Threat and Vulnerability Intelligence Database

CVE-2025-0667

Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BOINC Server allows Stored XSS. This issue affects BOINC Server: through 1.4.7.

CVSS: HIGH (8.7)

EPSS Score: 0.06%

Source: CVE
May 7th, 2025 (about 2 months ago)

CVE-2025-0666

Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in BOINC Server allows Stored XSS. This issue affects BOINC Server: through 1.4.7.

CVSS: HIGH (7.0)

EPSS Score: 0.06%

Source: CVE
May 7th, 2025 (about 2 months ago)

CVE-2025-4335

Description: The Woocommerce Multiple Addresses plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.7.1. This is due to insufficient restrictions on user meta that can be updated through the save_multiple_shipping_addresses() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.

CVSS: HIGH (8.8)

EPSS Score: 0.04%

Source: CVE
May 7th, 2025 (about 2 months ago)

CVE-2025-3921

Description: The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handel_ajax_req() function in versions 1.9.1 to 7.5.2. This makes it possible for unauthenticated attackers to update arbitrary user's metadata which can be leveraged to block an administrator from accessing their site when wp_capabilities is set to 0.

CVSS: HIGH (8.2)

EPSS Score: 0.07%

Source: CVE
May 7th, 2025 (about 2 months ago)

CVE-2025-3852

Description: The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.0 to 2.6.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email & password through the update() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

CVSS: HIGH (8.8)

EPSS Score: 0.05%

Source: CVE
May 7th, 2025 (about 2 months ago)

CVE-2025-0856

Description: The PGS Core plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 5.8.0. This makes it possible for unauthenticated attackers to add, modify, or plugin options.

CVSS: HIGH (7.3)

EPSS Score: 0.09%

Source: CVE
May 6th, 2025 (about 2 months ago)

Description: Posted by Paul Szabo via Fulldisclosure on May 06

=== Details ===
Vendor: BeyondTrust
Product: Privileged Remote Access (PRA)
Subject: PRA connection takeover
CVE ID: CVE-2025-0217
CVSS: 7.8 (high) CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Author: Paul Szabo
Date: 2025-05-05

=== Introduction ===
I noticed an issue in BeyondTrust Privileged...

CVSS: HIGH (7.3)

EPSS Score: 0.02%

Source: Full Disclosure Mailinglist
May 6th, 2025 (about 2 months ago)

CVE-2025-47420

Description: 266 vulnerability in Crestron Automate VX allows Privilege Escalation. This issue affects Automate VX: from 5.6.8161.21536 through 6.4.0.49.

CVSS: HIGH (8.7)

EPSS Score: 0.04%

Source: CVE
May 6th, 2025 (about 2 months ago)

CVE-2025-4372

Description: Use after free in WebAudio in Google Chrome prior to 136.0.7103.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

CVSS: HIGH (8.8)

EPSS Score: 0.06%

Source: CVE
May 6th, 2025 (about 2 months ago)

CVE-2025-0853

Description: The PGS Core plugin for WordPress is vulnerable to SQL Injection via the 'event' parameter in the 'save_header_builder' function in all versions up to, and including, 5.8.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS: HIGH (7.5)

EPSS Score: 0.08%

Source: CVE
May 6th, 2025 (about 2 months ago)