Threat and Vulnerability Intelligence Database

CVE-2025-3275

Description: The Themesflat Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the TF E Slider widget in all versions up to, and including, 2.2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

Source: CVE
April 19th, 2025

CVE-2025-1457

Description: The Element Pack Addons for Elementor – Free Templates and Widgets for Your WordPress Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Wrapper Link, Countdown and Gallery widgets in all versions up to, and including, 5.10.28 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
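Both of the Elementor add-on entries above (CVE-2025-3275 and CVE-2025-1457) describe the same defect class: widget settings saved by a Contributor are echoed into page markup without context-appropriate escaping. The following is an added illustration written for this page; it is not code from Themesflat Addons, Element Pack or Elementor. The widget classes, setting names and payloads are hypothetical, and the classes are kept independent of `\Elementor\Widget_Base` so the contrast between the vulnerable and the hardened `render()` stands on its own. It relies on the WordPress escaping functions, so it runs inside a WordPress install (for example with WP-CLI's `wp eval-file`).

```php
<?php
// Added illustration, not code from either plugin. A minimal Elementor-style
// widget whose render() builds HTML from user-controlled widget settings.
// Settings are saved by anyone who can edit the page (Contributor and above),
// and Contributors lack the unfiltered_html capability, so render() must treat
// every stored value as untrusted.

class Hypothetical_Widget_Vulnerable {
    // Vulnerable pattern: settings are concatenated straight into markup,
    // so the stored payloads below are emitted verbatim to every visitor.
    public function render( array $settings ) {
        echo '<div class="item ' . $settings['css_class'] . '">';
        echo '<a href="' . $settings['link'] . '" title="' . $settings['title'] . '">';
        echo $settings['caption'];
        echo '</a></div>';
    }
}

class Hypothetical_Widget_Fixed {
    // Hardened pattern: escape each value for the exact context it lands in.
    public function render( array $settings ) {
        // Attribute context: esc_attr() encodes quotes, so a value like
        // hero" onmouseover="alert(1) cannot close the attribute.
        $class = esc_attr( $settings['css_class'] );
        $title = esc_attr( $settings['title'] );

        // URL context: esc_url() drops javascript: and other disallowed schemes
        // (it returns an empty string for the payload below).
        $link = esc_url( $settings['link'] );

        // Rich-text context: wp_kses_post() keeps the HTML a post body may
        // contain and strips <script>, on* handlers and javascript: URLs,
        // the same filter WordPress applies to a Contributor's post content.
        $caption = wp_kses_post( $settings['caption'] );

        // Single-quoted format string so %1$s etc. are not interpolated by PHP.
        printf(
            '<div class="item %1$s"><a href="%2$s" title="%3$s">%4$s</a></div>',
            $class,
            $link,
            $title,
            $caption
        );
    }
}

// Constructed sample payloads a Contributor could store in the widget settings.
$settings = array(
    'css_class' => 'hero" onmouseover="alert(document.cookie)',
    'link'      => 'javascript:alert(1)',
    'title'     => '"><script>alert(2)</script>',
    'caption'   => '<img src=x onerror=alert(3)> Welcome',
);

// Run inside WordPress (e.g. `wp eval-file this-file.php`). The fixed widget
// emits inert markup; the vulnerable one would emit all four payloads as-is.
( new Hypothetical_Widget_Fixed() )->render( $settings );
```

The point worth carrying away is that "sanitization on save" is not enough on its own: a value that is harmless in one context (text between tags) breaks out in another (inside a quoted attribute or an `href`), so the escaping call has to match the output context at the point of output.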

CVSS: MEDIUM (6.4)

Source: CVE
April 19th, 2025

CVE-2025-3284

Description: The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.1.3. This is due to missing or incorrect nonce validation on the user_registration_pro_delete_account() function. This makes it possible for unauthenticated attackers to force-delete users, including administrators, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
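What "missing or incorrect nonce validation" looks like in an admin-ajax handler, and what the fix needs beyond the nonce, as an added illustration written for this page. This is not the User Registration plugin's code: the handler names, the nonce action string and the form are hypothetical.

```php
<?php
// Added illustration, not code from the User Registration plugin. A
// hypothetical admin-ajax "delete account" handler, first in the shape that
// is CSRF-able, then with nonce and authorisation checks.

// Vulnerable shape: any request that reaches admin-ajax.php with the victim's
// login cookie attached deletes whichever user the POST body names. A page the
// administrator is lured to can auto-submit such a form cross-site.
function hypothetical_delete_account_vulnerable() {
    require_once ABSPATH . 'wp-admin/includes/user.php';
    $user_id = absint( $_POST['user_id'] );
    wp_delete_user( $user_id );
    wp_send_json_success();
}

// Hardened shape.
function hypothetical_delete_account_fixed() {
    // 1. Nonce: the request must carry a token that only a page WordPress
    //    rendered for this logged-in user could contain. check_ajax_referer()
    //    ends the request with HTTP 403 when the 'security' field is missing,
    //    stale or bound to a different action.
    check_ajax_referer( 'hypothetical_delete_account', 'security' );

    // 2. Authorisation: a self-service endpoint deletes only the caller.
    //    Any user_id supplied by the client is ignored.
    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    // 3. Do not let this path remove a privileged account, even for the caller.
    if ( user_can( $user_id, 'manage_options' ) ) {
        wp_send_json_error( 'administrators cannot self-delete here', 403 );
    }

    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $user_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_hypothetical_delete_account', 'hypothetical_delete_account_fixed' );

// The form that triggers the handler must embed the matching nonce.
function hypothetical_delete_account_button() {
    printf(
        '<form method="post" action="%s">'
        . '<input type="hidden" name="action" value="hypothetical_delete_account">'
        . '<input type="hidden" name="security" value="%s">'
        . '<button type="submit">Delete my account</button></form>',
        esc_url( admin_url( 'admin-ajax.php' ) ),
        esc_attr( wp_create_nonce( 'hypothetical_delete_account' ) )
    );
}
```

Two caveats a reviewer would raise: a WordPress nonce is tied to the logged-in user and rotates on a 12 to 24 hour window, so it proves the request came from a page rendered for that user, not that the user is allowed to do the thing. The capability check (step 2 and 3) is what stops a forged request from removing an administrator; the nonce alone only stops a third-party page from triggering the call.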

CVSS: MEDIUM (4.3)

Source: CVE
April 19th, 2025

CVE-2025-43903

Description: NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries.

CVSS: MEDIUM (4.3)

Source: CVE
April 18th, 2025

CVE-2025-3796

Description: A vulnerability classified as critical has been found in PHPGurukul Men Salon Management System 1.0. It affects an unknown part of the file /admin/contact-us.php. Manipulation of the argument pagetitle/pagedes/email/mobnumber/timing leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
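The five named arguments are the fields of a page-settings form, which points at the usual cause: each POST value is spliced into the UPDATE statement as a string. The following is an added illustration written for this page, not PHPGurukul's code; the table and column names, the `PageType` filter and the handler names are assumptions, and the payload is constructed.

```php
<?php
// Added illustration, not PHPGurukul's code. A hypothetical
// /admin/contact-us.php update handler in the string-concatenation shape that
// turns every POST field into an injection point, then the same update as a
// prepared statement. Table and column names are assumed.

// Vulnerable shape. A value such as
//   x', Email=(SELECT Password FROM tbladmin LIMIT 1), Timing='
// in any one field rewrites the statement that the server executes.
function hypothetical_update_contact_vulnerable( mysqli $con, array $post ) {
    $sql = "UPDATE tblpage SET PageTitle='{$post['pagetitle']}', "
         . "PageDescription='{$post['pagedes']}', Email='{$post['email']}', "
         . "MobileNumber='{$post['mobnumber']}', Timing='{$post['timing']}' "
         . "WHERE PageType='contactus'";
    return mysqli_query( $con, $sql );
}

// Hardened shape: the SQL text is fixed and the values travel separately,
// so the database never parses user input as SQL. Light input validation on
// top narrows what reaches the row at all.
function hypothetical_update_contact_fixed( mysqli $con, array $post ) {
    if ( ! filter_var( $post['email'], FILTER_VALIDATE_EMAIL ) ) {
        throw new InvalidArgumentException( 'invalid email' );
    }
    if ( ! preg_match( '/^\+?[0-9]{6,15}$/', $post['mobnumber'] ) ) {
        throw new InvalidArgumentException( 'invalid mobile number' );
    }

    $stmt = $con->prepare(
        'UPDATE tblpage SET PageTitle = ?, PageDescription = ?, Email = ?, '
        . 'MobileNumber = ?, Timing = ? WHERE PageType = ?'
    );
    if ( $stmt === false ) {
        throw new RuntimeException( 'prepare failed: ' . $con->error );
    }
    $type = 'contactus';
    // bind_param takes its arguments by reference; array elements qualify.
    $stmt->bind_param(
        'ssssss',
        $post['pagetitle'],
        $post['pagedes'],
        $post['email'],
        $post['mobnumber'],
        $post['timing'],
        $type
    );
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed request body: the injection rides in the title field. With the
// prepared statement it is stored as a literal title string and nothing more.
$post = array(
    'pagetitle' => "Contact', Email=(SELECT Password FROM tbladmin LIMIT 1), Timing='x",
    'pagedes'   => 'Opening hours and address',
    'email'     => 'info@example.test',
    'mobnumber' => '1234567890',
    'timing'    => 'Mon-Sat 09:00-18:00',
);
```

Note that the endpoint sits under /admin/, so the vulnerable shape is reachable once an operator is logged in (or via a forged request to that operator); the parameterised statement removes the injection regardless of who submits the form, which is the property to aim for rather than relying on the admin boundary.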

CVSS: MEDIUM (5.3)

Source: CVE
April 18th, 2025

CVE-2025-3795

Description: A vulnerability was found in DaiCuo 1.3.13. It has been rated as problematic. Affected by this issue is some unknown functionality of the component SEO Optimization Settings Section. The manipulation leads to cross-site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

CVSS: MEDIUM (4.8)

Source: CVE
April 18th, 2025

CVE-2025-36625

Description: In Nessus versions prior to 10.8.4, a non-authenticated attacker could alter Nessus logging entries by manipulating HTTP requests to the application.

CVSS: MEDIUM (4.3)

SSVC Exploitation: none

Source: CVE
April 18th, 2025

CVE-2025-32377

Description: Rasa Pro is a framework for building scalable, dynamic conversational AI assistants that integrate large language models (LLMs). A vulnerability has been identified in Rasa Pro where voice connectors in Rasa Pro do not properly implement authentication even when a token is configured in the credentials.yml file. This could allow an attacker to submit voice data to the Rasa Pro assistant from an unauthenticated source. This issue has been patched for audiocodes, audiocodes_stream, and genesys connectors in versions 3.9.20, 3.10.19, 3.11.7 and 3.12.6.

CVSS: MEDIUM (6.5)

Source: CVE
April 18th, 2025

CVE-2025-28355

Description: Volmarg Personal Management System 1.4.65 is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to execute arbitrary code and obtain sensitive information via the SameSite cookie attribute's default value being set to None.
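A session cookie with `SameSite=None` is attached by the browser to every cross-site request, which is exactly the condition a CSRF form on an attacker's page needs. The following is an added illustration written for this page, not code from Volmarg Personal Management System: it shows the weak cookie setting beside the hardened one in plain PHP, plus a server-side check that does not depend on the browser honouring SameSite at all. Function names are hypothetical.

```php
<?php
// Added illustration, not Volmarg PMS code. The session cookie's SameSite
// attribute as set from PHP, weak value beside hardened value, followed by a
// request-side check that works independently of cookie attributes.

// Weak: SameSite=None tells browsers to send the cookie on every cross-site
// request, so a form on attacker.example posted at the app carries the
// victim's session. (Browsers also require Secure when None is used.)
function hypothetical_session_cookie_weak(): void {
    session_set_cookie_params( array(
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'None',
    ) );
    session_start();
}

// Hardened: Lax withholds the cookie from cross-site POSTs but still sends it
// on top-level cross-site GET navigations, so state-changing GET handlers stay
// exposed. Strict withholds it on every cross-site request. The equivalent
// php.ini setting is session.cookie_samesite = Strict.
function hypothetical_session_cookie_hardened(): void {
    session_set_cookie_params( array(
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ) );
    session_start();
}

// Defence in depth: modern browsers send Sec-Fetch-Site on every request.
// Rejecting state-changing requests whose value is "cross-site" blocks CSRF
// even if the cookie policy is wrong. Returns true when the request may proceed.
// Takes the server array as a parameter so it can be exercised with
// constructed input.
function hypothetical_allow_state_change( array $server ): bool {
    $method = strtoupper( $server['REQUEST_METHOD'] ?? 'GET' );
    if ( in_array( $method, array( 'GET', 'HEAD', 'OPTIONS' ), true ) ) {
        return true; // safe methods must not change state in the first place
    }
    $site = strtolower( $server['HTTP_SEC_FETCH_SITE'] ?? '' );
    // same-origin, same-site and none (user-typed URL or bookmark) are allowed;
    // cross-site is refused. An absent header (old client) falls through to
    // an Origin check against this host.
    if ( $site === 'cross-site' ) {
        return false;
    }
    if ( $site === '' && isset( $server['HTTP_ORIGIN'] ) ) {
        $origin_host = parse_url( $server['HTTP_ORIGIN'], PHP_URL_HOST );
        return $origin_host === ( $server['HTTP_HOST'] ?? '' );
    }
    return true;
}

// Constructed requests: a cross-site POST is refused, a same-origin POST passes.
$forged = array(
    'REQUEST_METHOD'      => 'POST',
    'HTTP_SEC_FETCH_SITE' => 'cross-site',
    'HTTP_HOST'           => 'pms.example.test',
);
$legit = array(
    'REQUEST_METHOD'      => 'POST',
    'HTTP_SEC_FETCH_SITE' => 'same-origin',
    'HTTP_HOST'           => 'pms.example.test',
);
var_dump( hypothetical_allow_state_change( $forged ) ); // bool(false)
var_dump( hypothetical_allow_state_change( $legit ) );  // bool(true)
```

SameSite is a browser-enforced mitigation and a per-request anti-CSRF token or the fetch-metadata check above is still the primary control; the cookie attribute matters because, as this entry shows, a framework default of None silently switches that mitigation off.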

CVSS: MEDIUM (4.7)

SSVC Exploitation: poc

Source: CVE
April 18th, 2025

CVE-2025-1697

Description: A potential security vulnerability has been identified in the HP Touchpoint Analytics Service for certain HP PC products with versions prior to 4.2.2439. This vulnerability could potentially allow a local attacker to escalate privileges. HP is providing software updates to mitigate this potential vulnerability.

CVSS: MEDIUM (6.9)

SSVC Exploitation: none

Source: CVE
April 18th, 2025