CVE-2025-2006 |
Description: The Inline Image Upload for BBPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the file uploading functionality in all versions up to, and including, 1.1.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files to the affected site's server, which may make remote code execution possible. This may be exploitable by unauthenticated attackers when the "Allow guest users without accounts to create topics and replies" setting is enabled.
CVSS: HIGH (8.8) EPSS Score: 0.13%
March 29th, 2025
|
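Added example for the CVE-2025-2006 entry above, not code from the Inline Image Upload for BBPress plugin. It is plain PHP that runs without WordPress and shows the file type validation the advisory says was missing: the final extension must be on an allowlist, the bytes must sniff as the type that extension claims, and the file is stored under a server-chosen name. The upload names, bytes, allowlist and directory are constructed for illustration; in a WordPress plugin the same checks are wp_check_filetype_and_ext() and wp_handle_upload(), behind current_user_can('upload_files') and a nonce check, so that the "allow guest users" setting cannot turn the endpoint into an unauthenticated upload.

```php
<?php
// Added example (not the plugin's code). Stand-alone PHP: php upload_check.php
// Names, bytes and the allowlist below are constructed for illustration.
declare(strict_types=1);

// Extension => MIME type the bytes must sniff as. Everything else is rejected.
const ALLOWED_IMAGE_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

/**
 * Vulnerable shape (shown for contrast, never called below): whatever name
 * and bytes the client sent are written under the upload directory unchanged.
 * A Subscriber, or a guest when the plugin allows guest posting, can upload
 * shell.php and request it directly.
 */
function store_upload_vulnerable(string $client_name, string $contents, string $upload_dir): string
{
    $path = $upload_dir . '/' . $client_name;
    file_put_contents($path, $contents);
    return $path;
}

/**
 * Hardened shape. Returns the stored path, or null when the upload is refused.
 *  - only the final extension counts, and it must be in the allowlist;
 *  - the bytes must sniff (libmagic via finfo) as the type the extension
 *    claims, so a PHP file renamed to .png is refused;
 *  - the file is stored under a random server-chosen name, so the client
 *    never controls the on-disk name (no double extensions, no traversal).
 */
function store_upload_hardened(string $client_name, string $contents, string $upload_dir): ?string
{
    if ($client_name === '' || basename($client_name) !== $client_name) {
        return null; // empty name or path separators: reject outright
    }
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return null;
    }
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->buffer($contents);
    if ($sniffed !== ALLOWED_IMAGE_TYPES[$ext]) {
        return null; // name says image, bytes say otherwise
    }
    $path = $upload_dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    file_put_contents($path, $contents);
    return $path;
}

// Constructed inputs: a minimal GIF header, a PHP payload wearing a .png name,
// the same payload under its own name, and a traversal attempt.
$uploads = [
    ['avatar.gif',  "GIF89a\x01\x00\x01\x00\x00\x00\x00"],
    ['shell.png',   "<?php echo 'not an image'; ?>"],
    ['shell.php',   "<?php echo 'not an image'; ?>"],
    ['../evil.gif', "GIF89a\x01\x00\x01\x00\x00\x00\x00"],
];

$dir = sys_get_temp_dir() . '/uploads-' . bin2hex(random_bytes(4));
mkdir($dir);
foreach ($uploads as [$name, $bytes]) {
    $result = store_upload_hardened($name, $bytes, $dir);
    printf("%-14s -> %s\n", $name, $result === null ? 'REJECTED' : 'stored as ' . basename($result));
}
```

Only avatar.gif is accepted; the sniff check is what catches shell.png, and the random on-disk name is what makes a tolerated double extension such as shell.php.gif harmless even on a server with permissive handler mapping.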
CVE-2024-13557 |
Description: The Shortcodes by United Themes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.1.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
CVSS: MEDIUM (6.5) EPSS Score: 0.15%
March 29th, 2025
|
CVE-2024-11180 |
Description: The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown Timer Widget ekit_countdown_timer_title parameter in all versions up to, and including, 3.4.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.03%
March 29th, 2025
|
CVE-2024-4061 |
Description: The Survey Maker WordPress plugin before 4.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
EPSS Score: 0.03% SSVC Exploitation: none
March 29th, 2025
|
CVE-2024-3822 |
Description: The Base64 Encoder/Decoder WordPress plugin through 0.9.2 does not sanitise and escape a parameter before outputting it back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
EPSS Score: 0.55% SSVC Exploitation: none
March 29th, 2025
|
CVE-2024-3582 |
Description: The UnGallery WordPress plugin through 2.2.4 does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.
EPSS Score: 0.03% SSVC Exploitation: poc
March 29th, 2025
|
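Added example for the CVE-2024-3582 entry above, not code from the UnGallery plugin. It is plain PHP that runs without WordPress and shows the CSRF check the advisory says is missing in some places: a nonce bound to the action and the logged-in user, verified before the settings change is applied. The action name, user id, secret, option name and request arrays are constructed for illustration. In WordPress the equivalent is wp_nonce_field() in the form and check_admin_referer() in the handler, or check_ajax_referer() for AJAX endpoints.

```php
<?php
// Added example (not the plugin's code). Stand-alone PHP: php csrf_check.php
// Action name, user id, secret and request arrays are constructed.
declare(strict_types=1);

const NONCE_LIFE = 43200; // 12-hour tick, the granularity WordPress nonces use

function nonce_tick(int $now): int
{
    return intdiv($now, NONCE_LIFE);
}

// HMAC over tick|action|user, truncated the way wp_create_nonce() truncates.
// A page on another origin cannot mint this: it never sees the per-site
// secret, and the victim's browser does not hand it the nonce either.
function create_nonce(string $action, int $user_id, string $secret, int $now): string
{
    return substr(hash_hmac('sha256', nonce_tick($now) . '|' . $action . '|' . $user_id, $secret), -12);
}

// Accept the current tick and the previous one; compare in constant time.
function verify_nonce(string $nonce, string $action, int $user_id, string $secret, int $now): bool
{
    $tick = nonce_tick($now);
    foreach ([$tick, $tick - 1] as $t) {
        $expected = substr(hash_hmac('sha256', $t . '|' . $action . '|' . $user_id, $secret), -12);
        if (hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}

// Vulnerable shape (shown for contrast, never called below): the admin's
// session cookie is treated as authorisation of the request. A form on
// another site auto-submitted by the admin's browser carries that cookie,
// so this saves the attacker's value.
function save_caption_vulnerable(array $request, array &$options): void
{
    $options['gallery_caption'] = $request['gallery_caption'];
}

// Hardened shape: refuse unless a nonce for this action and this user
// verifies; sanitise before storing. Escaping at output is still required
// (see the Stored XSS entries on this page); the nonce only stops the
// cross-site write.
function save_caption_hardened(array $request, array &$options, int $user_id, string $secret, int $now): bool
{
    if (!isset($request['_wpnonce'])
        || !verify_nonce((string) $request['_wpnonce'], 'ungallery_save', $user_id, $secret, $now)) {
        return false;
    }
    $options['gallery_caption'] = trim(strip_tags((string) ($request['gallery_caption'] ?? '')));
    return true;
}

// Constructed demo: the legitimate form carries a fresh nonce, the forged
// cross-site form cannot.
$secret  = 'constructed-site-secret';
$admin   = 1;
$now     = time();
$options = ['gallery_caption' => 'Holiday photos'];

$legit  = ['_wpnonce' => create_nonce('ungallery_save', $admin, $secret, $now),
           'gallery_caption' => 'Team offsite'];
$forged = ['gallery_caption' => '<img src=x onerror="alert(1)">'];

var_dump(save_caption_hardened($legit,  $options, $admin, $secret, $now));
var_dump(save_caption_hardened($forged, $options, $admin, $secret, $now));
echo $options['gallery_caption'], "\n";
```

The second call fails and the stored caption is the legitimate one. Binding the nonce to the user id matters: a nonce that depends only on the action could be harvested by any logged-in account and replayed against an admin.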
CVE-2024-2439 |
Description: The Salon booking system WordPress plugin through 9.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as Editor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).
EPSS Score: 0.08% SSVC Exploitation: none
March 29th, 2025
|
CVE-2024-1487 |
Description: The Photos and Files Contest Gallery WordPress plugin before 21.3.1 does not sanitize and escape some parameters, which could allow users with a role as low as Author to perform Cross-Site Scripting attacks.
EPSS Score: 0.26% SSVC Exploitation: none
March 29th, 2025
|
CVE-2024-3918 |
Description: The Pet Manager WordPress plugin through 1.4 does not sanitise and escape some of its Pet settings, which could allow users with Contributor-level access and above to perform Stored Cross-Site Scripting attacks.
EPSS Score: 0.03% SSVC Exploitation: none
March 28th, 2025
|
CVE-2024-4857 |
Description: The FS Product Inquiry WordPress plugin through 1.1.1 does not sanitise and escape some form submissions, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks.
EPSS Score: 0.1% SSVC Exploitation: none
March 28th, 2025
|
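Added example, not code from any plugin listed above. It is plain PHP that runs without WordPress and shows the "does not sanitise and escape" pattern shared by the Stored XSS entries on this page (CVE-2024-11180, CVE-2024-4061, CVE-2024-2439, CVE-2024-1487, CVE-2024-3918 and CVE-2024-4857): a value saved by a user is rendered into markup in two contexts, and the fix is sanitising on the way in plus context-appropriate escaping at the output sink. The setting name and payloads are constructed. WordPress equivalents are sanitize_text_field() when saving, esc_html() and esc_attr() when rendering, and wp_kses_post() when limited HTML is genuinely needed.

```php
<?php
// Added example (not any plugin's code). Stand-alone PHP: php xss_check.php
// Setting name and payloads are constructed for illustration.
declare(strict_types=1);

// Vulnerable shape: the stored setting goes straight into the markup, in an
// attribute and in an element body. The unstated assumption is that whoever
// may save settings (admin, Editor) is trusted. WordPress withdraws that
// trust when unfiltered_html is disallowed (DISALLOW_UNFILTERED_HTML, or any
// non-super-admin on multisite), so the plugin has to do its own sanitising
// and escaping; for Contributor-level or unauthenticated input it always had to.
function render_widget_vulnerable(string $title): string
{
    return '<h2 class="widget-title" title="' . $title . '">' . $title . '</h2>';
}

// Sanitise on the way in: a plain-text setting has no business storing tags
// or control characters (roughly what sanitize_text_field() does).
function sanitize_plain_text(string $value): string
{
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value) ?? '';
    return trim($value);
}

// Escape on the way out, per context. Both reduce to htmlspecialchars here,
// as esc_html()/esc_attr() do in WordPress; the point is that the escape
// happens at the sink regardless of what the value went through earlier.
function esc_html_ctx(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function esc_attr_ctx(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_widget_hardened(string $title): string
{
    return '<h2 class="widget-title" title="' . esc_attr_ctx($title) . '">'
        . esc_html_ctx($title) . '</h2>';
}

// Constructed payloads. The second contains no tag at all, so sanitising alone
// leaves it intact and it still closes the title attribute in the vulnerable
// render; only the output escape stops that.
$payloads = [
    '<img src=x onerror="alert(1)">Promo',
    'Promo" onmouseover="alert(1)',
];

foreach ($payloads as $raw) {
    $stored = sanitize_plain_text($raw);
    echo "stored    : " . $stored . "\n";
    echo "vulnerable: " . render_widget_vulnerable($stored) . "\n";
    echo "hardened  : " . render_widget_hardened($stored) . "\n\n";
}
```

The first payload is neutralised by sanitising; the second survives sanitising unchanged and breaks out of the attribute in the vulnerable render, which is why "sanitise and escape" in these advisories are two separate fixes, and escaping at the sink is the one that cannot be skipped.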