Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-2573 |
Description: The Amazing service box Addons For WPBakery Page Builder (formerly Visual Composer) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
CVSS: MEDIUM (6.4) EPSS Score: 0.04%
March 26th, 2025 (28 days ago)
|
|
CVE-2025-2165 |
Description: The SH Email Alert plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'mid' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS: MEDIUM (6.1) EPSS Score: 0.1%
March 26th, 2025 (28 days ago)
|
|
CVE-2025-1490 |
Description: The Smart Maintenance Mode plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘setstatus’ parameter in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS: MEDIUM (6.1) EPSS Score: 0.1%
March 26th, 2025 (28 days ago)
|
|
CVE-2025-2302 |
Description: The Advanced Woo Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aws_search_terms shortcode in all versions up to, and including, 3.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.03%
March 26th, 2025 (28 days ago)
|
|
CVE-2025-2276 |
Description: The Ultimate Dashboard – Custom WordPress Dashboard plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_module_actions function in all versions up to, and including, 3.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate/deactivate plugin modules.
CVSS: MEDIUM (4.3) EPSS Score: 0.03%
March 26th, 2025 (28 days ago)
|
|
CVE-2024-1076 |
Description: The SSL Zen WordPress plugin before 4.6.0 does not properly prevent directory listing of the private keys folder, as it only relies on the use of .htaccess to prevent visitors from accessing the site's generated private keys, which allows an attacker to read them if the site runs on a server who doesn't support .htaccess files, like NGINX.
CVSS: MEDIUM (6.5) EPSS Score: 0.11% SSVC Exploitation: poc
March 25th, 2025 (28 days ago)
|
|
CVE-2024-0677 |
Description: The Pz-LinkCard WordPress plugin through 2.5.1 does not prevent users from pinging arbitrary hosts via some of its shortcodes, which could allow high privilege users such as contributors to perform SSRF attacks.
CVSS: MEDIUM (5.1) EPSS Score: 0.07% SSVC Exploitation: poc
March 25th, 2025 (28 days ago)
|
|
CVE-2024-37227 |
Description: Cross Site Request Forgery (CSRF) vulnerability in Tribulant Newsletters.This issue affects Newsletters: from n/a through 4.9.7.
CVSS: MEDIUM (4.3) EPSS Score: 0.04% SSVC Exploitation: none
March 25th, 2025 (29 days ago)
|
|
CVE-2025-26742 |
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GhozyLab Gallery for Social Photo allows Stored XSS.This issue affects Gallery for Social Photo: from n/a through 1.0.0.35.
CVSS: MEDIUM (6.5) EPSS Score: 0.03% SSVC Exploitation: none
March 25th, 2025 (29 days ago)
|
|
CVE-2024-31120 |
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevart Responsive Image Gallery, Gallery Album allows Stored XSS.This issue affects Responsive Image Gallery, Gallery Album: from n/a through 2.0.3.
CVSS: MEDIUM (6.5) EPSS Score: 0.09% SSVC Exploitation: none
March 25th, 2025 (29 days ago)
|