Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2024-13731
Alert Box Block – Display notice/alerts in the front end <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Alert Box Block
Description: The Alert Box Block – Display notice/alerts in the front end. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Alert Box block in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
March 25th, 2025 (29 days ago)

CVE-2024-13710
Estatebud – Properties & Listings <= 5.5.0 - Cross-Site Request Forgery to Settings Update
Description: The Estatebud – Properties & Listings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.5.0. This is due to missing or incorrect nonce validation on the 'estatebud_settings' page. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: MEDIUM (4.3)

EPSS Score: 0.01%

Source: CVE
March 25th, 2025 (29 days ago)

CVE-2025-2252
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy <= 3.3.6.1 - Unauthenticated Private Post Title Disclosure
Description: The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.6.1 via the edd_ajax_get_download_title() function. This makes it possible for unauthenticated attackers to extract private post titles of downloads. The impact here is minimal.

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

Source: CVE
March 25th, 2025 (29 days ago)

CVE-2025-1320
teachPress <= 9.0.9 - Cross-Site Request Forgery to Import Delete
Description: The teachPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.0.9. This is due to missing or incorrect nonce validation on the import.php page. This makes it possible for unauthenticated attackers to delete imports via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: MEDIUM (4.3)

EPSS Score: 0.01%

Source: CVE
March 25th, 2025 (29 days ago)

CVE-2024-12623
DICOM Support <= 0.10.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The DICOM Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dcm' shortcode in all versions up to, and including, 0.10.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
March 25th, 2025 (29 days ago)

CVE-2025-2224
Directorist <= 8.2 - Missing Authorization to Unauthenticated Arbitrary Post Publishing
Description: The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'parse_query' function in all versions up to, and including, 8.2. This makes it possible for unauthenticated attackers to update the post_status of any post to 'publish'.

CVSS: MEDIUM (5.3)

EPSS Score: 0.06%

Source: CVE
March 25th, 2025 (29 days ago)

CVE-2025-0845
DesignThemes Core Features <= 4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description: The DesignThemes Core Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.02%

Source: CVE
March 25th, 2025 (29 days ago)

CVE-2025-30623
WordPress wA11y – The Web Accessibility Toolbox plugin <= 1.0.3 - Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rachel Cherry wA11y – The Web Accessibility Toolbox allows Stored XSS. This issue affects wA11y – The Web Accessibility Toolbox: from n/a through 1.0.3.

CVSS: MEDIUM (5.9)

EPSS Score: 0.03%

Source: CVE
March 24th, 2025 (30 days ago)

CVE-2025-30619
WordPress SpeakPipe - <= <= 0.2 Cross Site Request Forgery (CSRF) Vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in SpeakPipe SpeakPipe allows Cross Site Request Forgery. This issue affects SpeakPipe: from n/a through 0.2.

CVSS: MEDIUM (5.4)

EPSS Score: 0.02%

Source: CVE
March 24th, 2025 (30 days ago)

CVE-2025-30617
WordPress Rewrite - <= <= 0.2.1 Cross Site Request Forgery (CSRF) Vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in takien Rewrite allows Cross Site Request Forgery. This issue affects Rewrite: from n/a through 0.2.1.

CVSS: MEDIUM (4.3)

EPSS Score: 0.02%

Source: CVE
March 24th, 2025 (30 days ago)