Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2024-1318 |
Description: The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'feedzy_wizard_step_process' and 'import_status' functions in all versions up to, and including, 4.4.2. This makes it possible for authenticated attackers, with Contributor access and above, who are normally restricted to only being able to create posts rather than pages, to draft and publish posts with arbitrary content.
CVSS: MEDIUM (6.5) EPSS Score: 0.17% SSVC Exploitation: none
April 22nd, 2025 (about 2 months ago)
|
|
CVE-2024-1090 |
Description: The ImageRecycle pdf & image compression plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the stopOptimizeAll function in all versions up to, and including, 3.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify image optimization settings.
CVSS: MEDIUM (4.3) EPSS Score: 0.24% SSVC Exploitation: none
April 22nd, 2025 (about 2 months ago)
|
|
CVE-2024-25930 |
Description: Cross-Site Request Forgery (CSRF) vulnerability in Nuggethon Custom Order Statuses for WooCommerce.This issue affects Custom Order Statuses for WooCommerce: from n/a through 1.5.2.
CVSS: MEDIUM (4.3) EPSS Score: 0.17% SSVC Exploitation: none
April 22nd, 2025 (about 2 months ago)
|
|
CVE-2024-1860 |
Description: The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the antihacker_add_whitelist() function in all versions up to, and including, 4.51. This makes it possible for unauthenticated attackers to add their IP Address to the whitelist circumventing protection
CVSS: MEDIUM (6.5) EPSS Score: 0.26% SSVC Exploitation: none
April 22nd, 2025 (about 2 months ago)
|
|
CVE-2024-1136 |
Description: The Coming Soon Page & Maintenance Mode plugin for WordPress is vulnerable to unauthorized access of data due to an improperly implemented URL check in the wpsm_coming_soon_redirect function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to view a site with maintenance mode or coming-soon mode enabled to view the site's content.
CVSS: MEDIUM (5.3) EPSS Score: 0.39% SSVC Exploitation: none
April 22nd, 2025 (about 2 months ago)
|
|
CVE-2024-0431 |
Description: The Gestpay for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 20221130. This is due to missing or incorrect nonce validation on the 'ajax_set_default_card' function. This makes it possible for unauthenticated attackers to set the default card token for a user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS: MEDIUM (4.3) EPSS Score: 0.16% SSVC Exploitation: none
April 22nd, 2025 (about 2 months ago)
|
|
CVE-2025-3472 |
Description: The Ocean Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.4.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes when WooCommerce is also installed and activated.
CVSS: MEDIUM (6.5) EPSS Score: 0.11%
April 22nd, 2025 (about 2 months ago)
|
|
CVE-2025-3458 |
Description: The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ocean_gallery_id’ parameter in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The Classic Editor plugin must be installed and activated to exploit the vulnerability.
CVSS: MEDIUM (6.4) EPSS Score: 0.03%
April 22nd, 2025 (about 2 months ago)
|
|
CVE-2025-3457 |
Description: The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'oceanwp_icon' shortcode in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.03%
April 22nd, 2025 (about 2 months ago)
|
|
CVE-2024-11299 |
Description: The Memberpress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.11.37 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.
CVSS: MEDIUM (5.3) EPSS Score: 0.07%
April 22nd, 2025 (about 2 months ago)
|