CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

CVE-2025-0958

Description: The Ultimate WordPress Auction Plugin plugin for WordPress is vulnerable to unauthorized access to functionality in all versions up to, and including, 4.2.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary auctions, posts as well as pages and allows them to execute other actions related to auction handling.

CVSS: MEDIUM (5.4)

EPSS Score: 0.05%

Source: CVE
March 4th, 2025 (4 months ago)

CVE-2025-0370

Description: The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘src’ parameter in all versions up to, and including, 7.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
March 4th, 2025 (4 months ago)

Source: TheRegister
March 4th, 2025 (4 months ago)

Description: Internet service providers (ISPs) in China and the West Coast of the United States have become the target of a mass exploitation campaign that deploys information stealers and cryptocurrency miners on compromised hosts. The findings come from the Splunk Threat Research Team, which said the activity also led to the delivery of various binaries that facilitate data exfiltration as well as offer

Source: TheHackerNews
March 4th, 2025 (4 months ago)

Description: Threat hunters are calling attention to a new highly-targeted phishing campaign that singled out "fewer than five" entities in the United Arab Emirates (U.A.E.) to deliver a previously undocumented Golang backdoor dubbed Sosano. The malicious activity was specifically directed against aviation and satellite communications organizations, according to Proofpoint, which detected it in late October

Source: TheHackerNews
March 4th, 2025 (4 months ago)

CVE-2024-43093

🚨 Marked as known exploited on April 10th, 2025 (3 months ago).
Description: Google has released a security update for Android, addressing two zero-day vulnerabilities that were being actively exploited in targeted attacks. The flaws, tracked as CVE-2024-43093 and CVE-2024-50302, were fixed in the latest March 2025 Android Security Bulletin, with Google urging users to apply the latest patches as soon as possible. The update comes after Amnesty … The post Google Patches Two Actively Exploited Zero-Day Flaws in Android appeared first on CyberInsider.

CVSS: HIGH (7.8)

Source: CyberInsider
March 4th, 2025 (4 months ago)

CVE-2025-26849

Description: There is a Hard-coded Cryptographic Key in Docusnap 13.0.1440.24261, and earlier and later versions.

CVSS: MEDIUM (4.3)

EPSS Score: 0.02%

Source: CVE
March 4th, 2025 (4 months ago)

CVE-2025-0512

Description: The Structured Content (JSON-LD) #wpsc plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sc_fs_local_business shortcode in all versions up to, and including, 6.4.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
March 4th, 2025 (4 months ago)

CVE-2025-0433

Description: The Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 2.0.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
March 4th, 2025 (4 months ago)

CVE-2024-9618

Description: The Master Addons – Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 2.0.7.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.09%

Source: CVE
March 4th, 2025 (4 months ago)