CVE-2024-2500
Description: The ColorMag theme for WordPress is vulnerable to Stored Cross-Site Scripting via a user's Display Name in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.14% SSVC Exploitation: none
April 10th, 2025 (11 days ago)
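The bug class above is a theme printing a stored, user-controlled string into HTML without escaping for the context it lands in. The following is an added illustration, not ColorMag's code or the Wordfence advisory's: a stand-alone PHP script that renders a constructed malicious display name once unescaped and once escaped. The function names and the sample payload are assumptions made for the example; `htmlspecialchars()` stands in for what a WordPress theme would do with `esc_html()` (text context) and `esc_attr()` (attribute context).

```php
<?php
// Added example (not ColorMag's code): escaping a contributor-controlled
// display name at output time. Requires PHP 8.0+ (`php this-file.php`).
declare(strict_types=1);

// Constructed sample: a display name a contributor can save in their own
// profile. WordPress stores it as entered; the theme decides how it is printed.
$displayName = '<img src=x onerror="fetch(\'/wp-admin/user-new.php\')">';

// Vulnerable pattern: raw concatenation into the page. The browser parses the
// name as markup, and the onerror handler runs in every visitor's session.
function renderAuthorVulnerable(string $name): string
{
    return '<span class="author">' . $name . '</span>';
}

// Hardened pattern for a text node: escape for HTML at the point of output.
// WordPress equivalent: esc_html($name).
function renderAuthorEscaped(string $name): string
{
    return '<span class="author">'
        . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</span>';
}

// Attribute context is a separate decision: quotes must be escaped so the
// value cannot close the attribute early. WordPress equivalent: esc_attr($name).
function renderAuthorTitleEscaped(string $name): string
{
    return '<a href="/author/" title="'
        . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '">profile</a>';
}

echo renderAuthorVulnerable($displayName), PHP_EOL;   // payload emitted as live markup
echo renderAuthorEscaped($displayName), PHP_EOL;      // payload emitted as inert text
echo renderAuthorTitleEscaped($displayName), PHP_EOL; // payload cannot leave the attribute
```

Sanitizing on save (for example `sanitize_text_field()` when the profile is updated) is defence in depth, but display names legitimately contain `&`, `'` and `<` in some languages and nicknames, so the reliable control is escaping at every output site for the context it is written into.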
CVE-2024-2326
Description: The Pretty Links – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.3. This is due to missing or incorrect nonce validation when saving plugin settings. This makes it possible for unauthenticated attackers to change the plugin's configuration, including the Stripe integration, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CVSS: MEDIUM (4.3) EPSS Score: 0.03% SSVC Exploitation: none
April 10th, 2025 (11 days ago)
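The missing control in a CSRF bug like this one (and the ShareThis entry further down this page) is a per-user, per-action token that a third-party page cannot read. The following is an added example, not Pretty Links' code: a stand-alone PHP script with a settings handler that only checks the capability, beside one that also verifies a nonce. The option name `stripe_secret_key`, the action name `save_settings`, the `SECRET` constant and the HMAC-based nonce are assumptions for the example; WordPress derives its nonces from `NONCE_KEY`/`NONCE_SALT`, the user ID and a time window, and the corresponding calls are `wp_nonce_field()` on the form and `check_admin_referer()` in the handler.

```php
<?php
// Added example (not Pretty Links' code): nonce check on a settings save.
// Requires PHP 8.0+ (`php this-file.php`).
declare(strict_types=1);

// Stand-in server secret; never ship a literal like this.
const SECRET = 'replace-with-a-random-server-secret';

// Nonce bound to the action and the current user. (WordPress also mixes in a
// time tick so nonces expire; omitted here for brevity.)
function makeNonce(string $action, int $userId): string
{
    return hash_hmac('sha256', $action . '|' . $userId, SECRET);
}

function verifyNonce(?string $nonce, string $action, int $userId): bool
{
    if ($nonce === null) {
        return false;
    }
    return hash_equals(makeNonce($action, $userId), $nonce); // constant-time compare
}

// Vulnerable handler: capability check only. An administrator who loads an
// attacker page that auto-submits a form to this endpoint changes the
// settings without knowing it; the browser attaches the admin's cookies.
function saveSettingsVulnerable(array $post, bool $isAdmin, array &$options): bool
{
    if (!$isAdmin) {
        return false;
    }
    $options['stripe_secret_key'] = (string) ($post['stripe_secret_key'] ?? '');
    return true;
}

// Hardened handler: capability check plus nonce check, the equivalent of
// check_admin_referer('save_settings') in WordPress.
function saveSettingsHardened(array $post, bool $isAdmin, int $userId, array &$options): bool
{
    if (!$isAdmin) {
        return false;
    }
    if (!verifyNonce($post['_wpnonce'] ?? null, 'save_settings', $userId)) {
        return false; // WordPress would wp_die('The link you followed has expired.')
    }
    $options['stripe_secret_key'] = (string) ($post['stripe_secret_key'] ?? '');
    return true;
}

// Constructed forged request: the attacker's page cannot read the admin's
// nonce (same-origin policy), so the POST arrives without a valid one.
$forged  = ['stripe_secret_key' => 'sk_live_attacker'];
$adminId = 1;

$options = ['stripe_secret_key' => 'sk_live_legit'];
saveSettingsVulnerable($forged, true, $options);
echo 'vulnerable: ', $options['stripe_secret_key'], PHP_EOL;          // sk_live_attacker

$options = ['stripe_secret_key' => 'sk_live_legit'];
$ok = saveSettingsHardened($forged, true, $adminId, $options);
echo 'hardened, forged: ', var_export($ok, true), ' ', $options['stripe_secret_key'], PHP_EOL; // false sk_live_legit

// Legitimate submission from the real settings page carries the nonce.
$legit = $forged + ['_wpnonce' => makeNonce('save_settings', $adminId)];
$ok = saveSettingsHardened($legit, true, $adminId, $options);
echo 'hardened, legitimate: ', var_export($ok, true), ' ', $options['stripe_secret_key'], PHP_EOL; // true sk_live_attacker
```

The "incorrect nonce validation" wording in the description covers a second failure mode worth checking in review: calling `wp_verify_nonce()` and ignoring its return value, or verifying a nonce for a different action than the form generates, both of which leave the handler as exposed as having no check at all.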
CVE-2024-1685
Description: The Social Media Share Buttons plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.1.0 via deserialization of untrusted input through the attachmentUrl parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVSS: HIGH (8.8) EPSS Score: 1.96% SSVC Exploitation: none
April 10th, 2025 (11 days ago)
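The description draws the distinction that matters for triage: the injection point (an `unserialize()` on request data) and the gadget (a class with a magic method that does something dangerous) can live in different plugins. The following is an added example, not the Social Media Share Buttons plugin's code: a stand-alone PHP script with a hypothetical gadget class `TempFileCleaner`, a constructed serialized payload of the kind that could be sent in a parameter like `attachmentUrl`, and the vulnerable and hardened deserialization paths side by side. The class and function names are assumptions for the example; the destructor only prints instead of deleting.

```php
<?php
// Added example (not the plugin's code): PHP object injection and two fixes.
// Requires PHP 7.0+ for the allowed_classes option (`php this-file.php`).
declare(strict_types=1);

// Hypothetical gadget, standing in for a class some *other* installed plugin
// or theme might define. The vulnerable plugin itself need not contain it.
class TempFileCleaner
{
    public string $path = '';

    public function __destruct()
    {
        // Runs when the object is released, even though the code that
        // deserialized it never called anything on it.
        echo "[__destruct] would unlink {$this->path}", PHP_EOL;
    }
}

// Constructed attacker value for the parameter (written by hand so that
// serialize() does not itself create and destroy an object here).
$payload = 'O:15:"TempFileCleaner":1:{s:4:"path";s:27:"/var/www/html/wp-config.php";}';

// Vulnerable: unserialize() instantiates whatever class the string names.
function loadAttachmentVulnerable(string $raw)
{
    return unserialize($raw);
}

// Hardened (preferred): use a format that cannot express objects at all,
// then validate the shape of what came back.
function loadAttachmentHardened(string $raw): ?string
{
    $decoded = json_decode($raw, true);
    if (!is_string($decoded) || filter_var($decoded, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    return $decoded;
}

// Hardened (if the serialize() wire format cannot be changed): forbid class
// instantiation, so only scalars and arrays are reconstructed.
function unserializeNoObjects(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

$obj = loadAttachmentVulnerable($payload);
echo 'vulnerable reconstructed: ', get_class($obj), PHP_EOL; // TempFileCleaner
unset($obj);                                                  // destructor fires here

var_dump(loadAttachmentHardened($payload));                              // NULL (not JSON)
var_dump(loadAttachmentHardened(json_encode('https://example.com/a.png'))); // the URL string

$stub = unserializeNoObjects($payload);
echo 'allowed_classes=false reconstructed: ', get_class($stub), PHP_EOL; // __PHP_Incomplete_Class
```

`__PHP_Incomplete_Class` has no magic methods, so the gadget's `__destruct` never runs. When assessing a site, the practical question is therefore not only whether the vulnerable plugin is installed but which other code on the same install defines `__destruct`, `__wakeup` or `__toString` methods reachable from an attacker-shaped object graph.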
Description: If you are a Patchstack customer, you are protected from this vulnerability already, and no further action is required from you. Vulnerability Information On April 10, 2025, a critical vulnerability in the WordPress plugin SureTriggers (version 1.0.78 and below) was identified and published. This flaw allows unauthenticated attackers to create administrative user accounts on vulnerable […]
The post Critical SureTriggers Plugin Vulnerability Exploited within 4 hours appeared first on Patchstack.
April 10th, 2025 (11 days ago)
🚨 Marked as known exploited on April 10th, 2025 (11 days ago).
Description: Hackers started exploiting a high-severity flaw that allows bypassing authentication in the OttoKit (formerly SureTriggers) plugin for WordPress just hours after public disclosure. [...]
April 10th, 2025 (11 days ago)
CVE-2025-31411
Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Aribhour Linet ERP-Woocommerce Integration allows Path Traversal. This issue affects Linet ERP-Woocommerce Integration: from n/a through 3.5.12.
CVSS: MEDIUM (5.9) EPSS Score: 0.05%
April 10th, 2025 (11 days ago)
CVE-2025-27350
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hugh Mungus Vice Versa allows Reflected XSS. This issue affects Vice Versa: from n/a through 2.2.3.
CVSS: HIGH (7.1) EPSS Score: 0.04%
April 10th, 2025 (11 days ago)
CVE-2025-32687
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Magnigenie Review Stars Count For WooCommerce allows SQL Injection. This issue affects Review Stars Count For WooCommerce: from n/a through 2.0.
CVSS: HIGH (8.5) EPSS Score: 0.03%
April 10th, 2025 (11 days ago)
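A WooCommerce-side SQL injection of this class typically comes from a product or post ID taken from a shortcode attribute or AJAX request and interpolated into a query. The following is an added example, not the Review Stars Count plugin's code: a stand-alone PHP script using an in-memory SQLite table (constructed here) to show the interpolated query beside a parameterised one. The table, column and function names are assumptions for the example; in WordPress the parameterised form is `$wpdb->prepare()` with `%d`/`%s` placeholders, as noted in the comment.

```php
<?php
// Added example (not the plugin's code): string-built SQL vs. bound parameters.
// Requires PHP with the pdo_sqlite extension (`php this-file.php`).
declare(strict_types=1);

// Constructed in-memory table standing in for a review table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reviews (product_id INTEGER, rating INTEGER)');
$db->exec('INSERT INTO reviews VALUES (1, 5), (1, 4), (2, 3)');

// Vulnerable: the request value becomes part of the SQL text.
function countReviewsVulnerable(PDO $db, string $productId): int
{
    $sql = "SELECT COUNT(*) FROM reviews WHERE product_id = $productId";
    return (int) $db->query($sql)->fetchColumn();
}

// Hardened: the value is bound as data and never parsed as SQL.
// WordPress equivalent:
//   $wpdb->get_var($wpdb->prepare(
//       "SELECT COUNT(*) FROM {$wpdb->prefix}reviews WHERE product_id = %d", $productId));
// %d additionally casts to int, so a non-numeric string becomes 0.
function countReviewsHardened(PDO $db, string $productId): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM reviews WHERE product_id = :id');
    $stmt->execute([':id' => $productId]);
    return (int) $stmt->fetchColumn();
}

$benign   = '1';
$injected = '1 OR 1=1'; // constructed: e.g. [review_count product_id="1 OR 1=1"]

echo countReviewsVulnerable($db, $benign), PHP_EOL;   // 2
echo countReviewsVulnerable($db, $injected), PHP_EOL; // 3: the WHERE clause is neutralised
echo countReviewsHardened($db, $benign), PHP_EOL;     // 2
echo countReviewsHardened($db, $injected), PHP_EOL;   // 0: the whole string is one value, matching no row
```

Binding alone stops the injection; validating the type as well (`absint()` or `(int)` before the query) keeps the error path clean and matches what `%d` does in `$wpdb->prepare()`.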
CVE-2025-32668
Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Rameez Iqbal Real Estate Manager allows PHP Local File Inclusion. This issue affects Real Estate Manager: from n/a through 7.3.
CVSS: HIGH (8.1) EPSS Score: 0.15%
April 10th, 2025 (11 days ago)
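The Real Estate Manager entry (a request-controlled value reaching `include`) and the Linet ERP-Woocommerce Integration path traversal entry above both come down to a filename that is joined onto a base directory without the result being confined to it. The following is an added example serving both entries, not either plugin's code: a stand-alone PHP script that builds a small directory layout in the system temp dir (constructed), then shows a vulnerable file read and a vulnerable `include` beside a canonicalised containment check and an allowlist. All directory, file and function names are assumptions for the example.

```php
<?php
// Added example (neither plugin's code): path traversal and local file
// inclusion, with containment and allowlist fixes. Requires PHP 8.0+.
declare(strict_types=1);

// Constructed sandbox so the script runs anywhere.
$root = sys_get_temp_dir() . '/traversal-demo-' . getmypid();
mkdir("$root/exports", 0700, true);
mkdir("$root/views", 0700, true);
mkdir("$root/admin", 0700, true);
file_put_contents("$root/exports/orders.csv", "id,total\n1,9.99\n");
file_put_contents("$root/secret.txt", "not for download\n");
file_put_contents("$root/views/list.php", "<?php echo 'list view', PHP_EOL;\n");
file_put_contents("$root/admin/tools.php", "<?php echo 'admin tool ran', PHP_EOL;\n");

// Vulnerable download: request-controlled name joined onto the base path.
function readExportVulnerable(string $base, string $name): string|false
{
    return @file_get_contents($base . '/' . $name);
}

// Hardened download: canonicalise, then require the result to stay inside $base.
function readExportHardened(string $base, string $name): ?string
{
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . $name);
    if ($baseReal === false || $target === false) {
        return null;                                   // missing or unresolvable
    }
    if (!str_starts_with($target, $baseReal . DIRECTORY_SEPARATOR)) {
        return null;                                   // escaped the export directory
    }
    return file_get_contents($target);
}

// Vulnerable include: a "view" parameter goes straight into include.
function renderVulnerable(string $viewDir, string $view): void
{
    include $viewDir . '/' . $view . '.php';
}

// Hardened include: no path arithmetic on user input at all; a fixed key
// selects from the views that actually exist.
function renderHardened(string $viewDir, string $view): bool
{
    $templates = ['list' => 'list.php'];
    if (!isset($templates[$view])) {
        return false;
    }
    include $viewDir . '/' . $templates[$view];
    return true;
}

echo readExportVulnerable("$root/exports", '../secret.txt');      // leaks secret.txt
var_dump(readExportHardened("$root/exports", '../secret.txt'));    // NULL
echo readExportHardened("$root/exports", 'orders.csv');            // legitimate file

renderVulnerable("$root/views", '../admin/tools');                 // admin tool ran
renderHardened("$root/views", 'list');                             // list view
var_dump(renderHardened("$root/views", '../admin/tools'));         // false

// Clean up the constructed sandbox.
foreach (['exports/orders.csv', 'secret.txt', 'views/list.php', 'admin/tools.php'] as $f) {
    unlink("$root/$f");
}
foreach (['exports', 'views', 'admin', ''] as $d) {
    rmdir(rtrim("$root/$d", '/'));
}
```

`realpath()` resolves `..` and symlinks before the prefix check, which is why the check is done on its output rather than on the raw string; a substring search for `../` in the input is easy to get past with encodings and symlinks. For `include`, the allowlist is the stronger fix because it removes the path computation entirely.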
CVE-2025-32282
Description: Cross-Site Request Forgery (CSRF) vulnerability in ShareThis ShareThis Dashboard for Google Analytics. This issue affects ShareThis Dashboard for Google Analytics: from n/a through 3.2.2.
CVSS: MEDIUM (4.3) EPSS Score: 0.02%
April 10th, 2025 (11 days ago)