CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-22679
WordPress Job Board Manager Plugin <= 2.1.60 - Reflected Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Job Board Manager allows Reflected XSS. This issue affects Job Board Manager: from n/a through 2.1.60.

CVSS: HIGH (7.1)

EPSS Score: 0.04%

Source: CVE
February 4th, 2025 (5 months ago)

CVE-2024-43333
WordPress Admin and Site Enhancements (ASE) Pro Plugin <= 7.6.2.1 - Privilege Escalation vulnerability
Description: Incorrect Privilege Assignment vulnerability in NotFound Admin and Site Enhancements (ASE) Pro allows Privilege Escalation. This issue affects Admin and Site Enhancements (ASE) Pro: from n/a through 7.6.2.1.

CVSS: HIGH (7.5)

EPSS Score: 0.04%

Source: CVE
February 4th, 2025 (5 months ago)

CVE-2024-13343
WooCommerce Customers Manager <= 31.3 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Description: The WooCommerce Customers Manager plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_assign_new_roles() function in all versions up to, and including, 31.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.

CVSS: HIGH (8.8)

EPSS Score: 0.05%

Source: CVE
February 4th, 2025 (5 months ago)

CVE-2024-12859
BoomBox Theme Extensions <= 1.8.0 - Authenticated (Contributor+) Local File Inclusion via Shortcode
Description: The BoomBox Theme Extensions plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.8.0 via the 'boombox_listing' shortcode 'type' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.

CVSS: HIGH (8.8)

EPSS Score: 0.05%

Source: CVE
February 4th, 2025 (5 months ago)

CVE-2024-12171
ELEX WordPress HelpDesk & Customer Ticketing System <= 3.2.6 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
Description: The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'eh_crm_agent_add_user' AJAX action in all versions up to, and including, 3.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new administrative user accounts.

CVSS: HIGH (8.8)

EPSS Score: 0.06%

Source: CVE
February 4th, 2025 (5 months ago)

CVE-2025-0366
Jupiter X Core <= 4.8.7 - Authenticated (Contributor+) SVG Upload to Local File Inclusion (Remote Code Execution)
Description: The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. In this specific case, an attacker can create a form that allows SVG uploads, upload an SVG file with malicious content and then include the SVG file in a post to achieve remote code execution. This means it is relatively easy to gain remote code execution as a contributor-level user and above by default.

CVSS: HIGH (8.8)

EPSS Score: 0.06%

Source: CVE
February 2nd, 2025 (5 months ago)

CVE-2025-24749
WordPress EZPZ SAML SP Single Sign On (SSO) plugin <= 1.2.5 - CSRF to Stored XSS vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in Overt Software Solutions LTD EZPZ SAML SP Single Sign On (SSO) allows Cross Site Request Forgery. This issue affects EZPZ SAML SP Single Sign On (SSO): from n/a through 1.2.5.

CVSS: HIGH (7.1)

EPSS Score: 0.04%

Source: CVE
February 1st, 2025 (5 months ago)

CVE-2025-24718
WordPress WP Sessions Time Monitoring Full Automatic Plugin <= 1.1.1 - Reflected Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SWIT WP Sessions Time Monitoring Full Automatic allows Reflected XSS. This issue affects WP Sessions Time Monitoring Full Automatic: from n/a through 1.1.1.

CVSS: HIGH (7.1)

EPSS Score: 0.04%

Source: CVE
February 1st, 2025 (5 months ago)

CVE-2025-24710
WordPress Gwolle Guestbook plugin <= 4.7.1 - Reflected Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marcel Pol Gwolle Guestbook allows Reflected XSS. This issue affects Gwolle Guestbook: from n/a through 4.7.1.

CVSS: HIGH (7.1)

EPSS Score: 0.04%

Source: CVE
February 1st, 2025 (5 months ago)

CVE-2025-24686
WordPress RegistrationMagic Plugin <= 6.0.3.3 - Reflected Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss User Registration Forms RegistrationMagic allows Reflected XSS. This issue affects RegistrationMagic: from n/a through 6.0.3.3.

CVSS: HIGH (7.1)

EPSS Score: 0.05%

Source: CVE
February 1st, 2025 (5 months ago)