CyberAlerts

CVE-2025-3404

Download Manager <= 3.3.12 - Authenticated (Author+) Arbitrary File Deletion

Description: The Download Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the savePackage function in all versions up to, and including, 3.3.12. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CVSS: HIGH (8.8)

Source: CVE

April 19th, 2025 (about 7 hours ago)

CVE-2025-3809

Debug Log Manager <= 2.3.4 - Unauthenticated Stored Cross-Site Scripting

Description: The Debug Log Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the auto-refresh debug log in all versions up to, and including, 2.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: HIGH (7.2)

Source: CVE

April 19th, 2025 (about 9 hours ago)

CVE-2025-2111

WP Headers And Footers <= 3.1.1 - Cross-Site Request Forgery to Arbitrary Options Update

Description: The Insert Headers And Footers plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.1. This is due to missing or incorrect nonce validation on the 'custom_plugin_set_option' function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. The 'WPBRIGADE_SDK__DEV_MODE' constant must be set to 'true' to exploit the vulnerability.

CVSS: HIGH (7.5)

Source: CVE

April 19th, 2025 (about 9 hours ago)

CVE-2025-3103

CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon <= 2.4 - Unauthenticated Arbitrary File Read

Description: The CLEVER - HTML5 Radio Player With History - Shoutcast and Icecast - Elementor Widget Addon plugin for WordPress is vulnerable to arbitrary file read due to insufficient file path validation in the 'history.php' file in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to read arbitrary files on the affected site's server, which may contain sensitive information including database credentials. The vulnerability was partially patched in version 2.4.

CVSS: HIGH (7.5)

Source: CVE

April 19th, 2025 (about 10 hours ago)

CVE-2025-2010

JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin <= 2.3.9 - Unauthenticated SQL Injection

Description: The JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin plugin for WordPress is vulnerable to SQL Injection via the 'jobwp_upload_resume' parameter in all versions up to, and including, 2.3.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS: HIGH (7.5)

Source: CVE

April 19th, 2025 (about 12 hours ago)

CVE-2025-39470

WordPress Ivy School <= 1.6.0 - Local File Inclusion Vulnerability

Description: Path Traversal: '.../...//' vulnerability in ThimPress Ivy School allows PHP Local File Inclusion.This issue affects Ivy School: from n/a through 1.6.0.

CVSS: HIGH (8.1)

EPSS Score: 0.04%

Source: CVE

April 18th, 2025 (1 day ago)

CVE-2025-39469

WordPress Modal Survey plugin <= 2.0.2.0.1 - Cross Site Scripting (XSS) vulnerability

Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pantherius Modal Survey allows Reflected XSS.This issue affects Modal Survey: from n/a through 2.0.2.0.1.

CVSS: HIGH (7.1)

EPSS Score: 0.03%

Source: CVE

April 18th, 2025 (1 day ago)

CVE-2025-3520

Avatar <= 0.1.4 - Authenticated (Subscriber+) Arbitrary File Deletion

Description: The Avatar plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 0.1.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CVSS: HIGH (8.1)

EPSS Score: 0.26%

Source: CVE

April 18th, 2025 (1 day ago)

CVE-2025-39594

WordPress Arigato Autoresponder and Newsletter plugin <= 2.7.2.4 - Reflected Cross Site Scripting (XSS) vulnerability

Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Arigato Autoresponder and Newsletter allows Reflected XSS. This issue affects Arigato Autoresponder and Newsletter: from n/a through 2.7.2.4.

CVSS: HIGH (7.1)

EPSS Score: 0.03%

Source: CVE

April 17th, 2025 (2 days ago)

CVE-2025-39586

WordPress ProfileGrid <= 5.9.4.8 - SQL Injection Vulnerability

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid allows SQL Injection. This issue affects ProfileGrid : from n/a through 5.9.4.8.

CVSS: HIGH (8.5)

EPSS Score: 0.03%

Source: CVE

April 17th, 2025 (2 days ago)

Threat and Vulnerability Intelligence Database

Example Searches: