Threat and Vulnerability Intelligence Database


CVE-2024-1069

Description: The Contact Form Entries plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'view_page' function in versions up to, and including, 1.3.2. This makes it possible for authenticated attackers with administrator-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS: HIGH (7.2)

EPSS Score: 2.46%

SSVC Exploitation: none

Source: CVE
May 29th, 2025 (6 days ago)

CVE-2025-5287

Description: The Likes and Dislikes Plugin plugin for WordPress is vulnerable to SQL Injection via the 'post' parameter in all versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS: HIGH (7.5)

EPSS Score: 0.08%

Source: CVE
May 28th, 2025 (7 days ago)

CVE-2025-4800

Description: The MasterStudy LMS Pro plugin for WordPress is vulnerable to arbitrary file uploads due to a missing file type validation in the stm_lms_add_assignment_attachment function in all versions up to, and including, 4.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.

CVSS: HIGH (8.8)

EPSS Score: 0.25%

Source: CVE
May 28th, 2025 (7 days ago)

CVE-2025-5117

Description: The Property plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the use of the property_package_user_role metadata in versions 1.0.5 to 1.0.6. This makes it possible for authenticated attackers, with Author‐level access and above, to elevate their privileges to that of an administrator by creating a package post whose property_package_user_role is set to administrator and then submitting the PayPal registration form.

CVSS: HIGH (8.8)

EPSS Score: 0.05%

Source: CVE
May 27th, 2025 (8 days ago)

CVE-2025-4336

Description: The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This is only exploitable by unauthenticated attackers in default configurations where the default password is left as 1:1, or where the attacker gains access to the credentials.

CVSS: HIGH (8.1)

EPSS Score: 0.2%

Source: CVE
May 24th, 2025 (11 days ago)

CVE-2024-22309

Description: Deserialization of Untrusted Data vulnerability in QuantumCloud ChatBot with AI. This issue affects ChatBot with AI: from n/a through 5.1.0.

CVSS: HIGH (8.7)

EPSS Score: 0.22%

SSVC Exploitation: none

Source: CVE
May 23rd, 2025 (12 days ago)

CVE-2024-22305

Description: Authorization Bypass Through User-Controlled Key vulnerability in Kali Forms Contact Form builder with drag & drop for WordPress – Kali Forms. This issue affects Contact Form builder with drag & drop for WordPress – Kali Forms: from n/a through 2.3.36.

CVSS: HIGH (7.5)

EPSS Score: 0.07%

SSVC Exploitation: none

Source: CVE
May 23rd, 2025 (12 days ago)

CVE-2024-22283

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Delhivery Delhivery Logistics Courier. This issue affects Delhivery Logistics Courier: from n/a through 1.0.107.

CVSS: HIGH (8.5)

EPSS Score: 0.12%

SSVC Exploitation: none

Source: CVE
May 23rd, 2025 (12 days ago)

CVE-2024-22152

Description: Unrestricted Upload of File with Dangerous Type vulnerability in WebToffee Product Import Export for WooCommerce. This issue affects Product Import Export for WooCommerce: from n/a through 2.3.7.

CVSS: HIGH (8.0)

EPSS Score: 0.16%

SSVC Exploitation: none

Source: CVE
May 23rd, 2025 (12 days ago)

CVE-2025-48292

Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in GoodLayers Tourmaster allows PHP Local File Inclusion. This issue affects Tourmaster: from n/a through 5.3.8.

CVSS: HIGH (8.1)

EPSS Score: 0.15%

Source: CVE
May 23rd, 2025 (12 days ago)