Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2024-31120
WordPress Gallery – Image and Video Gallery with Thumbnails plugin <= 2.0.3 - Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevart Responsive Image Gallery, Gallery Album allows Stored XSS.This issue affects Responsive Image Gallery, Gallery Album: from n/a through 2.0.3.

CVSS: MEDIUM (6.5)

EPSS Score: 0.09%

SSVC Exploitation: none

Source: CVE
March 25th, 2025 (29 days ago)

CVE-2024-30493
WordPress Church Admin plugin <= 4.1.7 - Cross Site Request Forgery (CSRF) vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in Andy Moyle Church Admin.This issue affects Church Admin: from n/a through 4.1.7.

CVSS: MEDIUM (4.3)

EPSS Score: 0.04%

SSVC Exploitation: none

Source: CVE
March 25th, 2025 (29 days ago)

CVE-2024-30469
WordPress Wholesale For WooCommerce plugin <= 2.3.0 - Unauthenticated Sensitive Data Exposure vulnerability
Description: Missing Authorization vulnerability in WPExperts Wholesale For WooCommerce.This issue affects Wholesale For WooCommerce: from n/a through 2.3.0.

CVSS: MEDIUM (5.3)

EPSS Score: 0.14%

SSVC Exploitation: none

Source: CVE
March 25th, 2025 (29 days ago)

CVE-2024-30451
WordPress Geo Controller plugin <= 8.6.4 - Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in INFINITUM FORM Geo Controller allows Stored XSS.This issue affects Geo Controller: from n/a through 8.6.4.

CVSS: MEDIUM (6.5)

EPSS Score: 0.08%

SSVC Exploitation: none

Source: CVE
March 25th, 2025 (29 days ago)

CVE-2024-2476
The OceanWP theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_theme_panel_pane...
Description: The OceanWP theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_theme_panel_pane function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to expose sensitive information such as system/environment data and API keys.

CVSS: MEDIUM (4.3)

EPSS Score: 0.17%

SSVC Exploitation: none

Source: CVE
March 25th, 2025 (29 days ago)

CVE-2024-1692
The BoldGrid Easy SEO – Simple and Effective SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the meta description field...
Description: The BoldGrid Easy SEO – Simple and Effective SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the meta description field in all versions up to, and including, 1.6.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.09%

SSVC Exploitation: none

Source: CVE
March 25th, 2025 (29 days ago)

CVE-2025-2109
WP Compress <= 6.30.15 - Unauthenticated Server-Side Request Forgery via init Function
Description: The WP Compress – Instant Performance & Speed Optimization plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.30.15 via the init() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query information from internal services.

CVSS: MEDIUM (5.8)

EPSS Score: 0.06%

Source: CVE
March 25th, 2025 (29 days ago)

CVE-2025-2635
Digital License Manager <= 1.7.3 - Reflected Cross-Site Scripting via remove_query_arg Function
Description: The Digital License Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg() function without appropriate escaping on the URL in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS: MEDIUM (6.1)

EPSS Score: 0.08%

Source: CVE
March 25th, 2025 (29 days ago)

CVE-2025-2542
Your Simple SVG Support <= 1.0.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Description: The Your Simple SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

CVSS: MEDIUM (6.4)

EPSS Score: 0.04%

Source: CVE
March 25th, 2025 (29 days ago)

CVE-2025-2510
Frndzk Expandable Bottom Bar <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via text Parameter
Description: The Frndzk Expandable Bottom Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'text' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVSS: MEDIUM (5.5)

EPSS Score: 0.03%

Source: CVE
March 25th, 2025 (29 days ago)