Threat and Vulnerability Intelligence Database

CVE-2025-3101

Description: The Configurator Theme Core plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.4.7. This is due to the plugin not properly validating user meta fields prior to updating them in the database. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator.

CVSS: HIGH (8.8)

EPSS Score: 0.04%

Source: CVE
April 24th, 2025 (about 2 months ago)

CVE-2025-3058

Description: The Xelion Webchat plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the xwc_save_settings() function in all versions up to, and including, 9.1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

CVSS: HIGH (8.8)

EPSS Score: 0.04%

Source: CVE
April 24th, 2025 (about 2 months ago)

CVE-2025-3761

Description: The My Tickets – Accessible Event Ticketing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.0.16. This is due to the mt_save_profile() function not appropriately restricting unauthorized users from updating roles. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update their role to that of an administrator.

CVSS: HIGH (8.8)

EPSS Score: 0.04%

Source: CVE
April 24th, 2025 (about 2 months ago)

CVE-2025-3530

Description: The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to product price manipulation in all versions up to, and including, 5.1.2. This is due to a logic flaw involving the inconsistent use of parameters during the cart addition process. The plugin uses the parameter 'product_tmp_two' for computing a security hash against price tampering while using 'wspsc_product' to display the product, allowing an unauthenticated attacker to substitute details from a cheaper product and bypass payment for a more expensive item.

CVSS: HIGH (7.5)

EPSS Score: 0.1%

Source: CVE
April 23rd, 2025 (about 2 months ago)

CVE-2025-3529

Description: The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.1.2 via the 'file_url' parameter. This makes it possible for unauthenticated attackers to view potentially sensitive information and download a digital product without paying for it.

CVSS: HIGH (8.2)

EPSS Score: 0.07%

Source: CVE
April 23rd, 2025 (about 2 months ago)

CVE-2024-24843

Description: Cross-Site Request Forgery (CSRF) vulnerability in PowerPack Addons for Elementor PowerPack Pro for Elementor. This issue affects PowerPack Pro for Elementor: from n/a before 2.10.8.

CVSS: HIGH (7.1)

EPSS Score: 0.1%

SSVC Exploitation: none

Source: CVE
April 22nd, 2025 (about 2 months ago)

CVE-2024-1710

Description: The Addon Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the onAjaxAction function in all versions up to, and including, 1.3.76. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform several unauthorized actions, including uploading arbitrary files.

CVSS: HIGH (8.8)

EPSS Score: 0.23%

SSVC Exploitation: none

Source: CVE
April 22nd, 2025 (about 2 months ago)

CVE-2024-21752

Description: Cross-Site Request Forgery (CSRF) vulnerability in Ernest Marcinko Ajax Search Lite allows Reflected XSS. This issue affects Ajax Search Lite: from n/a through 4.11.4.

CVSS: HIGH (7.1)

EPSS Score: 0.05%

SSVC Exploitation: none

Source: CVE
April 22nd, 2025 (about 2 months ago)

CVE-2025-46252

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kofimokome Message Filter for Contact Form 7 allows SQL Injection. This issue affects Message Filter for Contact Form 7: from n/a through 1.6.3.2.

CVSS: HIGH (7.6)

EPSS Score: 0.04%

Source: CVE
April 22nd, 2025 (about 2 months ago)

CVE-2025-46251

Description: Cross-Site Request Forgery (CSRF) vulnerability in e4jvikwp VikRestaurants Table Reservations and Take-Away allows Cross Site Request Forgery. This issue affects VikRestaurants Table Reservations and Take-Away: from n/a through 1.3.3.

CVSS: HIGH (7.1)

EPSS Score: 0.02%

Source: CVE
April 22nd, 2025 (about 2 months ago)