Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-2575
Z Companion <= 1.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Description: The Z Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. Note: This requires Royal Shop theme to be installed.

CVSS: MEDIUM (6.4)

EPSS Score: 0.04%

Source: CVE
April 11th, 2025 (8 days ago)

CVE-2025-2541
WP Project Manager <= 2.6.22 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Description: The WP Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.6.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
April 11th, 2025 (8 days ago)

CVE-2025-2128
Cost Calculator Builder <= 3.2.67 - Authenticated (Subscriber+) SQL Injection via order_ids Parameter
Description: The Cost Calculator Builder plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order_ids’ parameter in all versions up to, and including, 3.2.67 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
April 11th, 2025 (8 days ago)

CVE-2024-29098
WordPress WP Calameo plugin <= 2.1.7 - Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Calameo WP Calameo allows Stored XSS.This issue affects WP Calameo: from n/a through 2.1.7.

CVSS: MEDIUM (6.5)

EPSS Score: 0.08%

SSVC Exploitation: none

Source: CVE
April 10th, 2025 (9 days ago)

CVE-2024-27967
WordPress DSGVO All in one for WP plugin <= 4.3 - Cross Site Request Forgery (CSRF) vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in Michael Leithold DSGVO All in one for WP.This issue affects DSGVO All in one for WP: from n/a through 4.3.

CVSS: MEDIUM (4.3)

EPSS Score: 0.04%

SSVC Exploitation: none

Source: CVE
April 10th, 2025 (9 days ago)

CVE-2024-2500
The ColorMag theme for WordPress is vulnerable to Stored Cross-Site Scripting via a user's Display Name in all versions up to, and including, 3.1.6...
Description: The ColorMag theme for WordPress is vulnerable to Stored Cross-Site Scripting via a user's Display Name in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authentciated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.14%

SSVC Exploitation: none

Source: CVE
April 10th, 2025 (9 days ago)

CVE-2024-2326
The Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin plugin for WordPress is vulnerable to Cross-Site Request...
Description: The Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.3. This is due to missing or incorrect nonce validation when saving plugin settings. This makes it possible for unauthenticated attackers to change the plugin's configuration including stripe integration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: MEDIUM (4.3)

EPSS Score: 0.03%

SSVC Exploitation: none

Source: CVE
April 10th, 2025 (9 days ago)

CVE-2025-31411
WordPress Linet ERP-Woocommerce Integration plugin <= 3.5.12 - Arbitrary File Read/Deletion vulnerability
Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Aribhour Linet ERP-Woocommerce Integration allows Path Traversal.This issue affects Linet ERP-Woocommerce Integration: from n/a through 3.5.12.

CVSS: MEDIUM (5.9)

EPSS Score: 0.05%

Source: CVE
April 10th, 2025 (9 days ago)

CVE-2025-32282
WordPress ShareThis Dashboard for Google Analytics plugin <= 3.2.2 - Cross Site Request Forgery (CSRF) vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in ShareThis ShareThis Dashboard for Google Analytics. This issue affects ShareThis Dashboard for Google Analytics: from n/a through 3.2.2.

CVSS: MEDIUM (4.3)

EPSS Score: 0.02%

Source: CVE
April 10th, 2025 (10 days ago)

CVE-2025-32275
WordPress Survey Maker plugin <= 5.1.5.4 - Bypass vulnerability
Description: Authentication Bypass by Spoofing vulnerability in Ays Pro Survey Maker allows Identity Spoofing. This issue affects Survey Maker: from n/a through 5.1.5.4.

CVSS: MEDIUM (4.3)

EPSS Score: 0.04%

Source: CVE
April 10th, 2025 (10 days ago)