CyberAlerts

CVE-2025-3503

Description: The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVSS: MEDIUM (4.8)

EPSS Score: 0.03%

SSVC Exploitation: poc

Source: CVE

May 1st, 2025 (about 2 months ago)

CVE-2025-3502

WP Maps < 4.7.2 - Admin+ Stored XSS

Description: The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVSS: LOW (3.5)

EPSS Score: 0.03%

SSVC Exploitation: poc

Source: CVE

May 1st, 2025 (about 2 months ago)

CVE-2025-27007

WordPress SureTriggers <= 1.0.82 - Privilege Escalation Vulnerability

🚨 Marked as known exploited on May 7th, 2025 (about 1 month ago).

Description: Incorrect Privilege Assignment vulnerability in Brainstorm Force SureTriggers allows Privilege Escalation.This issue affects SureTriggers: from n/a through 1.0.82.

CVSS: CRITICAL (9.8)

EPSS Score: 17.88%

SSVC Exploitation: none

Source: CVE

May 1st, 2025 (about 2 months ago)

CVE-2025-2168

Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider <= ...

Description: The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.1. This is due to missing or incorrect nonce validation on the dismiss() function. This makes it possible for unauthenticated attackers to set arbitrary user meta values to `1` which can be leveraged to lock and administrator out of their site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: MEDIUM (4.3)

EPSS Score: 0.01%

SSVC Exploitation: none

Source: CVE

May 1st, 2025 (about 2 months ago)

CVE-2025-1529

AM LottiePlayer <= 3.5.3 - Authenticated (Author+) Stored Cross-Site Scripting via Uploaded Lottie File

Description: The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded lottie files in all versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

SSVC Exploitation: none

Source: CVE

May 1st, 2025 (about 2 months ago)

CVE-2025-1305

NewsBlogger <= 0.2.5.4 - Cross-Site Request Forgery to Arbitrary Plugin Installation

Description: The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2.5.4. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: HIGH (8.8)

EPSS Score: 0.06%

SSVC Exploitation: none

Source: CVE

May 1st, 2025 (about 2 months ago)

CVE-2025-1304

NewsBlogger <= 0.2.5.1 - Authenticated (Subscriber+) Arbitrary File Upload

Description: The NewsBlogger theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the newsblogger_install_and_activate_plugin() function in all versions up to, and including, 0.2.5.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS: HIGH (8.8)

EPSS Score: 0.23%

SSVC Exploitation: none

Source: CVE

May 1st, 2025 (about 2 months ago)

Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers

Description: Cybersecurity researchers have shed light on a new campaign targeting WordPress sites that disguises the malware as a security plugin. The plugin, which goes by the name "WP-antymalwary-bot.php," comes with a variety of features to maintain access, hide itself from the admin dashboard, and execute remote code. "Pinging functionality that can report back to a command-and-control (C&C) server

Source: TheHackerNews

May 1st, 2025 (about 2 months ago)

CVE-2024-13381

Calculated Fields Form < 5.2.62 - Admin+ Stored XSS

Description: The Calculated Fields Form WordPress plugin before 5.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVSS: MEDIUM (4.8)

EPSS Score: 0.03%

Source: CVE

May 1st, 2025 (about 2 months ago)

CVE-2024-13845

Gravity Forms WebHooks <= 1.6.0 - Authenticated (Admin+) Server-Side Request Forgery via Webhook

Description: The Gravity Forms WebHooks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.0 via the 'process_feed' method of the GF_Webhooks class This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

CVSS: MEDIUM (5.5)

EPSS Score: 0.04%

Source: CVE

May 1st, 2025 (about 2 months ago)

Threat and Vulnerability Intelligence Database

Example Searches:

CVE-2025-3503	WP Maps < 4.7.2 - Admin+ Stored XSS Description: The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). CVSS: MEDIUM (4.8) EPSS Score: 0.03% SSVC Exploitation: poc Source: CVE May 1st, 2025 (about 2 months ago)
CVE-2025-3502	WP Maps < 4.7.2 - Admin+ Stored XSS Description: The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). CVSS: LOW (3.5) EPSS Score: 0.03% SSVC Exploitation: poc Source: CVE May 1st, 2025 (about 2 months ago)
CVE-2025-27007	WordPress SureTriggers <= 1.0.82 - Privilege Escalation Vulnerability 🚨 Marked as known exploited on May 7th, 2025 (about 1 month ago). Description: Incorrect Privilege Assignment vulnerability in Brainstorm Force SureTriggers allows Privilege Escalation.This issue affects SureTriggers: from n/a through 1.0.82. CVSS: CRITICAL (9.8) EPSS Score: 17.88% SSVC Exploitation: none Source: CVE May 1st, 2025 (about 2 months ago)
CVE-2025-2168	Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider <= ... Description: The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.1. This is due to missing or incorrect nonce validation on the dismiss() function. This makes it possible for unauthenticated attackers to set arbitrary user meta values to `1` which can be leveraged to lock and administrator out of their site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSS: MEDIUM (4.3) EPSS Score: 0.01% SSVC Exploitation: none Source: CVE May 1st, 2025 (about 2 months ago)
CVE-2025-1529	AM LottiePlayer <= 3.5.3 - Authenticated (Author+) Stored Cross-Site Scripting via Uploaded Lottie File Description: The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded lottie files in all versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVSS: MEDIUM (6.4) EPSS Score: 0.03% SSVC Exploitation: none Source: CVE May 1st, 2025 (about 2 months ago)
CVE-2025-1305	NewsBlogger <= 0.2.5.4 - Cross-Site Request Forgery to Arbitrary Plugin Installation Description: The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2.5.4. This is due to missing or incorrect nonce validation on the newsblogger_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSS: HIGH (8.8) EPSS Score: 0.06% SSVC Exploitation: none Source: CVE May 1st, 2025 (about 2 months ago)
CVE-2025-1304	NewsBlogger <= 0.2.5.1 - Authenticated (Subscriber+) Arbitrary File Upload Description: The NewsBlogger theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the newsblogger_install_and_activate_plugin() function in all versions up to, and including, 0.2.5.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. CVSS: HIGH (8.8) EPSS Score: 0.23% SSVC Exploitation: none Source: CVE May 1st, 2025 (about 2 months ago)
	Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers Description: Cybersecurity researchers have shed light on a new campaign targeting WordPress sites that disguises the malware as a security plugin. The plugin, which goes by the name "WP-antymalwary-bot.php," comes with a variety of features to maintain access, hide itself from the admin dashboard, and execute remote code. "Pinging functionality that can report back to a command-and-control (C&C) server Source: TheHackerNews May 1st, 2025 (about 2 months ago)
CVE-2024-13381	Calculated Fields Form < 5.2.62 - Admin+ Stored XSS Description: The Calculated Fields Form WordPress plugin before 5.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). CVSS: MEDIUM (4.8) EPSS Score: 0.03% Source: CVE May 1st, 2025 (about 2 months ago)
CVE-2024-13845	Gravity Forms WebHooks <= 1.6.0 - Authenticated (Admin+) Server-Side Request Forgery via Webhook Description: The Gravity Forms WebHooks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.0 via the 'process_feed' method of the GF_Webhooks class This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. CVSS: MEDIUM (5.5) EPSS Score: 0.04% Source: CVE May 1st, 2025 (about 2 months ago)