CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-31432 |
Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Chop Chop Pop-Up Chop Chop allows PHP Local File Inclusion. This issue affects Pop-Up Chop Chop: from n/a through 2.1.7.
CVSS: HIGH (7.5) EPSS Score: 0.13%
March 28th, 2025 (3 months ago)
|
|
CVE-2025-2815 |
Description: The Administrator Z plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the adminz_import_backup() function in all versions up to, and including, 2025.03.24. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
CVSS: HIGH (8.8) EPSS Score: 0.04%
March 28th, 2025 (3 months ago)
|
|
CVE-2025-31102 |
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Hostel allows Reflected XSS. This issue affects Hostel: from n/a through 1.1.5.5.
CVSS: HIGH (7.1) EPSS Score: 0.04%
March 28th, 2025 (3 months ago)
|
|
CVE-2025-31099 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bestwebsoft Slider by BestWebSoft allows SQL Injection. This issue affects Slider by BestWebSoft: from n/a through 1.1.0.
CVSS: HIGH (7.6) EPSS Score: 0.04%
March 28th, 2025 (3 months ago)
|
|
CVE-2025-27932 |
Description: Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in the file deletion process of the USB storage file-sharing function of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, an attacker may delete a file on the device or cause a denial of service (DoS) condition.
CVSS: HIGH (8.1) EPSS Score: 0.1%
March 28th, 2025 (3 months ago)
|
|
CVE-2025-27718 |
Description: Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in the file upload process of the USB storage file-sharing function of HGW-BL1500HM Ver 002.002.003 and earlier. If this vulnerability is exploited, the product's files may be obtained and/or altered or arbitrary code may be executed by a crafted HTTP request to specific functions of the product from a device connected to the LAN side.
CVSS: HIGH (8.8) EPSS Score: 0.5%
March 28th, 2025 (3 months ago)
|
|
CVE-2025-2485 |
Description: The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8.7 via deserialization of untrusted input from the 'dnd_upload_cf7_upload'
function. This makes it possible for attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with the file upload action. The Flamingo plugin must be installed and activated in order to exploit the vulnerability.
CVSS: HIGH (7.5) EPSS Score: 0.07%
March 28th, 2025 (3 months ago)
|
|
CVE-2025-2328 |
Description: The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'dnd_remove_uploaded_files' function in all versions up to, and including, 1.3.8.7. This makes it possible for unauthenticated attackers to add arbitrary file paths (such as ../../../../wp-config.php) to uploaded files on the server, which can easily lead to remote code execution when an Administrator deletes the message. Exploiting this vulnerability requires the Flamingo plugin to be installed and activated.
CVSS: HIGH (8.8) EPSS Score: 0.19%
March 28th, 2025 (3 months ago)
|
|
CVE-2025-24381 |
Description: Dell Unity, version(s) 5.4 and prior, contain(s) an URL Redirection to Untrusted Site ('Open Redirect') vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to a targeted application user being redirected to arbitrary web URLs. The vulnerability could be leveraged by attackers to conduct phishing attacks that cause users to divulge sensitive information. Exploitation may allow for session theft.
CVSS: HIGH (8.8) EPSS Score: 0.08%
March 28th, 2025 (3 months ago)
|
|
CVE-2025-24386 |
Description: Dell Unity, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution and Elevation of privileges.
CVSS: HIGH (7.8) EPSS Score: 0.06%
March 28th, 2025 (3 months ago)
|