Threat and Vulnerability Intelligence Database

CVE-2024-3552

Description: The Web Directory Free WordPress plugin before 1.7.0 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection with different techniques like UNION, Time-Based and Error-Based.

EPSS Score: 93.2%

SSVC Exploitation: poc

Source: CVE
March 25th, 2025 (25 days ago)

CVE-2024-31095

Description: Authorization Bypass Through User-Controlled Key vulnerability in Ricard Torres Thumbs Rating. This issue affects Thumbs Rating: from n/a through 5.1.0.

EPSS Score: 0.3%

SSVC Exploitation: none

Source: CVE
March 25th, 2025 (25 days ago)

CVE-2024-31094

Description: Deserialization of Untrusted Data vulnerability in Filter Custom Fields & Taxonomies Light. This issue affects Filter Custom Fields & Taxonomies Light: from n/a through 1.05.

EPSS Score: 0.42%

SSVC Exploitation: poc

Source: CVE
March 25th, 2025 (25 days ago)

CVE-2025-1798

Description: The does not sanitise and escape some parameters when outputting them back in a page, allowing unauthenticated users the ability to perform stored Cross-Site Scripting attacks.

EPSS Score: 0.05%

Source: CVE
March 25th, 2025 (25 days ago)

CVE-2025-1452

Description: The Favorites WordPress plugin before 2.3.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

EPSS Score: 0.03%

Source: CVE
March 25th, 2025 (25 days ago)

CVE-2024-9770

Description: The WP-Recall WordPress plugin before 16.26.12 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks.

EPSS Score: 0.02%

Source: CVE
March 25th, 2025 (25 days ago)

CVE-2024-13863

Description: The Stylish Google Sheet Reader 4.0 WordPress plugin before 4.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

EPSS Score: 0.03%

Source: CVE
March 25th, 2025 (25 days ago)

CVE-2024-13618

Description: The aoa-downloadable WordPress plugin through 0.1.0 lacks authorization and authentication for requests to its download.php endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs.

EPSS Score: 0.04%

Source: CVE
March 25th, 2025 (25 days ago)

CVE-2024-13617

Description: The aoa-downloadable WordPress plugin through 0.1.0 doesn't validate a parameter in its download function, allowing unauthenticated attackers to download arbitrary files from the server.

EPSS Score: 0.07%

Source: CVE
March 25th, 2025 (25 days ago)

CVE-2024-13123

Description: The AFI WordPress plugin before 1.100.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

EPSS Score: 0.03%

Source: CVE
March 25th, 2025 (25 days ago)