CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-4579 |
Description: The WP Content Security Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the blocked-uri and effective-directive parameters in all versions up to, and including, 2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: HIGH (7.2) EPSS Score: 0.12%
May 15th, 2025 (about 1 month ago)
|
|
CVE-2025-4520 |
Description: The Uncanny Automator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple AJAX functions in versions up to, and including, 6.4.0.2. This makes it possible for authenticated attackers, with subscriber-level permissions or above to update plugin settings.
CVSS: MEDIUM (5.4) EPSS Score: 0.03% SSVC Exploitation: none
May 14th, 2025 (about 1 month ago)
|
|
CVE-2025-3623 |
Description: The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files.
CVSS: HIGH (8.1) EPSS Score: 0.06% SSVC Exploitation: none
May 14th, 2025 (about 1 month ago)
|
|
CVE-2025-47445 |
Description: Relative Path Traversal vulnerability in Themewinter Eventin allows Path Traversal.This issue affects Eventin: from n/a through 4.0.26.
CVSS: HIGH (7.5) EPSS Score: 0.06%
May 14th, 2025 (about 1 month ago)
|
|
CVE-2025-3769 |
Description: The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.92 via the 'view_booking_summary_in_lightbox' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to retrieve appointment details such as customer names and email addresses.
CVSS: MEDIUM (5.3) EPSS Score: 0.03%
May 14th, 2025 (about 1 month ago)
|
|
CVE-2024-8988 |
Description: The PeepSo Core: File Uploads plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.4.6.0 via the file_download REST API endpoint due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to download files uploaded by others users and expose potentially sensitive information.
CVSS: MEDIUM (5.3) EPSS Score: 0.03%
May 14th, 2025 (about 1 month ago)
|
|
CVE-2024-13940 |
Description: The Ninja Forms Webhooks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.0.7 via the form webhook functionality. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
CVSS: MEDIUM (5.5) EPSS Score: 0.03%
May 14th, 2025 (about 1 month ago)
|
|
CVE-2025-4474 |
Description: The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the fed_admin_setting_form_function() function in versions 1.0 to 2.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the plugin’s 'register' role setting to make new user registrations default to the administrator role, leading to an elevation of privileges to that of an administrator.
CVSS: HIGH (8.8) EPSS Score: 0.05%
May 13th, 2025 (about 1 month ago)
|
|
CVE-2025-4473 |
Description: The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_request() function in versions 1.0 to 2.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to control where the plugin sends outgoing emails. By pointing SMTP to their own server, attackers could capture password reset emails intended for administrators, and elevate their privileges for full site takeover.
CVSS: HIGH (8.8) EPSS Score: 0.06%
May 13th, 2025 (about 1 month ago)
|
|
CVE-2025-4339 |
Description: The TheGem theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxApi() function in all versions up to, and including, 5.10.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary theme options.
CVSS: MEDIUM (4.3) EPSS Score: 0.03%
May 13th, 2025 (about 1 month ago)
|