CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-31730
WordPress Marketer Addons Plugin <= 1.0.1 - Stored Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DigitalCourt Marketer Addons allows Stored XSS. This issue affects Marketer Addons: from n/a through 1.0.1.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
April 1st, 2025 (3 months ago)

CVE-2025-31408
WordPress Zoho Flow plugin <= 2.13.3 - Broken Access Control vulnerability
Description: Missing Authorization vulnerability in Zoho Flow allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Zoho Flow: from n/a through 2.13.3.

CVSS: MEDIUM (4.3)

EPSS Score: 0.03%

Source: CVE
April 1st, 2025 (3 months ago)

CVE-2025-2906
Contempo Real Estate Core <= 3.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description: The Contempo Real Estate Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
April 1st, 2025 (3 months ago)

CVE-2025-2237
WP RealEstate <= 1.6.26 - Authentication Bypass via 'process_register'
Description: The WP RealEstate plugin for WordPress, used by the Homeo theme, is vulnerable to authentication bypass in all versions up to, and including, 1.6.26. This is due to insufficient role restrictions in the 'process_register' function. This makes it possible for unauthenticated attackers to register an account with the Administrator role.

CVSS: CRITICAL (9.8)

EPSS Score: 0.29%

Source: CVE
April 1st, 2025 (3 months ago)

CVE-2024-13553
SMS Alert Order Notifications – WooCommerce <= 3.7.9 - Unauthenticated Account Takeover/Privilege Escalation
Description: The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.7.9. This is due to the plugin using the Host header to determine if the plugin is in a playground environment. This makes it possible for unauthenticated attackers to spoof the Host header to make the OTP code "1234" and authenticate as any user, including administrators.

CVSS: CRITICAL (9.8)

EPSS Score: 0.09%

Source: CVE
April 1st, 2025 (3 months ago)

CVE-2025-2891
WP Pro Real Estate 7 <= 3.5.4 - Authenticated (Custom) Arbitrary File Upload
Description: The Real Estate 7 WordPress theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the 'template-submit-listing.php' file in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with Seller-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible if front-end listing submission has been enabled.

CVSS: HIGH (8.8)

EPSS Score: 0.26%

Source: CVE
April 1st, 2025 (3 months ago)

CVE-2025-2048
Lana Downloads Manager < 1.10.0 - Admin+ Arbitrary File Download via Path Traversal
Description: The Lana Downloads Manager WordPress plugin before 1.10.0 does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks and download arbitrary files on the server

EPSS Score: 0.03%

Source: CVE
April 1st, 2025 (3 months ago)

CVE-2025-1986
Gutentor < 3.4.7 - Admin+ SQL Injection
Description: The Gutentor WordPress plugin before 3.4.7 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

EPSS Score: 0.03%

Source: CVE
April 1st, 2025 (3 months ago)

CVE-2025-1512
PowerPack Elementor Addons (Free Widgets, Extensions and Templates) <= 2.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The PowerPack Elementor Addons (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Cursor Extension in all versions up to, and including, 2.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
April 1st, 2025 (3 months ago)

CVE-2025-1267
Groundhogg <= 3.7.4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via label Parameter
Description: The Groundhogg plugin for Wordpress is vulnerable to Stored Cross-Site Scripting via the ‘label' parameter in versions up to, and including, 3.7.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVSS: MEDIUM (5.5)

EPSS Score: 0.04%

Source: CVE
April 1st, 2025 (3 months ago)