CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2024-13403
WPForms Lite <= 1.9.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via fieldHTML Parameter
Description: The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘fieldHTML’ parameter in all versions up to, and including, 1.9.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.07%

Source: CVE
February 5th, 2025 (5 months ago)

CVE-2024-13356
DSGVO All in one for WP <= 4.6 - Cross-Site Request Forgery to Account Deletion
Description: The DSGVO All in one for WP plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6. This is due to missing or incorrect nonce validation in the user_remove_form.php file. This makes it possible for unauthenticated attackers to delete admin user accounts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: MEDIUM (6.5)

EPSS Score: 0.05%

Source: CVE
February 5th, 2025 (5 months ago)

CVE-2024-12597
HT Mega <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via block_css and inner_css
Description: The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'block_css' and 'inner_css' parameters in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE
February 5th, 2025 (5 months ago)

CVE-2024-12046
Medical Addon for Elementor <= 1.6.2 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via Shortcode
Description: The Medical Addon for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.2 via the 'namedical_elementor_template' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the content of draft, pending, and private posts.

CVSS: MEDIUM (4.3)

EPSS Score: 0.07%

Source: CVE
February 5th, 2025 (5 months ago)

CVE-2025-24697
WordPress Image Gallery – Responsive Photo Gallery plugin <= 1.0.5 - Broken Access Control vulnerability
Description: Missing Authorization vulnerability in Realwebcare Image Gallery – Responsive Photo Gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Gallery – Responsive Photo Gallery: from n/a through 1.0.5.

CVSS: MEDIUM (6.5)

EPSS Score: 0.04%

Source: CVE
February 4th, 2025 (5 months ago)

CVE-2025-24643
WordPress WPGuppy plugin <= 1.1.0 - Broken Authentication vulnerability
Description: Missing Authorization vulnerability in Amento Tech Pvt ltd WPGuppy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPGuppy: from n/a through 1.1.0.

CVSS: MEDIUM (6.5)

EPSS Score: 0.04%

Source: CVE
February 4th, 2025 (5 months ago)

CVE-2025-24642
WordPress Setup Default Featured Image plugin <= 1.2 - Broken Access Control vulnerability
Description: Missing Authorization vulnerability in theme funda Setup Default Featured Image allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Setup Default Featured Image: from n/a through 1.2.

CVSS: MEDIUM (6.5)

EPSS Score: 0.04%

Source: CVE
February 4th, 2025 (5 months ago)

CVE-2025-24639
WordPress Korea for WooCommerce plugin <= 1.1.11 - Sensitive Data Exposure vulnerability
Description: Insertion of Sensitive Information Into Sent Data vulnerability in GREYS Korea for WooCommerce allows Retrieve Embedded Sensitive Data. This issue affects Korea for WooCommerce: from n/a through 1.1.11.

CVSS: MEDIUM (6.5)

EPSS Score: 0.04%

Source: CVE
February 4th, 2025 (5 months ago)

CVE-2025-23747
WordPress Awesome Timeline plugin <= 1.0.1 - Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nitesh Singh Awesome Timeline allows Stored XSS. This issue affects Awesome Timeline: from n/a through 1.0.1.

CVSS: MEDIUM (6.5)

EPSS Score: 0.04%

Source: CVE
February 4th, 2025 (5 months ago)

CVE-2025-23581
WordPress Demo User DZS plugin <= 1.1.0 - Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Digital Zoom Studio Demo User DZS allows Stored XSS. This issue affects Demo User DZS: from n/a through 1.1.0.

CVSS: MEDIUM (6.5)

EPSS Score: 0.04%

Source: CVE
February 4th, 2025 (5 months ago)