CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-1232
Site Reviews < 7.2.5 - Unauthenticated Stored XSS
Description: The Site Reviews WordPress plugin before 7.2.5 does not properly sanitise and escape some of its Review fields, which could allow unauthenticated users to perform Stored XSS attacks

EPSS Score: 0.05%

Source: CVE
March 19th, 2025 (3 months ago)

CVE-2024-12922
Altair <= 5.2.4 - Unauthenticated Arbitrary Options Update via pp_import_current
Description: The Altair theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check within functions.php in all versions up to, and including, 5.2.4. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

CVSS: CRITICAL (9.8)

EPSS Score: 0.07%

Source: CVE
March 19th, 2025 (3 months ago)

CVE-2025-2290
LifterLMS <= 8.0.1 - Missing Authorization to Unauthenticated Post Trashing
Description: The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to Unauthenticated Post Trashing due to a missing capability check on the delete_access_plan function and the related AJAX calls in all versions up to, and including, 8.0.1. This makes it possible for unauthenticated attackers to change status to "Trash" for every published post, therefore limiting the availability of the website's content.

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

Source: CVE
March 19th, 2025 (3 months ago)

CVE-2024-12295
BoomBox Theme Extensions <= 1.8.0 - Authenticated (Subscriber+) Privilege Escalation via Password Reset/Account Takeover in boombox_ajax_reset_pass...
Description: The BoomBox Theme Extensions plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.8.0. This is due to the plugin not properly validating a user's identity prior to updating their password through the 'boombox_ajax_reset_password' function. This makes it possible for authenticated attackers, with subscriber-level privileges and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

CVSS: HIGH (8.8)

EPSS Score: 0.04%

Source: CVE
March 19th, 2025 (3 months ago)

CVE-2024-7713
AI Chatbot with ChatGPT by AYS <= 2.0.9 - Unauthenticated OpenAI Key Disclosure
Description: The AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin before 2.1.0 discloses the Open AI API Key, allowing unauthenticated users to obtain it

EPSS Score: 0.05%

SSVC Exploitation: poc

Source: CVE
March 18th, 2025 (3 months ago)

CVE-2024-4094
Simple Share Buttons Adder < 8.5.1 - Admin+ Stored XSS
Description: The Simple Share Buttons Adder WordPress plugin before 8.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

EPSS Score: 0.03%

SSVC Exploitation: poc

Source: CVE
March 18th, 2025 (3 months ago)

CVE-2024-12563
s2Member Pro <= 250214 - Authenticated (Contributor+) Local File Inclusion to Remote Code Execution via Shortcode
Description: The s2Member Pro plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 250214 via the 'template' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution.

CVSS: HIGH (8.8)

EPSS Score: 0.1%

SSVC Exploitation: none

Source: CVE
March 18th, 2025 (3 months ago)

CVE-2024-4180
The Events Calendar < 6.4.0.1 - Reflected XSS
Description: The Events Calendar WordPress plugin before 6.4.0.1 does not properly sanitize user-submitted content when rendering some views via AJAX.

EPSS Score: 0.16%

SSVC Exploitation: poc

Source: CVE
March 18th, 2025 (3 months ago)

CVE-2024-4970
Widget Bundle <= 2.0.0 - Admin+ Stored XSS
Description: The Widget Bundle WordPress plugin through 2.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

EPSS Score: 0.09%

SSVC Exploitation: none

Source: CVE
March 18th, 2025 (3 months ago)

CVE-2024-4469
Migration Backup Restore < 3.5.0 - Admin+ SSRF
Description: The WP STAGING WordPress Backup Plugin WordPress plugin before 3.5.0 does not prevent users with the administrator role from pinging conducting SSRF attacks, which may be a problem in multisite configurations.

EPSS Score: 0.12%

SSVC Exploitation: poc

Source: CVE
March 18th, 2025 (3 months ago)