CyberAlerts

CVE-2024-13146

Booknetic < 4.1.5 - Staff Creation via CSRF

Description: The Booknetic WordPress plugin before 4.1.5 does not have CSRF check when creating Staff accounts, which could allow attackers to make logged in admin add arbitrary Staff members via a CSRF attack

EPSS Score: 0.04%

Source: CVE

March 26th, 2025 (24 days ago)

CVE-2024-12683

Smart Maintenance Mode < 1.5.2 - Admin+ Stored XSS

Description: The Smart Maintenance Mode WordPress plugin before 1.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

EPSS Score: 0.03%

Source: CVE

March 26th, 2025 (24 days ago)

CVE-2024-11847

WP SVG Upload <= 1.0.0 - Author+ Stored XSS via SVG

Description: The wp-svg-upload WordPress plugin through 1.0.0 does not sanitize SVG file contents, which enables users with at least the author role to SVG with malicious JavaScript to conduct Stored XSS attacks.

EPSS Score: 0.03%

Source: CVE

March 26th, 2025 (24 days ago)

CVE-2024-4533

KKProgressbar2 Free <= 1.1.4.2 - Admin+ SQL Injection

Description: The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not sanitize and escape a parameter before using it in a SQL statement, allowing admin users to perform SQL injection attacks

EPSS Score: 0.09%

SSVC Exploitation: poc

Source: CVE

March 25th, 2025 (25 days ago)

CVE-2024-4480

WP Prayer II <= 2.4.7 - Email Settings Update via CSRF

Description: The WP Prayer II WordPress plugin through 2.4.7 does not have CSRF check in place when updating its email settings, which could allow attackers to make a logged in admin change them via a CSRF attack

EPSS Score: 0.07%

SSVC Exploitation: poc

Source: CVE

March 25th, 2025 (25 days ago)

CVE-2024-3631

HL Twitter <= 2014.1.18 - Unlink Twitter Account via CSRF

Description: The HL Twitter WordPress plugin through 2014.1.18 does not have CSRF check when unlinking twitter accounts, which could allow attackers to make logged in admins perform such actions via a CSRF attack

EPSS Score: 0.1%

SSVC Exploitation: poc

Source: CVE

March 25th, 2025 (25 days ago)

CVE-2024-3478

Herd Effects < 5.2.7 - Effect Deletion via CSRF

Description: The Herd Effects WordPress plugin before 5.2.7 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting effects via CSRF attacks

EPSS Score: 0.02%

SSVC Exploitation: poc

Source: CVE

March 25th, 2025 (25 days ago)

CVE-2024-3992

Amen <= 3.3.1 - Admin+ Stored XSS

Description: The Amen WordPress plugin through 3.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

EPSS Score: 0.13%

SSVC Exploitation: none

Source: CVE

March 25th, 2025 (25 days ago)

CVE-2024-3477

Popup Box < 2.2.7 - Popup Deletion via CSRF

Description: The Popup Box WordPress plugin before 2.2.7 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting popups via CSRF attacks

EPSS Score: 0.02%

SSVC Exploitation: poc

Source: CVE

March 25th, 2025 (25 days ago)

CVE-2024-4535

KKProgressbar2 Free <= 1.1.4.2 - Progress Bar Deletion via CSRF

Description: The KKProgressbar2 Free WordPress plugin through 1.1.4.2 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks

EPSS Score: 0.12%

SSVC Exploitation: poc

Source: CVE

March 25th, 2025 (25 days ago)

Threat and Vulnerability Intelligence Database

Example Searches: