Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-31397
WordPress Bus Ticket Booking with Seat Reservation for WooCommerce plugin <= 1.7 - SQL Injection vulnerability
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartcms Bus Ticket Booking with Seat Reservation for WooCommerce allows SQL Injection. This issue affects Bus Ticket Booking with Seat Reservation for WooCommerce: from n/a through 1.7.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
May 23rd, 2025 (17 days ago)

CVE-2025-31069
WordPress HotStar – Multi-Purpose Business Theme <= 1.4 - PHP Object Injection Vulnerability
Description: Deserialization of Untrusted Data vulnerability in themeton HotStar – Multi-Purpose Business Theme allows Object Injection. This issue affects HotStar – Multi-Purpose Business Theme: from n/a through 1.4.

CVSS: CRITICAL (9.8)

EPSS Score: 0.05%

Source: CVE
May 23rd, 2025 (17 days ago)

CVE-2025-31064
WordPress Vizeon - Business Consulting <= 1.1.7 - Local File Inclusion Vulnerability
Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Vizeon - Business Consulting allows PHP Local File Inclusion. This issue affects Vizeon - Business Consulting: from n/a through 1.1.7.

CVSS: HIGH (8.1)

EPSS Score: 0.15%

Source: CVE
May 23rd, 2025 (17 days ago)

CVE-2025-31060
WordPress Capie <= 1.0.40 - Local File Inclusion Vulnerability
Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Capie allows PHP Local File Inclusion. This issue affects Capie: from n/a through 1.0.40.

CVSS: HIGH (8.1)

EPSS Score: 0.15%

Source: CVE
May 23rd, 2025 (17 days ago)

CVE-2025-31056
WordPress WhatsCart plugin <= 1.1.0 - SQL Injection vulnerability
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Techspawn WhatsCart - Whatsapp Abandoned Cart Recovery, Order Notifications, Chat Box, OTP for WooCommerce allows SQL Injection. This issue affects WhatsCart - Whatsapp Abandoned Cart Recovery, Order Notifications, Chat Box, OTP for WooCommerce: from n/a through 1.1.0.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
May 23rd, 2025 (17 days ago)

CVE-2025-31053
WordPress KBx Pro Ultimate <= 7.9.8 - Arbitrary File Deletion Vulnerability
Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in quantumcloud KBx Pro Ultimate allows Path Traversal. This issue affects KBx Pro Ultimate: from n/a through 7.9.8.

CVSS: HIGH (7.7)

EPSS Score: 0.05%

Source: CVE
May 23rd, 2025 (17 days ago)

CVE-2025-31049
WordPress Dash <= 1.3 - PHP Object Injection Vulnerability
Description: Deserialization of Untrusted Data vulnerability in themeton Dash allows Object Injection. This issue affects Dash: from n/a through 1.3.

CVSS: CRITICAL (9.8)

EPSS Score: 0.05%

Source: CVE
May 23rd, 2025 (17 days ago)

CVE-2025-1123
Solid Mail – SMTP email and logging made by SolidWP <= 2.1.5 - Unauthenticated Stored Cross-Site Scripting via Email
Description: The Solid Mail – SMTP email and logging made by SolidWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email Name, Subject, and Body in all versions up to, and including, 2.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: HIGH (7.2)

EPSS Score: 0.07%

SSVC Exploitation: none

Source: CVE
May 23rd, 2025 (17 days ago)

CVE-2025-5096
TablePress <= 3.1.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Parameters
Description: The TablePress plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the 'data-caption', 'data-s-content-padding', 'data-s-title', and 'data-footer' data-attributes in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.06%

Source: CVE
May 23rd, 2025 (17 days ago)

CVE-2025-4594
Tournamatch <= 4.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The Tournamatch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trn-ladder-registration-button' shortcode in all versions up to, and including, 4.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
May 23rd, 2025 (17 days ago)