Threat and Vulnerability Intelligence Database

CVE-2024-13910

Description: The Database Backup and check Tables Automated With Scheduler 2024 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'database_backup_ajax_delete' function in all versions up to, and including, 2.35. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability was partially patched in version 2.36.

CVSS: HIGH (7.2)

EPSS Score: 0.71%

Source: CVE
March 1st, 2025 (4 months ago)

CVE-2024-13697

Description: The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.4 via the 'nice_links'. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Successful exploitation requires the "Enable link previews" to be enabled (default).

CVSS: MEDIUM (4.8)

EPSS Score: 0.04%

Source: CVE
March 1st, 2025 (4 months ago)

CVE-2024-13611

Description: The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.9 via the 'bp-better-messages' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/bp-better-messages directory which can contain file attachments included in chat messages.

CVSS: HIGH (7.5)

EPSS Score: 0.05%

Source: CVE
March 1st, 2025 (4 months ago)

CVE-2025-1671

Description: The Academist Membership plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.6. This is due to the academist_membership_check_facebook_user() function not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to log in as any user, including site administrators.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
March 1st, 2025 (4 months ago)

CVE-2025-1638

Description: The Alloggio Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user's identity through the alloggio_membership_init_rest_api_facebook_login and alloggio_membership_init_rest_api_google_login functions. This makes it possible for unauthenticated attackers to log in as any user, including administrators, without knowing a password.

CVSS: CRITICAL (9.8)

EPSS Score: 0.15%

Source: CVE
March 1st, 2025 (4 months ago)

CVE-2025-1564

Description: The SetSail Membership plugin for WordPress is vulnerable to in all versions up to, and including, 1.0.3. This is due to the plugin not properly verifying a user's identity through the social login. This makes it possible for unauthenticated attackers to log in as any user, including administrators, and take over access to their account.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
March 1st, 2025 (4 months ago)

CVE-2024-13911

Description: The Database Backup and check Tables Automated With Scheduler 2024 plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.35 via the /dashboard/backup.php file. This makes it possible for authenticated attackers, with Administrator-level access and above, to extract sensitive data including full database credentials.

CVSS: HIGH (7.2)

EPSS Score: 0.1%

Source: CVE
March 1st, 2025 (4 months ago)

CVE-2024-13806

Description: The The Authors List plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

CVSS: MEDIUM (6.5)

EPSS Score: 0.08%

Source: CVE
March 1st, 2025 (4 months ago)

CVE-2024-12544

Description: The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to arbitrary file deletion due to a missing capability check on the callback function of the SurveyJS_DeleteFile class in all versions up to, and including, 1.12.17. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This function is still vulnerable to Cross-Site Request Forgery as of 1.12.20.

CVSS: HIGH (8.8)

EPSS Score: 0.23%

Source: CVE
March 1st, 2025 (4 months ago)

CVE-2025-1730

Description: The Simple Download Counter plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.0 via the 'simple_download_counter_download_handler'. This makes it possible for authenticated attackers, with Author-level access and above, to extract sensitive data including any local file on the server, such as wp-config.php or /etc/passwd.

CVSS: MEDIUM (6.5)

EPSS Score: 0.04%

Source: CVE
March 1st, 2025 (4 months ago)