Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2024-13933 |
Description: The FoodBakery | Delivery Restaurant Directory WordPress Theme theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.7. This is due to missing or incorrect nonce validation on the foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all functions. This makes it possible for unauthenticated attackers to delete arbitrary files, update theme options, export widget options, import widget options, generate backups, restore backups, and reset theme options via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS: HIGH (8.8) EPSS Score: 0.03%
March 19th, 2025 (about 1 month ago)
|
|
CVE-2024-12920 |
Description: The FoodBakery | Delivery Restaurant Directory WordPress Theme theme for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all functions in all versions up to, and including, 4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files, update theme options, export widget options, import widget options, generate backups, restore backups, and reset theme options.
CVSS: HIGH (8.8) EPSS Score: 0.05%
March 19th, 2025 (about 1 month ago)
|
|
CVE-2024-13412 |
Description: The CozyStay theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handler function in all versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to execute arbitrary actions.
CVSS: HIGH (7.5) EPSS Score: 0.04%
March 19th, 2025 (about 1 month ago)
|
|
CVE-2024-12295 |
Description: The BoomBox Theme Extensions plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.8.0. This is due to the plugin not properly validating a user's identity prior to updating their password through the 'boombox_ajax_reset_password' function. This makes it possible for authenticated attackers, with subscriber-level privileges and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
CVSS: HIGH (8.8) EPSS Score: 0.04%
March 19th, 2025 (about 1 month ago)
|
|
CVE-2024-12563 |
Description: The s2Member Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 250214 via the 'template' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution.
CVSS: HIGH (8.8) EPSS Score: 0.1% SSVC Exploitation: none
March 18th, 2025 (about 1 month ago)
|
|
CVE-2024-37479 |
Description: Local File Inclusion vulnerability in LA-Studio LA-Studio Element Kit for Elementor via "LaStudioKit Progress Bar" widget in New Post, specifically in the "progress_type" attribute.This issue affects LA-Studio Element Kit for Elementor: from n/a through 1.3.8.1.
CVSS: HIGH (8.5) EPSS Score: 0.33% SSVC Exploitation: none
March 18th, 2025 (about 1 month ago)
|
|
CVE-2025-2262 |
Description: The The Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.7.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
CVSS: HIGH (7.3) EPSS Score: 0.08%
March 18th, 2025 (about 1 month ago)
|
|
CVE-2025-27281 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in cookforweb All In Menu allows Blind SQL Injection. This issue affects All In Menu: from n/a through 1.1.5.
CVSS: HIGH (8.5) EPSS Score: 0.04%
March 15th, 2025 (about 1 month ago)
|
|
CVE-2025-26978 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound FS Poster. This issue affects FS Poster: from n/a through 6.5.8.
CVSS: HIGH (8.5) EPSS Score: 0.03%
March 15th, 2025 (about 1 month ago)
|
|
CVE-2025-26976 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aldo Latino PrivateContent. This issue affects PrivateContent: from n/a through 8.11.4.
CVSS: HIGH (8.5) EPSS Score: 0.04%
March 15th, 2025 (about 1 month ago)
|