CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
WooCommerce Users Targeted by Fake Patch Phishing Campaign Deploying Site Backdoors
Description: Cybersecurity researchers are warning about a large-scale phishing campaign targeting WooCommerce users with a fake security alert urging them to download a "critical patch" but deploy a backdoor instead. WordPress security company Patchstack described the activity as sophisticated and a variant of another campaign observed in December 2023 that employed a fake CVE ploy to breach sites running
Source: TheHackerNews
April 28th, 2025 (about 2 months ago)

CVE-2025-0627
AI Autotagger < 3.30.0 - Admin+ Stored XSS
Description: The WordPress Tag, Category, and Taxonomy Manager WordPress plugin before 3.30.0 does not sanitise and escape some of its Widgets settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

EPSS Score: 0.03%

Source: CVE
April 28th, 2025 (about 2 months ago)

CVE-2024-9771
WP-Recall < 16.26.12 - Admin+ Stored XSS
Description: The WP-Recall WordPress plugin before 16.26.12 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

EPSS Score: 0.03%

Source: CVE
April 28th, 2025 (about 2 months ago)

CVE-2024-13688
Admin and Site Enhancements (ASE) < 7.6.10 - Password Protection Bypass
Description: The Admin and Site Enhancements (ASE) WordPress plugin before 7.6.10 uses a hardcoded password in its Password Protection feature, allowing attacker to bypass the protection offered via a crafted request

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

Source: CVE
April 28th, 2025 (about 2 months ago)
WooCommerce admins targeted by fake security patches that hijack sites
Description: A large-scale phishing campaign targets WooCommerce users with a fake security alert urging them to download a "critical patch" that adds a Wordpress backdoor to the site. [...]
Source: BleepingComputer
April 27th, 2025 (about 2 months ago)

CVE-2025-2101
Edumall <= 4.2.4 - Unauthenticated Local File Inclusion
Description: The Edumall theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.2.4 via the 'template' parameter of the 'edumall_lazy_load_template' AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.

CVSS: HIGH (8.1)

EPSS Score: 0.23%

Source: CVE
April 26th, 2025 (about 2 months ago)

CVE-2024-13812
Anps Theme plugin <= 1.1.1 - Unauthenticated Arbitrary Shortcode Execution
Description: The The Anps Theme plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.1.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

CVSS: MEDIUM (6.5)

EPSS Score: 0.15%

Source: CVE
April 26th, 2025 (about 2 months ago)

CVE-2025-2907
Order Delivery Date Pro for WooCommerce < 12.3.1 - Unauthenticated Arbitrary Option Update
Description: The Order Delivery Date WordPress plugin before 12.3.1 does not have authorization and CSRF checks when importing settings. Furthermore it also lacks proper checks to only update options relevant to the Order Delivery Date WordPress plugin before 12.3.1. This leads to attackers being able to modify the default_user_role to administrator and users_can_register, allowing them to register as an administrator of the site for complete site takeover.

CVSS: CRITICAL (9.8)

EPSS Score: 3.36%

Source: CVE
April 26th, 2025 (about 2 months ago)

CVE-2025-3915
Aeropage Sync for Airtable <= 3.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion
Description: The Aeropage Sync for Airtable plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'aeropageDeletePost' function in all versions up to, and including, 3.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary posts.

CVSS: MEDIUM (4.3)

EPSS Score: 0.03%

Source: CVE
April 26th, 2025 (about 2 months ago)

CVE-2025-3914
Aeropage Sync for Airtable <= 3.2.0 - Authenticated (Subscriber+) Arbitrary File Upload
Description: The Aeropage Sync for Airtable plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aeropage_media_downloader' function in all versions up to, and including, 3.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS: HIGH (8.8)

EPSS Score: 0.28%

Source: CVE
April 26th, 2025 (about 2 months ago)