CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2024-13513
Oliver POS – A WooCommerce Point of Sale (POS) <= 2.4.2.3 - Sensitive Information Exposure to Privilege Escalation
Description: The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.2.3 via the logging functionality. This makes it possible for unauthenticated attackers to extract sensitive data including the plugin's clientToken, which in turn can be used to change user account information including emails and account type. This allows attackers to then change account passwords resulting in a complete site takeover. Version 2.4.2.3 disabled logging but left sites with existing log files vulnerable.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
February 16th, 2025 (5 months ago)

CVE-2024-13500
WP Project Manager <= 2.6.17 - Authenticated (Subscriber+) SQL Injection via orderby Parameter
Description: The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 2.6.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS: MEDIUM (6.5)

EPSS Score: 0.07%

Source: CVE
February 16th, 2025 (5 months ago)

CVE-2024-13488
LTL Freight Quotes – Estes Edition <= 3.3.7 - Unauthenticated SQL Injection
Description: The LTL Freight Quotes – Estes Edition plugin for WordPress is vulnerable to SQL Injection via the 'dropship_edit_id' and 'edit_id' parameters in all versions up to, and including, 3.3.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS: HIGH (7.5)

EPSS Score: 0.06%

Source: CVE
February 16th, 2025 (5 months ago)

CVE-2024-13439
Team – Team Members Showcase Plugin <= 4.4.9 - Missing Authorization to Authenticated (Subscriber+) Settings Update
Description: The Team – Team Members Showcase Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the response() function in all versions up to, and including, 4.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings.

CVSS: MEDIUM (4.3)

EPSS Score: 0.06%

Source: CVE
February 16th, 2025 (5 months ago)

CVE-2024-13306
WP Google Map < 1.9.4 - Admin+ Stored XSS
Description: The Maps Plugin using Google Maps for WordPress WordPress plugin before 1.9.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

EPSS Score: 0.04%

Source: CVE
February 16th, 2025 (5 months ago)

CVE-2024-13208
WP Google Map < 1.9.4 - Admin+ Stored XSS
Description: The Maps Plugin using Google Maps for WordPress WordPress plugin before 1.9.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

EPSS Score: 0.04%

Source: CVE
February 16th, 2025 (5 months ago)

CVE-2024-12562
s2Member Pro <= 241216 - Unauthenticated PHP Object Injection
Description: The s2Member Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 241216 via deserialization of untrusted input from the 's2member_pro_remote_op' vulnerable parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CVSS: CRITICAL (9.8)

EPSS Score: 0.07%

Source: CVE
February 16th, 2025 (5 months ago)

CVE-2024-10581
DirectoryPress Frontend <= 2.7.9 - Cross-Site Request Forgery to Listing Status Update
Description: The DirectoryPress Frontend plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.9. This is due to missing or incorrect nonce validation on the dpfl_listingStatusChange() function. This makes it possible for unauthenticated attackers to update listing statuses via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: MEDIUM (4.3)

EPSS Score: 0.05%

Source: CVE
February 16th, 2025 (5 months ago)
Daily Dose of Dark Web Informer - February 15th, 2025
Description: This daily article is intended to make it easier for those who want to stay updated with my regular Dark Web Informer and X/Twitter posts.
Source: DarkWebInformer
February 16th, 2025 (5 months ago)
rufusdomando Claims to have Leaked the Data of Private University Hospital of Cordoba
Description: rufusdomando Claims to have Leaked the Data of Private University Hospital of Cordoba
Source: DarkWebInformer
February 15th, 2025 (5 months ago)