Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-39517
WordPress Basic Interactive World Map plugin <= 2.7 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in WP Map Plugins Basic Interactive World Map allows Cross Site Request Forgery. This issue affects Basic Interactive World Map: from n/a through 2.7.

CVSS: MEDIUM (4.3)

EPSS Score: 0.01%

Source: CVE
April 16th, 2025 (3 days ago)

CVE-2025-39516
WordPress Author WIP Progress Bar <= 1.0 - Cross Site Scripting (XSS) Vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alan Petersen Author WIP Progress Bar allows DOM-Based XSS. This issue affects Author WIP Progress Bar: from n/a through 1.0.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
April 16th, 2025 (3 days ago)

CVE-2025-39515
WordPress Attendance Manager <= 0.6.2 - Cross Site Scripting (XSS) Vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tnomi Attendance Manager allows Stored XSS. This issue affects Attendance Manager: from n/a through 0.6.2.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
April 16th, 2025 (3 days ago)

CVE-2025-39514
WordPress Asgaros Forum <= 3.0.0 - Cross Site Scripting (XSS) Vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Asgaros Asgaros Forum allows Stored XSS. This issue affects Asgaros Forum: from n/a through 3.0.0.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
April 16th, 2025 (3 days ago)

CVE-2025-39513
WordPress ActiveDEMAND <= 0.2.46 - Broken Access Control Vulnerability
Description: Missing Authorization vulnerability in ActiveDEMAND Online Agency Marketing Automation ActiveDEMAND allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects ActiveDEMAND: from n/a through 0.2.46.

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

Source: CVE
April 16th, 2025 (3 days ago)

CVE-2025-39512
WordPress Bulk Term Editor <= 1.1.4 - Cross Site Request Forgery (CSRF) Vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in Yuya Hoshino Bulk Term Editor allows Cross Site Request Forgery. This issue affects Bulk Term Editor: from n/a through 1.1.4.

CVSS: MEDIUM (4.3)

EPSS Score: 0.01%

Source: CVE
April 16th, 2025 (3 days ago)

CVE-2025-3104
WP Staging Pro <= 6.1.2 - Unauthenticated Information Exposure via getOutdatedPluginsRequest Function
Description: The WP STAGING Pro WordPress Backup Plugin for WordPress is vulnerable to Information Exposure in all versions up to and including 6.1.2 due to missing capability checks on the getOutdatedPluginsRequest() function. This makes it possible for unauthenticated attackers to reveal outdated installed active or inactive plugins.

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

Source: CVE
April 16th, 2025 (3 days ago)

CVE-2025-3077
Betheme <= 28.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button shortcode and Custom CSS field in all versions up to, and including, 28.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
April 16th, 2025 (3 days ago)

CVE-2025-3247
Contact Form 7 <= 6.0.5 - Order Replay Vulnerability
Description: The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the 'wpcf7_stripe_skip_spam_check' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.

CVSS: MEDIUM (5.3)

EPSS Score: 0.01%

Source: CVE
April 16th, 2025 (3 days ago)

CVE-2025-2314
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.13.5 - Authenticated (Contributor+) Stored Cross-Si...
Description: The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.13.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue was partially patched in version 3.13.6 of the plugin, and fully patched in 3.13.7.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
April 16th, 2025 (4 days ago)