CVE-2025-1705
Description: The tagDiv Composer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.3. This is due to missing or incorrect nonce validation within the td_ajax_get_views AJAX action. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CVSS: MEDIUM (6.1) EPSS Score: 0.04%
March 28th, 2025 (3 months ago)
CVE-2025-2578
Description: The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.2.19 via the 'wpAmeliaApiCall' function. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
CVSS: MEDIUM (5.3) EPSS Score: 0.05%
March 28th, 2025 (3 months ago)
CVE-2025-2074
Description: The Advanced Google reCAPTCHA plugin for WordPress is vulnerable to generic SQL Injection via the 'sSearch' parameter in all versions up to, and including, 1.29 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries, particularly when the plugin's settings page hasn't been visited and its welcome message has not been dismissed. This issue can be used to extract sensitive information from the database.
CVSS: MEDIUM (5.3) EPSS Score: 0.04%
March 28th, 2025 (3 months ago)
CVE-2025-2804
Description: The tagDiv Composer plugin for WordPress, used by the Newspaper theme, is vulnerable to Reflected Cross-Site Scripting via the 'account_id' and 'account_username' parameters in all versions up to, and including, 5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS: MEDIUM (6.1) EPSS Score: 0.08%
March 28th, 2025 (3 months ago)
CVE-2025-31092
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ninja Team Click to Chat – WP Support All-in-One Floating Widget allows Stored XSS. This issue affects Click to Chat – WP Support All-in-One Floating Widget: from n/a through 2.3.4.
CVSS: MEDIUM (6.5) EPSS Score: 0.03%
March 28th, 2025 (3 months ago)
CVE-2025-31101
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vault Group Pty Ltd VaultRE Contact Form 7 allows Stored XSS. This issue affects VaultRE Contact Form 7: from n/a through 1.0.
CVSS: MEDIUM (5.9) EPSS Score: 0.03%
March 27th, 2025 (3 months ago)
CVE-2025-31031
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Astoundify Job Colors for WP Job Manager allows Stored XSS. This issue affects Job Colors for WP Job Manager: from n/a through 1.0.4.
CVSS: MEDIUM (5.9) EPSS Score: 0.03%
March 27th, 2025 (3 months ago)
CVE-2025-22740
Description: Missing Authorization vulnerability in Automattic Sensei LMS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sensei LMS: from n/a through 4.24.4.
CVSS: MEDIUM (5.3) EPSS Score: 0.04%
March 27th, 2025 (3 months ago)
CVE-2025-22739
Description: Missing Authorization vulnerability in ThimPress LearnPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LearnPress: from n/a through 4.2.7.5.
CVSS: MEDIUM (5.3) EPSS Score: 0.04%
March 27th, 2025 (3 months ago)
CVE-2024-0757
Description: The Insert or Embed Articulate Content into WordPress plugin through 4.3000000023 does not properly filter which file extensions are allowed to be imported on the server, allowing the upload of malicious code within zip files.
CVSS: MEDIUM (5.4) EPSS Score: 32.0% SSVC Exploitation: none
March 27th, 2025 (3 months ago)