CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-31043
WordPress JetSearch plugin <= 3.5.7 - Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound JetSearch allows DOM-Based XSS. This issue affects JetSearch: from n/a through 3.5.7.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
March 31st, 2025 (3 months ago)

CVE-2025-31016
WordPress JetWooBuilder plugin <= 2.1.18 - Local File Inclusion vulnerability
Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound JetWooBuilder allows PHP Local File Inclusion. This issue affects JetWooBuilder: from n/a through 2.1.18.

CVSS: HIGH (7.5)

EPSS Score: 0.13%

Source: CVE
March 31st, 2025 (3 months ago)

CVE-2025-30987
WordPress JetBlocks For Elementor plugin <= 1.3.16 - Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound JetBlocks For Elementor allows Stored XSS. This issue affects JetBlocks For Elementor: from n/a through 1.3.16.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
March 31st, 2025 (3 months ago)

CVE-2025-30855
WordPress Ads by WPQuads plugin <= 2.0.87.1 - Broken Access Control Vulnerability
Description: Missing Authorization vulnerability in Ads by WPQuads Ads by WPQuads allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ads by WPQuads: from n/a through 2.0.87.1.

CVSS: HIGH (7.5)

EPSS Score: 0.04%

Source: CVE
March 31st, 2025 (3 months ago)

CVE-2025-30835
WordPress Accounting for WooCommerce plugin <= 1.6.8 - Local File Inclusion vulnerability
Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Bastien Ho Accounting for WooCommerce allows PHP Local File Inclusion. This issue affects Accounting for WooCommerce: from n/a through 1.6.8.

CVSS: HIGH (7.5)

EPSS Score: 0.11%

Source: CVE
March 31st, 2025 (3 months ago)

CVE-2025-0613
Photo Gallery < 1.8.34 - Unauthenticated Stored XSS
Description: The Photo Gallery by 10Web WordPress plugin before 1.8.34 does not sanitised and escaped comment added on images by unauthenticated users, leading to an Unauthenticated Stored-XSS attack when comments are displayed

EPSS Score: 0.06%

Source: CVE
March 31st, 2025 (3 months ago)

CVE-2025-2840
DAP to Autoresponders Email Syncing <= 1.0 - Unauthenticated Information Exposure
Description: The DAP to Autoresponders Email Syncing plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0 through the publicly accessible phpinfo.php script. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed file.

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

Source: CVE
March 29th, 2025 (3 months ago)

CVE-2025-2803
So-Called Air Quotes <= 0.1 - Unauthenticated Arbitrary Shortcode Execution
Description: The So-Called Air Quotes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 0.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

CVSS: HIGH (7.3)

EPSS Score: 0.2%

Source: CVE
March 29th, 2025 (3 months ago)

CVE-2025-2266
Checkout Mestres do WP for WooCommerce 8.6.5 - 8.7.5 - Unauthenticated Arbitrary Options Update
Description: The Checkout Mestres do WP for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the cwmpUpdateOptions() function in versions 8.6.5 to 8.7.5. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

CVSS: CRITICAL (9.8)

EPSS Score: 0.09%

Source: CVE
March 29th, 2025 (3 months ago)

CVE-2025-2249
SoJ Soundslides <= 1.2.2 - Authenticated (Contributor+) Arbitrary File Upload
Description: The SoJ SoundSlides plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the soj_soundslides_options_subpanel() function in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS: HIGH (8.8)

EPSS Score: 0.26%

Source: CVE
March 29th, 2025 (3 months ago)