CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2024-13468
Trash Duplicate and 301 Redirect <= 1.9 - Missing Authorization to Unauthenticated Arbitrary Post Deletion
Description: The Trash Duplicate and 301 Redirect plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'duplicates-action-top' action in all versions up to, and including, 1.9. This makes it possible for unauthenticated attackers to delete arbitrary posts/pages.

CVSS: HIGH (7.5)

EPSS Score: 0.04%

Source: CVE
February 20th, 2025 (4 months ago)

CVE-2024-11582
Subscribe2 – Form, Email Subscribers & Newsletters <= 10.43 - Unauthenticated Stored Cross-Site Scripting via IP Parameter
Description: The Subscribe2 – Form, Email Subscribers & Newsletters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ip parameter in all versions up to, and including, 10.43 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: HIGH (7.2)

EPSS Score: 0.09%

Source: CVE
February 20th, 2025 (4 months ago)

CVE-2024-10114
Social Login - WordPress / WooCommerce Plugin <= 2.7.7 - Authentication Bypass via WordPress.com OAuth provider
Description: The WooCommerce - Social Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.7.7. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.

CVSS: HIGH (8.1)

EPSS Score: 0.24%

Source: CVE
February 20th, 2025 (4 months ago)

CVE-2024-10097
Loginizer Security and Loginizer <= 1.9.2 - Authentication Bypass via WordPress.com OAuth provider
Description: The Loginizer Security and Loginizer plugins for WordPress are vulnerable to authentication bypass in all versions up to, and including, 1.9.2. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.

CVSS: HIGH (8.1)

EPSS Score: 0.55%

Source: CVE
February 20th, 2025 (4 months ago)

CVE-2024-10020
Heateor Social Login WordPress <= 1.1.35 - Authentication Bypass via Disqus OAuth provider
Description: The Heateor Social Login WordPress plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.1.35. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, if they have access to the email and the user does not have an already-existing account for the service returning the token. An attacker cannot authenticate as an administrator by default, but these accounts are also at risk if authentication for administrators has explicitly been allowed via the social login.

CVSS: HIGH (8.1)

EPSS Score: 0.45%

Source: CVE
February 20th, 2025 (4 months ago)

CVE-2025-22663
WordPress Paid Videochat Turnkey Site plugin <= 7.2.12 - Arbitrary File Deletion vulnerability
Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in videowhisper Paid Videochat Turnkey Site allows Path Traversal. This issue affects Paid Videochat Turnkey Site: from n/a through 7.2.12.

CVSS: HIGH (8.6)

EPSS Score: 0.07%

Source: CVE
February 19th, 2025 (4 months ago)

CVE-2025-22657
WordPress Atarim plugin <= 4.0.9 - Arbitrary Content Deletion vulnerability
Description: Missing Authorization vulnerability in Vito Peleg Atarim allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Atarim: from n/a through 4.0.9.

CVSS: HIGH (7.5)

EPSS Score: 0.06%

Source: CVE
February 19th, 2025 (4 months ago)

CVE-2025-22656
WordPress Cookie Monster Plugin <= 1.2.2 - Local File Inclusion vulnerability
Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Oscar Alvarez Cookie Monster allows PHP Local File Inclusion. This issue affects Cookie Monster: from n/a through 1.2.2.

CVSS: HIGH (8.1)

EPSS Score: 0.14%

Source: CVE
February 19th, 2025 (4 months ago)

CVE-2025-22639
WordPress Distance Rate Shipping for WooCommerce plugin <= 1.3.4 - SQL Injection vulnerability
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Distance Rate Shipping for WooCommerce allows Blind SQL Injection. This issue affects Distance Rate Shipping for WooCommerce: from n/a through 1.3.4.

CVSS: HIGH (8.5)

EPSS Score: 0.04%

Source: CVE
February 19th, 2025 (4 months ago)

CVE-2025-0817
FormCraft - Premium WordPress Form Builder <= 3.9.11 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload
Description: The FormCraft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.9.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

CVSS: HIGH (7.2)

EPSS Score: 0.11%

Source: CVE
February 19th, 2025 (4 months ago)