CVE-2025-30825 |
Description: Missing Authorization vulnerability in WPClever WPC Smart Linked Products - Upsells & Cross-sells for WooCommerce allows Privilege Escalation. This issue affects WPC Smart Linked Products - Upsells & Cross-sells for WooCommerce: from n/a through 1.3.5.
CVSS: HIGH (8.8) EPSS Score: 0.04%
April 1st, 2025 (3 months ago)
|
CVE-2025-30778 |
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikas Ratudi VForm allows Reflected XSS. This issue affects VForm: from n/a through 3.1.9.
CVSS: HIGH (7.1) EPSS Score: 0.04%
April 1st, 2025 (3 months ago)
|
CVE-2025-30554 |
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Frizzly allows Reflected XSS. This issue affects Frizzly: from n/a through 1.1.0.
CVSS: HIGH (7.1) EPSS Score: 0.04%
April 1st, 2025 (3 months ago)
|
CVE-2025-31137 |
Description: React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. A vulnerability in Remix/React Router affects all Remix 2 and React Router 7 consumers using the Express adapter. It allows any client to spoof the URL of an incoming Request by placing a URL pathname in the port section of the Host or X-Forwarded-Host header sent to a Remix/React Router request handler. This issue has been patched and released in Remix 2.16.3 and React Router 7.4.1.
CVSS: HIGH (7.5) EPSS Score: 0.06%
April 1st, 2025 (3 months ago)
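Added example (not React Router's or Remix's own source): how a pathname placed in the "port" position of a Host or X-Forwarded-Host value spoofs the request URL when the raw header is concatenated into a URL string, beside a hardened builder that validates the host grammar and only honours X-Forwarded-Host behind a trusted proxy. The function names and the Express-style `headers` object are illustrative assumptions.

```javascript
// Added example, not project code. Demonstrates the header-to-URL spoof the advisory
// describes and one way to reject it. Assumes Node's global WHATWG URL parser.

// Unsafe pattern: the raw Host value is interpolated into a URL string. Anything after
// "host:" that is not a port number is parsed as the start of the path, so the router
// sees a pathname the client chose rather than the one in the request line.
function buildUrlUnsafe(protocol, hostHeader, reqUrl) {
  return new URL(`${protocol}://${hostHeader}${reqUrl}`);
}

// Strict grammar for a Host value: a DNS hostname or IPv4 literal, or a bracketed IPv6
// literal, optionally followed by ":" and a 1..5 digit port. Nothing else is allowed,
// so "/", "?" and "#" can never reach the URL parser via the authority.
const HOST_RE = /^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*|\[[0-9A-Fa-f:.]+\])(?::(\d{1,5}))?$/;

function validateHost(hostHeader) {
  const m = HOST_RE.exec(hostHeader);
  if (!m) throw new Error(`rejected Host value: ${JSON.stringify(hostHeader)}`);
  if (m[1] !== undefined && Number(m[1]) > 65535) {
    throw new Error(`port out of range in Host value: ${hostHeader}`);
  }
  return hostHeader;
}

// X-Forwarded-Host is client-controlled unless a trusted proxy is known to overwrite
// it, so it is only consulted when the caller says a trusted proxy is in front.
function pickHost(headers, trustProxy) {
  const forwarded = headers["x-forwarded-host"];
  const host = trustProxy && forwarded
    ? String(forwarded).split(",")[0].trim()
    : headers.host;
  if (!host) throw new Error("missing Host header");
  return validateHost(host);
}

// Hardened builder: validated authority plus an origin-form request target, so the
// resulting URL's pathname is exactly what the request line carried.
function buildUrlSafe(protocol, headers, reqUrl, trustProxy = false) {
  if (typeof reqUrl !== "string" || !reqUrl.startsWith("/")) {
    throw new Error("request target must be origin-form (start with '/')");
  }
  return new URL(`${protocol}://${pickHost(headers, trustProxy)}${reqUrl}`);
}
```

With a Host of `example.com:/admin` the unsafe builder yields a pathname of `/admin/login` for a request to `/login`; the hardened builder throws before the URL parser ever sees the value.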
|
CVE-2025-31131 |
Description: Summary
The squelette parameter is vulnerable to path traversal, allowing read access to arbitrary files on the server. Submitting the payload ../../../../../../etc/passwd in the squelette parameter returned the contents of that file in the application's response.
Details
File path traversal vulnerabilities arise when user-controllable data is used unsafely in a filesystem operation. Typically, a user-supplied filename is appended to a directory prefix in order to read or write a file. An attacker can then supply traversal sequences (dot-dot-slash) to break out of the intended directory and read or write files elsewhere on the filesystem.
PoC
Access the URL below to see the contents of /etc/passwd:
URL with payload: https://yeswiki.net/?UrkCEO/edit&theme=margot&squelette=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&style=margot.css
Similarly, wakka.config.php (which contains the database password) can be read with the payload ..%2f..%2f..%2fwakka.config.php, which demonstrates the severity of the issue.
Impact
This is a serious vulnerability: an attacker can read sensitive files containing configuration data, passwords, database records, log data, source code, and program scripts and binaries, leading to complete loss of confidentiality.
References
https://github.com/YesWiki/yeswiki/security/advisories/GHSA-w34w-fvp3-68xm
https://nvd.nist.gov/vuln/detail/CVE-2025-31131
https:/...
CVSS: HIGH (8.6) EPSS Score: 26.41%
April 1st, 2025 (3 months ago)
|
CVE-2025-31132 |
Description: Raven is an open-source messaging platform. A vulnerability allowed any logged-in user to execute code via an API endpoint. This vulnerability is fixed in 2.1.10.
CVSS: HIGH (8.1) EPSS Score: 0.08% SSVC Exploitation: none
April 1st, 2025 (3 months ago)
|
CVE-2025-31910 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in reputeinfosystems BookingPress allows SQL Injection. This issue affects BookingPress: from n/a through 1.1.28.
CVSS: HIGH (7.6) EPSS Score: 0.04%
April 1st, 2025 (3 months ago)
|
CVE-2025-31908 |
Description: Cross-Site Request Forgery (CSRF) vulnerability in Sami Ahmed Siddiqui JSON Structuring Markup allows Stored XSS. This issue affects JSON Structuring Markup: from n/a through 0.1.
CVSS: HIGH (7.1) EPSS Score: 0.02%
April 1st, 2025 (3 months ago)
|
CVE-2025-31906 |
Description: Cross-Site Request Forgery (CSRF) vulnerability in ProfitShare.ro WP Profitshare allows Stored XSS. This issue affects WP Profitshare: from n/a through 1.4.9.
CVSS: HIGH (7.1) EPSS Score: 0.02%
April 1st, 2025 (3 months ago)
|
CVE-2025-31904 |
Description: Cross-Site Request Forgery (CSRF) vulnerability in Infoway LLC Ebook Downloader allows Cross Site Request Forgery. This issue affects Ebook Downloader: from n/a through 1.0.
CVSS: HIGH (7.1) EPSS Score: 0.02%
April 1st, 2025 (3 months ago)
|