Threat and Vulnerability Intelligence Database

Description: A massive cybercrime network known as "VexTrio" is using thousands of compromised WordPress sites to funnel traffic through a complex redirection scheme.
Source: Dark Reading
March 20th, 2025 (3 months ago)

CVE-2024-3594

Description: The IDonate WordPress plugin through 1.9.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).

EPSS Score: 0.27%

SSVC Exploitation: none

Source: CVE
March 20th, 2025 (3 months ago)

CVE-2024-1756

Description: The WooCommerce Customers Manager WordPress plugin before 29.8 does not have authorisation and CSRF checks in an AJAX action, allowing any authenticated user, such as a subscriber, to call it and retrieve the list of customer email addresses along with their ID, first name and last name.

EPSS Score: 0.33%

SSVC Exploitation: none

Source: CVE
March 20th, 2025 (3 months ago)

CVE-2024-2739

Description: The Advanced Search WordPress plugin through 1.1.6 does not have CSRF checks in some places, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks.

EPSS Score: 0.08%

SSVC Exploitation: none

Source: CVE
March 20th, 2025 (3 months ago)

Description: Popular WordPress security plugin WP Ghost is vulnerable to a critical severity flaw that could allow unauthenticated attackers to remotely execute code and hijack servers. [...]
Source: BleepingComputer
March 20th, 2025 (3 months ago)

CVE-2024-13881

Description: The Link My Posts WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

EPSS Score: 0.04%

Source: CVE
March 20th, 2025 (3 months ago)

CVE-2024-13880

Description: The My Quota WordPress plugin through 1.0.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

EPSS Score: 0.04%

Source: CVE
March 20th, 2025 (3 months ago)

CVE-2024-13878

Description: The SpotBot WordPress plugin through 0.1.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

EPSS Score: 0.04%

Source: CVE
March 20th, 2025 (3 months ago)

CVE-2024-13877

Description: The Passbeemedia Web Push Notification WordPress plugin through 1.0.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

EPSS Score: 0.04%

Source: CVE
March 20th, 2025 (3 months ago)

CVE-2024-13876

Description: The mEintopf WordPress plugin through 0.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

EPSS Score: 0.04%

Source: CVE
March 20th, 2025 (3 months ago)