Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-5019
Hive Support <= 1.2.4 - Cross-Site Request Forgery via hs_update_ai_chat_settings Function
Description: The Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing or incorrect nonce validation on the hs_update_ai_chat_settings() function. This makes it possible for unauthenticated attackers to reconfigure the plugin’s AI/chat settings (including API keys) and to potentially redirect notifications or leak data to attacker-controlled endpoints via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: MEDIUM (5.4)

EPSS Score: 0.01%

Source: CVE
June 6th, 2025 (2 days ago)

CVE-2025-5018
Hive Support <= 1.2.4 - Authenticated (Subscriber+) Missing Authorization via hs_update_ai_chat_settings and hive_lite_support_get_all_binbox
Description: The Hive Support plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the hs_update_ai_chat_settings() and hive_lite_support_get_all_binbox() functions in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read and overwrite the site’s OpenAI API key and inspection data or modify AI-chat prompts and behavior. This vulnerability is potentially a duplicate of CVE-2025-32208 or/and CVE-2025-32242.

CVSS: HIGH (7.1)

EPSS Score: 0.03%

Source: CVE
June 6th, 2025 (2 days ago)

CVE-2025-4966
WP Online Users Stats <= 1.0.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via hk_dataset_results Function
Description: The WP Online Users Stats plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation within the hk_dataset_results() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: MEDIUM (6.1)

EPSS Score: 0.01%

Source: CVE
June 6th, 2025 (2 days ago)

CVE-2025-4964
WP Online Users Stats <= 1.0.0 - Authenticated (Editor+) SQL Injection via table_name Parameter
Description: The WP Online Users Stats plugin for WordPress is vulnerable to time-based SQL Injection via the ‘table_name’ parameter in all versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS: MEDIUM (4.9)

EPSS Score: 0.02%

Source: CVE
June 6th, 2025 (2 days ago)

CVE-2025-2935
Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms <= 2024.7 - Cross-Site Request Forgery to Multiple Administrative Actions
Description: The Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.7. This is due to missing or incorrect nonce validation in the 'ss_option_maint.php' and 'ss_user_filter_list' files. This makes it possible for unauthenticated attackers to delete pending comments, and re-enable a previously blocked user via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: MEDIUM (5.4)

EPSS Score: 0.01%

Source: CVE
June 6th, 2025 (2 days ago)

CVE-2025-1778
Art Theme <= 3.12.2.3 - Missing Authorization to Authenticated (Subscriber+) Theme Option Delete
Description: The Art Theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'arttheme_theme_option_restore' AJAX function in all versions up to, and including, 3.12.2.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete the theme option.

CVSS: MEDIUM (4.3)

EPSS Score: 0.03%

Source: CVE
June 6th, 2025 (2 days ago)

CVE-2025-1777
BM Content Builder <= 3.16.2.1 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via ux_cb_page_options_save
Description: The BM Content Builder plugin for WordPress is vulnerable to unauthorized modification of data to a missing capability check on the 'ux_cb_page_options_save' function in all versions up to, and including, 3.16.2.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
June 6th, 2025 (2 days ago)

CVE-2025-5733
Modern Events Calendar <= 7.21.9 - Information Exposure
Description: The Modern Events Calendar Lite plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 7.21.9. This is due improper or insufficient validation of the id property when exporting calendars. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

CVSS: MEDIUM (5.3)

EPSS Score: 0.02%

Source: CVE
June 6th, 2025 (2 days ago)
[auth0/symfony] Auth0 Symfony SDK Deserialization of Untrusted Data vulnerability
Description: Overview The Auth0 Symfony SDK contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data. Am I Affected? You are affected by this vulnerability if you meet the following preconditions: Applications using the Auth0 Symfony SDK, versions between 5.0.0 BETA-0 to 5.0.0. Auth0 Symfony SDK uses the Auth0-PHP SDK with version 8.0.0-BETA3 to 8.3.0. Fix Upgrade Auth0/symfony to the latest version (v5.4.0). Acknowledgement Okta would like to thank Andreas Forsblom for discovering this vulnerability. References https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492 https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34 https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r https://nvd.nist.gov/vuln/detail/CVE-2025-48951 https://github.com/advisories/GHSA-98j6-67v3-mw34

CVSS: CRITICAL (9.3)

EPSS Score: 0.08%

Source: Github Advisory Database (Composer)
June 6th, 2025 (2 days ago)

CVE-2025-48133
WordPress Uncanny Automator <= 6.4.0.2 - Broken Access Control Vulnerability
Description: Missing Authorization vulnerability in Uncanny Owl Uncanny Automator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Uncanny Automator: from n/a through 6.4.0.2.

CVSS: MEDIUM (6.5)

EPSS Score: 0.04%

Source: CVE
June 5th, 2025 (2 days ago)