CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-1512
PowerPack Elementor Addons (Free Widgets, Extensions and Templates) <= 2.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The PowerPack Elementor Addons (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Cursor Extension in all versions up to, and including, 2.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
April 1st, 2025 (3 months ago)

CVE-2025-1267
Groundhogg <= 3.7.4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via label Parameter
Description: The Groundhogg plugin for Wordpress is vulnerable to Stored Cross-Site Scripting via the ‘label' parameter in versions up to, and including, 3.7.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVSS: MEDIUM (5.5)

EPSS Score: 0.04%

Source: CVE
April 1st, 2025 (3 months ago)

CVE-2024-12189
WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder <= 1.2.2 - Authenticated (Contributor+) Stored Cro...
Description: The WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom widgets in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
April 1st, 2025 (3 months ago)

CVE-2025-31409
WordPress Bridge Core plugin < 3.3.1 - Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Bridge Core allows Stored XSS. This issue affects Bridge Core: from n/a through n/a.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
April 1st, 2025 (3 months ago)

CVE-2025-30926
WordPress King Addons for Elementor plugin <= 24.12.58 - Broken Access Control Vulnerability
Description: Missing Authorization vulnerability in KingAddons.com King Addons for Elementor. This issue affects King Addons for Elementor: from n/a through 24.12.58.

CVSS: MEDIUM (4.3)

EPSS Score: 0.03%

Source: CVE
April 1st, 2025 (3 months ago)

CVE-2025-30802
WordPress Our Team Members plugin <= 2.2 - Sensitive Data Exposure vulnerability
Description: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPBean Our Team Members. This issue affects Our Team Members: from n/a through 2.2.

CVSS: MEDIUM (4.3)

EPSS Score: 0.03%

Source: CVE
April 1st, 2025 (3 months ago)

CVE-2025-30613
WordPress Nmedia MailChimp plugin <= 5.4 - Cross Site Scripting (XSS) Vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in N-Media Nmedia MailChimp allows Stored XSS. This issue affects Nmedia MailChimp: from n/a through 5.4.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
April 1st, 2025 (3 months ago)

CVE-2025-30594
WordPress Include URL <= 0.3.5 Arbitrary File Download Vulnerability
Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NotFound Include URL allows Path Traversal. This issue affects Include URL: from n/a through 0.3.5.

CVSS: MEDIUM (6.5)

EPSS Score: 0.05%

Source: CVE
April 1st, 2025 (3 months ago)

CVE-2025-1665
Avada Builder <= 3.11.14 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes in all versions up to, and including, 3.11.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
April 1st, 2025 (3 months ago)

CVE-2025-31629
WordPress Infusionsoft Web Form JavaScript plugin <= 1.1.1 - Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jacob Allred Infusionsoft Web Form JavaScript allows Stored XSS. This issue affects Infusionsoft Web Form JavaScript: from n/a through 1.1.1.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
March 31st, 2025 (3 months ago)