Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-2890
tagDiv Opt-In Builder <= 1.7 - Authenticated (Subscriber+) SQL Injection via subscriptionCouponId Parameter
Description: The tagDiv Opt-In Builder plugin for WordPress is vulnerable to time-based SQL Injection via the ‘subscriptionCouponId’ parameter in all versions up to, and including, 1.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
April 30th, 2025 (about 1 month ago)

CVE-2025-3953
WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin <= 14.13.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plug...
Description: The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'optionUpdater' function in all versions up to, and including, 14.13.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin settings.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
April 30th, 2025 (about 1 month ago)

CVE-2025-3452
SecuPress Free <= 2.3.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation
Description: The SecuPress Free — WordPress Security plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'secupress_reinstall_plugins_admin_ajax_cb' function in all versions up to, and including, 2.3.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins.

CVSS: MEDIUM (4.3)

EPSS Score: 0.03%

Source: CVE
April 29th, 2025 (about 1 month ago)

CVE-2025-2893
Gutenverse <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via countdown Block
Description: The Gutenverse – Ultimate Block Addons and Page Builder for Site Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's countdown Block in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
April 29th, 2025 (about 1 month ago)

CVE-2025-39367
WordPress Kleo theme < 5.4.4 - Broken Access Control vulnerability
Description: Missing Authorization vulnerability in SeventhQueen Kleo.This issue affects Kleo: from n/a before 5.4.4.

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

Source: CVE
April 28th, 2025 (about 1 month ago)

CVE-2024-13688
Admin and Site Enhancements (ASE) < 7.6.10 - Password Protection Bypass
Description: The Admin and Site Enhancements (ASE) WordPress plugin before 7.6.10 uses a hardcoded password in its Password Protection feature, allowing attacker to bypass the protection offered via a crafted request

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

Source: CVE
April 28th, 2025 (about 1 month ago)

CVE-2024-13812
Anps Theme plugin <= 1.1.1 - Unauthenticated Arbitrary Shortcode Execution
Description: The The Anps Theme plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.1.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

CVSS: MEDIUM (6.5)

EPSS Score: 0.15%

Source: CVE
April 26th, 2025 (about 1 month ago)

CVE-2025-3915
Aeropage Sync for Airtable <= 3.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion
Description: The Aeropage Sync for Airtable plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'aeropageDeletePost' function in all versions up to, and including, 3.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.

CVSS: MEDIUM (4.3)

EPSS Score: 0.03%

Source: CVE
April 26th, 2025 (about 1 month ago)

CVE-2025-1458
Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) <= 5.10.29 - Authenticated (Contributor+)...
Description: The Element Pack Addons for Elementor – Free Templates and Widgets for Your WordPress Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets like Dual Button, Creative Button, Image Stack and more in all versions up to, and including, 5.10.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
April 26th, 2025 (about 1 month ago)

CVE-2025-3912
WS Form LITE – Drag & Drop Contact Form Builder for WordPress <= 1.10.35 - Missing Authorization to Unauthenticated Sensitive Information Exposure
Description: The WS Form LITE – Drag & Drop Contact Form Builder for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_config' function in all versions up to, and including, 1.10.35. This makes it possible for unauthenticated attackers to read the value of the plugin's settings, including API keys for integrated services.

CVSS: MEDIUM (5.3)

EPSS Score: 0.06%

Source: CVE
April 25th, 2025 (about 2 months ago)