Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-3897 |
Description: The EUCookieLaw plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.7.2 via the 'file_get_contents' function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. The vulnerability can only be exploited if a caching plugin such as W3 Total Cache is installed and activated.
CVSS: MEDIUM (5.9) EPSS Score: 0.16%
May 9th, 2025 (about 1 month ago)
|
|
CVE-2025-3949 |
Description: The Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'seedprod_lite_get_revisisons' function in all versions up to, and including, 6.18.15. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the content of arbitrary landing page revisions.
CVSS: MEDIUM (4.3) EPSS Score: 0.03%
May 9th, 2025 (about 1 month ago)
|
|
CVE-2025-4208 |
Description: The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Limited Code Execution in all versions up to, and including, 8.9.1 via the get_table_records function. This is due to the unsanitized use of user-supplied input in call_user_func(). This makes it possible for authenticated attackers, with Custom-level access, to execute arbitrary PHP functions that meet specific constraints (static methods or global functions accepting a single array parameter).
CVSS: MEDIUM (6.3) EPSS Score: 0.07%
May 8th, 2025 (about 1 month ago)
|
|
CVE-2025-3862 |
Description: Contest Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 26.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.04%
May 8th, 2025 (about 1 month ago)
|
|
CVE-2025-3468 |
Description: The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the clean_html and form_fields parameters in all versions up to, and including, 8.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.03%
May 8th, 2025 (about 1 month ago)
|
|
CVE-2025-2806 |
Description: The tagDiv Composer plugin for WordPress, used by the Newspaper theme, is vulnerable to Reflected Cross-Site Scripting via the ‘data’ parameter in all versions up to, and including, 5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS: MEDIUM (6.1) EPSS Score: 0.09%
May 8th, 2025 (about 1 month ago)
|
|
CVE-2025-4127 |
Description: The WP SEO Structured Data Schema plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Price Range’ parameter in all versions up to, and including, 2.7.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that will execute whenever an administrator accesses the plugin settings page.
CVSS: MEDIUM (6.4) EPSS Score: 0.03%
May 8th, 2025 (about 1 month ago)
|
|
CVE-2024-0963 |
Description: The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's CP_CALCULATED_FIELDS shortcode in all versions up to, and including, 1.2.52 due to insufficient input sanitization and output escaping on user supplied 'location' attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.12% SSVC Exploitation: none
May 7th, 2025 (about 1 month ago)
|
|
CVE-2024-0907 |
Description: The NEX-Forms – Ultimate Form Builder – Contact forms and much more plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the restore_records() function in all versions up to, and including, 8.5.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to restore records.
CVSS: MEDIUM (5.3) EPSS Score: 0.49% SSVC Exploitation: none
May 7th, 2025 (about 1 month ago)
|
|
CVE-2025-47692 |
Description: Missing Authorization vulnerability in contentstudio ContentStudio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ContentStudio: from n/a through 1.3.3.
CVSS: MEDIUM (4.3) EPSS Score: 0.03%
May 7th, 2025 (about 1 month ago)
|