CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-1687
Cardealer <= 1.6.4 - Cross-Site Request Forgery to User Update via update_user_profile
Description: The Cardealer theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.4. This is due to missing nonce validation on the 'update_user_profile' function. This makes it possible for unauthenticated attackers to update the user email and password via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: HIGH (8.8)

EPSS Score: 0.02%

Source: CVE
February 28th, 2025 (4 months ago)

CVE-2025-1682
Cardealer <= 1.6.4 - Arbitrary Theme Option Update to Authenticated (Subscriber+) Privilege Escalation
Description: The Cardealer theme for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.4 due to missing capability check on the 'save_settings' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the default user role.

CVSS: HIGH (8.8)

EPSS Score: 0.04%

Source: CVE
February 28th, 2025 (4 months ago)

CVE-2024-12811
Traveler <= 3.1.8 - Authenticated (Contributor+) Local File Inclusion via Shortcode
Description: The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_slider' shortcode 'style' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.

CVSS: HIGH (8.8)

EPSS Score: 0.1%

Source: CVE
February 28th, 2025 (4 months ago)

CVE-2024-31109
WordPress Woocommerce Social Media Share Buttons plugin <= 1.3.0 - CSRF to Cross Site Scripting (XSS) vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in Toastie Studio Woocommerce Social Media Share Buttons allows Stored XSS.This issue affects Woocommerce Social Media Share Buttons: from n/a through 1.3.0.

CVSS: HIGH (7.1)

EPSS Score: 0.07%

SSVC Exploitation: none

Source: CVE
February 27th, 2025 (4 months ago)

CVE-2024-30341
Foxit PDF Reader Doc Object Out-Of-Bounds Read Remote Code Execution Vulnerability
Description: Foxit PDF Reader Doc Object Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Doc objects. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22709.

CVSS: HIGH (7.8)

EPSS Score: 0.22%

SSVC Exploitation: none

Source: CVE
February 27th, 2025 (4 months ago)

CVE-2024-30330
Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnerability
Description: Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Doc objects in AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22636.

CVSS: HIGH (7.8)

EPSS Score: 0.29%

SSVC Exploitation: none

Source: CVE
February 27th, 2025 (4 months ago)

CVE-2024-27335
Kofax Power PDF PNG File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability
Description: Kofax Power PDF PNG File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Kofax Power PDF. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of PNG files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22018.

CVSS: HIGH (7.8)

EPSS Score: 0.16%

SSVC Exploitation: none

Source: CVE
February 27th, 2025 (4 months ago)

CVE-2025-1756
[mongosh] mongosh vulnerable to local privilege escalation
Description: mongosh may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privilege, when a crafted file is stored in C:\node_modules. This issue affects mongosh prior to 2.3.0. References https://nvd.nist.gov/vuln/detail/CVE-2025-1756 https://access.redhat.com/errata/RHSA-2025:1756 https://jira.mongodb.org/browse/MONGOSH-2028 https://github.com/advisories/GHSA-f5w3-73h4-jpcm

CVSS: HIGH (7.5)

EPSS Score: 0.01%

Source: Github Advisory Database (NPM)
February 27th, 2025 (4 months ago)

CVE-2024-3353
SourceCodester Aplaya Beach Resort Online Reservation System index.php sql injection
Description: A vulnerability was found in SourceCodester Aplaya Beach Resort Online Reservation System 1.0 and classified as critical. This issue affects some unknown processing of the file admin/mod_reports/index.php. The manipulation of the argument categ/end leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-259457 was assigned to this vulnerability. Eine kritische Schwachstelle wurde in SourceCodester Aplaya Beach Resort Online Reservation System 1.0 gefunden. Dies betrifft einen unbekannten Teil der Datei admin/mod_reports/index.php. Dank der Manipulation des Arguments categ/end mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Der Exploit steht zur öffentlichen Verfügung.

CVSS: HIGH (7.3)

EPSS Score: 0.21%

SSVC Exploitation: poc

Source: CVE
February 27th, 2025 (4 months ago)

CVE-2024-3347
SourceCodester Airline Ticket Reservation System activate_jet_details_form_handler.php sql injection
Description: A vulnerability was found in SourceCodester Airline Ticket Reservation System 1.0. It has been rated as critical. This issue affects some unknown processing of the file activate_jet_details_form_handler.php. The manipulation of the argument jet_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259451. Eine Schwachstelle wurde in SourceCodester Airline Ticket Reservation System 1.0 ausgemacht. Sie wurde als kritisch eingestuft. Es geht hierbei um eine nicht näher spezifizierte Funktion der Datei activate_jet_details_form_handler.php. Mittels dem Manipulieren des Arguments jet_id mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk angegangen werden. Der Exploit steht zur öffentlichen Verfügung.

CVSS: HIGH (7.3)

EPSS Score: 0.3%

SSVC Exploitation: poc

Source: CVE
February 27th, 2025 (4 months ago)