CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-30767
WordPress PDF for WPForms plugin <= 5.3.0 - Arbitrary Shortcode Execution vulnerability
Description: Missing Authorization vulnerability in add-ons.org PDF for WPForms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF for WPForms: from n/a through 5.3.0.

CVSS: MEDIUM (5.4)

EPSS Score: 0.03%

Source: CVE
March 27th, 2025 (3 months ago)

CVE-2025-30766
WordPress Happy Addons for Elementor <= 3.16.2 - Cross Site Scripting (XSS) Vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HappyMonster Happy Addons for Elementor allows DOM-Based XSS. This issue affects Happy Addons for Elementor: from n/a through 3.16.2.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
March 27th, 2025 (3 months ago)

CVE-2025-30765
WordPress FlexStock <= 3.13.1 - SQL Injection Vulnerability
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPPOOL FlexStock allows Blind SQL Injection. This issue affects FlexStock: from n/a through 3.13.1.

CVSS: HIGH (7.6)

EPSS Score: 0.04%

Source: CVE
March 27th, 2025 (3 months ago)

CVE-2025-30764
WordPress Football Pool plugin <= 2.12.2 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in AntoineH Football Pool allows Cross Site Request Forgery. This issue affects Football Pool: from n/a through 2.12.2.

CVSS: MEDIUM (4.3)

EPSS Score: 0.02%

Source: CVE
March 27th, 2025 (3 months ago)

CVE-2025-30763
WordPress EO4WP <= 1.0.8.4 - Cross Site Scripting (XSS) Vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Olaf Lederer EO4WP allows Stored XSS. This issue affects EO4WP: from n/a through 1.0.8.4.

CVSS: MEDIUM (6.5)

EPSS Score: 0.03%

Source: CVE
March 27th, 2025 (3 months ago)

CVE-2025-2685
TablePress – Tables in WordPress made easy <= 3.0.4 - Authenticated (Author+) Stored Cross-Site Scripting
Description: The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘table-name’ parameter in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
March 27th, 2025 (3 months ago)

CVE-2025-2332
Export All Posts, Products, Orders, Refunds & Users <= 2.13 - Unauthenticated PHP Object Injection
Description: The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.13 via deserialization of untrusted input in the 'returnMetaValueAsCustomerInput' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.

CVSS: CRITICAL (9.8)

EPSS Score: 0.18%

Source: CVE
March 27th, 2025 (3 months ago)

CVE-2025-2481
MediaView <= 1.1.2 - Reflected Cross-Site Scripting via id Parameter
Description: The MediaView plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘id' parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS: MEDIUM (6.1)

EPSS Score: 0.08%

Source: CVE
March 27th, 2025 (3 months ago)

CVE-2024-0250
Analytics Insights for Google Analytics 4 < 6.3 - Open Redirect
Description: The Analytics Insights for Google Analytics 4 (AIWP) WordPress plugin before 6.3 is vulnerable to Open Redirect due to insufficient validation on the redirect oauth2callback.php file. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

CVSS: MEDIUM (6.1)

EPSS Score: 20.13%

SSVC Exploitation: none

Source: CVE
March 26th, 2025 (3 months ago)

CVE-2024-1905
Smart Forms < 2.6.96 - Admin+ Stored XSS
Description: The Smart Forms WordPress plugin before 2.6.96 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

EPSS Score: 0.11%

SSVC Exploitation: none

Source: CVE
March 26th, 2025 (3 months ago)