CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-47442
WordPress CC BMI Calculator <= 2.1.0 - Cross Site Scripting (XSS) Vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CC CC BMI Calculator allows Stored XSS. This issue affects CC BMI Calculator: from n/a through 2.1.0.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
May 7th, 2025 (about 1 month ago)

CVE-2025-47441
WordPress Progress Bar <= 2.2.3 - Cross Site Scripting (XSS) Vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chris Reynolds Progress Bar allows Stored XSS. This issue affects Progress Bar: from n/a through 2.2.3.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
May 7th, 2025 (about 1 month ago)

CVE-2025-47440
WordPress WPAdverts <= 2.2.2 - Local File Inclusion Vulnerability
Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Greg Winiarski WPAdverts allows PHP Local File Inclusion. This issue affects WPAdverts: from n/a through 2.2.2.

CVSS: HIGH (7.5)

EPSS Score: 0.13%

Source: CVE
May 7th, 2025 (about 1 month ago)

CVE-2025-47439
WordPress Download Monitor <= 5.0.22 - Local File Inclusion Vulnerability
Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Chill Download Monitor allows PHP Local File Inclusion. This issue affects Download Monitor: from n/a through 5.0.22.

CVSS: HIGH (7.5)

EPSS Score: 0.13%

Source: CVE
May 7th, 2025 (about 1 month ago)
OttoKit WordPress Plugin with 100K+ Installs Hit by Exploits Targeting Multiple Flaws
🚨 Marked as known exploited on May 7th, 2025 (about 1 month ago).
Description: A second security flaw impacting the OttoKit (formerly SureTriggers) WordPress plugin has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-27007 (CVSS score: 9.8), is a privilege escalation bug impacting all versions of the plugin prior to and including version 1.0.82.  "This is due to the create_wp_connection() function missing a capability check and

CVSS: CRITICAL (9.8)

EPSS Score: 17.88%

Source: TheHackerNews
May 7th, 2025 (about 1 month ago)

CVE-2025-4104
Frontend Dashboard 1.0 - 2.2.6 - Missing Authorization to Unauthenticated Privilege Escalation via fed_wp_ajax_fed_login_form_post Function
Description: The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the fed_wp_ajax_fed_login_form_post() function in versions 1.0 to 2.2.6. This makes it possible for unauthenticated attackers to reset the administrator’s email and password, and elevate their privileges to that of an administrator.

CVSS: CRITICAL (9.8)

EPSS Score: 0.12%

Source: CVE
May 7th, 2025 (about 1 month ago)

CVE-2025-39361
WordPress Royal Elementor Addons plugin <= 1.7.1017 - Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WProyal Royal Elementor Addons allows Stored XSS.This issue affects Royal Elementor Addons: from n/a through 1.7.1017.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
May 7th, 2025 (about 1 month ago)

CVE-2025-4171
WZ Followed Posts – Display what visitors are reading <= 3.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The WZ Followed Posts – Display what visitors are reading plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wfp' shortcode in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
May 7th, 2025 (about 1 month ago)

CVE-2024-12120
Royal Elementor Addons and Templates <= 1.7.1017 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown widget display_message_text parameter in all versions up to, and including, 1.7.1017 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (5.4)

EPSS Score: 0.03%

Source: CVE
May 7th, 2025 (about 1 month ago)

CVE-2025-3766
Login Lockdown & Protection <= 2.11 - Missing Authorization to Authenticated (Subscriber+) Arbitrary IP Whitelisting
Description: The Login Lockdown & Protection plugin for WordPress is vulnerable to unauthorized nonce access due to a missing capability check on the ajax_run_tool function in all versions up to, and including, 2.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain a valid nonce that can be used to generate a global unlock key, which can in turn be used to add arbitrary IP address to the plugin allowlist. This can only by exploited on new installations where the site administrator hasn't visited the loginlockdown page yet.

CVSS: MEDIUM (5.4)

EPSS Score: 0.03%

Source: CVE
May 7th, 2025 (about 1 month ago)