CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-23669
WordPress WP Smart Tooltip plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nurul Amin, Mohammad Saiful Islam WP Smart Tooltip allows Stored XSS. This issue affects WP Smart Tooltip: from n/a through 1.0.0.

CVSS: MEDIUM (6.5)

EPSS Score: 0.04%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2025-23656
WordPress Donate visa plugin <= 1.0.0 - Stored Cross Site Scripting (XSS) vulnerability
Description: Missing Authorization vulnerability in Saul Morales Pacheco Donate visa allows Stored XSS. This issue affects Donate visa: from n/a through 1.0.0.

CVSS: MEDIUM (6.5)

EPSS Score: 0.04%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2025-23529
WordPress Minterpress plugin <= 1.0.5 - Arbitrary Content Deletion vulnerability
Description: Missing Authorization vulnerability in Blokhaus Minterpress allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Minterpress: from n/a through 1.0.5.

CVSS: MEDIUM (6.5)

EPSS Score: 0.04%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2025-0350
Divi Carousel Lite <= 2.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Carousel and Logo Carousel Widgets
Description: The Divi Carousel Maker – Image, Logo, Testimonial, Post Carousel & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Carousel and Logo Carousel in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-13721
Plethora Plugins Tabs + Accordions <= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via anchor
Description: The Plethora Plugins Tabs + Accordions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the anchor parameter in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-13709
Linear <= 2.8.1 - Cross-Site Request Forgery to Cache Reset
Description: The Linear plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.1. This is due to missing or incorrect nonce validation on the 'linear-debug'. This makes it possible for unauthenticated attackers to reset the plugin's cache via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: MEDIUM (4.3)

EPSS Score: 0.05%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-13599
LearnPress – WordPress LMS Plugin <= 4.2.7.5 - Authenticated (LP Instructor+) Stored Cross-Site Scripting via Lesson Name
Description: The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.2.7.5 due to insufficient input sanitization and output escaping of a lesson name. This makes it possible for authenticated attackers, with LP Instructor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-13594
Simple Downloads List <= 1.4.2 - Authenticated (Contributor+) SQL Injection
Description: The Simple Downloads List plugin for WordPress is vulnerable to SQL Injection via the 'category' attribute of the 'neofix_sdl' shortcode in all versions up to, and including, 1.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS: MEDIUM (6.5)

EPSS Score: 0.07%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-13586
Masy Gallery <= 1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The Masy Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'justified-gallery' shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-13572
Precious Metals Charts and Widgets for WordPress <= 1.2.8 - Authenticated (Contributor+) Stored Cross-site Scripting
Description: The Precious Metals Charts and Widgets for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'nfusion-widget' shortcode in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE
January 28th, 2025 (5 months ago)