CVE-2025-2807 |
Description: The Motors – Car Dealership & Classified Listings Plugin for WordPress is vulnerable to arbitrary plugin installation due to a missing capability check in the mvl_setup_wizard_install_plugin() function in all versions up to, and including, 1.4.64. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins on the affected site's server, which may make remote code execution possible.
CVSS: HIGH (8.8) EPSS Score: 0.24%
April 8th, 2025 (3 months ago)
|
CVE-2025-3064 |
Description: The WPFront User Role Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.1. This is due to missing or incorrect nonce validation on the whitelist_options() function. This makes it possible for unauthenticated attackers to update the default role option, which can be leveraged for privilege escalation, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. This is only exploitable on multisite instances.
CVSS: HIGH (8.8) EPSS Score: 0.02%
April 8th, 2025 (3 months ago)
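The two WordPress entries above are the same defect class seen from two sides: a privileged state change reachable without a capability check (CVE-2025-2807) and one reachable without a nonce check, so it can be forged from a third-party page (CVE-2025-3064). The block below is an added illustration of that class in a hypothetical plugin; it is not code from either plugin, and the `demo_*` action and function names, the `manage_options` capability and the choice of the `default_role` option are assumptions for the example.

```php
<?php
// Added example, hypothetical plugin code; not from Motors or WPFront User Role Editor.
// Action and function names (demo_*) are assumed for illustration.

// Vulnerable pattern: a privileged state change with neither a nonce nor a
// capability check. Registered on wp_ajax_*, so any logged-in user reaches it,
// and because nothing ties the request to the user's session it can also be
// forged from an attacker-controlled page against an administrator (CSRF).
add_action( 'wp_ajax_demo_set_default_role_unsafe', 'demo_set_default_role_unsafe' );
function demo_set_default_role_unsafe() {
    update_option( 'default_role', $_POST['role'] ?? 'subscriber' );
    wp_send_json_success();
}

// Hardened pattern.
add_action( 'wp_ajax_demo_set_default_role', 'demo_set_default_role' );
function demo_set_default_role() {
    // 1. CSRF: the request must carry a nonce for this action; check_ajax_referer()
    //    terminates the request when the nonce is missing or invalid.
    check_ajax_referer( 'demo_set_default_role', 'nonce' );

    // 2. Authorization: a valid nonce proves intent, not privilege. A Subscriber can
    //    obtain a nonce for any action a page hands out, so the capability check is
    //    separate and mandatory. 'manage_options' is the capability assumed here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_permissions', 403 ); // calls wp_die()
    }

    // 3. Validate the value against roles that actually exist and refuse to make a
    //    privileged role the default for new registrations.
    $role = sanitize_key( $_POST['role'] ?? '' );
    $ok   = array_key_exists( $role, wp_roles()->roles )
         && ! in_array( $role, array( 'administrator' ), true );
    if ( ! $ok ) {
        wp_send_json_error( 'invalid_role', 400 );
    }

    update_option( 'default_role', $role );
    wp_send_json_success( array( 'default_role' => $role ) );
}

// The admin page that calls the hardened action must supply the matching nonce;
// the script handle and file name are assumed.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'demo-admin', plugins_url( 'demo-admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_set_default_role' ),
    ) );
} );
```

The two checks are independent: the nonce stops a forged request from an administrator's browser, the capability check stops a low-privilege account from calling the action directly. A handler that has only one of them is still exploitable by the other path, which is why a missing capability check is rated as high as a missing nonce in the entries above.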
|
CVE-2024-41793 |
Description: A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices provides an endpoint that allows the SSH service to be enabled without authentication. This could allow an unauthenticated remote attacker to enable remote access to the device via SSH.
CVSS: HIGH (8.6) EPSS Score: 0.05%
April 8th, 2025 (3 months ago)
|
CVE-2024-41792 |
Description: A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices contains a path traversal vulnerability. This could allow an unauthenticated attacker to access arbitrary files on the device with root privileges.
CVSS: HIGH (8.6) EPSS Score: 0.14%
April 8th, 2025 (3 months ago)
|
CVE-2024-41791 |
Description: A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices does not authenticate report creation requests. This could allow an unauthenticated remote attacker to read or clear the log files on the device, reset the device or set the date and time.
CVSS: HIGH (7.3) EPSS Score: 0.09%
April 8th, 2025 (3 months ago)
|
CVE-2025-3431 |
Description: The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 6.91 via the 'dzsap_download' action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
CVSS: HIGH (7.5) EPSS Score: 0.08%
April 8th, 2025 (3 months ago)
|
CVE-2025-30014 |
Description: SAP Capital Yield Tax Management has a directory traversal vulnerability due to insufficient path validation. This could allow an attacker with low privileges to read files from a directory they do not have access to, causing a high impact on confidentiality. Integrity and availability are not affected.
CVSS: HIGH (7.7) EPSS Score: 0.2%
April 8th, 2025 (3 months ago)
|
CVE-2025-27428 |
Description: Due to a directory traversal vulnerability, an authorized attacker could gain access to some critical information by using an RFC-enabled function module. Upon successful exploitation, they could read files from any managed system connected to SAP Solution Manager, leading to a high impact on confidentiality. There is no impact on integrity or availability.
CVSS: HIGH (7.7) EPSS Score: 0.12%
April 8th, 2025 (3 months ago)
|
CVE-2025-23186 |
Description: In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These credentials can then be further exploited to completely compromise the remote service, potentially resulting in a significant impact on the confidentiality, integrity, and availability of the application.
CVSS: HIGH (8.5) EPSS Score: 0.05%
April 8th, 2025 (3 months ago)
|
CVE-2025-20946 |
Description: Improper handling of exceptional conditions in pairing specific bluetooth devices in Galaxy Watch Bluetooth pairing prior to SMR Apr-2025 Release 1 allows local attackers to pair with specific bluetooth devices without user interaction.
CVSS: HIGH (8.8) EPSS Score: 0.02%
April 8th, 2025 (3 months ago)
|