Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-4131 |
Description: The GmapsMania plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's gmap shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.03%
May 2nd, 2025 (3 days ago)
|
|
CVE-2025-3746 |
Description: The OTP-less one tap Sign in plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.14 to 2.0.59. This is due to the plugin not properly validating a user's identity prior to updating their details, like email. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
Additionally, the plugin returns authentication cookies in the response, which can be used to access the account directly.
CVSS: CRITICAL (9.8) EPSS Score: 0.11%
May 2nd, 2025 (3 days ago)
|
|
CVE-2025-3709 |
Description: Agentflow from Flowring Technology has an Account Lockout Bypass vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to perform password brute force attack.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
May 2nd, 2025 (3 days ago)
|
|
CVE-2025-3708 |
Description: Le-show medical practice management system from Le-yan has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
CVSS: CRITICAL (9.8) EPSS Score: 0.08%
May 2nd, 2025 (3 days ago)
|
|
CVE-2025-3707 |
Description: The eHDR CTMS from Sunnet has a SQL Injection vulnerability, allowing remote attackers with regular privileges to inject arbitrary SQL command to read database contents.
CVSS: MEDIUM (6.5) EPSS Score: 0.03%
May 2nd, 2025 (3 days ago)
|
|
CVE-2025-3670 |
Description: The KiwiChat NextClient plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in all versions up to, and including, 6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.03%
May 2nd, 2025 (3 days ago)
|
|
CVE-2025-29825 |
Description: User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
CVSS: MEDIUM (6.5) EPSS Score: 0.09%
May 2nd, 2025 (3 days ago)
|
|
CVE-2025-2880 |
Description: The Yame | Link In Bio plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 0.9.0 through the publicly accessible phpinfo.php script. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed file.
CVSS: MEDIUM (5.3) EPSS Score: 0.04%
May 2nd, 2025 (3 days ago)
|
|
CVE-2024-55913 |
Description: IBM Concert Software 1.0.0 through 1.0.5 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
CVSS: MEDIUM (5.3) EPSS Score: 0.05%
May 2nd, 2025 (3 days ago)
|
|
CVE-2024-55912 |
Description: IBM Concert Software 1.0.0 through 1.0.5 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
CVSS: MEDIUM (5.9) EPSS Score: 0.02%
May 2nd, 2025 (3 days ago)
|