CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

Example Searches:

CVE-2025-1454	Ninja Pages <= 1.4.2 - Admin+ Stored XSS Description: The Ninja Pages WordPress plugin through 1.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). CVSS: MEDIUM (5.4) EPSS Score: 0.03% Source: CVE May 15th, 2025 (about 1 month ago)
CVE-2025-1288	wooexim <= 5.0.0 - CSRF to Reflected XSS Description: The WOOEXIM WordPress plugin through 5.0.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make an unauthenticated user vulnerable to reflected XSS via a CSRF attack. CVSS: MEDIUM (6.1) EPSS Score: 0.02% Source: CVE May 15th, 2025 (about 1 month ago)
CVE-2025-1138	IBM Information Server information disclosure Description: IBM InfoSphere Information Server 11.7 could disclose sensitive information to an authenticated user that could aid in further attacks against the system through a directory listing. CVSS: MEDIUM (4.3) EPSS Score: 0.03% Source: CVE May 15th, 2025 (about 1 month ago)
CVE-2024-9838	Auto Affiliate Links < 6.4.7 - Admin+ SQL Injection Description: The Auto Affiliate Links WordPress plugin before 6.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks CVSS: MEDIUM (5.4) EPSS Score: 0.03% Source: CVE May 15th, 2025 (about 1 month ago)
CVE-2024-9765	EKC Tournament Manager < 2.2.2 - Local File Download Vulnerability Description: The EKC Tournament Manager WordPress plugin before 2.2.2 allows a logged in admin to download system files outside of the WordPress directory CVSS: MEDIUM (6.5) EPSS Score: 0.03% Source: CVE May 15th, 2025 (about 1 month ago)
CVE-2024-9711	EKC Tournament Manager < 2.2.2 - Delete Tournaments via CSRF Description: The EKC Tournament Manager WordPress plugin before 2.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack CVSS: MEDIUM (5.4) EPSS Score: 0.02% Source: CVE May 15th, 2025 (about 1 month ago)
CVE-2024-9599	Popup Box < 4.7.8 - Admin+ Stored XSS Description: The Popup Box WordPress plugin before 4.7.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). CVSS: MEDIUM (5.4) EPSS Score: 0.03% Source: CVE May 15th, 2025 (about 1 month ago)
CVE-2024-9390	RegistrationMagic < 6.0.2.1 - Stored XSS Description: The RegistrationMagic WordPress plugin before 6.0.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). CVSS: MEDIUM (4.8) EPSS Score: 0.03% Source: CVE May 15th, 2025 (about 1 month ago)
CVE-2024-9238	AVIF & SVG Uploader <= 1.1.0 - Author+ Stored XSS via SVG Uplaod Description: The AVIF Uploader WordPress plugin before 1.1.1 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. CVSS: MEDIUM (5.4) EPSS Score: 0.03% Source: CVE May 15th, 2025 (about 1 month ago)
CVE-2024-9236	Team Members Showcase < 4.4.2 - Editor+ Stored XSS Description: The Team WordPress plugin before 4.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). CVSS: MEDIUM (4.8) EPSS Score: 0.03% Source: CVE May 15th, 2025 (about 1 month ago)