cyber guides unpack how to secure network edge devices

Looking for insights and best practices for preventing and mitigating cyberattacks against network edge devices, such as routers, VPN gateways, IoT devices, web servers and internet-facing operational technology (OT) systems? You might want to check out new guidance published by several cybersecurity agencies this week.

“Foreign adversaries routinely exploit software vulnerabilities in network edge devices to infiltrate critical infrastructure networks and systems,” reads a statement from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

“These guidance documents detail various considerations and strategies for a more secure and resilient network both before and after a compromise,” the statement adds. These are the new guides, jointly published by cyber agencies from various countries:

Security Considerations for Edge Devices, led by the Canadian Centre for Cyber Security (CCCS), includes: A description of common threats to edge devices, such as misconfigurations and mismanagement; vulnerability exploitation; and denial of serv...
CVSS: CRITICAL (9.0)
February 7th, 2025 (2 months ago)
CVE-2025-24981
Description: MDC is a tool to take regular Markdown and write documents interacting deeply with a Vue component. In affected versions, unsafe parsing logic for URLs in Markdown can lead to arbitrary JavaScript execution because of a bypass of the existing guards around the `javascript:` protocol scheme in the URL. The parsing logic implemented in `props.ts` uses a deny-list approach to filter potentially malicious payloads, matching protocol schemes such as `javascript:` and others. These security guards can be bypassed by an adversary who provides JavaScript URLs with HTML entities encoded as hex strings. Applications that consume this library and parse Markdown from unvalidated sources could render anchor links vulnerable to XSS. This vulnerability has been addressed in version 0.13.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS: CRITICAL (9.3) EPSS Score: 0.05%
February 7th, 2025 (2 months ago)
CVE-2025-24786
Description: WhoDB is an open source database management tool. While the application only displays Sqlite3 databases present in the directory `/db`, there is no path traversal prevention in place. This allows an unauthenticated attacker to open any Sqlite3 database present on the host machine that the application is running on. Affected versions of WhoDB allow users to connect to Sqlite3 databases. By default, the databases must be present in `/db/` (or alternatively `./tmp/` if development mode is enabled). If no databases are present in the default directory, the UI indicates that the user is unable to open any databases. The database file name is a user-controlled value. This value is passed to `.Join()` together with the default directory in order to build the full path of the database file to open. No check is performed on whether the database file that is eventually opened actually resides in the default directory `/db`. This allows an attacker to use path traversal (`../../`) in order to open any Sqlite3 database present on the system. This issue has been addressed in version 0.45.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS: CRITICAL (10.0) EPSS Score: 0.05%
February 7th, 2025 (2 months ago)