CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2024-12816
NOTICE BOARD BY TOWKIR <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The NOTICE BOARD BY TOWKIR plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'notice-board' shortcode in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-12774
Altra Side Menu <= 2.0 - Abitrary Menu Deletion via CSRF
Description: The Altra Side Menu WordPress plugin through 2.0 does not have CSRF checks in some places, which could allow attackers to make logged in admins delete arbitrary menu via a CSRF attack

EPSS Score: 0.04%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-12773
Altra Side Menu <= 2.0 - Admin+ SQL Injection
Description: The Altra Side Menu WordPress plugin through 2.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks

EPSS Score: 0.04%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-12740
Dependency on Vulnerable Third-Party Component exposes Vulnerabilities in NI Vision Software
Description: Vision related software from NI used a third-party library for image processing that exposes several vulnerabilities. These vulnerabilities may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted file.

CVSS: HIGH (7.8)

EPSS Score: 0.04%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-12600
Custom Product Tabs Lite for WooCommerce <= 1.9.0 - Authenticated (Shop Manager+) PHP Object Injection
Description: The Custom Product Tabs Lite for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.0 via deserialization of untrusted input from the 'frs_woo_product_tabs' parameter. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

CVSS: HIGH (7.2)

EPSS Score: 0.06%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-12529
brodos.net Onlineshop Plugin <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The brodos.net Onlineshop Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'BrodosCategory' shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-12512
Ask Me Anything (Anonymously) <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The Ask Me Anything (Anonymously) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'askmeanythingpeople' shortcode in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-12436
WP Customer Area <= 8.2.4 - Bulk Delete via CSRF
Description: The WP Customer Area WordPress plugin through 8.2.4 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks

CVSS: MEDIUM (4.3)

EPSS Score: 0.04%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-12345
INW Krbyyyzo Daily Huddle Site gbo.aspx resource consumption
Description: A vulnerability classified as problematic was found in INW Krbyyyzo 25.2002. Affected by this vulnerability is an unknown functionality of the file /gbo.aspx of the component Daily Huddle Site. The manipulation of the argument s leads to resource consumption. It is possible to launch the attack on the local host. Other endpoints might be affected as well. In INW Krbyyyzo 25.2002 wurde eine problematische Schwachstelle entdeckt. Hierbei betrifft es unbekannten Programmcode der Datei /gbo.aspx der Komponente Daily Huddle Site. Durch das Manipulieren des Arguments s mit unbekannten Daten kann eine resource consumption-Schwachstelle ausgenutzt werden. Der Angriff muss lokal angegangen werden.

CVSS: MEDIUM (6.7)

EPSS Score: 0.04%

Source: CVE
January 28th, 2025 (5 months ago)

CVE-2024-12334
WC Affiliate – A Complete WooCommerce Affiliate Plugin <= 2.4 - Reflected Cross-Site Scripting
Description: The WC Affiliate – A Complete WooCommerce Affiliate Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via any parameter in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS: MEDIUM (6.1)

EPSS Score: 0.05%

Source: CVE
January 28th, 2025 (5 months ago)