CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-25104
WordPress URL-Preview-Box plugin <= 1.20 - CSRF to Stored XSS vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in mraliende URL-Preview-Box allows Cross Site Request Forgery. This issue affects URL-Preview-Box: from n/a through 1.20.

CVSS: HIGH (7.1)

EPSS Score: 0.04%

Source: CVE
February 8th, 2025 (5 months ago)

CVE-2025-25088
WordPress WP Keyword Monitor Plugin <=1.0.5 - CSRF to Stored XSS vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in blackus3r WP Keyword Monitor allows Stored XSS. This issue affects WP Keyword Monitor: from n/a through 1.0.5.

CVSS: HIGH (7.1)

EPSS Score: 0.04%

Source: CVE
February 8th, 2025 (5 months ago)

CVE-2025-25075
WordPress Show notice or message on admin area plugin <= 2.0 - CSRF to Stored XSS vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in Venugopal Show notice or message on admin area allows Stored XSS. This issue affects Show notice or message on admin area: from n/a through 2.0.

CVSS: HIGH (7.1)

EPSS Score: 0.04%

Source: CVE
February 8th, 2025 (5 months ago)

CVE-2025-25074
WordPress WP Social Stream plugin <= 1.1 - CSRF to Stored XSS vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in Nirmal Kumar Ram WP Social Stream allows Stored XSS. This issue affects WP Social Stream: from n/a through 1.1.

CVSS: HIGH (7.1)

EPSS Score: 0.04%

Source: CVE
February 8th, 2025 (5 months ago)

CVE-2025-25072
WordPress WP Admin Custom Page plugin <= 1.5.0 - CSRF to Stored XSS vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in thunderbax WP Admin Custom Page allows Stored XSS. This issue affects WP Admin Custom Page: from n/a through 1.5.0.

CVSS: HIGH (7.1)

EPSS Score: 0.04%

Source: CVE
February 8th, 2025 (5 months ago)

CVE-2025-25071
WordPress Vignette Ads plugin <= 0.2 - CSRF to Stored XSS vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in topplugins Vignette Ads allows Stored XSS. This issue affects Vignette Ads: from n/a through 0.2.

CVSS: HIGH (7.1)

EPSS Score: 0.04%

Source: CVE
February 8th, 2025 (5 months ago)

CVE-2025-24366
Insufficient sanitization of user provided rsync command in SFTPGo
Description: SFTPGo is an open source, event-driven file transfer solution. SFTPGo supports execution of a defined set of commands via SSH. Besides a set of default commands some optional commands can be activated, one of them being `rsync`. It is disabled in the default configuration and it is limited to the local filesystem, it does not work with cloud/remote storage backends. Due to missing sanitization of the client provided `rsync` command, an authenticated remote user can use some options of the rsync command to read or write files with the permissions of the SFTPGo server process. This issue was fixed in version v2.6.5 by checking the client provided arguments. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS: HIGH (7.5)

EPSS Score: 0.04%

Source: CVE
February 8th, 2025 (5 months ago)

CVE-2025-24028
Cross-site Scripting (XSS) in Rich Text Editor allows arbitrary code execution in Joplin
Description: Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by differences between how Joplin's HTML sanitizer handles comments and how the browser handles comments. This affects both the Rich Text Editor and the Markdown viewer. However, unlike the Rich Text Editor, the Markdown viewer is `cross-origin isolated`, which prevents JavaScript from directly accessing functions/variables in the toplevel Joplin `window`. This issue is not present in Joplin 3.1.24 and may have been introduced in `9b50539`. This is an XSS vulnerability that impacts users that open untrusted notes in the Rich Text Editor. This vulnerability has been addressed in version 3.2.12 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS: HIGH (7.8)

EPSS Score: 0.05%

Source: CVE
February 8th, 2025 (5 months ago)

CVE-2025-22880
Heap-based Buffer Overflow in CNCSoft-G2
Description: Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. If a target visits a malicious page or opens a malicious file an attacker can leverage this vulnerability to execute code in the context of the current process.

CVSS: HIGH (7.8)

EPSS Score: 0.04%

Source: CVE
February 8th, 2025 (5 months ago)

CVE-2025-1108
Insufficient data authenticity vulnerability in Janto
Description: Insufficient data authenticity verification vulnerability in Janto, versions prior to r12. This allows an unauthenticated attacker to modify the content of emails sent to reset the password. To exploit the vulnerability, the attacker must create a POST request by injecting malicious content into the ‘Xml’ parameter on the ‘/public/cgi/Gateway.php’ endpoint.

CVSS: HIGH (8.6)

EPSS Score: 0.04%

Source: CVE
February 8th, 2025 (5 months ago)