Threat and Vulnerability Intelligence Database

CVE-2025-46258

Description: Missing Authorization vulnerability in BdThemes Element Pack Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Element Pack Pro: from n/a before 8.0.0.

CVSS: MEDIUM (5.4)

EPSS Score: 0.03%

SSVC Exploitation: none

Source: CVE
June 5th, 2025 (2 days ago)

CVE-2025-46257

Description: Cross-Site Request Forgery (CSRF) vulnerability in BdThemes Element Pack Pro allows Cross Site Request Forgery. This issue affects Element Pack Pro: from n/a before 8.0.0.

CVSS: MEDIUM (4.3)

EPSS Score: 0.01%

SSVC Exploitation: none

Source: CVE
June 5th, 2025 (2 days ago)

CVE-2024-22027

Description: Improper input validation vulnerability in WordPress Quiz Maker Plugin prior to 6.5.0.6 allows a remote authenticated attacker to perform a Denial of Service (DoS) attack against external services.

CVSS: MEDIUM (6.5)

EPSS Score: 0.51%

SSVC Exploitation: none

Source: CVE
June 5th, 2025 (2 days ago)

CVE-2025-5701

Description: The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

CVSS: CRITICAL (9.8)

EPSS Score: 0.07%

Source: CVE
June 5th, 2025 (3 days ago)

CVE-2025-5341

Description: The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' and 'data-size' parameters in all versions up to, and including, 1.44.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
June 5th, 2025 (3 days ago)

CVE-2025-3055

Description: The WP User Frontend Pro plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_avatar_ajax() function in all versions up to, and including, 4.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

CVSS: HIGH (8.1)

EPSS Score: 0.53%

Source: CVE
June 5th, 2025 (3 days ago)

CVE-2025-3054

Description: The WP User Frontend Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload_files() function in all versions up to, and including, 4.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Please note that this requires the 'Private Message' module to be enabled and the Business version of the PRO software to be in use.

CVSS: HIGH (8.8)

EPSS Score: 0.24%

Source: CVE
June 5th, 2025 (3 days ago)

Description: Overview

The Auth0 Wordpress plugin contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data.

Am I Affected?

You are affected by this vulnerability if you meet the following preconditions:
Applications using the Auth0 WordPress plugin, versions between 5.0.0 BETA-0 to 5.0.1.
Auth0 WordPress plugin uses the Auth0-PHP SDK with version 8.0.0-BETA3 to 8.3.0.

Fix

Upgrade the Auth0 WordPress plugin to the latest version (v5.3.0).

References
https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492
https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q
https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34
https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r
https://nvd.nist.gov/vuln/detail/CVE-2025-48951
https://github.com/advisories/GHSA-862m-5253-832r

CVSS: CRITICAL (9.3)

EPSS Score: 0.08%

Source: Github Advisory Database (Composer)
June 5th, 2025 (3 days ago)

Description: Overview

The Auth0 PHP SDK contains a vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data.

Am I Affected?

You are affected by this vulnerability if you meet the following preconditions:
Applications using the Auth0-PHP SDK, versions between 8.0.0-BETA3 to 8.3.0.
Applications using the following SDKs that rely on the Auth0-PHP SDK versions between 8.0.0-BETA3 to 8.3.0: a. Auth0/symfony, b. Auth0/laravel-auth0, c. Auth0/wordpress.

Fix

Upgrade Auth0/Auth0-PHP to 8.3.1.

Acknowledgement

Okta would like to thank Andreas Forsblom for discovering this vulnerability.

References
https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492
https://nvd.nist.gov/vuln/detail/CVE-2025-48951
https://github.com/auth0/auth0-PHP/commit/04b1f5daa8bdfebc5e740ec5ca0fb2df1648a715
https://github.com/advisories/GHSA-v9m8-9xxp-q492

CVSS: CRITICAL (9.3)

EPSS Score: 0.08%

Source: Github Advisory Database (Composer)
June 4th, 2025 (3 days ago)

CVE-2025-5482

Description: The Sunshine Photo Cart: Free Client Photo Galleries for Photographers plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.11. This is due to the plugin not properly validating a user-supplied key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's passwords through the password reset functionality, including administrators, and leverage that to reset the user's password and gain access to their account.

CVSS: HIGH (8.8)

EPSS Score: 0.04%

Source: CVE
June 4th, 2025 (4 days ago)