Threat and Vulnerability Intelligence Database

CVE-2025-0952

Description: The Eco Nature - Environment & Ecology WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'cmsmasters_hide_admin_notice' AJAX action in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 'hide' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration.

CVSS: HIGH (8.1)

EPSS Score: 0.03%

Source: CVE
March 14th, 2025

CVE-2024-13913

Description: The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.0.83. This is due to missing or incorrect nonce validation in the '/migrate/templates/main.php' file. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

CVSS: HIGH (8.8)

EPSS Score: 0.04%

Source: CVE
March 14th, 2025

CVE-2024-13376

Description: The Industrial theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the _ajax_get_total_content_import_items() function in all versions up to, and including, 1.7.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

CVSS: HIGH (8.8)

EPSS Score: 0.04%

Source: CVE
March 14th, 2025

CVE-2025-2056

Description: The WP Ghost (Hide My WP Ghost) – Security & Firewall plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 5.4.01 via the showFile function. This makes it possible for unauthenticated attackers to read the contents of specific file types on the server, which can contain sensitive information.

CVSS: HIGH (7.5)

EPSS Score: 0.12%

Source: CVE
March 14th, 2025

CVE-2024-11283

Description: The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to wp_ajax_google_api_login_callback function not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to access arbitrary candidate accounts.

CVSS: HIGH (7.5)

EPSS Score: 0.1%

Source: CVE
March 14th, 2025

CVE-2025-24855

Description: numbers.c in libxslt before 1.1.43 has a use-after-free because, in nested XPath evaluations, an XPath context node can be modified but never restored. This is related to xsltNumberFormatGetValue, xsltEvalXPathPredicate, xsltEvalXPathStringNs, and xsltComputeSortResultInternal.

CVSS: HIGH (7.8)

EPSS Score: 0.01%

Source: CVE
March 14th, 2025

CVE-2024-55549

Description: xsltGetInheritedNsList in libxslt before 1.1.43 has a use-after-free issue related to exclusion of result prefixes.

CVSS: HIGH (7.8)

EPSS Score: 0.01%

Source: CVE
March 14th, 2025

CVE-2024-36305

Description: A security agent link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

CVSS: HIGH (7.8)

EPSS Score: 0.12%

SSVC Exploitation: none

Source: CVE
March 14th, 2025

CVE-2024-2301

Description: Certain HP LaserJet Pro devices are potentially vulnerable to a Cross-Site Scripting (XSS) attack via the web management interface of the device.

CVSS: HIGH (7.6)

EPSS Score: 0.22%

SSVC Exploitation: none

Source: CVE
March 14th, 2025

CVE-2025-2230

Description: A flaw exists in the Windows login flow where an AuthContext token can be exploited for replay attacks and authentication bypass.

CVSS: HIGH (7.7)

EPSS Score: 0.03%

Source: CVE
March 13th, 2025