CVE-2024-12629
Description: In Progress® Telerik® KendoReact versions v3.5.0 through v9.4.0, an attacker can introduce or modify properties within the global prototype chain which can result in denial of service or command injection.
CVSS: MEDIUM (4.1) | EPSS Score: 0.05%
February 13th, 2025
CVE-2024-12386
Description: The WP Abstracts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.3. This is due to missing nonce validation on multiple functions. This makes it possible for unauthenticated attackers to delete arbitrary accounts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CVSS: HIGH (8.1) | EPSS Score: 0.05%
February 13th, 2025
CVE-2024-12379
Description: A denial of service vulnerability in GitLab CE/EE affecting all versions from 14.1 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to impact the availability of GitLab via unbounded symbol creation via the scopes parameter in a Personal Access Token.
CVSS: MEDIUM (6.5) | EPSS Score: 0.04%
February 13th, 2025
CVE-2024-12315
Description: The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.3 via the exports directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/smack_uci_uploads/exports/ directory, which can contain information like exported user data.
CVSS: HIGH (7.5) | EPSS Score: 0.05%
February 13th, 2025
CVE-2024-12296
Description: The Apus Framework plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'import_page_options' function in all versions up to, and including, 2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration, allowing attackers to gain administrative user access to a vulnerable site.
CVSS: HIGH (8.8) | EPSS Score: 0.05%
February 13th, 2025
CVE-2024-12251
Description: In Progress® Telerik® UI for WinUI versions prior to 2025 Q1 (3.0.0), a command injection attack is possible through improper neutralization of hyperlink elements.
CVSS: HIGH (7.8) | EPSS Score: 0.04%
February 13th, 2025
CVE-2024-12213
Description: The WP Job Board Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.76. This is due to the plugin allowing a user to supply the 'role' field when registering. This makes it possible for unauthenticated attackers to register as an administrator on vulnerable sites.
CVSS: CRITICAL (9.8) | EPSS Score: 0.09%
February 13th, 2025
CVE-2024-12164
Description: The WPSyncSheets Lite For WPForms – WPForms Google Spreadsheet Addon plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpsslwp_reset_settings() function in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's settings.
CVSS: MEDIUM (4.3) | EPSS Score: 0.05%
February 13th, 2025
CVE-2024-11746
Description: The Discover the Best Woocommerce Product Brands Plugin for WordPress – Woocommerce Brands Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'product_brand' shortcode in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) | EPSS Score: 0.05%
February 13th, 2025
CVE-2024-11629
Description: In Progress® Telerik® Document Processing Libraries, versions prior to 2025 Q1 (2025.1.205), using .NET Standard 2.0, the contents of a file at an arbitrary path can be exported to RTF.
CVSS: HIGH (7.1) | EPSS Score: 0.05%
February 13th, 2025