CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-39513
WordPress ActiveDEMAND <= 0.2.46 - Broken Access Control Vulnerability
Description: Missing Authorization vulnerability in ActiveDEMAND Online Agency Marketing Automation ActiveDEMAND allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects ActiveDEMAND: from n/a through 0.2.46.

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

Source: CVE
April 16th, 2025 (about 2 months ago)

CVE-2025-39512
WordPress Bulk Term Editor <= 1.1.4 - Cross Site Request Forgery (CSRF) Vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in Yuya Hoshino Bulk Term Editor allows Cross Site Request Forgery. This issue affects Bulk Term Editor: from n/a through 1.1.4.

CVSS: MEDIUM (4.3)

EPSS Score: 0.02%

Source: CVE
April 16th, 2025 (about 2 months ago)

CVE-2025-3104
WP Staging Pro <= 6.1.2 - Unauthenticated Information Exposure via getOutdatedPluginsRequest Function
Description: The WP STAGING Pro WordPress Backup Plugin for WordPress is vulnerable to Information Exposure in all versions up to and including 6.1.2 due to missing capability checks on the getOutdatedPluginsRequest() function. This makes it possible for unauthenticated attackers to reveal outdated installed active or inactive plugins.

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

Source: CVE
April 16th, 2025 (about 2 months ago)

CVE-2025-3077
Betheme <= 28.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button shortcode and Custom CSS field in all versions up to, and including, 28.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
April 16th, 2025 (about 2 months ago)

CVE-2025-3247
Contact Form 7 <= 6.0.5 - Order Replay Vulnerability
Description: The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the 'wpcf7_stripe_skip_spam_check' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order.

CVSS: MEDIUM (5.3)

EPSS Score: 0.02%

Source: CVE
April 16th, 2025 (about 2 months ago)

CVE-2025-2314
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor <= 3.13.5 - Authenticated (Contributor+) Stored Cross-Si...
Description: The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.13.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue was partially patched in version 3.13.6 of the plugin, and fully patched in 3.13.7.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
April 16th, 2025 (about 2 months ago)

CVE-2024-13452
Contact Form by Supsystic <= 1.7.29 - Cross-Site Request Forgery to Stored Cross-Site Scripting via saveAsCopy AJAX Action
Description: The Contact Form by Supsystic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.29. This is due to missing or incorrect nonce validation on a saveAsCopy function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: MEDIUM (6.1)

EPSS Score: 0.03%

Source: CVE
April 16th, 2025 (about 2 months ago)

CVE-2025-30982
WordPress MyBookProgress by Stormhill Media plugin <= 1.0.8 - Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zookatron MyBookProgress by Stormhill Media allows Stored XSS. This issue affects MyBookProgress by Stormhill Media: from n/a through 1.0.8.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
April 15th, 2025 (about 2 months ago)

CVE-2025-30966
WordPress WPJobBoard plugin < 5.11.1 - Path Traversal vulnerability
Description: Path Traversal vulnerability in NotFound WPJobBoard allows Path Traversal. This issue affects WPJobBoard: from n/a through n/a.

CVSS: MEDIUM (5.4)

EPSS Score: 0.04%

Source: CVE
April 15th, 2025 (about 2 months ago)

CVE-2025-26998
WordPress SKT Blocks – Gutenberg based Page Builder plugin <= 1.8 - Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sonalsinha21 SKT Blocks – Gutenberg based Page Builder allows Stored XSS. This issue affects SKT Blocks – Gutenberg based Page Builder: from n/a through 1.8.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
April 15th, 2025 (about 2 months ago)