CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-1285
Resido - Real Estate WordPress Theme <= 3.6 - Missing Authorization to Unauthenticated Server-Side Request Forgery and API Key Settings Update
Description: The Resido - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_api_key and save_api_key AJAX actions in all versions up to, and including, 3.6. This makes it possible for unauthenticated attackers to issue requests to internal services and update API key details.

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

Source: CVE
March 14th, 2025 (3 months ago)

CVE-2025-0955
VidoRev Extensions <= 2.9.9.9.9.9.5 - Missing Authorization to Unauthenticated Youtube Video Import
Description: The VidoRev Extensions plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'vidorev_import_single_video' AJAX action in all versions up to, and including, 2.9.9.9.9.9.5. This makes it possible for unauthenticated attackers to import arbitrary youtube videos.

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

Source: CVE
March 14th, 2025 (3 months ago)

CVE-2024-35768
WordPress Page Builder: Live Composer plugin <= 1.5.42 - Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Live Composer Team Page Builder: Live Composer allows Stored XSS.This issue affects Page Builder: Live Composer: from n/a through 1.5.42.

CVSS: MEDIUM (5.9)

EPSS Score: 0.23%

SSVC Exploitation: none

Source: CVE
March 13th, 2025 (3 months ago)

CVE-2024-3641
Newsletter Popup <= 1.2 - Unauthenticated Stored XSS
Description: The Newsletter Popup WordPress plugin through 1.2 does not sanitise and escape some parameters, which could allow unauthenticated visitors to perform Cross-Site Scripting attacks against admins

CVSS: MEDIUM (6.1)

EPSS Score: 0.21%

SSVC Exploitation: poc

Source: CVE
March 13th, 2025 (3 months ago)

CVE-2025-1785
Download Manager <= 3.3.08 - Authenticated (Author+) Path Traversal to Limited File Overwrite
Description: The Download Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.08 via the 'wpdm_newfile' action. This makes it possible for authenticated attackers, with Author-level access and above, to overwrite select file types outside of the originally intended directory, which may cause a denial of service.

CVSS: MEDIUM (5.4)

EPSS Score: 0.27%

Source: CVE
March 13th, 2025 (3 months ago)

CVE-2025-2104
Page Builder: Pagelayer – Drag and Drop website builder <= 1.9.9 - Missing Authorization to Authenticated (Contributor+) Post Publication
Description: The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to unauthorized post publication due to insufficient validation on the pagelayer_save_content() function in all versions up to, and including, 1.9.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to bypass post moderation and publish posts to the site.

CVSS: MEDIUM (4.3)

EPSS Score: 0.03%

Source: CVE
March 13th, 2025 (3 months ago)

CVE-2025-1503
WP Recipe Maker <= 9.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Roundup Recipe Name field in all versions up to, and including, 9.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
March 13th, 2025 (3 months ago)

CVE-2025-2250
WordPress Report Brute Force Attacks and Login Protection ReportAttacks Plugins <= 2.32 - Authenticated (Admin+) SQL Injection
Description: The WordPress Report Brute Force Attacks and Login Protection ReportAttacks Plugins plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.32 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS: MEDIUM (4.9)

EPSS Score: 0.04%

Source: CVE
March 13th, 2025 (3 months ago)

CVE-2024-13887
Business Directory Plugin - Easy Listing Directories for WordPress <= 6.4.14 - Insecure Direct Object Reference to Listing Arbitrary Image Addition
Description: The Business Directory Plugin – Easy Listing Directories for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.14 via the 'ajax_listing_submit_image_upload' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to add arbitrary images to listings.

CVSS: MEDIUM (5.3)

EPSS Score: 0.03%

Source: CVE
March 13th, 2025 (3 months ago)

CVE-2025-1559
CC-IMG-Shortcode <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The CC-IMG-Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'img' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
March 13th, 2025 (3 months ago)