CVE-2024-13341
Description: The MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress is vulnerable to SQL Injection via the 'data-id' parameter in all versions up to, and including, 4.1.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS: MEDIUM (6.5) EPSS Score: 0.05%
February 2nd, 2025 (5 months ago)

CVE-2024-13098
Description: The WordPress Email Newsletter WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVSS: MEDIUM (5.4) EPSS Score: 0.04%
February 2nd, 2025 (5 months ago)

CVE-2024-13097
Description: The WP Finance WordPress plugin through 1.3.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVSS: MEDIUM (5.4) EPSS Score: 0.04%
February 2nd, 2025 (5 months ago)

CVE-2024-13096
Description: The WP Finance WordPress plugin through 1.3.6 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.
CVSS: MEDIUM (4.6) EPSS Score: 0.04%
February 2nd, 2025 (5 months ago)

CVE-2024-12825
Description: The Custom Related Posts plugin for WordPress is vulnerable to unauthorized access & modification of data due to a missing capability check on three AJAX actions in all versions up to, and including, 1.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to search posts and link/unlink relations.
CVSS: MEDIUM (5.4) EPSS Score: 0.05%
February 2nd, 2025 (5 months ago)

CVE-2024-12768
Description: The Responsive iframe WordPress plugin through 1.2.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVSS: MEDIUM (5.4) EPSS Score: 0.04%
February 2nd, 2025 (5 months ago)

CVE-2024-12041
Description: The Directorist: AI-Powered WordPress Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 8.0.12 via the /wp-json/directorist/v1/users/ endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including usernames, email addresses, names, and more information about users.
CVSS: MEDIUM (5.3) EPSS Score: 0.05%
February 2nd, 2025 (5 months ago)

CVE-2024-11829
Description: The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table Widget's searchable_label parameter in all versions up to, and including, 6.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.06%
February 2nd, 2025 (5 months ago)

CVE-2025-24597
Description: Insertion of Sensitive Information Into Sent Data vulnerability in UkrSolution Barcode Generator for WooCommerce allows Retrieve Embedded Sensitive Data. This issue affects Barcode Generator for WooCommerce: from n/a through 2.0.2.
CVSS: MEDIUM (6.5) EPSS Score: 0.04%
February 1st, 2025 (5 months ago)

CVE-2025-23987
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodegearThemes Designer allows DOM-Based XSS. This issue affects Designer: from n/a through 1.6.0.
CVSS: MEDIUM (6.5) EPSS Score: 0.04%
February 1st, 2025 (5 months ago)