Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-46242 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bob Watu Quiz allows SQL Injection. This issue affects Watu Quiz: from n/a through 3.4.3.
CVSS: HIGH (7.6) EPSS Score: 0.03%
April 22nd, 2025 (about 2 months ago)
|
|
CVE-2025-46241 |
Description: Cross-Site Request Forgery (CSRF) vulnerability in codepeople Appointment Booking Calendar allows SQL Injection. This issue affects Appointment Booking Calendar: from n/a through 1.3.92.
CVSS: HIGH (8.2) EPSS Score: 0.02%
April 22nd, 2025 (about 2 months ago)
|
|
CVE-2025-3616 |
Description: The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the gspb_make_proxy_api_request() function in versions 11.4 to 11.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The arbitrary file upload was sufficiently patched in 11.4.5, but a capability check was added in 11.4.6 to properly prevent unauthorized limited file uploads.
CVSS: HIGH (8.8) EPSS Score: 0.25%
April 22nd, 2025 (about 2 months ago)
|
|
CVE-2025-3404 |
Description: The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the savePackage function in all versions up to, and including, 3.3.12. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
CVSS: HIGH (8.8) EPSS Score: 0.19%
April 19th, 2025 (about 2 months ago)
|
|
CVE-2025-3809 |
Description: The Debug Log Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the auto-refresh debug log in all versions up to, and including, 2.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: HIGH (7.2) EPSS Score: 0.1%
April 19th, 2025 (about 2 months ago)
|
|
CVE-2025-2111 |
Description: The Insert Headers And Footers plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.1. This is due to missing or incorrect nonce validation on the 'custom_plugin_set_option' function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. The 'WPBRIGADE_SDK__DEV_MODE' constant must be set to 'true' to exploit the vulnerability.
CVSS: HIGH (7.5) EPSS Score: 0.02%
April 19th, 2025 (about 2 months ago)
|
|
CVE-2025-3103 |
Description: The CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon plugin for WordPress is vulnerable to arbitrary file read due to insufficient file path validation in the 'history.php' file in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to read arbitrary files on the affected site's server, which may contain sensitive information including database credentials. The vulnerability was partially patched in version 2.4.
CVSS: HIGH (7.5) EPSS Score: 0.04%
April 19th, 2025 (about 2 months ago)
|
|
CVE-2025-2010 |
Description: The JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin plugin for WordPress is vulnerable to SQL Injection via the 'jobwp_upload_resume' parameter in all versions up to, and including, 2.3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS: HIGH (7.5) EPSS Score: 0.08%
April 19th, 2025 (about 2 months ago)
|
|
CVE-2025-39470 |
Description: Path Traversal: '.../...//' vulnerability in ThimPress Ivy School allows PHP Local File Inclusion.This issue affects Ivy School: from n/a through 1.6.0.
CVSS: HIGH (8.1) EPSS Score: 0.06%
April 18th, 2025 (about 2 months ago)
|
|
CVE-2025-39469 |
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pantherius Modal Survey allows Reflected XSS.This issue affects Modal Survey: from n/a through 2.0.2.0.1.
CVSS: HIGH (7.1) EPSS Score: 0.04%
April 18th, 2025 (about 2 months ago)
|