Description:
Web App Scanning Plugin ID 114593 with Medium Severity
Synopsis
Build Private Store For Woocommerce Plugin for WordPress < 1.1 Cross-Site Request Forgery
Description
The WordPress Build Private Store For Woocommerce Plugin installed on the remote host is affected by a Cross-Site Request Forgery (CSRF) vulnerability. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Build Private Store For Woocommerce 1.1 or later
Read more at https://www.tenable.com/plugins/was/114593
February 12th, 2025 (4 months ago)
CVE-2025-0862
Description: The SuperSaaS – online appointment scheduling plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘after’ parameter in all versions up to, and including, 2.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is limited to Chromium-based browsers (e.g. Chrome, Edge, Brave).
CVSS: MEDIUM (4.9) EPSS Score: 0.07%
February 12th, 2025 (4 months ago)
CVE-2025-0181
Description: The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.7. This is due to the plugin not properly validating a user's identity prior to setting the current user and their authentication cookie. This makes it possible for unauthenticated attackers to gain access to a target user's (e.g. administrators) account.
CVSS: CRITICAL (9.8) EPSS Score: 0.09%
February 12th, 2025 (4 months ago)
CVE-2025-0180
Description: The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3. This is due to the plugin not properly restricting what user meta can be updated during profile registration. This makes it possible for unauthenticated attackers to register on the site as an administrator.
CVSS: CRITICAL (9.8) EPSS Score: 0.09%
February 12th, 2025 (4 months ago)
CVE-2024-32085
Description: Cross-Site Request Forgery (CSRF) vulnerability in AitThemes Citadela Listing. This issue affects Citadela Listing: from n/a before 5.20.0.
CVSS: MEDIUM (5.4) EPSS Score: 0.04%
February 12th, 2025 (4 months ago)
CVE-2024-13643
Description: The Zox News - Professional WordPress News & Magazine Theme plugin for WordPress is vulnerable to unauthorized data modification. This vulnerability can lead to privilege escalation and denial of service conditions due to missing capability checks on the backup_options() and reset_options() functions in all versions up to and including 3.17.0. This vulnerability allows authenticated attackers with Subscriber-level access and above to update and delete arbitrary option values on the WordPress site. Attackers can exploit this issue to update the default user role for registration to Administrator and enable user registration, thereby gaining administrative access to the vulnerable site. Additionally, they could delete critical options, causing errors that may disrupt the site's functionality and deny service to legitimate users.
CVSS: HIGH (8.8) EPSS Score: 0.06%
February 12th, 2025 (4 months ago)
CVE-2024-13570
Description: The Stray Random Quotes WordPress plugin through 1.9.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
EPSS Score: 0.05%
February 12th, 2025 (4 months ago)
CVE-2024-13544
Description: The Zarinpal Paid Download WordPress plugin through 2.3 does not properly validate uploaded files, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in a multisite setup).
EPSS Score: 0.05%
February 12th, 2025 (4 months ago)
CVE-2024-13543
Description: The Zarinpal Paid Download WordPress plugin through 2.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
EPSS Score: 0.05%
February 12th, 2025 (4 months ago)
CVE-2024-13506
Description: The GeoDirectory – WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the display_name profile parameter in all versions up to, and including, 2.8.97 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.05%
February 12th, 2025 (4 months ago)