CVE-2025-3752
Description: The Able Player, accessible HTML5 media player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘preload’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.03%
April 25th, 2025

CVE-2025-46595
Description: An XSS issue was discovered in the Flag module before 1.x-3.6.2 for Backdrop CMS. Flag is a module that allows flags to be added to nodes, comments, users, and any other type of entity. It doesn't verify flag links before performing the flag action, or verify that the response returned was provided by the flag module. This can allow crafted HTML to result in Cross Site Scripting. This is mitigated by the fact that an attacker must have a role with permission to create links on the website, for example: create or edit comments or content with a filtered text format.
CVSS: MEDIUM (6.4) EPSS Score: 0.03%
April 25th, 2025

CVE-2025-46547
Description: In Sherpa Orchestrator 141851, the web application lacks protection against CSRF attacks, which an attacker can leverage to conduct XSS attacks, add a new user or role, or exploit a SQL injection issue.
CVSS: MEDIUM (5.4) EPSS Score: 0.02%
April 25th, 2025

CVE-2025-46545
Description: In Sherpa Orchestrator 141851, the functionality for adding or updating licenses allows for stored XSS attacks by an administrator through the name parameter. The XSS payload can execute when the license expires.
CVSS: MEDIUM (4.4) EPSS Score: 0.04%
April 25th, 2025

CVE-2025-46544
Description: In Sherpa Orchestrator 141851, a low-privileged user can elevate their privileges by creating new users and roles.
CVSS: MEDIUM (6.4) EPSS Score: 0.03%
April 25th, 2025

CVE-2025-3749
Description: The Breeze Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘cal_size’ parameter in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.03%
April 24th, 2025

CVE-2025-43861
Description: ManageWiki is a MediaWiki extension allowing users to manage wikis. Prior to commit 2f177dc, ManageWiki is vulnerable to reflected or stored XSS in the review dialog. A logged-in attacker must change a form field to include a malicious payload. If that same user then opens the "Review Changes" dialog, the payload will be rendered and executed in the context of their own session. This issue has been patched in commit 2f177dc.
CVSS: MEDIUM (4.4) EPSS Score: 0.03%
April 24th, 2025

CVE-2025-46542
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeXpert Xpert Tab allows Stored XSS. This issue affects Xpert Tab: from n/a through 1.3.
CVSS: MEDIUM (6.5) EPSS Score: 0.03%
April 24th, 2025

CVE-2025-46541
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in elrata_ WP-reCAPTCHA-bp allows Stored XSS. This issue affects WP-reCAPTCHA-bp: from n/a through 4.1.
CVSS: MEDIUM (5.9) EPSS Score: 0.03%
April 24th, 2025

CVE-2025-46540
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Mok GNA Search Shortcode allows Stored XSS. This issue affects GNA Search Shortcode: from n/a through 0.9.5.
CVSS: MEDIUM (6.5) EPSS Score: 0.03%
April 24th, 2025