CyberAlerts

CVE-2025-31541

WordPress TuriTop Booking System plugin <= 1.0.10 - Broken Access Control vulnerability

Description: Missing Authorization vulnerability in turitop TuriTop Booking System allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TuriTop Booking System: from n/a through 1.0.10.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE

April 3rd, 2025 (18 days ago)

CVE-2025-31091

WordPress CM Header and Footer <= 1.2.4 - Cross Site Scripting (XSS) Vulnerability

Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Header and Footer allows Stored XSS. This issue affects CM Header and Footer: from n/a through 1.2.4.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE

April 3rd, 2025 (18 days ago)

CVE-2025-30916

WordPress Residential Address Detection plugin <= 2.5.4 - Broken Access Control vulnerability

Description: Missing Authorization vulnerability in enituretechnology Residential Address Detection allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Residential Address Detection: from n/a through 2.5.4.

CVSS: MEDIUM (6.5)

EPSS Score: 0.05%

Source: CVE

April 3rd, 2025 (18 days ago)

CVE-2025-30915

WordPress Small Package Quotes – Worldwide Express Edition plugin <= 5.2.19 - Broken Access Control vulnerability

Description: Missing Authorization vulnerability in enituretechnology Small Package Quotes – Worldwide Express Edition allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Small Package Quotes – Worldwide Express Edition: from n/a through 5.2.19.

CVSS: MEDIUM (6.5)

EPSS Score: 0.05%

Source: CVE

April 3rd, 2025 (18 days ago)

CVE-2025-30596

WordPress include-file <= 1 - Arbitrary File Download Vulnerability

Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NotFound include-file allows Path Traversal. This issue affects include-file: from n/a through 1.

CVSS: MEDIUM (6.5)

EPSS Score: 0.05%

Source: CVE

April 3rd, 2025 (18 days ago)

CVE-2024-9416

Modula Image Gallery <= 2.10.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox 5 JavaScript Library

Description: The Modula Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions <= 5.0.36) due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE

April 3rd, 2025 (18 days ago)

CVE-2025-2299

LuckyWP Table of Contents <= 2.1.10 - Cross-Site Request Forgery to Reflected Cross-Site Scripting

Description: The LuckyWP Table of Contents plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.10. This is due to missing or incorrect nonce validation on the 'ajaxEdit' function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: MEDIUM (6.1)

EPSS Score: 0.04%

Source: CVE

April 3rd, 2025 (18 days ago)

CVE-2025-2874

User Submitted Posts <= 20241026 - Authenticated (Admin+) Stored Cross-Site Scripting

Description: The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 20240319 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVSS: MEDIUM (4.4)

EPSS Score: 0.03%

Source: CVE

April 3rd, 2025 (18 days ago)

CVE-2025-1663

Unlimited Elements For Elementor <= 1.5.142 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description: The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.5.142 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE

April 3rd, 2025 (18 days ago)

CVE-2024-13673

Big Boom Directory <= 2.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description: The Big Boom Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bbd-search' shortcode in all versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE

April 3rd, 2025 (18 days ago)

Threat and Vulnerability Intelligence Database

Example Searches: