CVE-2025-31421 |
Description: Insertion of Sensitive Information into Externally-Accessible File or Directory vulnerability in Oblak Studio Srbtranslatin allows Retrieve Embedded Sensitive Data. This issue affects Srbtranslatin: from n/a through 3.2.0.
CVSS: MEDIUM (5.8) EPSS Score: 0.04%
April 4th, 2025 (2 months ago)
|
CVE-2025-2797 |
Description: The Woffice Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.4.21. This is due to missing or incorrect nonce validation on the 'woffice_handle_user_approval_actions' function. This makes it possible for unauthenticated attackers to approve registration for any user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS: MEDIUM (5.4) EPSS Score: 0.01%
April 4th, 2025 (2 months ago)
|
CVE-2025-2279 |
Description: The Maps WordPress plugin through 1.0.6 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVSS: MEDIUM (5.9) EPSS Score: 0.03%
April 4th, 2025 (2 months ago)
|
CVE-2025-2836 |
Description: The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘payment_method’ parameter in all versions up to, and including, 6.0.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.04%
April 4th, 2025 (2 months ago)
|
CVE-2024-13898 |
Description: The Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVSS: MEDIUM (4.4) EPSS Score: 0.03%
April 4th, 2025 (2 months ago)
|
CVE-2025-31896 |
Description: Missing Authorization vulnerability in istmoplugins GetBookingsWP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GetBookingsWP: from n/a through 1.1.27.
CVSS: MEDIUM (6.5) EPSS Score: 0.04%
April 3rd, 2025 (2 months ago)
|
CVE-2025-31893 |
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cheesefather Botnet Attack Blocker allows Stored XSS. This issue affects Botnet Attack Blocker: from n/a through 2.0.0.
CVSS: MEDIUM (6.5) EPSS Score: 0.03%
April 3rd, 2025 (2 months ago)
|
CVE-2025-31876 |
Description: Missing Authorization vulnerability in gunnarpayday Payday allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payday: from n/a through 3.3.12.
CVSS: MEDIUM (5.8) EPSS Score: 0.04%
April 3rd, 2025 (2 months ago)
|
CVE-2025-31858 |
Description: Missing Authorization vulnerability in matthewrubin Local Magic allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Local Magic: from n/a through 2.6.0.
CVSS: MEDIUM (6.5) EPSS Score: 0.05%
April 3rd, 2025 (2 months ago)
|
CVE-2025-31841 |
Description: Missing Authorization vulnerability in Frank P. Walentynowicz FPW Category Thumbnails allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FPW Category Thumbnails: from n/a through 1.9.5.
CVSS: MEDIUM (6.3) EPSS Score: 0.04%
April 3rd, 2025 (2 months ago)
|