CVE-2024-13378
Description: The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style_settings' parameter in versions 2.9.0.1 up to, and including, 2.9.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The attack is only successful in the Chrome web browser, and requires directly browsing the media file via the attachment post.
CVSS: MEDIUM (5.4) EPSS Score: 0.05%
January 18th, 2025
CVE-2024-13377
Description: The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alt' parameter in all versions up to, and including, 2.9.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: HIGH (7.2) EPSS Score: 0.05%
January 18th, 2025
CVE-2024-13367
Description: The Sandbox plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the export_download action in all versions up to, and including, 0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to download an entire copy of a sandbox environment which can contain sensitive information like the wp-config.php file.
CVSS: MEDIUM (6.5) EPSS Score: 0.05%
January 18th, 2025
CVE-2024-13366
Description: The Sandbox plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'debug' parameter in all versions up to, and including, 0.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVSS: MEDIUM (6.1) EPSS Score: 0.05%
January 18th, 2025
CVE-2024-13333
Description: The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fma_local_file_system' function in versions 5.2.12 to 5.2.13. This makes it possible for authenticated attackers, with Subscriber-level access and above and upload permissions granted by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. The function can be exploited only if the "Display .htaccess?" setting is enabled.
CVSS: HIGH (7.5) EPSS Score: 0.06%
January 18th, 2025
CVE-2024-13026
Description: A vulnerability exists in Algo Edge up to 2.1.1, a previously used (legacy) component of navify® Algorithm Suite. The vulnerability impacts the authentication mechanism of this component and could allow an attacker with adjacent access to the laboratory network and the Algo Edge system to craft valid authentication tokens and access the component. Other components of navify® Algorithm Suite are not affected.
CVSS: MEDIUM (6.1) EPSS Score: 0.04%
January 18th, 2025
CVE-2024-12757
Description: Nedap Librix Ecoreader is missing authentication for critical functions that could allow an unauthenticated attacker to potentially execute malicious code.
CVSS: HIGH (8.6) EPSS Score: 0.04%
January 18th, 2025
CVE-2024-12703
Description: CWE-502: A deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity and potential remote code execution on the workstation when a non-admin authenticated user opens a malicious project file.
CVSS: HIGH (8.5) EPSS Score: 0.04%
January 18th, 2025
CVE-2024-12637
Description: The Moving Users plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.05 via the export functionality. The JSON files are stored in predictable locations with guessable file names when exporting user data. This could allow unauthenticated attackers to extract sensitive user data, for instance, email addresses, hashed passwords, and IP addresses.
CVSS: MEDIUM (5.3) EPSS Score: 0.05%
January 18th, 2025
CVE-2024-12598
Description: The MyBookProgress by Stormhill Media plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'book' parameter in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.05%
January 18th, 2025