Threat and Vulnerability Intelligence Database

CVE-2024-13185

Description: The MinigameCenter module has insufficient restrictions on loading URLs, which may lead to some information leakage.

CVSS: MEDIUM (6.3)

EPSS Score: 0.04%

Source: CVE
January 9th, 2025 (6 months ago)

CVE-2024-13173

Description: The health module has insufficient restrictions on loading URLs, which may lead to some information leakage.

CVSS: MEDIUM (6.3)

EPSS Score: 0.04%

Source: CVE
January 9th, 2025 (6 months ago)

CVE-2024-12855

Description: The AdForest theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several AJAX actions like 'sb_remove_ad' in all versions up to, and including, 5.1.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete posts, attachments and deactivate a license.

CVSS: MEDIUM (4.3)

EPSS Score: 0.05%

Source: CVE
January 9th, 2025 (6 months ago)

CVE-2024-12854

Description: The Garden Gnome Package plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the functionality that automatically extracts 'ggpkg' files that have been uploaded in all versions up to, and including, 2.3.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS: HIGH (8.8)

EPSS Score: 0.05%

Source: CVE
January 9th, 2025 (6 months ago)

CVE-2024-12853

Description: The Modula Image Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the zip upload functionality in all versions up to, and including, 2.11.10. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS: HIGH (8.8)

EPSS Score: 0.05%

Source: CVE
January 9th, 2025 (6 months ago)

CVE-2024-12852

Description: The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ha_cmc_text' parameter of the Happy Mouse Cursor in all versions up to, and including, 3.15.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE
January 9th, 2025 (6 months ago)

CVE-2024-12851

Description: The Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom_attributes parameter of the Cookie Consent Widget in all versions up to, and including, 5.10.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE
January 9th, 2025 (6 months ago)

CVE-2024-12713

Description: The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.2 via the handle_export_form() function due to a missing capability check. This makes it possible for unauthenticated attackers to export data from password protected, private, or draft posts that they should not have access to.

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

Source: CVE
January 9th, 2025 (6 months ago)

CVE-2024-12712

Description: The Shopping Cart & eCommerce Store plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the webhook function in all versions up to, and including, 5.7.8. This makes it possible for unauthenticated attackers to modify order statuses.

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

Source: CVE
January 9th, 2025 (6 months ago)

CVE-2024-12585

Description: The Property Hive WordPress plugin before 2.1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

EPSS Score: 0.04%

Source: CVE
January 9th, 2025 (6 months ago)