Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-4389 |
Description: The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the crawlomatic_generate_featured_image() function in all versions up to, and including, 2.6.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS: CRITICAL (9.8) EPSS Score: 0.2%
May 17th, 2025 (20 days ago)
|
|
Description: Overview
Session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access.
Am I Affected?
You are affected by this vulnerability if you meet the following pre-conditions:
Applications using the Auth0-PHP SDK, or the following SDKs that rely on the Auth0-PHP SDK:
a. Auth0/symfony,
b. Auth0/laravel-auth0,
c. Auth0/wordpress,
Session storage configured with CookieStore.
Fix
Upgrade Auth0/Auth0-PHP to v8.14.0. As an additional precautionary measure, we recommend rotating your cookie encryption keys. Note that once updated, any previous session cookies will be rejected.
Acknowledgement
Okta would like to thank Félix Charette for discovering this vulnerability.
References
https://github.com/auth0/auth0-PHP/security/advisories/GHSA-g98g-r7gf-2r25
https://github.com/auth0/laravel-auth0/security/advisories/GHSA-9fwj-9mjf-rhj3
https://github.com/auth0/symfony/security/advisories/GHSA-9wg9-93h9-j8ch
https://github.com/auth0/wordpress/security/advisories/GHSA-2f4r-34m4-3w8q
https://nvd.nist.gov/vuln/detail/CVE-2025-47275
https://github.com/auth0/auth0-PHP/commit/52a79480fdb246f59dbc089b81a784ae049bd389
https://github.com/auth0/auth0-PHP/releases/tag/8.14.0
https://github.com/advisories/GHSA-g98g-r7gf-2r25
CVSS: CRITICAL (9.1) EPSS Score: 0.04%
May 16th, 2025 (20 days ago)
|
|
CVE-2025-39481 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in imithemes Eventer allows Blind SQL Injection. This issue affects Eventer: from n/a through 3.9.6.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
May 16th, 2025 (20 days ago)
|
|
CVE-2025-32643 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPGYM allows Blind SQL Injection. This issue affects WPGYM: from n/a through 65.0.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
May 16th, 2025 (20 days ago)
|
|
CVE-2025-47275 |
Description: Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in unauthorized access. Certain pre-conditions are required to be vulnerable to this issue: Applications using the Auth0-PHP SDK, or the Auth0/symfony, Auth0/laravel-auth0, and Auth0/wordpress SDKs that rely on the Auth0-PHP SDK; and session storage configured with CookieStore. Upgrade Auth0/Auth0-PHP to v8.14.0 to receive a patch. As an additional precautionary measure, rotating cookie encryption keys is recommended. Note that once updated, any previous session cookies will be rejected.
CVSS: CRITICAL (9.1) EPSS Score: 0.04%
May 15th, 2025 (21 days ago)
|
|
CVE-2024-8673 |
Description: The Z-Downloads WordPress plugin before 1.11.7 does not properly validate uploaded files allowing for the uploading of SVGs containing malicious JavaScript.
CVSS: CRITICAL (9.1) EPSS Score: 4.34%
May 15th, 2025 (21 days ago)
|
|
CVE-2024-6809 |
Description: The Simple Video Directory WordPress plugin before 1.4.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.
CVSS: CRITICAL (9.8) EPSS Score: 0.06%
May 15th, 2025 (21 days ago)
|
|
CVE-2024-6159 |
Description: The Push Notification for Post and BuddyPress WordPress plugin before 1.9.4 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection
CVSS: CRITICAL (9.8) EPSS Score: 3.22%
May 15th, 2025 (21 days ago)
|
|
CVE-2025-4564 |
Description: The TicketBAI Facturas para WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation via the 'delpdf' action in all versions up to, and including, 3.18. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
CVSS: CRITICAL (9.8) EPSS Score: 0.6%
May 15th, 2025 (22 days ago)
|
|
CVE-2025-3917 |
Description: The 百度站长SEO合集(支持百度/神马/Bing/头条推送) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download_remote_image_to_media_library function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS: CRITICAL (9.8) EPSS Score: 0.17%
May 15th, 2025 (22 days ago)
|