CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-32370 |
Description: Kentico Xperience before 13.0.178 has a specific set of allowed ContentUploader file extensions for unauthenticated uploads; however, because .zip is processed through TryZipProviderSafe, there is additional functionality to create files with other extensions. NOTE: this is a separate issue not necessarily related to SVG or XSS.
CVSS: HIGH (7.2) EPSS Score: 0.06%
April 6th, 2025 (3 months ago)
|
|
CVE-2024-46833 |
Description: In the Linux kernel, the following vulnerability has been resolved:
net: hns3: void array out of bound when loop tnl_num
When query reg inf of SSU, it loops tnl_num times. However, tnl_num comes
from hardware and the length of array is a fixed value. To void array out
of bound, make sure the loop time is not greater than the length of array
CVSS: HIGH (7.8) EPSS Score: 0.03% SSVC Exploitation: none
April 5th, 2025 (3 months ago)
|
|
CVE-2024-13776 |
Description: The ZoomSounds - WordPress Wave Audio Player with Playlist plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'dzsap_delete_notice' AJAX action in all versions up to, and including, 6.91. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 'seen' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration. There are several other functions also vulnerable to missing authorization.
CVSS: HIGH (8.1) EPSS Score: 0.04%
April 5th, 2025 (3 months ago)
|
|
CVE-2025-2933 |
Description: The Email Notifications for Updates plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the awun_import_settings() function in all versions up to, and including, 1.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
CVSS: HIGH (8.8) EPSS Score: 0.04%
April 5th, 2025 (3 months ago)
|
|
CVE-2025-0810 |
Description: The Read More & Accordion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.5. This is due to missing or incorrect nonce validation on the addNewButtons() function. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS: HIGH (7.5) EPSS Score: 0.02%
April 5th, 2025 (3 months ago)
|
|
CVE-2024-13604 |
Description: The KB Support – Customer Support Ticket & Helpdesk Plugin, Knowledge Base Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.4 via the 'kbs' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/kbs directory which can contain file attachments included in support tickets. The vulnerability was partially patched in version 1.7.3.2.
CVSS: HIGH (7.5) EPSS Score: 0.05%
April 5th, 2025 (3 months ago)
|
|
CVE-2025-3259 |
Description: A vulnerability, which was classified as critical, has been found in Tenda RX3 16.03.13.11. This issue affects the function formSetDeviceName of the file /goform/SetOnlineDevName. The manipulation of the argument devName leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Eine Schwachstelle wurde in Tenda RX3 16.03.13.11 entdeckt. Sie wurde als kritisch eingestuft. Hierbei geht es um die Funktion formSetDeviceName der Datei /goform/SetOnlineDevName. Durch Manipulation des Arguments devName mit unbekannten Daten kann eine stack-based buffer overflow-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff über das Netzwerk. Der Exploit steht zur öffentlichen Verfügung.
CVSS: HIGH (8.7) EPSS Score: 0.11%
April 4th, 2025 (3 months ago)
|
|
CVE-2025-32204 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in rocketelements Split Test For Elementor allows SQL Injection. This issue affects Split Test For Elementor: from n/a through 1.8.2.
CVSS: HIGH (7.6) EPSS Score: 0.04%
April 4th, 2025 (3 months ago)
|
|
CVE-2025-32203 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in manu225 Falling things allows SQL Injection. This issue affects Falling things: from n/a through 1.08.
CVSS: HIGH (7.6) EPSS Score: 0.04%
April 4th, 2025 (3 months ago)
|
|
CVE-2025-32159 |
Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Radius Blocks allows PHP Local File Inclusion. This issue affects Radius Blocks: from n/a through 2.2.1.
CVSS: HIGH (7.5) EPSS Score: 0.13%
April 4th, 2025 (3 months ago)
|